PCI DSS - A Pocket Guide (Paperback, 4th Revised edition)
IT Governance Publishing
R370 Discovery Miles 3 700 Ships in 12 - 17 working days

An ideal introduction and a quick reference to PCI DSS version 3.1

All businesses that accept payment cards are prey for hackers and criminal gangs trying to steal financial information and commit identity fraud. The PCI DSS (Payment Card Industry Data Security Standard) exists to ensure that businesses process credit and debit card orders in a way that protects cardholder data effectively. All organisations that accept, store, transmit or process cardholder data must comply with the Standard; failure to do so can have serious consequences for their ability to process card payments.

Product overview

Co-written by a PCI QSA (Qualified Security Assessor) and updated to cover PCI DSS version 3.1, this handy pocket guide provides all the information you need to consider as you approach the PCI DSS. It is also an ideal training resource for anyone in your organisation who deals with payment card processing. Coverage includes:

  • An overview of Payment Card Industry Data Security Standard v3.1.
  • A PCI self-assessment questionnaire (SAQ).
  • Procedures and qualifications.
  • An overview of the Payment Application Data Security Standard.

Contents

1. What is the Payment Card Industry Data Security Standard (PCI DSS)?
2. What is the Scope of the PCI DSS?
3. Compliance and Compliance Programmes
4. Consequences of a Breach
5. How do you Comply with the Requirements of the Standard?
6. Maintaining Compliance
7. PCI DSS - The Standard
8. Aspects of PCI DSS Compliance
9. The PCI Self-Assessment Questionnaire
10. Procedures and Qualifications
11. The PCI DSS and ISO/IEC 27001
12. The Payment Application Data Security Standard (PA-DSS)
13. PIN Transaction Security (PTS)

About the authors

Alan Calder is the founder and executive chairman of IT Governance Ltd, an information, advice and consultancy firm that helps company boards tackle IT governance, risk management, compliance and information security issues. He has many years of senior management experience in the private and public sectors.

Geraint Williams is a knowledgeable and experienced senior information security consultant and PCI QSA, with a strong technical background and experience of the PCI DSS and security testing. Geraint has provided consultancy on implementation of the PCI DSS, and conducted audits with a wide range of merchants and service providers. He has performed penetration testing and vulnerability assessments for various clients. Geraint leads the IT Governance CISSP Accelerated Training Programme, as well as the PCI Foundation and Implementer training courses. He has broad technical knowledge of security and IT infrastructure, including high performance computing, and Cloud computing. His certifications include CISSP, PCI QSA, CREST Registered Tester, CEH and CHFI.

An Introduction to Anti-Bribery Management Systems - Doing Right Things (Paperback)
Alan Field; Edited by IT Governance Publishing
R327 Discovery Miles 3 270 Ships in 12 - 17 working days

When is a gift not a gift? When it's a bribe. For many, corporate hospitality oils the wheels of commerce. But where do you draw the line? Bribes, incentives and inducements are not just a matter of used banknotes stuffed in brown envelopes. Expenses, corporate settlement of personal bills, gifts and hospitality can all be used to influence business partners, clients and contractors. Can you afford unlimited fines? Under the Bribery Act 2010, a maximum of ten years' imprisonment and an unlimited fine may be imposed for offering, promising, giving, requesting, agreeing, receiving or accepting bribes. With such strict penalties, it's astonishing that so few companies have few or no measures in place to ensure that they are not liable for prosecution. This is especially astonishing as the Ministry of Justice's Quick start guide to the Bribery Act makes it clear that "There is a full defence if you can show you had adequate procedures in place to prevent bribery." Such procedures can be found in BS 10500:2010, the British Standard for anti-bribery management systems (ABMSs). How to implement an ABMS An Introduction to Anti-Bribery Management Systems (BS 10500) explains how to implement an ABMS that meets the requirements of BS 10500, from initial gap analysis to due diligence management: * An introduction to BS 10500 * An explanation of an ABMS * Management processes within an ABMS * Implementing an ABMS * Risk assessment in due diligence * Whistleblowing and bribery investigations * Internal auditing and corrective action * Certification to BS 10500 It provides helpful guidance on the importance of clearly defining policies; logging gifts and hospitality in auditable records; ensuring a consistent approach across the organisation; controls for contractors; facilitation payments; charitable and political donations; risk assessment in due diligence; whistle-blowing and bribery investigations; and internal auditing and corrective action. 
Meet the stringent requirements of the Bribery Act Not only will a BS 10500-compliant ABMS help your organisation prove its probity by meeting the stringent requirements of the Bribery Act, it can also be adapted to most legal or compliance systems. An ethical approach to business is not just a legal obligation but a way to protect your reputation. About the author Alan Field, MA, LL.B (Hons), PgC, MCQI CQP, MIIRSM, AIEMA, GIFireE, GradIOSH is a Chartered Quality Professional, an IRCA Registered Lead Auditor and member of the Society of Authors. Alan has particular expertise in auditing and assessing anti-bribery management systems to BS 10500 and public-sector counter-fraud systems to ISO9001. Alan has many years' experience with quality and integrated management systems in the legal, financial, property services and project management sectors in auditing, assessment and gap analysis roles. Your company's integrity is important. An Introduction to Anti-Bribery Management Systems (BS 10500) shows you how to maintain and prove it.

Fundamentals of Information Risk Management Auditing (Paperback)
IT Governance Publishing
R487 Discovery Miles 4 870 Ships in 12 - 17 working days

Protect your organisation from information security risks For any modern business to thrive, it must assess, control and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise's risk management strategy, not in isolation. They must be identified, documented, assessed and managed, and assigned to risk owners so that they can be mitigated and audited. Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists. Product overview Fundamentals of Information Risk Management Auditing - An Introduction for Managers and Auditors has four main parts: What is risk and why is it important? An introduction to general risk management and information risk. Introduction to general IS and management risks An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity and availability of information. Introduction to application controls An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely. Life as an information risk management specialist/auditor A guide for those considering, or undergoing, a career in information risk management. Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls. Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses. 
The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to. Topics covered Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defence; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT(R)5, CRAMM, PRINCE2(R), ITIL(R) and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301 and ISO 38500; the UK Government's Cyber Essentials scheme; IT security controls; and application controls. About the author Christopher Wright is a qualified accountant, Certified Information Systems Auditor and Certified ScrumMaster(TM) with over 30 years' experience providing financial and IT advisory and risk management services. For 16 years, he worked at KPMG, where he was head of information risk training in the UK and also ran training courses overseas, including in India and throughout mainland Europe. He managed a number of major IS audit and risk assignments, including project risk and business control reviews. He has worked in a wide range of industry sectors including oil and gas, the public sector, aviation, and travel. For the past eight years, he has been an independent consultant specialising in financial, SOX and operational controls for major ERP implementations, mainly at oil and gas/utilities enterprises. He is an international speaker and trainer on Agile audit and governance, and is the author of two other titles, also published by ITGP: Agile Governance and Audit and Reviewing IT in Due Diligence.

Nine Steps to Success: An ISO 27001 Implementation Overview (Paperback, 3rd ed.)
IT Governance Publishing
R921 Discovery Miles 9 210 Ships in 12 - 17 working days

The Psychology of Information Security 2016 - Resolving Conflicts Between Security Compliance and Human Behaviour (Paperback)
Leron Zinatullin; Edited by IT Governance Publishing
R486 Discovery Miles 4 860 Ships in 12 - 17 working days

Ensure the success of your security programme by understanding users' motivations

"This book cuts to the heart of many of the challenges in risk management, providing advice and tips from interviews as well as models that can be employed easily. Leron manages to do this without being patronising or prescriptive, making it an easy read with some very real practical takeaways." Thom Langford, Chief Information Security Officer at Publicis Groupe

"Based on real world examples the book provides valuable insights into the relationship of information security, compliance, business economics and decision theory. Drawing on interdisciplinary studies, commentary from the field and his own research Leron gives the reader the necessary background and practical tools to drive improvements in their own information security program." Daniel Schatz, Director for Threat & Vulnerability Management at Thomson Reuters

In today's corporations, information security professionals have a lot on their plate. In the face of constantly evolving cyber threats they must comply with numerous laws and regulations, protect their company's assets and mitigate risks to the furthest extent possible. Security professionals can often be ignorant of the impact that implementing security policies in a vacuum can have on the end users' core business activities. These end users are, in turn, often unaware of the risk they are exposing the organisation to. They may even feel justified in finding workarounds because they believe that the organisation values productivity over security. The end result is a conflict between the security team and the rest of the business, and increased, rather than reduced, risk. This can be addressed by factoring in an individual's perspective, knowledge and awareness, and a modern, flexible and adaptable information security approach. The aim of the security practice should be to correct employee misconceptions by understanding their motivations and working with the users rather than against them - after all, people are a company's best assets.

Product description

Based on insights gained from academic research as well as interviews with UK-based security professionals from various sectors, The Psychology of Information Security - Resolving conflicts between security compliance and human behaviour explains the importance of careful risk management and how to align a security programme with wider business objectives, providing methods and techniques to engage stakeholders and encourage buy-in. The Psychology of Information Security redresses the balance by considering information security from both viewpoints in order to gain insight into security issues relating to human behaviour, helping security professionals understand how a security culture that puts risk into context promotes compliance.

About the author

Leron Zinatullin (zinatullin.com) is an experienced risk consultant specialising in cyber security strategy, management and delivery. He has led large-scale, global, high-value security transformation projects with a view to improve cost performance and support business strategy. He has extensive knowledge and practical experience in solving information security, privacy and architectural issues across multiple industry sectors. He has an MSc in information security from University College London, where he focused on the human aspects of information security. His research was related to modelling conflicts between security compliance and human behaviour.

Series information

The Psychology of Information Security is part of the Fundamentals Series, co-published by IT Governance Publishing and Information Security Buzz.

Ensure the success of your security programmes by understanding the psychology of information security. Buy this book today.

Business Continuity and the Pandemic Threat - Potentially the Biggest Survival Challenge Facing Organisations (Paperback)
IT Governance Publishing
R1,066 Discovery Miles 10 660 Ships in 12 - 17 working days

Considering the pandemic threat in a business continuity context I thoroughly enjoyed reading Clark's book which is written in a style that makes it easy for anyone to understand without requiring a background in medicine or business. I have been involved in disaster management planning for the past ten years and yet I still found this book both enlightening and extremely informative. Dr Tanya Melillo MD, MSc(Dist), PhD This informative book is written in an easy going and conversational manner, but the message it brings to the table is critical to understanding the meaning of any forthcoming pandemic threat and considerations of how to mitigate the effects, where possible, to you and your organisation Owen Gregory MSc BA (Hons) MBCI MBCS The increase in commercial aviation and international travel means that pandemics now spread faster than ever before. Seasonal flu pandemics, zoonotic contagions such as Ebola, swine flu and avian flu (e.g. H5N1 and H7N9), and respiratory syndromes such as SARS and MERS have affected millions worldwide. Add the ever-present threat of terrorism and biological warfare, and the possibility of large proportions of your workforce being incapacitated is a lot stronger than you might think. You may well have prepared for limited business interruptions, but how would your business fare if 50% or more of your employees, including those you rely on to execute your business continuity plan, were afflicted by illness - or worse? Although nothing can be done to prevent pandemics, their impact can be significantly mitigated. Business Continuity and the Pandemic Threat explains how. Product overview The book is divided into two parts, which examine the pandemic threat and explain how businesses can address it: Part I: Understanding the Threat The first, shorter, part provides the reader with a detailed overview of the challenge that pandemic threats can present. 
It uses historical examples (such as the 1918-19 Spanish Flu outbreak, which killed 50 million) to illustrate how pandemics can have devastating effects not only on the global population but also on critical infrastructure, the global economy and society. Part II: Preparing for the Inevitable The second part of the book considers the actions that can be taken at a global, national, corporate and individual level to mitigate the risk and limit the damage of pandemic incidents. It provides guidance on creating and validating a pandemic plan, and explains how it integrates with a business continuity plan. Comprehensive case studies are provided throughout. Topics covered include: The World Health Organisation (WHO)'s pandemic phases and the Centre for Disease Control (CDC)'s Pandemic Severity Index Preventive control measures Crisis management and the composition of a crisis management team Dealing with cash-flow, staff absenteeism, home working and supply chain management Communications and media plans Pandemic issues for HR The threat to critical national infrastructure Health service contingency plans and first responders' business continuity plans The provision of vaccines and antiviral medicines, including relevant ethical issues Take your business continuity plan to the next level: ensure your organisation survives a pandemic with a substantially depleted workforce. Buy Business Continuity and the Pandemic Threat today. About the author A Fellow of the Institute of Business Continuity Management and Member of the Business Continuity Institute, Robert A. Clark is also a Fellow of the British Computer Society and a Member of the Security Institute. His career includes 15 years with IBM and 11 years with Fujitsu Services working with clients on BCM related assignments. He is now a freelance business continuity consultant at www.bcm-consultancy.com.

Selling Information Security to the Board - A Primer (Paperback, 2)
IT Governance Publishing
R370 Discovery Miles 3 700 Ships in 12 - 17 working days

Information technology plays a fundamental role in the operations of any modern business. While the confidentiality and integrity of your organisation's information have to be protected, a business still needs to have this information readily available in order to be able to function from day to day. If you are an information security practitioner, you need to be able to sell complex and often technical solutions to boards and management teams. Persuading the board to invest in information security measures requires sales skills. As an information security professional, you are a scientific and technical specialist; and yet you need to get your message across to people whose primary interests lie elsewhere, in turnover and overall performance. In other words, you need to develop sales and marketing skills. This pocket guide will help you with the essential sales skills that persuade company directors to commit money and resources to your information security initiatives. How this book can help information security professionals: Understand basic sales techniques Find out what to do to capture the attention of management and win them over Understand how to present yourself Present yourself so that management takes you seriously, and ensure your proposal receives a proper hearing. Find out how to earn management's trust This guide shows you how to persuade management that you are the kind of information security professional who is interested in supporting, rather than impeding, business success. Learn how to craft a successful proposal This guide offers you invaluable tips on how to write a proposal that will communicate your ideas effectively to senior executives. Improve your powers of persuasion with the board ... Buy this pocket guide today! About the author Alan Calder is the CEO and founder of IT Governance Ltd. He has written widely on IT governance and information security management. 
This pocket guide is the first in a suite of products to focus on the important subject of making sure you can convince management of information security's importance. A book, a podcast, and more will follow shortly.

Agile - An Executive Guide (Paperback, 2nd Revised edition)
IT Governance Publishing
R373 Discovery Miles 3 730 Ships in 12 - 17 working days

The true power of Agile methodologies is not technology; it is business value generation. Use Agile methodologies to turn your IT solution challenges into high business-value returns All too often, IT solutions are plagued by budget overruns, missed deadlines, low-quality outputs and dissatisfied users. Agile methodologies are proven, common-sense methods for substantially increasing the relevance, flexibility and bottom-line business value of your software solutions. Quantify and measure the benefits that Agile methodologies can deliver to your organisation. Agile methodologies, such as Scrum, DSDM, FDD, Lean, XP and Kanban, are proven approaches for applying the finite resources of an organisation to deliver high business-value software solutions on time and within allocated budgets. These methodologies protect organisations from wasting their IT budgets by replacing large upfront financial commitments with incremental investment based on the ongoing business value of delivered software. They encourage collaboration with key stakeholders, empower staff to regularly deliver bottom-line value, and ensure that IT solutions are responsive to ongoing organisational and market changes. Read this guide and ... Understand the 10 core business benefits of Agile. At the heart of Agile methodologies are 10 core business benefits that enable organisations to maximise their IT investments, including: Better risk management, ongoing control of budget expenditure, better alignment with business requirements, and substantially higher quality IT solutions. Agile: An Executive Guide details each of these benefits from a strategic senior management perspective. Identify which Agile methodologies align with the specific needs of your organisation. 
Agile: An Executive Guide provides you with tools to assess your organisational culture, structure and dynamic in order to determine whether Agile methodologies are suitable to your specific needs, and to select those Agile methodologies that are the best fit for your organisation. Get the essential information you need to implement Agile within your organisation. Agile: An Executive Guide is full of practical advice, including detailed guidelines to help you: Choose the right kick-off point for Agile within your organisation; avoid common traps; monitor and measure your investment; and broaden the use of Agile methodologies into other areas of your organisation. It includes step-by-step guidelines, interactive tools and targeted questionnaires to help you and your staff successfully implement these methodologies. Agile: An Executive Guide describes Agile methodologies in clear business language specifically written for business professionals. It will help you make realistic business-driven decisions on whether Agile methodologies are appropriate for your organisation; whether you are looking to consolidate your IT overheads, to provide better software solutions to your clients, or to have more control over your IT expenditures. This guide provides practical, proven ways to introduce, incorporate and leverage Agile methodologies to maximise your business returns.

Validating Your Business Continuity Plan (Paperback)
IT Governance Publishing
R1,062 Discovery Miles 10 620 Ships in 12 - 17 working days

75% of companies without a business continuity plan fail within three years. Disruptive incidents can affect any organisation and occur at any moment. ICT outages, cyber attacks, natural disasters, terrorist attacks, pandemics, supply chain failures and other unexpected events can all affect productivity and in many cases place a company's survival in serious jeopardy. Business continuity planning is essential to overcoming business disruptions, but too many companies prepare business continuity plans and then shelve them, only for those plans to fail when they're actually needed. 80% of companies that have not recovered from a disaster within one month go out of business. A business continuity plan that isn't validated isn't a plan at all - it's merely a strategy. Indeed, in some cases an untested plan is worse than no plan at all. In spite of this, only 30% of businesses actually validate their business continuity plans. Product overview Business continuity planning is a process of continual improvement, not a matter of writing a plan and then putting your feet up. Attempting to validate every aspect of your plan, however - particularly in a live rehearsal situation - could create a disaster of your own making. Validating Your Business Continuity Plan examines the three essential components of validating a business continuity plan - exercising, maintenance and review - and outlines a controlled and systematic approach to BCP validation while considering each component, covering methods and techniques such as table-top reviews, workshops and live rehearsals. The book also takes account of industry standards and guidelines to help steer the reader through the validation process, including the international standard ISO 22301 and the Business Continuity Institute's Good Practice Guidelines. 
In addition, it provides a number of case studies based on the author's considerable experience - some of them successful, others less so - to highlight common pitfalls and problems associated with the validation process. Contents Introduction Standards and guidelines Business continuity begins at home Defining your exercise programme Selected scenarios Live rehearsal case studies It could happen to anyone, couldn't it? Maintaining your BCMS Reviewing your BCMS Performance appraisal Using consultants to help you exercise Training and education Additional reference material About the author Robert A Clark is a fellow of the Institute of Business Continuity Management, a fellow of the British Computer Society, a member of the Business Continuity Institute and an Approved BCI Instructor. He was employed by IBM for 15 years and Fujitsu for 11, working with clients on BCM-related assignments. He is now a freelance business continuity consultant at www.bcm-consultancy.com. Since 2014, he has been a part-time associate lecturer at Manchester Metropolitan University, where he has delivered BCM courses to both undergraduate and postgraduate students. Move your employees' BCP awareness from 'unconscious incompetence' to 'unconscious competence'. Order Validating Your Business Continuity Plan today.

Assessing IT Projects to Ensure Successful Outcomes (Paperback)
IT Governance Publishing
R1,221 Discovery Miles 12 210 Ships in 12 - 17 working days

A comprehensive reference guide to IT project assessments, from planning to presentation Companies invest billions in technology projects each year, yet their success rates remain surprisingly low. Industry benchmarks suggest that only 15-20% of projects are completed on time and on budget. Project failures can impair an organization's capability as well as having significant commercial, compliance, and security ramifications, which in turn could cause reputational damage and long-term financial losses. It is therefore critical that projects meet their objectives. One way of ensuring that they do is to conduct assessments or audits at key points during their lifecycle. Product overview Assessing IT Projects to Ensure Successful Outcomes is a comprehensive reference guide that focuses on the assessment of IT projects. Organised into five main sections (Approach, Plan, Collect Information, Assess and Recommend, Package and Present), interspersed with case studies based on the author's extensive experience delivering projects, the book provides exhaustive guidance on structuring and conducting an IT project assessment, from planning to presentation. Assessing IT Projects to Ensure Successful Outcomes includes guidance on: Types of assessments and project approaches, including the difference between a project and program assessment. Determining a suitable assessment approach, developing a plan, preparing inventories, and planning for logistics. Information collection and assessment, including identifying and addressing challenges and gaps. Project scoping, change management, schedule management, and cost management. Key roles and focus areas, including team responsibilities and necessary documents, for each project stage. Communication strategies to ensure all stakeholders are kept appropriately informed of a project's progress. 
RAID (risks, actions, issues, decisions) management to address risks and issues that arise, actions that must be performed, and decisions that need to be made throughout the project's lifecycle. Compliance with standard frameworks. Intangibles, such as adapting to company cultures and reacting to cultural conflicts, resource and team dynamics, perception and reputations, and morale. How to package and present an assessment's findings and recommendations in a suitable manner. It also features a detailed summary section containing checklists for assessing all stages of projects - including typical roles on a project team, details of interview responsibilities by role, and a list of necessary project documents. This information can be used either reactively as an easy reference to assess projects, or proactively as a checklist of the considerations and activities required to plan and manage a project. Although principally aimed at professionals who are assessing projects - such as internal auditors, framework auditors, project assessors, or external consultants - Assessing IT Projects to Ensure Successful Outcomes can also be used by project managers looking for a comprehensive view of approaches for managing projects, or as a means of preparing for an assessment of their project. About the author Kerry Wills is a consultant and a project manager who has worked on multi-million dollar technology projects for Fortune 500 companies since 1995, gaining essential experience as program manager, project manager, architect, developer, business analyst, and tester. This breadth of experience gives him a deep understanding of all facets of IT projects. He has planned and executed several large programs, as well as assessed and remediated several troubled programs. Kerry Wills is also the author of Essential Project Management Skills and Applying Guiding Principles of Effective Program Delivery.

The Tao of Open Source Intelligence (Paperback): Stewart K. Bertram The Tao of Open Source Intelligence (Paperback)
Stewart K. Bertram; Edited by It Governance Publishing
R1,051 Discovery Miles 10 510 Ships in 12 - 17 working days

The Internet has become the defining medium for information exchange in the modern world, and the unprecedented success of new web publishing platforms such as those associated with social media has confirmed its dominance as the main information exchange platform for the foreseeable future. But how do you conduct an online investigation when so much of the Internet isn't even indexed by search engines? Accessing and using the information that's freely available online is about more than just relying on the first page of Google results. Open source intelligence (OSINT) is intelligence gathered from publicly available sources and is the key to unlocking this domain for the purposes of investigation. Product overview The Tao of Open Source Intelligence provides a comprehensive guide to OSINT techniques, for the investigator: It catalogues and explains the tools and investigative approaches that are required when conducting research within the surface, deep and dark webs. It explains how to scrutinise criminal activity without compromising your anonymity - and your investigation. It examines the relevance of cyber geography and how to get around its limitations. It describes useful add-ons for common search engines, as well as considering metasearch engines (including Dogpile, Zuula, PolyMeta, iSeek, Cluuz and Carrot2) that collate search data from single-source intelligence platforms such as Google. It considers deep-web social media platforms and platform-specific search tools, detailing such concepts as concept mapping, entity extraction tools and specialist search syntax (Google kung fu). It gives comprehensive guidance on Internet security for the smart investigator, and how to strike a balance between security, ease of use and functionality, giving tips on counterintelligence, safe practices and debunking myths about online privacy. 
OSINT is a rapidly evolving approach to intelligence collection, and its wide application makes it a useful methodology for numerous practices, including within the criminal investigation community. The Tao of Open Source Intelligence is your guide to the cutting edge of this information collection capability. About the author Stewart K. Bertram is a career intelligence analyst who has spent over a decade working across the fields of counterterrorism, cyber security, corporate investigations and geopolitical analysis. The holder of a master's degree in computing and a master of letters in terrorism studies, Stewart is uniquely placed at the cutting edge of intelligence and investigation, where technology and established tradecraft combine. Stewart fuses his academic knowledge with significant professional experience, having used open source intelligence on such diverse real-world topics as the terrorist use of social media in Sub-Saharan Africa and threat assessment at the London Olympic Games. Stewart teaches courses on open source intelligence as well as practising what he preaches in his role as a cyber threat intelligence manager for some of the world's leading private-sector intelligence and security agencies.

Two-Factor Authentication (Paperback): Mark Stanislav Two-Factor Authentication (Paperback)
Mark Stanislav; Edited by It Governance Publishing
R481 Discovery Miles 4 810 Ships in 12 - 17 working days

Passwords are not enough A password is a single authentication factor - anyone who has it can use it. No matter how strong it is, if it's lost or stolen, it's entirely useless at keeping information private. To secure your data properly, you also need to use a separate, secondary authentication factor. Data breaches are now commonplace In recent years, large-scale data breaches have increased dramatically in both severity and number, and the loss of personal information - including password data - has become commonplace. Add to this the fact that rapidly evolving password-cracking technology and the habitual use - and reuse - of weak passwords have rendered the security of username and password combinations negligible, and you have a very strong argument for more robust identity authentication. Consumers are beginning to realise just how exposed their personal and financial information is, and are demanding better security from the organisations that collect, process and store it. This has led to a rise in the adoption of two-factor authentication (TFA or 2FA). In the field of authentication security, the method of proving identity can be broken down into three characteristics - roughly summarised as 'what you have', 'what you are' and 'what you know'. Two-factor authentication relies on the combination of two of these factors. Product overview TFA is nothing new. It's mandated by requirement 8.3 of the Payment Card Industry Data Security Standard (PCI DSS) and banks have been using it for years, combining payment cards ('what you have') and PINs ('what you know'). If you use online banking you'll probably also have a chip authentication programme (CAP) keypad, which generates a one-time password (OTP). What is new is TFA's rising adoption beyond the financial sector. 
Two-Factor Authentication provides a comprehensive evaluation of popular secondary authentication methods, such as: Hardware-based OTP generation SMS-based OTP delivery Phone call-based mechanisms Geolocation-aware authentication Push notification-based authentication Biometric authentication factors Smart card verification As well as examining MFA (multi-factor authentication), 2SV (two-step verification) and strong authentication (authentication that goes beyond passwords, using security questions or layered security), the book also discusses the wider application of TFA for the average consumer, for example at such organisations as Google, Amazon and Facebook. It also considers the future of multi-factor authentication, including its application to the Internet of Things (IoT). Increasing your password strength will do absolutely nothing to protect you from online hacking, phishing attacks or corporate data breaches. If you're concerned about the security of your personal and financial data, you need to read this book. About the author Mark Stanislav is an information technology professional with over a decade's varied experience in systems administration, web application development and information security. He is currently a senior security consultant for the Strategic Services team at Rapid7. Mark has spoken internationally at nearly 100 events, including RSA, DEF CON, SecTor, SOURCE Boston, ShmooCon and THOTCON. News outlets such as the Wall Street Journal, Al Jazeera America, Fox Business, MarketWatch, CNN Money, Yahoo Finance, Marketplace and The Register have featured Mark's research, initiatives and insights on information security.

Build a Security Culture (Paperback): Kai Roer Build a Security Culture (Paperback)
Kai Roer; Edited by It Governance Publishing
R429 Discovery Miles 4 290 Ships in 12 - 17 working days

Protect your organisation by building a security-minded culture "With this book, Kai Roer has taken his many years of cyber experience and provided those with a vested interest in cyber security a firm basis on which to build an effective cyber security training programme." Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Washington, D.C. Human nature - easy prey for hackers? Human behaviour is complex and inconsistent, making it a rich hunting ground for would-be hackers and a significant risk to the security of your organisation. An effective way to address this risk is to create a culture of security. Using the psychology of group behaviour and explaining how and why people follow social and cultural norms, the author highlights the underlying cause for many successful and easily preventable attacks. An effective framework for behavioural security In this book Kai Roer presents his Security Culture Framework, and addresses the human and cultural factors in organisational security. The author uses clear, everyday examples and analogies to reveal social and cultural triggers that drive human behaviour. He explains how to manage these threats by implementing an effective framework for an organisational culture, ensuring that your organisation is set up to repel malicious intrusions and threats based on common human vulnerabilities. Contents What is security culture? The Elements of security culture How does security culture relate to security awareness? Asking for help raises your chances of success The psychology of groups and how to use it to your benefit Measuring culture Building security culture About the author Kai Roer is a management and security consultant and trainer with extensive international experience from more than 30 countries around the world. He is a guest lecturer at several universities, and the founder of The Roer Group, a European management consulting group focusing on security culture. 
Kai has authored a number of books on leadership and cyber security, has been published extensively in print and online, has appeared on radio and television, and has featured in printed media. He is a columnist at Help Net Security and has been the Cloud Security Alliance Norway chapter president since 2012. Kai is a passionate public speaker who engages his audience with his entertaining style and deep knowledge of human behaviours, psychology and cyber security. He is a Fellow of the National Cybersecurity Institute and runs a blog on information security and culture (roer.com). Kai is the host of Security Culture TV, a monthly video and podcast. Series information Build a Security Culture is part of the Fundamentals Series, co-published by IT Governance Publishing and Information Security Buzz.

Data Protection and the Cloud - Are the Risks Too Great? (Paperback): Paul Ticher Data Protection and the Cloud - Are the Risks Too Great? (Paperback)
Paul Ticher; Edited by It Governance Publishing
R328 Discovery Miles 3 280 Ships in 12 - 17 working days

An expert introduction More than 85% of businesses now take advantage of Cloud computing, but Cloud computing does not sit easily with the DPA. Data Protection and the Cloud addresses that issue, providing an expert introduction to the legal and practical data protection risks involved in using Cloud services. Data Protection and the Cloud highlights the risks an organisation's use of the Cloud might generate, and offers the kind of remedial measures that might be taken to mitigate those risks. Topics covered include: Protecting the confidentiality, integrity and accessibility of personal data; Data protection responsibilities; The data controller/data processor relationship; How to choose Cloud providers; Cloud security - including two-factor authentication, data classification and segmentation; The increased vulnerability of data in transit; The problem of BYOD (bring your own device); Data transfer abroad, US Safe Harbor and EU legislation; Relevant legislation, frameworks and guidance, including: the EU General Data Protection Regulation; Cloud computing standards; the international information security standard, ISO 27001; the UK Government's Cyber Essentials scheme and security framework; CESG's Cloud security management principles; guidance from the Information Commissioner's Office and the Open Web Application Security Project (OWASP). Mitigate the security risks Mitigating security risks requires a range of combined measures to be used to provide end-to-end security. Moving to the Cloud does not solve security problems, it just adds another element that must be addressed. Data Protection and the Cloud provides information on how to do so while meeting the DPA's eight principles.

ISO14001 Step by Step - A Practical Guide (Paperback): Naeem Sadiq, Khan ISO14001 Step by Step - A Practical Guide (Paperback)
Naeem Sadiq, Khan; Edited by It Governance Publishing
R394 Discovery Miles 3 940 Ships in 10 - 15 working days

Accessible and professional advice on how to implement an ISO14001 environmental management system In the 21st century, business has to take sustainability seriously. As public opinion becomes increasingly concerned about climate change, governments are imposing ever tighter environmental regulations on both industry and the retail sector. By putting in place an environmental management system (EMS), you can ensure you are disposing of your waste in a responsible manner and making the most efficient use of raw materials. This will help you to lower carbon emissions and keep the negative impact of your business on the environment to a minimum. ISO14001 The International Standard The international standard for an EMS is ISO14001. With an EMS certified to ISO14001, you can improve the safety and efficiency of your business operations, and, at the same time, boost customer confidence and reassure your stakeholders. An invaluable step-by-step guide This pocket guide, intended to help you put in place an EMS, is specifically focused on ISO14001. It is designed to enable industry managers, who may be lacking in specialist knowledge, to achieve compliance with the Standard. A step-by-step approach makes the guide easy to follow. The authors, two experienced auditors, are acknowledged experts on environmental management systems, and they have drawn on material from the UK's Environment Agency. The pocket guide will prove invaluable, not only for auditors and trainers, but also for managers across many sectors of industry. Read this guide and learn how to ...*Achieve compliance with ISO14001 Instead of just telling you, in bureaucratic fashion, what is specified under ISO14001, this user-friendly guide looks at the active steps you can take in order to ensure compliance with the Standard. 
It discusses the factors you need to consider when defining the objectives of the EMS, such as financial viability and available technology, and offers suggestions for measuring and monitoring the effectiveness of your environmental policy. *Manage environmental risks The Deepwater Horizon oil spill is an example of the financial and reputational risks associated with environmental pollution. This pocket guide contains sound advice on the types of operational controls you need to put in place to manage environmental risks and help avoid incidents. *Prepare to deal with an emergency The pocket guide offers suggestions on how to plan for an emergency, such as a spillage or a gas leak, ensuring you have procedures in place to minimise the environmental impact. *Improve the image of your brand Ultimately, organisations aim to operate in a way that shows respect for the environment. Certification to ISO14001 is a recognised measure of that commitment. It is in the interests of your business to be well regarded by the public and, if you use this guide to help secure compliance with ISO14001, you can improve public perception of your organisation. Investing in ISO14001 certification can contribute to enhanced brand equity. Take your organisation step by step towards successful ISO14001 certification! Order this pocket guide today!

IT Governance to Drive High Performance - Lessons from Accenture (Paperback, 1st): Robert E. Kress IT Governance to Drive High Performance - Lessons from Accenture (Paperback, 1st)
Robert E. Kress; Edited by It Governance Publishing
R347 Discovery Miles 3 470 Ships in 12 - 17 working days

This pocket guide provides you with an insider's detailed description of Accenture's IT governance policy and details its governance structure. It will show how effective IT governance links IT strategy and IT decisions to Accenture's business strategy and business priorities. Following the best practices approach set out in this pocket guide will serve as an excellent starting point for any organisation with ambitions to achieve high performance. Benefits to business include: * Boost productivity How hard do you work in other areas of your business to cut costs and improve efficiency? In testing economic times, is the absence of a clear strategy for your business's IT governance still a realistic option? Learning from Accenture's proven approach will enable you to increase your organisation's competitiveness over the longer term. * Coordinate your operations To ensure effective decision-making and align your IT function with your broader business goals, you need to make the structure of your IT governance fit your overall corporate governance structure. That way, you can make your IT work for your business. * Manage change effectively IT is crucial for realising the changes you want your business to make. For this reason, you cannot afford to have these changes treated merely as IT projects that have been foisted on the company by the IT department. By bringing top management on board, and giving business leaders a formal role in the IT governance of your organisation, you will make the success of any project with an IT component much more likely. * Keep a grip on budgets The costs of IT projects are notoriously prone to overrun, while some IT development programmes have promised more than they ever delivered. The Accenture way of doing business is different. Following the Accenture approach means ensuring that your IT investment is backed by a solid business case, and measuring the return on investment following project completion. 
High performance Chief executives now put high performance IT among their top strategic objectives. So, if you are looking to improve IT governance in your own organisation, finding out what Robert E. Kress has to say is as good a starting point as any. This book will show you his company's best practice approach to the subject. Whatever business you are in, there is nearly always a clear link between the performance of your IT function and your company's overall results. The bottom line Robert E. Kress, the writer of this pocket guide, is someone who gets things done. As Executive Director of Business Operations for Accenture's IT organisation, he manages a $700 million IT operation for a company with employees in 52 countries. IT is critical to Accenture's success as a management consultancy and technology services provider. IT governance matters to the bottom line, so Accenture insists on clear accountability for IT decisions and delivery. The capacity of Accenture's IT function to stay focussed on the needs of the business is one reason why Accenture has succeeded in doubling its revenue and racking up profits. Between 2001 and 2009, Accenture's operating profits nearly trebled to reach $2.6 billion.

ITIL foundation essentials - the ultimate revision guide (Paperback, ITIL 4 edition): Claire Agutter, It Governance Publishing ITIL foundation essentials - the ultimate revision guide (Paperback, ITIL 4 edition)
Claire Agutter, It Governance Publishing
R482 Discovery Miles 4 820 Ships in 12 - 17 working days

ITIL 4 is the latest evolution of the leading best-practice framework for ITSM (IT service management). It has been significantly updated from ITIL v3 and addresses new ITSM challenges, includes new technologies and incorporates new ways of working. ITIL Foundation Essentials - ITIL 4 Edition* is the ultimate revision guide for candidates preparing for the ITIL 4 Foundation exam. It is fully aligned with the Foundation course syllabus and gives a clear and concise overview of the facts. You can use it in place of writing revision notes, giving you more time to focus on learning the information you need to pass the exam. Whether you are taking an ITIL 4 Foundation training course or are a self-study candidate, new to the framework or looking to upgrade your ITIL 2011 certification, this guide is the essential companion. It: -Provides definitions of the key terms and concepts used in ITIL 4; -Presents detailed information in clear, user-friendly and easy-to-follow ways through tables, bullet points and diagrams; and -Explains the key figures and diagrams in the ITIL syllabus. New for the ITIL 4 Edition: -Fully updated to reflect the changes introduced in ITIL 4. -New sections on the guiding principles of ITIL and the four dimensions of service management. -Updated overview of the ITIL Foundation exam.

EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide (Paperback): It Governance Publishing EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide (Paperback)
It Governance Publishing
R1,066 Discovery Miles 10 660 Ships in 12 - 17 working days

The EU General Data Protection Regulation (GDPR) will supersede the 1995 EU Data Protection Directive (DPD) and all EU member states' national laws based on it - including the UK Data Protection Act 1998 - in May 2018. All organizations - wherever they are in the world - that process the personally identifiable information (PII) of EU residents must comply with the Regulation. Failure to do so could cost them up to €20 million, or 4% of annual global turnover in fines. US organizations that process EU residents' PII can comply with the GDPR via the EU-US Privacy Shield, which replaced the EU-US Safe Harbor framework in 2016. The Privacy Shield is based on the DPD, and will likely be updated once the GDPR is applied in May 2018. This book provides a detailed commentary on the GDPR, explains the changes you need to make to your data protection and information security regimes, and tells you exactly what you need to do to avoid severe financial penalties. Product overview EU GDPR - An Implementation and Compliance Guide is a clear and comprehensive guide to this new data protection law, explaining the Regulation, and setting out the obligations of data processors and controllers in terms you can understand. Topics covered include: *The role of the data protection officer (DPO) - including whether you need one and what they should do. *Risk management and data protection impact assessments (DPIAs), including how, when and why to conduct a DPIA. *Data subjects' rights, including consent and the withdrawal of consent; subject access requests and how to handle them; and data controllers' and processors' obligations. *International data transfers to "third countries" - including guidance on adequacy decisions and appropriate safeguards; the EU-US Privacy Shield; international organizations; limited transfers; and Cloud providers. *How to adjust your data protection processes to transition to GDPR compliance, and the best way of demonstrating that compliance. 
*A full index of the Regulation to help you find the recitals and articles relevant to your organization. * The GDPR will have a significant impact on organizations' data protection regimes around the world. EU GDPR - An Implementation and Compliance Manual shows you exactly what you need to do to comply with the new law. About the authors

EU GDPR - A Pocket Guide (Paperback): It Governance Publishing EU GDPR - A Pocket Guide (Paperback)
It Governance Publishing
R372 Discovery Miles 3 720 Ships in 12 - 17 working days

A clear, concise primer on the EU GDPR The EU General Data Protection Regulation (GDPR) is a key piece of legislation that provides a single, harmonised privacy law for the European Union, improving the promotion and regulation of data privacy. With the Regulation now formally approved by the European Parliament, all companies that operate in Europe have until 26 April 2018 to comply with the new law, or potentially face fines of up to 4% of annual turnover or €20 million. This pocket guide is the perfect introduction for organisations that need to get to grips with the key principles of data privacy and the EU General Data Protection Regulation.

Release and Deployment - An Itsm Narrative Account (Paperback): It Governance Publishing Release and Deployment - An Itsm Narrative Account (Paperback)
It Governance Publishing
R1,052 Discovery Miles 10 520 Ships in 12 - 17 working days

Deploying releases into production is fraught with difficulty With so many interested constituencies, processes can go wrong in more ways than they can go right. The problems start when requirements are gathered and, if unmanaged, can flow unchecked through the entire process, potentially delivering something that's bound to fail while, paradoxically, exactly meeting the specification. In Release and Deployment: An ITSM Narrative Account, we follow the story of the release & deployment process in fictional form. Product overview Chris has got a new job as a release manager - but he's struggling. Parachuted into a large company to fix its release & deployment process after the catastrophic failure of its new app, Asgard, he finds himself battling an array of insular department heads who are all determined that whatever has gone wrong must be another team's fault. They all want the finger of blame pointed elsewhere, and Chris seems to be the perfect target - so they shout down his questions and suggestions as insubordination. How can he pacify his new colleagues, avoid getting fired and get the job done? Lessons from real projects in a narrative format This latest ITSM narrative from Daniel Mclean explains the common pitfalls of release & deployment in fictional form, with each chapter describing a difficult meeting with a different department head and featuring a set of pointers that our hero would have found beneficial. Based on the real-life experience of the author and other ITSM practitioners, Release and Deployment: An ITSM Narrative Account exposes the potential pitfalls and explores how to handle the issues that come with such projects, all in the face of shifting organisational structures and changing management objectives. Contents Winning The Job Where Did My Job Go? Finance - Wisdom or Indifference? 
Bad Beginnings Requirements - Voice of the Business Sales - Heart of the Business Application Development Infrastructure - Physical Clouds QA - Guardians of the Gates Management Intervention Change Management - Short Circuit Release - Let Slip the Dogs of War Deploy - The End of the Beginning About the author Daniel McLean is an ITSM consultant with over 20 years' experience in IT. He has spent the last ten years designing, implementing and operating processes supporting ITSM. He was also a peer reviewer during development of the OGC ITIL v3 Service Strategy Best Practice. Daniel McLean's other ITSM narrative accounts are also available from IT Governance.

The Security Consultant's Handbook (Paperback): It Governance Publishing The Security Consultant's Handbook (Paperback)
It Governance Publishing
R1,576 R1,407 Discovery Miles 14 070 Save R169 (11%) Ships in 12 - 17 working days

A compendium of essential information for the modern security entrepreneur and practitioner The modern security practitioner has shifted from a predominantly protective site and assets manager to a leading contributor to overall organizational resilience. Accordingly, The Security Consultant's Handbook sets out a holistic overview of the essential core knowledge, emerging opportunities, and approaches to corporate thinking that are increasingly demanded by employers and buyers in the security market. This book provides essential direction for those who want to succeed in security, either individually or as part of a team. It also aims to stimulate some fresh ideas and provide new market routes for security professionals who may feel that they are underappreciated and overexerted in traditional business domains. Product overview Distilling the author's fifteen years' experience as a security practitioner, and incorporating the results of some fifty interviews with leading security practitioners and a review of a wide range of supporting business literature, The Security Consultant's Handbook provides a wealth of knowledge for the modern security practitioner, covering: Entrepreneurial practice (including business intelligence, intellectual property rights, emerging markets, business funding, and business networking) Management practice (including the security function's move from basement to boardroom, fitting security into the wider context of organizational resilience, security management leadership, adding value, and professional proficiency) Legislation and regulation (including relevant UK and international laws such as the Human Rights Act 1998, the Data Protection Act 1998 and the Geneva Conventions) Private investigations (including surveillance techniques, tracing missing people, witness statements and evidence, and surveillance and the law) Information and cybersecurity (including why information needs protection, intelligence and espionage, cybersecurity 
threats, and mitigation approaches such as the ISO 27001 standard for information security management) Protective security (including risk assessment methods, person-focused threat assessments, protective security roles, piracy, and firearms) Safer business travel (including government assistance, safety tips, responding to crime, kidnapping, protective approaches to travel security and corporate liability) Personal and organizational resilience (including workplace initiatives, crisis management, and international standards such as ISO 22320, ISO 22301 and PAS 200) Featuring case studies, checklists, and helpful chapter summaries, The Security Consultant's Handbook aims to be a practical and enabling guide for security officers and contractors. Its purpose is to plug information gaps or provoke new ideas, and provide a real-world support tool for those who want to offer their clients safe, proportionate, and value-driven security services. About the author Richard Bingley is a senior lecturer in security and organizational resilience at Buckinghamshire New University, and co-founder of CSARN, the popular business security advisory network. He has more than fifteen years' experience in a range of high-profile security and communications roles, including as a close protection operative at London's 2012 Olympics and in Russia for the 2014 Winter Olympic Games. He is a licensed close protection operative in the UK, and holds a postgraduate certificate in teaching and learning in higher education. Richard is the author of two previous books: Arms Trade: Just the Facts (2003) and Terrorism: Just the Facts (2004).

Information Security a Practical Guide - Bridging the Gap Between IT and Management (Paperback): It Governance Publishing Information Security a Practical Guide - Bridging the Gap Between IT and Management (Paperback)
It Governance Publishing
R1,048 Discovery Miles 10 480 Ships in 10 - 15 working days

How do you engage with your peers when they think you're there to stop them working? Corporate information security is often hindered by a lack of adequate communication between the security team and the rest of the organisation. Information security affects the whole company and is a responsibility shared by all staff, so failing to obtain wider acceptance can endanger the security of the entire organisation. Many consider information security a block, not a benefit, however, and view security professionals with suspicion if not outright hostility. As a security professional, how can you get broader buy-in from your colleagues? Information Security: A Practical Guide addresses that issue by providing an overview of basic information security practices that will enable your security team to better engage with their peers to address the threats facing the organisation as a whole. Product overview Covering everything from your first day at work as an information security professional to developing and implementing enterprise-wide information security processes, Information Security: A Practical Guide explains the basics of information security, and how to explain them to management and others so that security risks can be appropriately addressed. 
Topics covered include: How to understand the security culture of the organisation Getting to know the organisation and building relationships with key personnel How to identify gaps in the organisation's security set-up The impact of compromise on the organisation Identifying, categorising and prioritising risks The five levels of risk appetite and how to apply risk treatments via security controls Understanding the threats facing your organisation and how to communicate them How to raise security awareness and engage with specific peer groups System mapping and documentation (including control boundaries and where risks exist) The importance of conducting regular penetration testing and what to do with the results Information security policies and processes A standards-based approach to information security If you're starting a new job as an information security professional, Information Security: A Practical Guide contains all you need to know. About the author Tom Mooney has over ten years' IT experience working with sensitive information. His current role is as a security risk advisor for the UK Government, where he works with project teams and the wider organisation to deliver key business systems securely. His key responsibility is to act as an intermediary between management and IT teams to ensure appropriate security controls are put in place. His extensive experience has led him to develop many skills and techniques to converse with people who are not technical or information security experts. Many of these skills and techniques are found in this book. He has a BSc (Hons) in information and computer security, and is also a CESG certified professional.

Reviewing IT in Due Diligence - Are You Buying an IT Asset or Liability? (Paperback)
Bryan Altimas, Christopher Wright; Edited by IT Governance Publishing
R428 Discovery Miles 4 280 Ships in 12 - 17 working days

Mergers and acquisitions - are you getting an IT asset or liability? "I found this book very interesting. Due diligence is one of those functions that happens way before us 'IT'ers' get involved and so this is a useful insight into the work that happens up front and the evidence we can obtain for our work even if we were not involved in the initial due diligence." Chris Evans, ITSM Specialist "Being new to this subject I found the guidance solid and presented in an excellent style. I found it an excellent and informative read." Brian Johnson, CA When you merge with or acquire another business, you also gain their IT and data. In an ideal world this integration would be seamless and easy. In reality, however, this is often not the case. Mergers can, for example, lead to the loss of sales systems or to badly configured data. The problems don't stop in the computer room, either - they affect the whole of the business and the success of the merger/acquisition. Don't make a risky mistake Businesses and investors use due diligence reviews to ensure such deals do not have nasty hidden surprises. Many overlook the IT systems and services of the businesses they are acquiring, however, and push information risk management (IRM) professionals to the sidelines in the due diligence process. In a world of increasing cyber attacks and information security threats, this can be a very risky mistake to make. Product overview Reviewing IT in Due Diligence provides an introduction to IRM in due diligence, and outlines some of the key IT issues to consider as part of the due diligence process. For those new to the process, it explains how to conduct an IT due diligence review, from scoping to reporting, and includes information on post-merger integration to realise business benefits from the deal. 
For more experienced practitioners, Reviewing IT in Due Diligence provides fresh insight into the process, highlighting issues that need to be addressed, and provides a business case for IRM involvement in the due diligence process. Topics covered include: Why IT is important to due diligence The importance of IT security System reviews and data reviews Reviewing projects and changes in progress IT service provision value for money IT due diligence reporting Post-merger integration Comprehensive case studies are included throughout the book. About the authors Bryan Altimas has over 32 years' experience of technology risk management, having led teams performing technology due diligence, and having advised organisations in numerous business sectors, locations and circumstances on the effectiveness of their technology strategy in delivering business objectives. He is a qualified accountant, Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC). He left KPMG in 2014 after 17 years, having contributed to their IT due diligence methodology. Chris Wright is a qualified accountant and Certified Information Systems Auditor (CISA) with over 30 years' experience providing financial and IT advisory and risk management services. He worked for 16 years at KPMG, where he managed a number of IT due diligence reviews and was head of information risk training in the UK. He has also worked in a wide range of industry sectors including oil and gas, small and medium enterprises, public sector, aviation and travel. He is the author of Agile Governance and Audit, which is also available from ITGP. Understand the key IT issues that need to be considered in the due diligence process - buy this book now.

Artificial Intelligence - Ethical, Social and Security Impacts for the Present and the Future (Paperback)
IT Governance Publishing
R1,278 Discovery Miles 12 780 Ships in 10 - 15 working days

A global perspective on AI This book will provide a global perspective on AI and the challenges it represents, and will focus on the digital ethics surrounding AI technology.

The Art of Cyber Security - A Practical Guide to Winning the War on Cyber Crime (Paperback)
IT Governance Publishing
R1,111 Discovery Miles 11 110 Ships in 10 - 15 working days

This book is about cyber security. In Part 1, the author discusses his thoughts on the cyber security industry and how those that operate within it should approach their role with the mindset of an artist. Part 2 explores the work of Sun Tzu's The Art of War.
