| Section | Page | Pages |
|---|---|---|
| Acknowledgements | xi | |
| Publisher's acknowledgements | xiii | |
| | 1 | 10 |
| | 1 | 3 |
| Models of security in a business setting | 4 | 3 |
| The structure of the book | 7 | 2 |
| The objectives of the book | 9 | 2 |
| PART 1 THREATS AND RISKS | 11 | 50 |
| | 13 | 19 |
| Placing a value on information | 13 | 2 |
| Business dependence on information systems | 15 | 2 |
| New sources of threats to information systems | 17 | 1 |
| Outsourcing and re-engineering: two decades of change | 18 | 2 |
| The nature and sources of threats | 20 | 7 |
| Internal versus external threats | 27 | 2 |
| | 29 | 3 |
| Risk appraisal and management | 32 | 29 |
| | 32 | 2 |
| | 34 | 3 |
| Decisions about risk: the need for anticipation | 37 | 3 |
| Systematic appraisal of risk: an introduction | 40 | 6 |
| Risk assessment: large organisations | 46 | 7 |
| Risk assessment: smaller organisations | 53 | 2 |
| Costs and benefits of risk reduction | 55 | 3 |
| | 58 | 3 |
| PART 2 CONTROLS FOR INTERNAL SERVICES | 61 | 68 |
| Computerised controls: the organisational context | 63 | 19 |
| | 63 | 1 |
| Information security and control as a responsibility of general management | 64 | 3 |
| Matching control systems to the organisation's structure and culture | 67 | 3 |
| Balancing trust and enforcement | 70 | 3 |
| The limits of trust: the rise of 'social engineering' | 73 | 2 |
| Legitimacy of controls: some issues of probity and surveillance | 75 | 4 |
| Conflicts of loyalty and obligation | 79 | 2 |
| | 81 | 1 |
| | 82 | 25 |
| | 82 | 2 |
| Characteristics of methods of user identification | 84 | 10 |
| System-wide access controls | 94 | 2 |
| Application controls: multiple versus single sign-on | 96 | 3 |
| Constructing and implementing rules for access control | 99 | 2 |
| Access to databases and aggregated data | 101 | 3 |
| Some risk and cost issues | 104 | 1 |
| | 105 | 2 |
| Controls within business processes | 107 | 22 |
| Introduction: transactions and processes | 108 | 2 |
| Input: checks applied to data capture | 110 | 7 |
| | 117 | 2 |
| Output: printers and displays | 119 | 2 |
| Information derived from transactions | 121 | 3 |
| Case study: The FAO Microbanker system - selling secure systems in the Third World | 124 | 2 |
| | 126 | 3 |
| PART 3 CONTROLS FOR NETWORKED SERVICES | 129 | 68 |
| Controls for network communications | 131 | 26 |
| | 132 | 1 |
| Commercial networks: functions and origins | 132 | 2 |
| Eavesdropping on data transmissions | 134 | 2 |
| | 136 | 3 |
| | 139 | 5 |
| Business applications of encryption | 144 | 4 |
| Costs and vulnerabilities of cryptographic methods | 148 | 4 |
| | 152 | 4 |
| | 156 | 1 |
| Managing the security of networked facilities | 157 | 22 |
| | 158 | 1 |
| Maintenance and distribution of cryptographic keys | 159 | 3 |
| PGP, Certification Authorities, and Public Key Infrastructures | 162 | 4 |
| Key storage, escrow and recovery | 166 | 2 |
| Inter-company transactions: EFT, EDI and Electronic Mail | 168 | 2 |
| Trading with the public: Electronic Commerce | 170 | 5 |
| Monitoring and surveillance of networks | 175 | 3 |
| | 178 | 1 |
| Controls for local area networks and small systems | 179 | 18 |
| | 179 | 1 |
| Managing compliance within the local work group | 180 | 2 |
| Controls within office software (1): clerical and administrative applications | 182 | 5 |
| Controls within office software (2): accounting applications | 187 | 3 |
| Viruses, downloads, and other hazards of networked personal computing | 190 | 4 |
| Regulating usage of the Internet | 194 | 1 |
| | 195 | 2 |
| PART 4 BUSINESS CONTINUITY AND ARCHIVING | 197 | 38 |
| | 199 | 23 |
| | 199 | 2 |
| Threats to business continuity | 201 | 2 |
| Physical protection of processors, nodes and terminals | 203 | 2 |
| | 205 | 5 |
| Creating and implementing the Disaster Recovery Plan | 210 | 6 |
| Implications of the proliferation of IT | 216 | 1 |
| Justifying investment in measures for business continuity protection | 217 | 3 |
| | 220 | 2 |
| Controls for archived data | 222 | 13 |
| | 222 | 2 |
| Obsolescence of software and media | 224 | 2 |
| Requirements for archiving of business data | 226 | 2 |
| Authentication of archived files and documents | 228 | 3 |
| Record retention policies | 231 | 2 |
| | 233 | 2 |
| PART 5 COMPUTER AUDIT | 235 | 42 |
| Computer audit: the introduction of new systems | 237 | 11 |
| The role of the computer auditor | 237 | 4 |
| Auditing of systems development | 241 | 1 |
| Non-traditional approaches: packages and end-user computing | 242 | 3 |
| Auditing systems testing and implementation | 245 | 2 |
| | 247 | 1 |
| Computer audit: control of existing systems | 248 | 13 |
| | 248 | 1 |
| Change management and control | 249 | 4 |
| Routine checks and investigations | 253 | 2 |
| Competencies required of computer auditors | 255 | 4 |
| | 259 | 2 |
| | 261 | 16 |
| | 261 | 2 |
| Techniques and procedures to obtain valid computer evidence | 263 | 2 |
| Correlation of data from multiple sources | 265 | 3 |
| Misuse of telecommunications services | 268 | 1 |
| Proof of ownership: electronic watermarks | 269 | 3 |
| The ethics of investigations | 272 | 2 |
| | 274 | 3 |
| PART 6 REGULATION AND STANDARDS | 277 | 28 |
| Standards, codes of practice and regulatory bodies | 279 | 26 |
| Frameworks for regulation | 280 | 5 |
| Certification schemes: BS 7799 and Web Trust | 285 | 2 |
| Technical standards for IS products | 287 | 3 |
| Issues of Data Protection in business systems | 290 | 3 |
| Information systems in the future: some issues of control and regulation | 293 | 6 |
| Appendices | | |
| 1 Twelve Rules of Thumb for Managers | 299 | 2 |
| 2 Useful Internet addresses | 301 | 4 |
| Glossary | 305 | 8 |
| References | 313 | 10 |
| Index | 323 | |