Security Program and Policies ─ Principles and Practices

This is the first complete, up-to-date, hands-on guide to creating effective information security policies and procedures. It introduces essential security policy concepts and their rationale, thoroughly covers information security regulations and frameworks, and presents best-practice policies specific to industry sectors, including finance, healthcare and small business. Ideal for both InfoSec students and practitioners, it covers all facets of Security Education, Training & Awareness (SETA), illuminates key concepts through real-life examples. Coverage includes:

• InfoSec program objectives, elements, domains, and governance
• A complete introduction to risk management
• Proven techniques for policy development and implementation
• Establishing a layered defense
• Implementing operational, personnel, and vendor security
• Responding to incidents and ensuring continuation of operations
• Auditing and monitoring security on an ongoing basis
• Meeting unique legal and regulatory environments, including GLBA, HIPAA/HITECH, FISMA, state data security and notification rules, and PCI-DSS

This guide also contains easily-adapted sample Employee Affirmation Statements, and links to authoritative, up-to-date additional resources.

Sari Greene is an information security practitioner, author, and entrepreneur. She founded Sage Data Security in 2002 and has amassed thousands of hours in the field working with a spectrum of technical, operational, and management personnel as well as board of directors, regulators, and service providers. Sari provided expert witness testimony in the groundbreaking PATCO v. Ocean National Bank case. From 2006 through 2010, she served as the managing director for the MEAPC, a coalition of 24 financial institutions that embrace a mission of preventing information theft and fraud through public education and awareness. Since 2010, she has served as the chair of the annual Cybercrime Symposium held in Portsmouth, New Hampshire. Sari’s first text was Tools and Techniques for Securing Microsoft Networks, commissioned by Microsoft to train its partner channel, followed soon after by the first edition of Security Policies and Procedures: Principles and Practices. She has published a number of articles and whitepapers related to information security and has been quoted in The New York Times, Wall Street Journal, CNN, and on CNBC. She speaks regularly at security conferences and workshops around the country and is a frequent guest lecturer. Sari has an MBA from the University of New Hampshire system and has earned an array of government and industry certifications and accreditations, including ISACA Certification in Risk and Information Systems Control (CRISC), ISACA Certification in Security Management (CISM), ISC2 Certification in Information Systems Security (CISSP), and Microsoft Certified Network Engineer (MCSE), and is certified by the National Security Agency to conduct NSA-IAM assessments for federal government agencies and contractors. You can contact Sari at sari@sarigreene.com or follow her on Twitter @sari_greene.