How this Book Is Laid Out
This book follows a chronological progression of building a security program and getting ready for audit.
Part I: Getting a Handle on Things. A good way to develop a security program is to design with an audit in mind to focus attention and to ensure that all controls work as described. This section covers the audit focus, asset analysis, risk assessment, and scope design.
Part II: Wrangling the Organization. This section includes chapters on how to design, nurture, and incorporate an IT security program into a dynamic organization over time. You rarely have a chance to design a program when a new company is formed. Most companies are born without security and need it
added later as they grow and experience more security incidents. A security professional is always growing and trimming their program to fit the needs of their organization. These chapters cover everything from high-level governance to how you work with the various teams.
Part III: Managing Risk with Controls. Once the risk and scope are fleshed out, controls can be applied to reduce the risk. These series of chapters cover the various types of controls and how you
can best implement them. This is the biggest section, starting with control design and moving into the implementation details of technical and physical controls.
Part IV: Being Audited. This section covers the process of being audited. Its chapters describe how to hire an auditor and the mechanics of various types of formal audits. It also covers the healing power of internal audits and the auditing of your organization’s critical partners and suppliers.