Many companies fail to carry out any business continuity exercising. This book explains why validating your BCP is essential to your business's survival, and describes the component parts of a validation programme, with case studies and expert guidance.
ISO 9001:2015 - A Pocket Guide provides a useful introduction to ISO 9001 and the principles of quality management.
A concise introduction to the EU GDPR

The EU General Data Protection Regulation (GDPR) will unify data protection and simplify the use of personal data across the EU from 25 May 2018, when it will automatically supersede member states' domestic data protection laws. It will also apply to every organisation in the world that processes personal information of EU residents. The Regulation introduces a number of key changes for all organisations that process EU residents' personal data. EU GDPR: A Pocket Guide provides an essential introduction to this new data protection law, explaining the Regulation and setting out the compliance obligations for EU organisations.

Product overview

EU GDPR - A Pocket Guide sets out:
- A brief history of data protection and national data protection laws in the EU (such as the German BDSG, French LIL and UK DPA).
- The terms and definitions used in the GDPR, including explanations.
- The key requirements of the GDPR, including:
  - which fines apply to which Articles;
  - the six principles that should be applied to any collection and processing of personal data;
  - the Regulation's applicability;
  - data subjects' rights;
  - data protection impact assessments (DPIAs);
  - the role of the data protection officer (DPO) and whether you need one;
  - data breaches, and the notification of supervisory authorities and data subjects;
  - obligations for international data transfers.
- How to comply with the Regulation, including:
  - understanding your data, and where and how it is used (e.g. Cloud suppliers, physical records);
  - the documentation you need to maintain (such as statements of the information you collect and process, records of data subject consent, processes for protecting personal data);
  - the "appropriate technical and organisational measures" you need to take to ensure your compliance with the Regulation.
- A full index of the Regulation, enabling you to find relevant Articles quickly and easily.
About the author

Alan Calder, the founder and executive chairman of IT Governance Ltd, is an internationally acknowledged cyber security expert, and a leading author on information security and IT governance issues. He co-wrote the definitive compliance guide IT Governance: An International Guide to Data Security and ISO27001/ISO27002, which is the basis for the Open University's postgraduate course on information security, and has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). Alan has consulted on data security for numerous clients in the UK and abroad, and is a regular media commentator and speaker.

Quickly understand your new obligations under the EU GDPR, and learn what steps you need to take to avoid costly fines.
A compendium of essential information for the modern security entrepreneur and practitioner

The modern security practitioner has shifted from a predominantly protective site and assets manager to a leading contributor to overall organizational resilience. Accordingly, The Security Consultant's Handbook sets out a holistic overview of the essential core knowledge, emerging opportunities, and approaches to corporate thinking that are increasingly demanded by employers and buyers in the security market. This book provides essential direction for those who want to succeed in security, either individually or as part of a team. It also aims to stimulate some fresh ideas and provide new market routes for security professionals who may feel that they are underappreciated and overexerted in traditional business domains.

Product overview

Distilling the author's fifteen years' experience as a security practitioner, and incorporating the results of some fifty interviews with leading security practitioners and a review of a wide range of supporting business literature, The Security Consultant's Handbook provides a wealth of knowledge for the modern security practitioner, covering:
- Entrepreneurial practice (including business intelligence, intellectual property rights, emerging markets, business funding, and business networking)
- Management practice (including the security function's move from basement to boardroom, fitting security into the wider context of organizational resilience, security management leadership, adding value, and professional proficiency)
- Legislation and regulation (including relevant UK and international laws such as the Human Rights Act 1998, the Data Protection Act 1998 and the Geneva Conventions)
- Private investigations (including surveillance techniques, tracing missing people, witness statements and evidence, and surveillance and the law)
- Information and cybersecurity (including why information needs protection, intelligence and espionage, cybersecurity threats, and mitigation approaches such as the ISO 27001 standard for information security management)
- Protective security (including risk assessment methods, person-focused threat assessments, protective security roles, piracy, and firearms)
- Safer business travel (including government assistance, safety tips, responding to crime, kidnapping, protective approaches to travel security and corporate liability)
- Personal and organizational resilience (including workplace initiatives, crisis management, and international standards such as ISO 22320, ISO 22301 and PAS 200)

Featuring case studies, checklists, and helpful chapter summaries, The Security Consultant's Handbook aims to be a practical and enabling guide for security officers and contractors. Its purpose is to plug information gaps or provoke new ideas, and provide a real-world support tool for those who want to offer their clients safe, proportionate, and value-driven security services.

About the author

Richard Bingley is a senior lecturer in security and organizational resilience at Buckinghamshire New University, and co-founder of CSARN, the popular business security advisory network. He has more than fifteen years' experience in a range of high-profile security and communications roles, including as a close protection operative at London's 2012 Olympics and in Russia for the 2014 Winter Olympic Games. He is a licensed close protection operative in the UK, and holds a postgraduate certificate in teaching and learning in higher education. Richard is the author of two previous books: Arms Trade: Just the Facts (2003) and Terrorism: Just the Facts (2004).
OSINT is a rapidly evolving approach to intelligence collection, and its wide application makes it a useful methodology for numerous practices, including within the criminal investigation community. The Tao of Open Source Intelligence is your guide to the cutting edge of this information collection capability.
Passwords are not enough

A password is a single authentication factor - anyone who has it can use it. No matter how strong it is, if it's lost or stolen it's entirely useless at keeping private information private. To secure your data properly, you also need to use a separate, secondary authentication factor.

Data breaches are now commonplace

In recent years, large-scale data breaches have increased dramatically in both severity and number, and the loss of personal information - including password data - has become commonplace. Add to this the fact that rapidly evolving password-cracking technology and the habitual use - and reuse - of weak passwords has rendered the security of username and password combinations negligible, and you have a very strong argument for more robust identity authentication methods. Consumers are beginning to realise just how exposed their personal and financial information is, and are demanding better security from the organisations that collect, process and store it, which in turn has led to a rise in the uptake of two-factor authentication (TFA or 2FA). In the field of authentication security, the method of proving identity can be broken down into three factor classes - roughly summarised as 'what you have', 'what you are', and 'what you know'. Two-factor authentication relies on the combination of two of these factors.

Product overview

TFA is nothing new. It's mandated by requirement 8.3 of the Payment Card Industry Data Security Standard (PCI DSS) and banks have been using it for years, combining payment cards ('what you have') and PINs ('what you know'). If you use online banking you'll probably also have a chip authentication programme (CAP) keypad, which generates a one-time password (OTP). What is new is TFA's rising uptake beyond the financial sector.

Two-Factor Authentication provides a comprehensive evaluation of popular secondary authentication methods, such as:
* Hardware-based OTP generation
* SMS-based OTP delivery
* Phone call-based mechanisms
* Geolocation-aware authentication
* Push notification-based authentication
* Biometric authentication factors
* Smart card verification

as well as examining MFA (multi-factor authentication), 2SV (two-step verification) and strong authentication (authentication that goes beyond passwords, using security questions or layered security).

The book also discusses the wider application of TFA for the average consumer, for example at such organisations as Google, Amazon and Facebook, as well as considering the future of multi-factor authentication, including its application to the Internet of Things (IoT). Increasing your password strength will do absolutely nothing to protect you from online hacking, phishing attacks or corporate data breaches. If you're concerned about the security of your personal and financial data, you need to read this book.
Applying the Data Protection Act to the Cloud

The UK's Data Protection Act 1998 (DPA) applies to the whole lifecycle of information, from its original collection to its final destruction. Failure to comply with the DPA's eight principles could lead to claims for compensation from affected individuals and financial penalties of up to 000 from the Information Commissioner's Office, not to mention negative publicity and reputational damage.

An expert introduction

More than 85% of businesses now take advantage of Cloud computing, but Cloud computing does not sit easily with the DPA. Data Protection and the Cloud addresses that issue, providing an expert introduction to the legal and practical data protection risks involved in using Cloud services. Data Protection and the Cloud highlights the risks an organisation's use of the Cloud might generate, and offers the kind of remedial measures that might be taken to mitigate those risks.

Topics covered include:
- Protecting the confidentiality, integrity and accessibility of personal data
- Data protection responsibilities
- The data controller/data processor relationship
- How to choose Cloud providers
- Cloud security - including two-factor authentication, data classification and segmentation
- The increased vulnerability of data in transit
- The problem of BYOD (bring your own device)
- Data transfer abroad, US Safe Harbor and EU legislation
- Relevant legislation, frameworks and guidance, including:
  - the EU General Data Protection Regulation
  - Cloud computing standards
  - the international information security standard, ISO 27001
  - the UK Government's Cyber Essentials scheme and security framework
  - CESG's Cloud security management principles
  - guidance from the Information Commissioner's Office and the Open Web Application Security Project (OWASP)

Mitigate the security risks

Mitigating security risks requires a range of combined measures to be used to provide end-to-end security. Moving to the Cloud does not solve security problems, it just adds another element that must be addressed. Data Protection and the Cloud provides information on how to do so while meeting the DPA's eight principles.
This book is intended for application developers, system administrators and operators, as well as networking professionals who need a comprehensive top-level view of web application security in order to better defend and protect both the "web" and the "application" against potential attacks.
Provides an insight into the changing role and responsibilities of the ISM, walking you through a typical ISM's year and using the role of project manager on a programme of change to highlight the various incidents and issues that arise on an almost daily basis - and often go unnoticed.
Reviewing IT in Due Diligence provides an introduction to IRM in due diligence, and outlines some of the key IT issues to consider as part of the due diligence process. For those new to the process, it explains how to conduct an IT due diligence review, from scoping to reporting, and includes information on post-merger integration.
Protect your organisation by building a security-minded culture

"With this book, Kai Roer has taken his many years of cyber experience and provided those with a vested interest in cyber security a firm basis on which to build an effective cyber security training programme."
Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute, Washington, D.C.

Human nature - easy prey for hackers?

Human behaviour is complex and inconsistent, making it a rich hunting ground for would-be hackers and a significant risk to the security of your organisation. An effective way to address this risk is to create a culture of security. Using the psychology of group behaviour and explaining how and why people follow social and cultural norms, the author highlights the underlying cause for many successful and easily preventable attacks.

An effective framework for behavioural security

In this book Kai Roer presents his Security Culture Framework, and addresses the human and cultural factors in organisational security. The author uses clear, everyday examples and analogies to reveal social and cultural triggers that drive human behaviour. He explains how to manage these threats by implementing an effective framework for an organisational culture, ensuring that your organisation is set up to repel malicious intrusions and threats based on common human vulnerabilities.

Contents
- What is security culture?
- The elements of security culture
- How does security culture relate to security awareness?
- Asking for help raises your chances of success
- The psychology of groups and how to use it to your benefit
- Measuring culture
- Building security culture

About the author

Kai Roer is a management and security consultant and trainer with extensive international experience from more than 30 countries around the world. He is a guest lecturer at several universities, and the founder of The Roer Group, a European management consulting group focusing on security culture. Kai has authored a number of books on leadership and cyber security, has been published extensively in print and online, has appeared on radio and television, and has featured in printed media. He is a columnist at Help Net Security and has been the Cloud Security Alliance Norway chapter president since 2012. Kai is a passionate public speaker who engages his audience with his entertaining style and deep knowledge of human behaviours, psychology and cyber security. He is a Fellow of the National Cybersecurity Institute and runs a blog on information security and culture (roer.com). Kai is the host of Security Culture TV, a monthly video and podcast.

Series information

Build a Security Culture is part of the Fundamentals Series, co-published by IT Governance Publishing and Information Security Buzz.
Do you trust the Cloud? Should you trust the Cloud?

'Cloud Computing' are the words on everyone's lips - it's the latest technology, the way forward. But how safe is it? Is it reliable? How secure will your information be?

Questions ...

Cloud Computing: Assessing the risks answers these questions and many more. Using jargon-free language and relevant examples, analogies and diagrams, it is an up-to-date, clear and comprehensive guide to the security, governance, risk, and compliance elements of Cloud Computing. Written by three internationally renowned experts, this book discusses the primary concerns of most business leaders - the security and risk elements of the Cloud. But 'security and risk' are just two elements of Cloud Computing, and this book focuses on all the critical components of a successful cloud programme including - compliance, risk, reliability, availability, areas of responsibility, Cloud Computing borders, legalities, digital forensics and business continuity. This book covers them all.

... and answers

This book will enable you to:
- understand the different types of Cloud and know which is the right one for your business
- have realistic expectations of what a Cloud service can give you, and enable you to manage it in the way that suits your business
- minimise potential disruption by successfully managing the risks and threats
- make appropriate changes to your business in order to seize opportunities offered by Cloud
- set up an effective governance system and benefit from the consequential cost savings and reductions in expenditure
- understand the legal implications of international data protection and privacy laws, and protect your business against falling foul of such laws
- appreciate how the Cloud can benefit your business continuity and disaster recovery planning.
This practical guide recognises that every organisation functions differently, has different goals, and faces different challenges. It will give you the tools you need to understand the factors influencing your organisation, to identify how your business must respond, and to implement the necessary changes.
The Agile auditing challenge

Many auditors are now encountering Agile management methodologies for the first time. In some cases, this can cause problems for the audit process because the methodology is very different from traditional approaches. Aside from the difficulties faced by the auditor, an ineffective audit can have a negative effect on an Agile project by giving a false impression of its progress. It might even harm the final project outcome.

Bridging the gap between Agile teams and auditors

Written for auditors and Agile managers, Agile Governance and Audit bridges the gap between traditional auditing approaches and the requirements of Agile methodologies. It provides an overview of Agile for auditors and other risk professionals who have not encountered the approach before. The book also tells Agile teams what auditors and risk professionals need, and the sort of questions they are likely to ask.

Essential reading for anyone involved in an Agile audit

Each chapter includes hints and tips for auditors, and a selection of case studies is included to illustrate the practical issues involved in auditing Agile projects. This makes it an ideal book for any auditor encountering the Agile methodology, and any Agile teams preparing for a management audit.

This book will enable you to:
- understand the principles of Agile
- appreciate how it might be effectively audited
- improve communication between the auditor and the Agile team.

Read this book to understand how to get the most out of Agile audits, whatever your role.
Are your internal audits adding value? Organizations hoping to comply with any of the International Standards for management systems (e.g. ISO9001, ISO27001) must carry out internal audits. However, the requirements set down by accreditation bodies for auditor courses make little distinction between internal and external audit programs. As a result, many organizations instruct their internal auditors using resources designed for external auditors. Such internal audit programs often fail to develop beyond simple compliance monitoring, and risk becoming 'box-ticking' exercises, adding little value to the organization. This book provides a model for the management and implementation of internal audits that moves beyond simple compliance to ISO requirements and turns the internal audit into a transformational tool that the organization can use to assist with the management of risk, and implement improvements to management systems. It shows you how you can transform your internal auditing process to become a tool for development and continual improvement in your management systems. Buy this book and start adding value to your internal auditing program.
Uses the principles of IT service management to create a framework for professional development.
What if you suffer an information security breach?

Many titles explain how to reduce the risk of information security breaches. Nevertheless breaches do occur, even to organisations that have taken all reasonable precautions. Information Security Breaches - Avoidance and treatment based on ISO27001:2013 helps you to manage this threat by detailing what to do as soon as you discover a breach.

Be prepared, be prompt, be decisive

When your organisation's security is compromised, you cannot afford to waste time deciding how to resolve the issue. You must be ready to take prompt and decisive action. Updated to cover ISO27001:2013, this second edition gives you clear guidance on how to treat an information security breach and tells you the plans and procedures you have to put in place to minimise damage and return to business as usual.

A recovery plan will help you to:
- recover, and resume normal operations, more quickly
- preserve customer confidence by quickly resolving service disruption
- secure evidence to help with any criminal investigation and improve your chances of catching those responsible.

Read this guide and find out how to manage in the face of a data breach.
Bridges the knowledge gap between ISO27001 managers and Windows(R) security specialists. Covers Windows(R) 8 and Microsoft(R) Windows Server(R) 2012.
The story of fictional ITSM practitioner Chris as he faces the challenge of transforming behaviour to achieve business goals. Previously published as "No One of Us is as Strong as all of Us".
Agile Productivity Unleashed: Proven approaches for achieving real productivity gains in any organization introduces every industry sector to the Agile approaches that have dramatically improved the IT, product development and manufacturing sectors over the past two decades. Agile Productivity Unleashed clearly explains how the key principles of Agile approaches can be used to significantly increase productivity, quality and customer satisfaction in any organization. Written in non-technical language specifically for business professionals, this book is an essential tool for anyone whose job it is to deliver high-quality results on time and on budget.
Deconstructs many of the major disasters from the last thirty years, giving essential insights for anyone involved in business continuity planning or disaster recovery.
CyberWar, CyberTerror, CyberCrime and CyberActivism encourages cybersecurity professionals to take a wider view of what cybersecurity means and to make the most of international standards and best practice to create a culture of cybersecurity awareness that complements technology-based defenses.
Establish a disaster recovery plan and minimise the risks to your business.
Practical guidance on COBIT(R)5 implementation

COBIT (Control Objectives for Information and related Technology) is the latest release of the popular framework for the governance of enterprise IT. It links controls, technical issues and business risks, enabling managers to manage the risks associated with business goals.

Covers all key concepts of COBIT

Written for IT service managers, consultants and other practitioners in IT governance, risk and compliance, this practical book discusses all the key concepts of COBIT, and explains how to direct the governance of enterprise IT (GEIT) using the COBIT framework. The book also covers the main frameworks and standards supporting GEIT, discusses the ideas of enterprise and governance, and shows the path from corporate governance to the governance of enterprise IT.

Drawing on more than 30 years of experience in the IT sector, the author explains crucial concepts, including:
- the key elements of COBIT, the 5 principles, 7 enablers and the goals cascade
- the structure of the 37 COBIT processes
- the implementation of GEIT using COBIT and an implementation lifecycle
- the COBIT Process Assessment Model (PAM) - the approach to process assessment of COBIT processes based on International Standard ISO/IEC 15504.

Prepare for the COBIT Foundation exam

For those studying for the COBIT qualifications, Governance of Enterprise IT based on COBIT covers all the material needed for the COBIT Foundation course, making it invaluable to anyone planning to take the exam. Read this book and get to grips with COBIT today.
Effective time-management techniques to revolutionise the way you work

Do you struggle to get everything done in the time you have available? Are you deluged with interruptions to your work flow? Do you find it difficult to prioritise your tasks and wish you were more organised?

Today's working environment moves at a very fast pace and, at times, it can be difficult to keep up. Expectations are high, and there are so many things competing for our attention. On top of the workload, we're interrupted by the phone ringing, e-mails landing in the inbox, people dropping in the office and, before we know it, the day has passed and we've only achieved half of what we intended to do.

If any of this sounds familiar, then this book is for you! Essential Time Management and Organisation will help you transform the way you work and regain control of your working day. This clear and concise guide offers tried and tested techniques for organising your time and achieving your goals.

Be more productive

Drawing on current best practice and personal experience, Sarah Cook shows you how to:
- accomplish more in the working day
- reduce your stress levels by being more organised
- get things done efficiently and effectively
- enjoy a reputation as a highly-efficient member of the team.

Improve your working practices

With the help of clear diagrams, checklists and models, this pocket guide will enable you to:
- transform your methods of working
- prioritise your tasks
- follow the 4D model for dealing with e-mails
- take full advantage of your most productive time of day
- manage interruptions
- eliminate timewasters
- delegate effectively - including upwards!

Buy this pocket guide and take charge of your working day.
The truth about integrating Cloud services and ITSM

Cloud functionality increases flexibility and capacity in IT systems, but it also adds complexity and requires a combination of business, financial and technical expertise to make it work effectively. Moreover, organizations often confuse availability with capacity, and assume incorrectly that using cloud services reduces the need to manage these factors.

Lessons from real projects in a narrative format

In Availability and Capacity Management in the Cloud: An ITSM narrative, Daniel McLean's fictional IT service management practitioner, Chris, faces the challenge of integrating cloud services into an ITSM structure. Based on the real-life experience of the author and other ITSM practitioners, this book tells the story of a cloud services implementation, exposing potential pitfalls and exploring how to handle issues that come with such projects.

Tips to help you through your own project

The end-of-chapter pointers give useful advice on dealing with the challenges organizations face when considering cloud services. Read this book and see how Chris meets the challenge of integrating cloud services with ITSM, and how you can do the same. Learn from the successes. Avoid the mistakes.