Information Assurance

Managing Organizational IT Security Risks


  • Joseph Boyce, Employee of the Department of Defense
  • Daniel Jennings, Information Systems Security Manager, European Command (EUCOM)

Written by two INFOSEC experts, this book provides a systematic and practical approach for establishing, managing and operating a comprehensive Information Assurance program. It is designed to provide ISSO managers, security managers, and INFOSEC professionals with an understanding of the essential issues required to develop and apply a targeted information security posture to both public and private corporations and government-run agencies. There is a growing concern among all corporations and within the security industry to come up with new approaches to measure an organization's information security risks and posture. Information Assurance explains and defines the theories and processes that will help a company protect its proprietary information, including:

  • The need to assess the current level of risk.
  • The need to determine what can impact the risk.
  • The need to determine how risk can be reduced.

The authors lay out a detailed strategy for defining information security, establishing IA goals, providing training for security awareness, and conducting airtight incident response to system compromise. Such topics as defense in depth, configuration management, IA legal issues, and the importance of establishing an IT baseline are covered in depth from an organizational and managerial decision-making perspective.

Security Managers, INFOSEC Managers, Operational Managers, Information and Operational System Auditors, IT System Administrators and IT Network Managers.


Book information

  • Published: June 2002
  • ISBN: 978-0-7506-7327-3


Information security experts with the Department of Defense, authors Joseph Boyce and Dan Jennings outline the steps needed to develop an information assurance plan to protect an organization’s knowledge and information. Though the authors’ backgrounds are in government, the book is as applicable to protecting proprietary corporate information as it is to safeguarding classified government data. Perhaps the best resource in the book is the wealth of references cited, leading the reader to a trove of additional information. It is a high-level overview of the necessary elements of an effective information-assurance plan and strategy, written in such a way that it can be used to explain the fundamentals to management. – Security Management

Table of Contents

Section I - The Organizational IA Program: The Practical and Conceptual Foundation

  • Ch. 1 IA and the Organization: The Challenges
  • Ch. 2 Basic Security Concepts, Principles, and Strategy

Section II - Defining the Organization's Current IA Posture

  • Ch. 3 Determining the Organization's IA Baseline
  • Ch. 4 Determining IT Security Priorities
  • Ch. 5 The Organization's IA Posture

Section III - Establishing and Managing an IA Defense In Depth Strategy within an Organization

  • Ch. 6 Layer 1: IA Policies
  • Ch. 7 Layer 2: IA Management
  • Ch. 8 Layer 3: IA Architecture
  • Ch. 9 Layer 4: Operational Security Administration
  • Ch. 10 Layer 5: Configuration Management
  • Ch. 11 Layer 6: Life-Cycle Security
  • Ch. 12 Layer 7: Contingency Planning
  • Ch. 13 Layer 8: IA Education, Training, and Awareness
  • Ch. 14 Layer 9: IA Policy Compliance Oversight
  • Ch. 15 Layer 10: IA Incident Response
  • Ch. 16 Layer 11: IA Reporting

Appendix