Information Security Governance Simplified: From the Boardroom to the Keyboard, 1st Edition (Hardback) book cover

Information Security Governance Simplified

From the Boardroom to the Keyboard, 1st Edition

By Todd Fitzgerald

CRC Press

431 pages | 34 B/W Illus.

Purchasing Options:$ = USD
Hardback: 9781439811634
pub: 2011-12-20
SAVE ~$18.19
eBook (VitalSource) : 9780429131905
pub: 2016-04-19
from $45.48

FREE Standard Shipping!


Security practitioners must be able to build cost-effective security programs while also complying with government regulations. Information Security Governance Simplified: From the Boardroom to the Keyboard lays out these regulations in simple terms and explains how to use control frameworks to build an air-tight information security (IS) program and governance structure.

Defining the leadership skills required by IS officers, the book examines the pros and cons of different reporting structures and highlights the various control frameworks available. It details the functions of the security department and considers the control areas, including physical, network, application, business continuity/disaster recover, and identity management.

Todd Fitzgerald explains how to establish a solid foundation for building your security program and shares time-tested insights about what works and what doesn’t when building an IS program. Highlighting security considerations for managerial, technical, and operational controls, it provides helpful tips for selling your program to management. It also includes tools to help you create a workable IS charter and your own IS policies. Based on proven experience rather than theory, the book gives you the tools and real-world insight needed to secure your information while ensuring compliance with government regulations.


Todd Fitzgerald’s new book, Information Security Governance Simplified: From the Boardroom to the Keyboard, presents 15 chapters of advice and real-world experience on how to handle the roll out of an effective program …. Todd has taken the time to include for the reader some practical security considerations for managerial, technical, and operational controls. This is followed up with a discussion on how legal issues are impacting the information security program.

Tom Peltier, CISSP

Table of Contents

Getting Information Security Right: Top to Bottom

Information Security Governance

Tone at the Top

Tone at the Bottom

Governance, Risk, and Compliance (GRC)

The Compliance Dilemma

Suggested Reading

Developing Information Security Strategy

Evolution of Information Security

Organization Historical Perspective

Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt

Understand the External Environment



Emerging Threats

Technology Cost Changes

External Independent Research

The Internal Company Culture

Risk Appetite


Collaborative versus Authoritative

Trust Level

Growth Seeker or Cost Cutter

Company Size

Outsourcing Posture

Prior Security Incidents, Audits

Security Strategy Development Techniques

Mind Mapping

SWOT Analysis

Balanced Scorecard

Face-to-Face Interviews

Security Planning



Operational/Project Plans

Suggested Reading

Defining the Security Management Organization

History of the Security Leadership Role Is Relevant

The New Security Officer Mandate

Day 1: Hey, I Got the Job!

Security Leader Titles

Techie versus Leader

The Security Leaders Library

Security Leadership Defined

Security Leader Soft Skills

Seven Competencies for Effective Security Leadership

Security Functions

Learning from Leading Organizations

What Functions Should the Security Officer Be Responsible For?

Assessing Risk and Determining Needs Functions

Implement Policies and Control Functions

Promote Awareness Functions

Monitor and Evaluate Functions

Reporting Model

Suggested Reading

Interacting with the C-Suite

Communication between the CEO, CIO, Other Executives, and CISO

13 "Lucky" Questions to Ask One Another

The CEO, Ultimate Decision Maker

The CEO Needs to Know Why

The CIO, Where Technology Meets the Business

CIO’s Commitment to Security Important

The Security Officer, Protecting the Business

The CEO, CIO, and CISO Are Business Partners

Building Grassroots Support through an Information Security Council

Establishing the Security Council

Appropriate Security Council Representation

"-Inging" the Council: Forming, Storming, Norming, and Performing

Integration with Other Committees

Establish Early, Incremental Success

Let Go of Perfectionism

Sustaining the Security Council

End User Awareness

Security Council Commitment

Suggested Reading

Managing Risk to an Acceptable Level

Risk in Our Daily Lives

Accepting Organizational Risk

Just Another Set of Risks

Management Owns the Risk Decision

Qualitative versus Quantitative Risk Analysis

Risk Management Process

Risk Analysis Involvement

Step 1: Categorize the System

Step 2: Identify Potential Dangers (Threats)

Step 3: Identify Vulnerabilities That Could Be Exploited

Step 4: Identify Existing Controls

Step 5: Determine Exploitation Likelihood Given Existing Controls

Step 6: Determine Impact Severity

Step 7: Determine Risk Level

Step 8: Determine Additional Controls

Risk Mitigation Options

Risk Assumption

Risk Avoidance

Risk Limitation

Risk Planning

Risk Research

Risk Transference


Suggested Reading

Creating Effective Information Security Policies

Why Information Security Policies Are Important

Avoiding Shelfware

Electronic Policy Distribution

Canned Security Policies

Policies, Standards, Guidelines Definitions

Policies Are Written at a High Level


Security Policy Best Practices

Types of Security Policies





Combination of Policies, Standards, Baselines, Procedures, and Guidelines

An Approach for Developing Information Security Policies

Utilizing the Security Council for Policies

The Policy Review Process

Information Security Policy Process

Suggested Reading

Security Compliance Using Control Frameworks

Security Control Frameworks Defined

Security Control Frameworks and Standards Examples

Heath Insurance Portability and Accountability Act (HIPAA)

Federal Information Security Management Act of 2002 (FISMA)

National Institute of Standards and Technology(NIST) Recommended Security Controls for Federal Information Systems (800-53)

Federal Information System Controls Audit Manual (FISCAM)

ISO/IEC 27001:2005 Information Security Management Systems—Requirements

ISO/IEC 27002:2005 Information technology—Security Techniques—Code of Practice for Information Security Management

Control Objectives for Information and Related Technology (COBIT)

Payment Card Industry Data Security Standard (PCI DSS)

Information Technology Infrastructure Library (ITIL)

Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides

Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook

The World Operates on Standards

Standards Are Dynamic

The How Is Typically Left Up to Us

Key Question: Why Does the Standard Exist?

Compliance Is Not Security, But It Is a Good Start

Integration of Standards and Control Frameworks

Auditing Compliance

Adoption Rate of Various Standards

ISO 27001/2 Certification

NIST Certification

Control Framework Convergence

The 11-Factor Compliance Assurance Manifesto

The Standards/Framework Value Proposition

Suggested Reading

Managerial Controls: Practical Security Considerations

Security Control Convergence

Security Control Methodology

Security Assessment and Authorization Controls

Planning Controls

Risk Assessment Controls

System and Services Acquisition Controls

Program Management Controls

Suggested Reading

Technical Controls: Practical Security Considerations

Access Control Controls

Audit and Accountability Controls

Identification and Authentication

System and Communications Protections

Suggested Reading

Operational Controls: Practical Security Considerations

Awareness and Training Controls

Configuration Management Controls

Contingency Planning Controls

Incident Response Controls

Maintenance Controls

Media Protection Controls

Physical and Environmental Protection Controls

Personnel Security Controls

System and Information Integrity Controls

Suggested Reading

The Auditors Have Arrived, Now What?

Anatomy of an Audit

Audit Planning Phase

Preparation of Document Request List

Gather Audit Artifacts

Provide Information to Auditors

On-Site Arrival Phase

Internet Access

Reserve Conference Rooms

Physical Access

Conference Phones

Schedule Entrance, Exit, Status Meetings

Set Up Interviews

Audit Execution Phase

Additional Audit Meetings

Establish Auditor Communication Protocol

Establish Internal Company Protocol

Media Handling

Audit Coordinator Quality Review

The Interview Itself

Entrance, Exit, and Status Conferences

Entrance Meeting

Exit Meeting

Status Meetings

Report Issuance and Finding Remediation Phase

Suggested Reading

Effective Security Communications

Why a Chapter Dedicated to Security Communications?

End User Security Awareness Training

Awareness Definition

Delivering the Message

Step 1: Security Awareness Needs Assessment

Step 2: Program Design

Step 3: Develop Scope

Step 4: Content Development

Step 5: Communication and Logistics Plan

Step 6: Awareness Delivery

Step 7: Evaluation/Feedback Loops

Security Awareness Training Does Not Have to Be Boring

Targeted Security Training

Continuous Security Reminders

Utilize Multiple Security Awareness Vehicles

Security Officer Communication Skills

Talking versus Listening

Roadblocks to Effective Listening

Generating a Clear Message

Influencing and Negotiating Skills

Written Communication Skills

Presentation Skills

Applying Personality Type to Security Communications

The Four Myers–Briggs Type Indicator (MBTI)

Preference Scales

Determining Individual MBTI Personality

Summing Up the MBTI for Security

Suggested Reading

The Law and Information Security

Civil Law versus Criminal Law

Electronic Communications Privacy Act of 1986 (ECPA)

The Computer Security Act of 1987

The Privacy Act of 1974

Sarbanes–Oxley Act of 2002 (SOX)

Gramm–Leach–Bliley Act (GLBA)

Health Insurance Portability and Accountability Act of 1996

Health Information Technology for Economic and Clinical Health (HITECH) Act

Federal Information Security Management Act of 2002 (FISMA)


Suggested Reading

Learning from Information Security Incidents

Recent Security Incidents

Texas State Comptroller

Sony PlayStation Network

Student Loan Social Security Numbers Stolen

Social Security Numbers Printed on Outside of Envelopes

Valid E-Mail Addresses Exposed

Office Copier Hard Disk Contained Confidential Information

Advanced Persistent Threat Targets Security Token

Who Will Be Next?

Every Control Could Result in an Incident

Suggested Reading

Ways to Dismantle Information Security Governance Efforts

Final Thoughts

Suggested Reading


About the Author

Todd Fitzgerald, CISSP, CISA, CISM, CIPM, CIPP/US, CIPP/E, CIPP/C, CGEIT, CRISC, PMP, ISO27000, and ITILv3 certified, is Managing Director and CISO of CISO Spotlight, LLC.

Todd has built and led multiple Fortune 500/large company information security programs for 20 years across multiple industries, named 2016-17 Chicago CISO of the Year by AITP, ISSA, ISACA, Infragard and SIM, ranked Top 50 Information Security Executive, and Information Security Executive (ISE) Award Finalist, and named Ponemon Institute Fellow. Fitzgerald coauthored with Micki Krause the first professional organization Chief Information Security Officer book, CISO Leadership: Essential Principles for Success (Auerbach, 2008). Todd also authored Information Security Governance Simplified: From the Boardroom to the Keyboard (Auerbach, 2012), and co-authored Certified Chief Information Security Officer Body of Knowledge (E-C Council, 2014), and has contributed to over a dozen others. Fitzgerald has participated in the development of materials for the Official (ISC)2 Guide to the CISSP CBK, Information Security Handbook Series, ISACA COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamentals.

Fitzgerald is a top-rated RSA Conference speaker and is frequently called upon to present at international, national and local conferences for Information Systems Audit and Control Association (ISACA), Information Systems security Association (ISSA), Management Information Systems Training Institute (MISTI), COSAC, Centers for Medicare and Medicaid Services, T.E.N., and others. Fitzgerald serves on the HIPAA Collaborative of Wisconsin Board of Directors (2002-present), Milwaukee Area Technical College Security Advisory Board, and University of Wisconsin-La Crosse College of Business Administration Board of Advisors.

Prior senior leadership includes SVP, CAO Information Security Northern Trust, Global CISO Grant Thornton International, Ltd, Global CISO ManpowerGroup, Medicare Security Officer/External Audit Oversight WellPoint (now Anthem) Blue Cross Blue Shield-National Government Services, CISO North & Latin America Zeneca/Syngenta and senior Information Technology leadership positions with IMS Health, and American Airlines. Todd earned a B.S. in Business Administration from the University of Wisconsin-La Crosse and Master Business Administration with highest honors from Oklahoma State University.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General