Abstract
Effective cybersecurity is very difficult. A number of organizations, based on wide professional input, have developed best-practices documents as well as standards for implementing and evaluating cybersecurity. On the standards side, the most prominent player is the National Institute of Standards and Technology (NIST). NIST has created a huge number of security publications, including 9 Federal Information Processing Standards (FIPS) and well over 100 active Special Publications (SP) that provide guidance on virtually all aspects of cybersecurity. Equally important is the International Organization for Standardization (ISO) 27000 series of standards on information security management systems. Other organizations that have produced cybersecurity standards and guidelines include:
■ ISACA/COBIT: The COBIT-5 for information security and related documents are widely used by the industry.
■ ITU Telecommunication Standardization Sector (ITU-T): Most important are the series X.1050 through X.1069 on security management.
■ Internet Society (ISOC): A number of published standards and RFCs relate to cybersecurity.
In addition, a number of professional and industry groups have produced best-practices documents and guidelines. The most important such document is The Standard of Good Practice for Information Security (SGP), produced by the Information Security Forum (ISF). This almost 300-page document provides a wide range of best practices based on the consensus of industry and government organizations. Another key organization is the Center for Internet Security (CIS), which has published detailed lists of industry-approved security controls and metrics. Other respected organizations have also produced a number of similar documents.
Thus, there is an immense amount of practical, widely accepted material available. The problem is that the amount of information is so massive that it is difficult for cybersecurity practitioners to take advantage of it to build and maintain effective cybersecurity systems and policies.
The objective of this book is to organize, consolidate, and explain all this material to enable the security practitioner to make effective use of it.
This book is addressed to people in both IT and security management, people tasked with maintaining IT security, and a wide range of others interested in cybersecurity and information security.
Comments on the book "Effective Cybersecurity [Understanding and Using Standards and Best Practices]"