IT Security Risk Control Management: An Audit Preparation Plan

Follow step-by-step guidance to craft a successful security program. You will identify with the paradoxes of information security and discover handy tools that hook security controls into business processes.

Information security is more than configuring firewalls, removing viruses, hacking machines, or setting passwords. Creating and promoting a successful security program requires skills in organizational consulting, diplomacy, change management, risk analysis, and out-of-the-box thinking.

What You Will Learn

Build a security program that fits neatly into an organization and changes dynamically to suit the organization's needs and survive constantly changing threats
Prepare for and pass such common audits as PCI-DSS, SSAE-16, and ISO 27001
Calibrate the scope and customize security controls to fit into an organization's culture
Implement the most challenging processes, pointing out common pitfalls and distractions
Frame security and risk issues to be clear and actionable so that decision makers, technical personnel, and users will listen to and value your advice

Who This Book Is For

IT professionals moving into the security field; new security managers, directors, project heads, and would-be CISOs; and security specialists from other disciplines moving into information security (e.g., former military security professionals, law enforcement professionals, and physical security professionals)

631 pages, Kindle Edition

First published September 26, 2016


Community Reviews

5 stars: 3 (37%)
4 stars: 4 (50%)
3 stars: 0 (0%)
2 stars: 1 (12%)
1 star: 0 (0%)

Ben Rothke (355 reviews, 50 followers)
July 18, 2018
When it comes to information security, there is a whole lot of that around. From firewalls to switches, IDS to SIEM, to a lot of other hardware and software with 3 and 4-letter acronyms, technology is at the heart of information security. But how does an enterprise ensure that the huge amounts they spend are implementing good security? That is where an information security audit comes into play.

It's not clear if Benjamin Franklin really said this, but it is a fact nonetheless: if you fail to plan, you are planning to fail.

When it comes to information technology or information security audits, far too many organizations don’t really plan for them. They repeat the mistake Fred Brooks identified in his groundbreaking 1975 book The Mythical Man-Month, that throwing more people at a problem, counterintuitively, will not make the project finish faster. Out of that came Brooks's law: adding manpower to a late software project makes it later.

In IT Security Risk Control Management: An Audit Preparation Plan, author Raymond Pompon takes the approach that, metaphorically speaking, every day is camera day. Rather than dressing up the IT department for audit week, ensure the department is audit ready the entire year.

Pompon notes that an audit is meant to show the effectiveness of a good information security program. Rather than focus on the audit, focus on what needs to be done to put good security controls and business processes in place, and a successful audit will follow.

For those looking to build a good security program, the book is quite helpful in that it shows how to implement real security, not audit check-box security.

The book provides a good mix of technical and business know-how, and he also details a number of tools that can be used in a new or existing security program.

The mistake that using a check-box approach engenders is that it narrowly focuses on the specific audit at hand, be it HIPAA, Sarbanes-Oxley, PCI and the like. Pompon encourages the reader to take a much broader approach. By doing that, they will implement good security controls, with which a passing audit is much more likely.

At under 300 pages, the book is deep enough to cover all of the core areas of information security. It provides the reader with a very good start in creating their infosec program. The goal of an audit is to pass it. And to pass it takes good security. The best way is to build that in from the start. And if you want to do that, IT Security Risk Control Management: An Audit Preparation Plan is an excellent resource to get you there.
Michael Werneburg (17 reviews)
June 10, 2021
Ray Pompon's book is the guide I needed back in 2011 when I first took a service organization through an audit. It is a thorough discussion of the subject, covering the range of a service audit's scope in a spare and to-the-point style that serves both as a guide and reference. Rather than exploring any handful of subjects in exhaustive detail, the book concentrates on covering the subject area with enough understanding to communicate the important ideas ("why") and the necessary tasks ("what"), then adds pointers and links to the reams of underlying "how" material. It's a great way to organize the book, and a great way to organize an approach to the daunting challenge before any practitioner with a SOC-2/SOC-1 a year away.

Even after five years, I still need a reference with ideas, and this is that book.

One oddity was the font chosen by the publisher. It's small, dark, and cramped.