This book explains how to construct an information security program, from inception to audit, with enduring, practical, hands-on advice and actionable behavior for IT professionals. Information security is more than configuring firewalls, removing viruses, hacking machines, or setting passwords. Creating and promoting a successful security program requires skills in organizational consulting, diplomacy, change management, risk analysis, and out-of-the-box thinking.
IT Security Risk Control Management provides step-by-step guidance on how to craft a security program that fits neatly into an organization and adapts dynamically both to the needs of the organization and to constantly changing threats. Readers will understand the paradoxes of information security and discover handy tools that hook security controls into business processes.
With this book, you will be able to equip your security program to prepare for and pass such common audits as PCI, SSAE-16 and ISO 27001. In addition, you will learn the depth and breadth of the expertise necessary to become an adaptive and effective security professional. This book:
- Starts at the beginning of how to approach, scope, and customize a security program to fit an organization.
- Walks you through how to implement the most challenging processes, pointing out common pitfalls and distractions.
- Teaches you how to frame security and risk issues to be clear and actionable to decision makers, technical personnel, and users.
What you'll learn
- How to organically grow a useful, functional security program appropriate to an organization's culture and requirements
- How to inform, advise, and influence executives, IT staff, and users on information security
- How to think like a seasoned security professional, understanding how cyber-criminals subvert systems with subtle and insidious tricks
- How to analyze, select, implement, and monitor security controls such as change control, vulnerability management, incident response, and access controls
- How to prepare an organization to pass external formal audits such as PCI, SSAE-16 or ISO 27001
- How to write clear, easy-to-follow, comprehensive security policies and procedures
Who This Book Is For
IT professionals moving into the security field; new security managers, directors, project heads, and would-be CISOs; and security specialists from other disciplines moving into information security (e.g., former military security professionals, law enforcement professionals, and physical security professionals).
When it comes to information security, there is a whole lot of that around. From firewalls to switches, IDS to SIEM, to a lot of other hardware and software with 3- and 4-letter acronyms, technology is at the heart of information security. But how does an enterprise ensure that the huge amounts they spend are implementing good security? That is where an information security audit comes into play.
It's not clear if Benjamin Franklin really said this, but it is a fact nonetheless: if you fail to plan, you are planning to fail.
When it comes to information technology or information security audits, far too many organizations don’t really plan for them. They repeat the mistake Fred Brooks identified in his groundbreaking 1975 book The Mythical Man-Month, that throwing more people at a problem, counterintuitively, will not make the project finish faster. Out of that came Brooks's law: adding manpower to a late software project makes it later.
In IT Security Risk Control Management: An Audit Preparation Plan, author Raymond Pompon takes the approach that, metaphorically speaking, every day is camera day. Rather than dressing up the IT department for audit week, ensure the department is audit-ready the entire year.
Pompon notes that an audit is meant to show the effectiveness of a good information security program. Rather than focus on the audit, focus on what needs to be done to put good security controls and business processes in place, and a successful audit will follow.
For those looking to build a good security program, the book is quite helpful in that it shows how to implement real security, not audit check-box security.
The book provides a good mix of technical and business know-how, and he also details a number of tools that can be used in a new or existing security program.
The mistake that using a check-box approach engenders is that it narrowly focuses on the specific audit at hand, be it HIPAA, Sarbanes-Oxley, PCI and the like. Pompon encourages the reader to take a much broader approach. By doing that, they will implement good security controls, with which a passing audit is much more likely.
At under 300 pages, the book is deep enough to cover all of the core areas of information security. It provides the reader with a very good start in creating their infosec program. The goal of an audit is to pass it. And to pass it takes good security. The best way is to build that in from the start. And if you want to do that, IT Security Risk Control Management: An Audit Preparation Plan is an excellent resource to get you there.
Ray Pompon's book is the guide I needed back in 2011 when I first took a service organization through an audit. It is a thorough discussion of the subject, covering the range of a service audit's scope in a spare and to-the-point style that serves both as a guide and reference. Rather than exploring any handful of subjects in exhaustive detail, the book concentrates on covering the subject area with enough understanding to communicate the important ideas ("why") and the necessary tasks ("what"), then adds pointers and links to the reams of underlying "how" material. It's a great way to organize the book, and a great way to organize an approach to the daunting challenge before any practitioner with a SOC-2/SOC-1 a year away.
Even after five years, I still need a reference with ideas, and this is that book.
One oddity was the font chosen by the publisher. It's small, dark, and cramped.
This is the best book ever. Super entertaining and educational. I bet whoever wrote it is a cool guy who pays for Papa John's pizza when his daughter orders it without his permission... or so I've heard.