IT Security Risk Control Management: An Audit Preparation Plan

Table of Contents

Part: Getting a Handle on Things
Chapter 1: Why Audit
Chapter 2: Assume Breach
Chapter 3: Risk: Assets and Impacts
Chapter 4: Risk: Natural Threats
Chapter 5: Risk: Adversarial Risk

Part: Wrangling the Organization
Chapter 6: Scope
Chapter 7: Governance
Chapter 8: Talking to the Suits
Chapter 9: Talking to the Techs
Chapter 10: Talking to the Users

Part: Managing Risk with Controls
Chapter 11: Policy
Chapter 12: Control Design
Chapter 13: Administrative Controls
Chapter 14: Vulnerability Management
Chapter 15: People Controls
Chapter 16: Logical Access Control
Chapter 17: Network Security Controls
Chapter 18: More Technical Controls
Chapter 19: Physical Security Controls

Part: Being Audited
Chapter 20: Response Controls
Chapter 21: Starting the Audit
Chapter 22: Internal Audit
Chapter 23: Third Party Security
Chapter 24: Post Audit Improvement

348 pages, Paperback

First published September 26, 2016

Community Reviews

5 stars: 3 (37%)
4 stars: 4 (50%)
3 stars: 0 (0%)
2 stars: 1 (12%)
1 star: 0 (0%)

Review by Ben Rothke, July 18, 2018
When it comes to information security, there is a whole lot of technology around. From firewalls to switches, IDS to SIEM, to a lot of other hardware and software with 3- and 4-letter acronyms, technology is at the heart of information security. But how does an enterprise ensure that the huge amounts they spend are implementing good security? That is where an information security audit comes into play.

It’s not clear if Benjamin Franklin really said this, but it is a fact nonetheless: if you fail to plan, you are planning to fail.

When it comes to information technology or information security audits, far too many organizations don’t really plan for them. They repeat the mistake Fred Brooks identified in his groundbreaking 1975 book The Mythical Man-Month, that throwing more people at a problem, counterintuitively, will not make the project finish faster. Out of that came Brooks's law: adding manpower to a late software project makes it later.

In IT Security Risk Control Management: An Audit Preparation Plan, author Raymond Pompon takes the approach that, metaphorically speaking, every day is camera day. Rather than dressing up the IT department for audit week, ensure the department is audit-ready the entire year.

Pompon notes that an audit is meant to show the effectiveness of a good information security program. Rather than focus on the audit, focus on what needs to be done to put good security controls and business processes in place, and a successful audit will follow.

For those looking to build a good security program, the book is quite helpful in that it shows how to implement real security, not audit check-box security.

The book provides a good mix of technical and business know-how, and he also details a number of tools that can be used in a new or existing security program.

The mistake that using a check-box approach engenders is that it is narrowly focused on the specific audit at hand, be it HIPAA, Sarbanes-Oxley, PCI and the like. Pompon encourages the reader to take a much broader approach. By doing that, they will implement good security controls, with which a passing audit is much more likely.

At under 300 pages, the book is deep enough to cover all of the core areas of information security. It provides the reader with a very good start in creating their infosec program. The goal of an audit is to pass it. And to pass it takes good security. The best way is to build that in from the start. And if you want to do that, IT Security Risk Control Management: An Audit Preparation Plan is an excellent resource to get you there.

Review by Michael Werneburg, June 10, 2021
Ray Pompon's book is the guide I needed back in 2011 when I first took a service organization through an audit. It is a thorough discussion of the subject, covering the range of a service audit's scope in a spare and to-the-point style that serves both as a guide and reference. Rather than exploring any handful of subjects in exhaustive detail, the book concentrates on covering the subject area with enough understanding to communicate the important ideas ("why") and the necessary tasks ("what"), then adds pointers and links to the reams of underlying "how" material. It's a great way to organize the book, and a great way to organize an approach to the daunting challenge before any practitioner with a SOC-2/SOC-1 a year away.

Even after five years, I still need a reference with ideas, and this is that book.

One oddity was the font chosen by the publisher. It's small, dark, and cramped.