Information security is more than configuring firewalls, removing viruses, hacking machines, or setting passwords. Creating and promoting a successful security program requires skills in organizational consulting, diplomacy, change management, risk analysis, and out-of-the-box thinking.

Part I: Getting a Handle on Things.- Chapter 1: Why Audit. Chapter 2: Assume Breach. Chapter 3: Risk Analysis: Assets and Impacts. Chapter 4: Risk Analysis: Natural Threats. Chapter 5: Risk Analysis: Adversarial Risk. Part II: Wrangling the Organization.- Chapter 6: Scope. Chapter 7: Governance. Chapter 8: Talking to the Suits. Chapter 9: Talking to the Techs. Chapter 10: Talking to the Users. Part III: Managing Risk with Controls.- Chapter 11: Policy. Chapter 12: Control Design. Chapter 13: Administrative Controls. Chapter 14: Vulnerability Management. Chapter 15: People Controls. Chapter 16: Logical Access Control. Chapter 17: Network Security Controls. Chapter 18: More Technical Controls. Chapter 19: Physical Security Controls. Part IV: Being Audited.-C hapter 20: Response Controls. Chapter 21: Starting the Audit. Chapter 22: Internal Audit. Chapter 23: Third Party Security. Chapter 24: Post Audit Improvement.