A Practical Guide to Managing Information Security

Artech House, 2004 - Business & Economics - 280 pages
This groundbreaking book helps you master the management of information security, concentrating on the recognition and resolution of the practical issues of developing and implementing IT security for the enterprise. Drawing upon the authors' wealth of valuable experience in high-risk commercial environments, the work focuses on the need to align the information security process as a whole with the requirements of the modern enterprise, which involves empowering business managers to manage information security-related risk. Throughout, the book places emphasis on the use of simple, pragmatic risk management as a tool for decision-making. The first book to cover the strategic issues of IT security, it helps you to: understand the difference between more theoretical treatments of information security and operational reality; learn how information security risk can be measured and subsequently managed; define and execute an information security strategy; design and implement a security architecture; and ensure that limited resources are used optimally. Illustrated by practical examples, this topical volume reveals the current problem areas in IT security deployment and management. Moreover, it offers guidelines for writing scalable and flexible procedures for developing an IT security strategy and monitoring its implementation. You discover an approach for reducing complexity and risk, and find tips for building a successful team and managing communications issues within the organization. This essential resource provides practical insight into contradictions in the current approach to securing enterprise-wide IT infrastructures, recognizes the need to continually challenge dated concepts, demonstrates the necessity of using appropriate risk management techniques, and evaluates whether or not a given risk is acceptable in pursuit of future business opportunities.

Contents

The need for a proactive approach ... 1
1.2 The reality of the modern enterprise ... 3
1.3 Evolution of organizational structures ... 4
1.4 Evolution of technical infrastructure ... 5
1.5 Limitations of policy-driven decision making ... 7
1.6 Education and awareness ... 9
1.6.2 The technology trap ... 10
1.7 Operational issues ... 11
1.7.2 Scalability ... 13
1.8 New challenges ... 14
1.8.2 Privacy ... 16
1.9 Introducing The not so Secure Bank ... 17
1.10 Summary ... 19
References ... 20

Management techniques ... 23
2.2 Information relating to security incidents and vulnerabilities ... 25
2.3 Risk analysis and risk management ... 27
2.4 Strategy and planning ... 30
2.5 Policy and standards ... 32
2.6 Processes and procedures ... 34
2.7 Methodologies and frameworks ... 36
2.8 Awareness and training ... 38
2.9 Audits ... 40
2.10 Contracts ... 41
2.11 Outsourcing ... 42
2.12 Summary ... 43
References ... 44

Technical tools ... 47
3.2 Classification of security tools ... 48
3.3 Host-oriented tools ... 49
3.3.2 The native operating system security subsystem ... 50
3.3.3 Authentication and authorization ... 51
3.3.4 System integrity ... 52
3.3.5 System access control ... 56
3.3.6 System security monitoring ... 58
3.3.7 Data confidentiality and integrity ... 60
3.4 Network-oriented tools ... 62
3.4.2 Network integrity ... 65
3.4.3 Network access control ... 68
3.4.4 Network security monitoring ... 71
3.4.5 Data confidentiality and integrity ... 72
3.5 Supporting infrastructure ... 74
3.5.2 Smart cards and cryptographic modules ... 76
3.5.3 Authentication devices ... 79
3.6 Summary ... 80
References ... 81

A proactive approach: Overview ... 85
4.2 The consolidation period and strategic-planning cycles ... 86
4.3 Deciding on a personal strategy ... 87
4.4 The consolidation period ... 89
4.4.2 Establishing contact with stakeholders ... 90
4.4.3 Identifying major issues ... 91
4.4.4 Classifying issues ... 92
4.4.5 Implementing short-term solutions ... 95
4.4.6 Identifying quick wins ... 98
4.4.7 Implementing initial management-control mechanisms ... 99
4.5 The strategic-planning cycle ... 100
4.5.2 Definition of a strategy ... 101
4.5.3 Production of a strategic plan ... 102
4.5.5 Monitoring for further improvement ... 104
4.6 The core deliverables ... 105
4.7 Summary ... 106
References ... 107

The information-security strategy ... 109
5.2 Planning ... 110
5.3 Analysis of the current situation ... 111
5.4 Identification of business strategy requirements ... 114
5.5 Identification of legal and regulatory requirements ... 117
5.6 Identification of requirements due to external trends ... 119
5.7 Definition of the target situation ... 122
5.8 Definition and prioritization of strategic initiatives ... 123
5.9 Distribution of the draft strategy ... 126
5.10 Agreement and publication of final strategy ... 127
5.11 Summary ... 128
References ... 129

Policy and standards ... 131
6.2 Designing the documentation set ... 132
6.3 Policy ... 135
6.3.2 Identifying required policy statements ... 136
6.3.3 Design and implementation ... 137
6.3.4 The Secure Bank: Policy statements ... 139
6.4 Establishing a control framework ... 140
6.5 Standards ... 143
6.5.2 External standards ... 144
6.5.3 Internal standards ... 147
6.5.4 Agreement and distribution of standards ... 148
6.6 Guidelines and working papers ... 150
References ... 151

Process design and implementation ... 155
7.2 Why processes fail to deliver ... 156
7.2.2 Adaptability issues ... 157
7.2.3 Acceptance issues ... 158
7.3 Process improvement ... 159
7.3.2 Improving productivity ... 161
7.3.3 Improving adaptability ... 165
7.3.4 Improving acceptance ... 166
Improving the authorization and access-control procedure ... 168
7.4.3 Identifying the target situation ... 171
7.4.4 Planning incremental improvements ... 172
7.4.5 Implementing improvements ... 174
7.5 Continuous improvement ... 176
7.6 Summary ... 177
References ... 178

Building an IT security architecture ... 181
8.2 Problems associated with system-focused approaches ... 182
8.3 A three-phased approach ... 184
8.4 The design phase ... 185
8.4.2 Agreeing on basic design principles ... 186
8.4.3 Modeling the IT infrastructure ... 187
8.4.4 Risk analysis ... 192
8.4.5 Identifying logical components ... 194
8.4.6 Obtaining sign-off of the concept ... 198
8.5.2 Production of a phased implementation plan ... 200
8.5.3 Preparing proposals ... 202
8.5.4 Selection of commercial packages ... 203
8.5.5 Testing and integration ... 205
8.5.6 SLAs and support contracts ... 206
8.5.7 Technical training ... 208
8.6.1 Routine administration and maintenance ... 209
8.6.3 Managing incidents ... 210
8.6.4 Managing risk using risk indicators ... 212
8.7 Summary ... 213

Creating a security-minded culture ... 215
9.2 Techniques for introducing cultural change ... 217
9.3 Internal marketing and sales ... 219
9.4 Support and feedback ... 221
9.5 Security-awareness training ... 222
9.5.2 Planning considerations ... 223
9.5.3 Defining the objectives ... 224
9.5.5 Identifying the message ... 227
9.5.6 Developing the material ... 228
9.5.7 Defining tracking and follow-up procedures ... 231
9.6 Security skills training ... 232
9.6.2 The information-security team ... 233
9.6.3 Other staff ... 236
9.7 Involvement initiatives ... 237
9.8 Summary ... 238
References ... 239

Fast risk analysis ... 241
A.3 A worked example ... 243
About the author ... 249
Index ... 251
Copyright

About the author (2004)

Steve Purser is the manager of ICSD Security Support & Administration for Clearstream Services, where he is responsible for the operational aspects of IT security. Formerly, he was head of IT security for Banque Generale du Luxembourg and an expert consultant in the areas of IT and networking to the European Commission. He holds a Ph.D. in chemical physics from the University of East Anglia.