Foreword
Acknowledgments
Team Acknowledgment
Organizations We Would Like to Thank
Introduction
Overview

Assess
Overview
Foundation Concepts
Critical Skills
Consultative Sales Skills
Enabling New Business Opportunities
Reducing Business Risk
Critical Knowledge
Understanding Your Business
Understanding Risk
Understanding Your Enterprise Differentiators
Understanding Your Legal and Regulatory Environment
Understanding Your Organizational Structure
Understanding Your Organizational Dynamics
Enterprise Culture
Understanding Your Enterprise's View of Technology
Assessment Methodology
Identifying Your Program's Primary Driver
Why Are You Here?
Stakeholders
Types of Stakeholders
Identifying Your External Drivers
Regulatory/Audit Environment
Other External Drivers
Identifying Your Internal Drivers
Political Climate
Who Is on Your Team?
The Enterprise's Business
Financial Environment
Technical Environment
Industry
Assessment Checklist

Plan
Overview
Foundation Concepts
Critical Skills
Visioning
Strategic Planning
Negotiating
Marketing
Talent Assessment
Critical Skills Summary
Critical Knowledge
(ISC)² Common Body of Knowledge (CBK)
Other Security Industry Resources
Planning Methodology
Understanding Your Program's Mandate
Determining Your Program Mission
Mission Statements
Building Your Mission Statement
Determining Your Program's Structure
Operational Versus Non-Operational
Size of Your Enterprise
Political Climate
Centralized Versus Decentralized
Common Reasons for Choosing a Centralized Model
Common Reasons for Choosing a Decentralized Model
Security Pipeline
Architecture
Maintenance
Inspection
Size of Your Program
Large Program Considerations
Small Program Considerations
Conclusion
Common Security Responsibilities
Information Security Program Structure Summary
Determining Your Program's Staffing
Define the Roles and Responsibilities of Your Team Members
Critical Attributes
Security Roles and Responsibilities
Influence on Staffing by the Information Security Program Structure
Perform a Gap Analysis
Evaluate Talent
Planning Summary
Planning Checklist

Design
Overview
Foundation Concepts
Critical Skills
Analytical Skills
Discovery
Evaluation
Strategy
Formulation
Organizational Skills
Sales
Financial Planning and Budgeting
Critical Skills Summary
Critical Knowledge
Opportunity Cost
Security Documents
Policies
Standards
Procedures
Guidelines
Example
Risks, Threats, and Vulnerabilities ... Oh My!
Example
Types of Security Controls
Preventive Controls
Detective Controls
Gap Analysis
SMART Statements
Types of Projects
People Projects
Process Projects
Technology Projects
Methodology
Preview
Security Document Development
Project Portfolio Development
Communication Plan Development
Incorporating Your Enterprise Drivers
Constraints
Laws and Regulations
Corporate Responsibility/Code of Conduct
Enablers
Requirements
Business Requirements
Example
Example
Functional Requirement
Example
Business Requirements of PCSC
Functional Requirement
Analysis
Methods for Creating Functional Requirements
Requirements Summary
Gap Analysis
Building Security Policies, Standards, Procedures, and Guidelines
The Theory of Security Policies
Drafting Your Information Security Policies
Ratifying the Security Policies
Standards, Procedures, and Guidelines
Build Security Documents Summary
Building the Security Project Portfolio
Performing the Policy Gap Analysis
Example
Analysis
Defining Ambiguities
Evaluating Controls (Gap Analysis)
Risk and Exposure Statements
Risk Rating
Risk Rating - High
Deriving the Security Projects
Quantitative Evaluation
Qualitative Evaluation
Cursory Project Scoping
Projects Versus Core
Scheduling (First Three Years)
Capital Budgeting
Approval of the Security Project Portfolio
Believe in Your Product
Ensure That Your Logic for Prioritization Is Understood
Know Your Product
Know What Others Are Buying
Identify the Buyers and the Roadblocks
Those Who Will Buy Your Offerings
Those Who Will Not Buy Any of Your Offerings
Those Who Can Apply Pressure to Individuals Who Won't Buy Your Offerings
Sell through Momentum
Sell through Others
Ensure That It's Sold before You Attempt to Sell It
Always Present in Person
Summary
Annual Portfolio Review
Build the Communication Plan
Potential Channels for the Communication Plan
Chapter Summary
Design Checklist

Execute
Overview
Foundation Concepts
Preview
Critical Skills
Executor
Commander
Communication
Tactician
Research
Analysis
Critical Skills Summary
Critical Knowledge
Overview of Project Management Methodologies
Benefits of a Project Mentality for Your Information Security Program
The Project Management Triangle
Technical Control Layers
Summary
Methodology
Preview
Project Execution
Development Methodology Structure
Critical Success Factors for a Project
Business, Functional, and Technical Requirements
Marketing Metrics
Project Governance Model
Management Support - Sponsorship
Establish a Team
Shared Vision
Formalized Project Plan (Gantt Chart)
Identifying and Working through the Lull of Doom
Critical Success Factors Summary
Warning Signs for Projects
Train Wrecks
Project Types and Their Intricacies
Common Guidelines for All Projects
Common Guidelines for People Projects
Common Guidelines for Process Projects
Common Guidelines for Technology Projects
Project Type Summary
Incorporating Security into Projects
Tools for Adding Security into a Properly Structured Project
Deploy
Tools for Adding Security into a Project with Missing Components
Vendor Evaluation/Selection
Preparing the Marketing Material
Chapter Summary

Report
Overview
Foundation Concepts
Critical Skills
Writer
Presenter
Critical Knowledge
Primary Principle of Reporting
Basic Reporting Components
Delivery Mechanisms
Marketing
Branding
Metrics
Damage Control
Summary
Methodology
Report Construction Process
Identifying the Need
Determine Intent
Desired Reaction
Determine Target Audience
Internal Audiences
Executive Management/Board of Directors
Technical Engineering Staff
Employees
Internal Audit/Regulatory Compliance Office
External Audiences
Government Agencies/Independent Auditors/Regulators
Stockholders and Owners
Customers and Clients
Target Audience Summary
Delivery Mechanisms
Administrative Reporting
Operational Reporting
Types of Delivery
Follow Up on the Message
Close the Deal
Chapter Summary

The Final Phase
Overview
Back to the Beginning
Parting Thoughts

Appendices

Design Chapter Worksheets

Report Creation Process Worksheet

Requirements Sample

SDLC Checklist

Recommended Reading

Index