| |
| |
| Foreword | |
| |
| |
| Acknowledgments | |
| |
| |
| Introduction | |
| |
| |
| About the Author | |
| |
| |
| |
| Getting Information Security Right: Top to Bottom | |
| |
| |
| Information Security Governance | |
| |
| |
| Tone at the Top | |
| |
| |
| Tone at the Bottom | |
| |
| |
| Governance, Risk, and Compliance (GRC) | |
| |
| |
| The Compliance Dilemma | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Developing Information Security Strategy | |
| |
| |
| Evolution of Information Security | |
| |
| |
| Organization Historical Perspective | |
| |
| |
| Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt | |
| |
| |
| Understand the External Environment | |
| |
| |
| Regulatory | |
| |
| |
| Competition | |
| |
| |
| Emerging Threats | |
| |
| |
| Technology Cost Changes | |
| |
| |
| External Independent Research | |
| |
| |
| The Internal Company Culture | |
| |
| |
| Risk Appetite | |
| |
| |
| Speed | |
| |
| |
| Collaborative versus Authoritative | |
| |
| |
| Trust Level | |
| |
| |
| Growth Seeker or Cost Cutter | |
| |
| |
| Company Size | |
| |
| |
| Outsourcing Posture | |
| |
| |
| Prior Security Incidents, Audits | |
| |
| |
| Security Strategy Development Techniques | |
| |
| |
| Mind Mapping | |
| |
| |
| SWOT Analysis | |
| |
| |
| Balanced Scorecard | |
| |
| |
| Face-to-Face Interviews | |
| |
| |
| Security Planning | |
| |
| |
| Strategic | |
| |
| |
| Tactical | |
| |
| |
| Operational/Project Plans | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Defining the Security Management Organization | |
| |
| |
| History of the Security Leadership Role Is Relevant | |
| |
| |
| The New Security Officer Mandate | |
| |
| |
| Day 1: Hey, I Got the Job! | |
| |
| |
| Security Leader Titles | |
| |
| |
| Techie versus Leader | |
| |
| |
| The Security Leaders Library | |
| |
| |
| Security Leadership Defined | |
| |
| |
| Security Leader Soft Skills | |
| |
| |
| Seven Competencies for Effective Security Leadership | |
| |
| |
| Security Functions | |
| |
| |
| Learning from Leading Organizations | |
| |
| |
| Assess Risk and Determine Needs | |
| |
| |
| Implement Policies and Controls | |
| |
| |
| Promote Awareness | |
| |
| |
| Monitor and Evaluate | |
| |
| |
| Central Management | |
| |
| |
| What Functions Should the Security Officer Be Responsible For? | |
| |
| |
| Assessing Risk and Determining Needs Functions | |
| |
| |
| Risk Assessment/Analysis | |
| |
| |
| Systems Security Plan Development | |
| |
| |
| External Penetration Testing | |
| |
| |
| Implement Policies and Control Functions | |
| |
| |
| Security Policy Development | |
| |
| |
| Security Architecture | |
| |
| |
| Security Control Assessment | |
| |
| |
| Identity and Access Management | |
| |
| |
| Business Continuity and Disaster Recovery | |
| |
| |
| Promote Awareness Functions | |
| |
| |
| End User Security Awareness Training | |
| |
| |
| Intranet Site and Policy Publication | |
| |
| |
| Targeted Awareness | |
| |
| |
| Monitor and Evaluate Functions | |
| |
| |
| Security Baseline Configuration Review | |
| |
| |
| Logging and Monitoring | |
| |
| |
| Vulnerability Assessment | |
| |
| |
| Internet Monitoring/Management of Managed Services | |
| |
| |
| Incident Response | |
| |
| |
| Forensic Investigations | |
| |
| |
| Central Management Functions | |
| |
| |
| Reporting Model | |
| |
| |
| Business Relationships | |
| |
| |
| Reporting to the CEO | |
| |
| |
| Reporting to the Information Systems Department | |
| |
| |
| Reporting to Corporate Security | |
| |
| |
| Reporting to the Administrative Services Department | |
| |
| |
| Reporting to the Insurance and Risk Management Department | |
| |
| |
| Reporting to the Internal Audit Department | |
| |
| |
| Reporting to the Legal Department | |
| |
| |
| Determining the Best Fit | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Interacting with the C-Suite | |
| |
| |
| Communication between the CEO, CIO, Other Executives, and CISO | |
| |
| |
| 13 "Lucky" Questions to Ask One Another | |
| |
| |
| The CEO, Ultimate Decision Maker | |
| |
| |
| The CEO Needs to Know Why | |
| |
| |
| The CIO, Where Technology Meets the Business | |
| |
| |
| CIO's Commitment to Security Is Important | |
| |
| |
| The Security Officer, Protecting the Business | |
| |
| |
| The CEO, CIO, and CISO Are Business Partners | |
| |
| |
| Building Grassroots Support through an Information Security Council | |
| |
| |
| Establishing the Security Council | |
| |
| |
| Oversight of Security Program | |
| |
| |
| Decide on Project Initiatives | |
| |
| |
| Prioritize Information Security Efforts | |
| |
| |
| Review and Recommend Security Policies | |
| |
| |
| Champion Organizational Security Efforts | |
| |
| |
| Recommend Areas Requiring Investment | |
| |
| |
| Appropriate Security Council Representation | |
| |
| |
| "-Inging" the Council: Forming, Storming, Norming, and Performing | |
| |
| |
| Forming | |
| |
| |
| Storming | |
| |
| |
| Norming | |
| |
| |
| Performing | |
| |
| |
| Integration with Other Committees | |
| |
| |
| Establish Early, Incremental Success | |
| |
| |
| Let Go of Perfectionism | |
| |
| |
| Sustaining the Security Council | |
| |
| |
| End User Awareness | |
| |
| |
| Security Council Commitment | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Managing Risk to an Acceptable Level | |
| |
| |
| Risk in Our Daily Lives | |
| |
| |
| Accepting Organizational Risk | |
| |
| |
| Just Another Set of Risks | |
| |
| |
| Management Owns the Risk Decision | |
| |
| |
| Qualitative versus Quantitative Risk Analysis | |
| |
| |
| Risk Management Process | |
| |
| |
| Risk Analysis Involvement | |
| |
| |
| Step 1: Categorize the System | |
| |
| |
| Step 2: Identify Potential Dangers (Threats) | |
| |
| |
| Human Threats | |
| |
| |
| Environmental/Physical Threats | |
| |
| |
| Technical Threats | |
| |
| |
| Step 3: Identify Vulnerabilities That Could Be Exploited | |
| |
| |
| Step 4: Identify Existing Controls | |
| |
| |
| Step 5: Determine Exploitation Likelihood Given Existing Controls | |
| |
| |
| Step 6: Determine Impact Severity | |
| |
| |
| Step 7: Determine Risk Level | |
| |
| |
| Step 8: Determine Additional Controls | |
| |
| |
| Risk Mitigation Options | |
| |
| |
| Risk Assumption | |
| |
| |
| Risk Avoidance | |
| |
| |
| Risk Limitation | |
| |
| |
| Risk Planning | |
| |
| |
| Risk Research | |
| |
| |
| Risk Transference | |
| |
| |
| Conclusion | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Creating Effective Information Security Policies | |
| |
| |
| Why Information Security Policies Are Important | |
| |
| |
| Avoiding Shelfware | |
| |
| |
| Electronic Policy Distribution | |
| |
| |
| Canned Security Policies | |
| |
| |
| Policies, Standards, Guidelines Definitions | |
| |
| |
| Policies Are Written at a High Level | |
| |
| |
| Policies | |
| |
| |
| Security Policy Best Practices | |
| |
| |
| Types of Security Policies | |
| |
| |
| Standards | |
| |
| |
| Procedures | |
| |
| |
| Baselines | |
| |
| |
| Guidelines | |
| |
| |
| Combination of Policies, Standards, Baselines, Procedures, and Guidelines | |
| |
| |
| Policy Analogy | |
| |
| |
| An Approach for Developing Information Security Policies | |
| |
| |
| Utilizing the Security Council for Policies | |
| |
| |
| The Policy Review Process | |
| |
| |
| Information Security Policy Process | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Security Compliance Using Control Frameworks | |
| |
| |
| Security Control Frameworks Defined | |
| |
| |
| Security Control Frameworks and Standards Examples | |
| |
| |
| Heath Insurance Portability and Accountability Act (HIPAA) | |
| |
| |
| Federal Information Security Management Act of2002 (FISMA) | |
| |
| |
| National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53) | |
| |
| |
| Federal Information System Controls Audit Manual (FISCAM) | |
| |
| |
| ISO/IEC 27001:2005 Information Security Management Systems-Requirements | |
| |
| |
| ISO/IEC 27002:2005 Information Technology-Security Techniques-Code of Practice for Information Security Management | |
| |
| |
| Control Objectives for Information and Related Technology (COBIT) | |
| |
| |
| Payment Card Industry Data Security Standard (PCI DSS) | |
| |
| |
| Information Technology Infrastructure Library (ITIL) | |
| |
| |
| Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides | |
| |
| |
| Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook | |
| |
| |
| The World Operates on Standards | |
| |
| |
| Standards Are Dynamic | |
| |
| |
| The How Is Typically Left Up to Us | |
| |
| |
| Key Question: Why Does the Standard Exist? | |
| |
| |
| Compliance Is Not Security, But It Is a Good Start | |
| |
| |
| Integration of Standards and Control Frameworks | |
| |
| |
| Auditing Compliance | |
| |
| |
| Adoption Rate of Various Standards | |
| |
| |
| ISO 27001/2 Certification | |
| |
| |
| NIST Certification | |
| |
| |
| Control Framework Convergence | |
| |
| |
| The 11-Factor Compliance Assurance Manifesto | |
| |
| |
| The Standards/Framework Value Proposition | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Managerial Controls: Practical Security Considerations | |
| |
| |
| Security Control Convergence | |
| |
| |
| Security Control Methodology | |
| |
| |
| Security Assessment and Authorization Controls | |
| |
| |
| Planning Controls | |
| |
| |
| Risk Assessment Controls | |
| |
| |
| System and Services Acquisition Controls | |
| |
| |
| Program Management Controls | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Technical Controls: Practical Security Considerations | |
| |
| |
| Access Control Controls | |
| |
| |
| Audit and Accountability Controls | |
| |
| |
| Identification and Authentication | |
| |
| |
| System and Communications Protections | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Operational Controls: Practical Security Considerations | |
| |
| |
| Awareness and Training Controls | |
| |
| |
| Configuration Management Controls | |
| |
| |
| Contingency Planning Controls | |
| |
| |
| Incident Response Controls | |
| |
| |
| Maintenance Controls | |
| |
| |
| Media Protection Controls | |
| |
| |
| Physical and Environmental Protection Controls | |
| |
| |
| Personnel Security Controls | |
| |
| |
| System and Information Integrity Controls | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| The Auditors Have Arrived, Now What? | |
| |
| |
| Anatomy of an Audit | |
| |
| |
| Audit Planning Phase | |
| |
| |
| Preparation of Document Request List | |
| |
| |
| Gather Audit Artifacts | |
| |
| |
| Provide Information to Auditors | |
| |
| |
| On-Site Arrival Phase | |
| |
| |
| Internet Access | |
| |
| |
| Reserve Conference Rooms | |
| |
| |
| Physical Access | |
| |
| |
| Conference Phones | |
| |
| |
| Schedule Entrance, Exit, Status Meetings | |
| |
| |
| Set Up Interviews | |
| |
| |
| Audit Execution Phase | |
| |
| |
| Additional Audit Meetings | |
| |
| |
| Establish Auditor Communication Protocol | |
| |
| |
| Establish Internal Company Protocol | |
| |
| |
| Media Handling | |
| |
| |
| Audit Coordinator Quality Review | |
| |
| |
| The Interview Itself | |
| |
| |
| Entrance, Exit, and Status Conferences | |
| |
| |
| Entrance Meeting | |
| |
| |
| Exit Meeting | |
| |
| |
| Status Meetings | |
| |
| |
| Report Issuance and Finding Remediation Phase | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Effective Security Communications | |
| |
| |
| Why a Chapter Dedicated to Security Communications? | |
| |
| |
| End User Security Awareness Training | |
| |
| |
| Awareness Definition | |
| |
| |
| Delivering the Message | |
| |
| |
| Step 1: Security Awareness Needs Assessment | |
| |
| |
| New or Changed Policies | |
| |
| |
| Past Security Incidents | |
| |
| |
| Systems Security Plans | |
| |
| |
| Audit Findings and Recommendations | |
| |
| |
| Event Analysis | |
| |
| |
| Industry Trends | |
| |
| |
| Management Concerns | |
| |
| |
| Organizational Changes | |
| |
| |
| Step 2: Program Design | |
| |
| |
| Target Audience | |
| |
| |
| Frequency of Sessions | |
| |
| |
| Number of Users | |
| |
| |
| Method of Delivery | |
| |
| |
| Resources Required | |
| |
| |
| Step 3: Develop Scope | |
| |
| |
| Determine Participants Needing Training | |
| |
| |
| Business Units | |
| |
| |
| Select Theme | |
| |
| |
| Step 4: Content Development | |
| |
| |
| Step 5: Communication and Logistics Plan | |
| |
| |
| Step 6: Awareness Delivery | |
| |
| |
| Step 7: Evaluation/Feedback Loops | |
| |
| |
| Security Awareness Training Does Not Have to Be Boring | |
| |
| |
| Targeted Security Training | |
| |
| |
| Continuous Security Reminders | |
| |
| |
| Utilize Multiple Security Awareness Vehicles | |
| |
| |
| Security Officer Communication Skills | |
| |
| |
| Talking versus Listening | |
| |
| |
| Roadblocks to Effective Listening | |
| |
| |
| Generating a Clear Message | |
| |
| |
| Influencing and Negotiating Skills | |
| |
| |
| Written Communication Skills | |
| |
| |
| Presentation Skills | |
| |
| |
| Applying Personality Type to Security Communications | |
| |
| |
| The Four Myers-Briggs Type Indicator (MBTI) Preference Scales | |
| |
| |
| Extraversion versus Introversion Scale | |
| |
| |
| Sensing versus Intuition Scale | |
| |
| |
| Thinking versus Feeling Scale | |
| |
| |
| Judging versus Perceiving Scale | |
| |
| |
| Determining Individual MBTI Personality | |
| |
| |
| Summing Up the MBTI for Security | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| The Law and Information Security | |
| |
| |
| Civil Law versus Criminal Law | |
| |
| |
| Electronic Communications Privacy Act of 1986 (ECPA) | |
| |
| |
| The Computer Security Act of 1987 | |
| |
| |
| The Privacy Act of 1974 | |
| |
| |
| Sarbanes-Oxley Act of 2002 (SOX) | |
| |
| |
| Gramm-Leach-Bliley Act (GLBA) | |
| |
| |
| Health Insurance Portability and Accountability Act of 1996 | |
| |
| |
| Health Information Technology for Economic and Clinical Health (HITECH) Act | |
| |
| |
| Federal Information Security Management Act of 2002 (FISMA) | |
| |
| |
| Summary | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| Learning from Information Security Incidents | |
| |
| |
| Recent Security Incidents | |
| |
| |
| Texas State Comptroller | |
| |
| |
| Sony PlayStation Network | |
| |
| |
| Student Loan Social Security Numbers Stolen | |
| |
| |
| Social Security Numbers Printed on Outside of Envelopes | |
| |
| |
| Valid E-Mail Addresses Exposed | |
| |
| |
| Office Copier Hard Disk Contained Confidential Information | |
| |
| |
| Advanced Persistent Threat Targets Security Token | |
| |
| |
| Who Will Be Next? | |
| |
| |
| Every Control Could Result in an Incident | |
| |
| |
| Suggested Reading | |
| |
| |
| |
| 17 Ways to Dismantle Information Security Governance Efforts | |
| |
| |
| Final Thoughts | |
| |
| |
| Suggested Reading | |
| |
| |
| Index | |