Foreword
Acknowledgments
Introduction
About the Author

Getting Information Security Right: Top to Bottom
  Information Security Governance
  Tone at the Top
  Tone at the Bottom
  Governance, Risk, and Compliance (GRC)
  The Compliance Dilemma
  Suggested Reading

Developing Information Security Strategy
  Evolution of Information Security
  Organization Historical Perspective
  Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt
  Understand the External Environment
  Regulatory
  Competition
  Emerging Threats
  Technology Cost Changes
  External Independent Research
  The Internal Company Culture
  Risk Appetite
  Speed
  Collaborative versus Authoritative
  Trust Level
  Growth Seeker or Cost Cutter
  Company Size
  Outsourcing Posture
  Prior Security Incidents, Audits
  Security Strategy Development Techniques
  Mind Mapping
  SWOT Analysis
  Balanced Scorecard
  Face-to-Face Interviews
  Security Planning
  Strategic
  Tactical
  Operational/Project Plans
  Suggested Reading

Defining the Security Management Organization
  History of the Security Leadership Role Is Relevant
  The New Security Officer Mandate
  Day 1: Hey, I Got the Job!
  Security Leader Titles
  Techie versus Leader
  The Security Leader's Library
  Security Leadership Defined
  Security Leader Soft Skills
  Seven Competencies for Effective Security Leadership
  Security Functions
  Learning from Leading Organizations
  Assess Risk and Determine Needs
  Implement Policies and Controls
  Promote Awareness
  Monitor and Evaluate
  Central Management
  What Functions Should the Security Officer Be Responsible For?
  Assessing Risk and Determining Needs Functions
  Risk Assessment/Analysis
  Systems Security Plan Development
  External Penetration Testing
  Implement Policies and Control Functions
  Security Policy Development
  Security Architecture
  Security Control Assessment
  Identity and Access Management
  Business Continuity and Disaster Recovery
  Promote Awareness Functions
  End User Security Awareness Training
  Intranet Site and Policy Publication
  Targeted Awareness
  Monitor and Evaluate Functions
  Security Baseline Configuration Review
  Logging and Monitoring
  Vulnerability Assessment
  Internet Monitoring/Management of Managed Services
  Incident Response
  Forensic Investigations
  Central Management Functions
  Reporting Model
  Business Relationships
  Reporting to the CEO
  Reporting to the Information Systems Department
  Reporting to Corporate Security
  Reporting to the Administrative Services Department
  Reporting to the Insurance and Risk Management Department
  Reporting to the Internal Audit Department
  Reporting to the Legal Department
  Determining the Best Fit
  Suggested Reading

Interacting with the C-Suite
  Communication between the CEO, CIO, Other Executives, and CISO
  13 "Lucky" Questions to Ask One Another
  The CEO, Ultimate Decision Maker
  The CEO Needs to Know Why
  The CIO, Where Technology Meets the Business
  CIO's Commitment to Security Is Important
  The Security Officer, Protecting the Business
  The CEO, CIO, and CISO Are Business Partners
  Building Grassroots Support through an Information Security Council
  Establishing the Security Council
  Oversight of Security Program
  Decide on Project Initiatives
  Prioritize Information Security Efforts
  Review and Recommend Security Policies
  Champion Organizational Security Efforts
  Recommend Areas Requiring Investment
  Appropriate Security Council Representation
  "-Inging" the Council: Forming, Storming, Norming, and Performing
  Forming
  Storming
  Norming
  Performing
  Integration with Other Committees
  Establish Early, Incremental Success
  Let Go of Perfectionism
  Sustaining the Security Council
  End User Awareness
  Security Council Commitment
  Suggested Reading

Managing Risk to an Acceptable Level
  Risk in Our Daily Lives
  Accepting Organizational Risk
  Just Another Set of Risks
  Management Owns the Risk Decision
  Qualitative versus Quantitative Risk Analysis
  Risk Management Process
  Risk Analysis Involvement
  Step 1: Categorize the System
  Step 2: Identify Potential Dangers (Threats)
  Human Threats
  Environmental/Physical Threats
  Technical Threats
  Step 3: Identify Vulnerabilities That Could Be Exploited
  Step 4: Identify Existing Controls
  Step 5: Determine Exploitation Likelihood Given Existing Controls
  Step 6: Determine Impact Severity
  Step 7: Determine Risk Level
  Step 8: Determine Additional Controls
  Risk Mitigation Options
  Risk Assumption
  Risk Avoidance
  Risk Limitation
  Risk Planning
  Risk Research
  Risk Transference
  Conclusion
  Suggested Reading

Creating Effective Information Security Policies
  Why Information Security Policies Are Important
  Avoiding Shelfware
  Electronic Policy Distribution
  Canned Security Policies
  Policies, Standards, Guidelines Definitions
  Policies Are Written at a High Level
  Policies
  Security Policy Best Practices
  Types of Security Policies
  Standards
  Procedures
  Baselines
  Guidelines
  Combination of Policies, Standards, Baselines, Procedures, and Guidelines
  Policy Analogy
  An Approach for Developing Information Security Policies
  Utilizing the Security Council for Policies
  The Policy Review Process
  Information Security Policy Process
  Suggested Reading

Security Compliance Using Control Frameworks
  Security Control Frameworks Defined
  Security Control Frameworks and Standards Examples
  Health Insurance Portability and Accountability Act (HIPAA)
  Federal Information Security Management Act of 2002 (FISMA)
  National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53)
  Federal Information System Controls Audit Manual (FISCAM)
  ISO/IEC 27001:2005 Information Security Management Systems - Requirements
  ISO/IEC 27002:2005 Information Technology - Security Techniques - Code of Practice for Information Security Management
  Control Objectives for Information and Related Technology (COBIT)
  Payment Card Industry Data Security Standard (PCI DSS)
  Information Technology Infrastructure Library (ITIL)
  Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides
  Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
  The World Operates on Standards
  Standards Are Dynamic
  The How Is Typically Left Up to Us
  Key Question: Why Does the Standard Exist?
  Compliance Is Not Security, But It Is a Good Start
  Integration of Standards and Control Frameworks
  Auditing Compliance
  Adoption Rate of Various Standards
  ISO 27001/2 Certification
  NIST Certification
  Control Framework Convergence
  The 11-Factor Compliance Assurance Manifesto
  The Standards/Framework Value Proposition
  Suggested Reading

Managerial Controls: Practical Security Considerations
  Security Control Convergence
  Security Control Methodology
  Security Assessment and Authorization Controls
  Planning Controls
  Risk Assessment Controls
  System and Services Acquisition Controls
  Program Management Controls
  Suggested Reading

Technical Controls: Practical Security Considerations
  Access Control Controls
  Audit and Accountability Controls
  Identification and Authentication
  System and Communications Protections
  Suggested Reading

Operational Controls: Practical Security Considerations
  Awareness and Training Controls
  Configuration Management Controls
  Contingency Planning Controls
  Incident Response Controls
  Maintenance Controls
  Media Protection Controls
  Physical and Environmental Protection Controls
  Personnel Security Controls
  System and Information Integrity Controls
  Suggested Reading

The Auditors Have Arrived, Now What?
  Anatomy of an Audit
  Audit Planning Phase
  Preparation of Document Request List
  Gather Audit Artifacts
  Provide Information to Auditors
  On-Site Arrival Phase
  Internet Access
  Reserve Conference Rooms
  Physical Access
  Conference Phones
  Schedule Entrance, Exit, Status Meetings
  Set Up Interviews
  Audit Execution Phase
  Additional Audit Meetings
  Establish Auditor Communication Protocol
  Establish Internal Company Protocol
  Media Handling
  Audit Coordinator Quality Review
  The Interview Itself
  Entrance, Exit, and Status Conferences
  Entrance Meeting
  Exit Meeting
  Status Meetings
  Report Issuance and Finding Remediation Phase
  Suggested Reading

Effective Security Communications
  Why a Chapter Dedicated to Security Communications?
  End User Security Awareness Training
  Awareness Definition
  Delivering the Message
  Step 1: Security Awareness Needs Assessment
  New or Changed Policies
  Past Security Incidents
  Systems Security Plans
  Audit Findings and Recommendations
  Event Analysis
  Industry Trends
  Management Concerns
  Organizational Changes
  Step 2: Program Design
  Target Audience
  Frequency of Sessions
  Number of Users
  Method of Delivery
  Resources Required
  Step 3: Develop Scope
  Determine Participants Needing Training
  Business Units
  Select Theme
  Step 4: Content Development
  Step 5: Communication and Logistics Plan
  Step 6: Awareness Delivery
  Step 7: Evaluation/Feedback Loops
  Security Awareness Training Does Not Have to Be Boring
  Targeted Security Training
  Continuous Security Reminders
  Utilize Multiple Security Awareness Vehicles
  Security Officer Communication Skills
  Talking versus Listening
  Roadblocks to Effective Listening
  Generating a Clear Message
  Influencing and Negotiating Skills
  Written Communication Skills
  Presentation Skills
  Applying Personality Type to Security Communications
  The Four Myers-Briggs Type Indicator (MBTI) Preference Scales
  Extraversion versus Introversion Scale
  Sensing versus Intuition Scale
  Thinking versus Feeling Scale
  Judging versus Perceiving Scale
  Determining Individual MBTI Personality
  Summing Up the MBTI for Security
  Suggested Reading

The Law and Information Security
  Civil Law versus Criminal Law
  Electronic Communications Privacy Act of 1986 (ECPA)
  The Computer Security Act of 1987
  The Privacy Act of 1974
  Sarbanes-Oxley Act of 2002 (SOX)
  Gramm-Leach-Bliley Act (GLBA)
  Health Insurance Portability and Accountability Act of 1996
  Health Information Technology for Economic and Clinical Health (HITECH) Act
  Federal Information Security Management Act of 2002 (FISMA)
  Summary
  Suggested Reading

Learning from Information Security Incidents
  Recent Security Incidents
  Texas State Comptroller
  Sony PlayStation Network
  Student Loan Social Security Numbers Stolen
  Social Security Numbers Printed on Outside of Envelopes
  Valid E-Mail Addresses Exposed
  Office Copier Hard Disk Contained Confidential Information
  Advanced Persistent Threat Targets Security Token
  Who Will Be Next?
  Every Control Could Result in an Incident
  Suggested Reading

17 Ways to Dismantle Information Security Governance Efforts
  Final Thoughts
  Suggested Reading

Index