A practical guide to managing information security / Steve Purser.

Format:

Book

Author/Creator:

Purser, Steve.

Series:

Artech House technology management and professional development library

Language:

English

Subjects (All):

Computer security--Management.

Computer security.

Physical Description:

xvii, 259 pages : illustrations ; 26 cm.

Place of Publication:

Norwood, MA : Artech House, [2004]

Summary:

With an emphasis on the use of simple, pragmatic risk management as a tool for decision-making, this groundbreaking guide helps professionals master the management of information security, concentrating on the proactive development and implementation of IT security for the enterprise.

Contents:

1 The need for a proactive approach 1

1.2 The reality of the modern enterprise 3

1.3 Evolution of organizational structures 4

1.4 Evolution of technical infrastructure 5

1.5 Limitations of policy-driven decision making 7

1.6 Education and awareness 9

1.6.1 Management awareness 9

1.6.2 The technology trap 10

1.6.3 Awareness of end users 10

1.7 Operational issues 11

1.7.1 Complexity 11

1.7.2 Scalability 13

1.8 New challenges 14

1.8.1 Trust 14

1.8.2 Privacy 16

1.9 Introducing The (not so) Secure Bank 17

2 Management techniques 23

2.1 Knowledge and experience 23

2.2 Information relating to security incidents and vulnerabilities 25

2.3 Risk analysis and risk management 27

2.4 Strategy and planning 30

2.5 Policy and standards 32

2.6 Processes and procedures 34

2.7 Methodologies and frameworks 36

2.8 Awareness and training 38

2.9 Audits 40

2.10 Contracts 41

2.11 Outsourcing 42

3 Technical tools 47

3.2 Classification of security tools 48

3.3 Host-oriented tools 49

3.3.1 Security layers 49

3.3.2 The native operating system security subsystem 50

3.3.3 Authentication and authorization 51

3.3.4 System integrity 52

3.3.5 System access control 56

3.3.6 System security monitoring 58

3.3.7 Data confidentiality and integrity 60

3.4 Network-oriented tools 62

3.4.1 Network authentication and authorization 62

3.4.2 Network integrity 65

3.4.3 Network access control 68

3.4.4 Network security monitoring 71

3.4.5 Data confidentiality and integrity 72

3.5 Supporting infrastructure 74

3.5.1 PKI 74

3.5.2 Smart cards and cryptographic modules 76

3.5.3 Authentication devices 79

4 A proactive approach: Overview 85

4.2 The consolidation period and strategic-planning cycles 86

4.3 Deciding on a personal strategy 87

4.4 The consolidation period 89

4.4.1 Planning 89

4.4.2 Establishing contact with stakeholders 90

4.4.3 Identifying major issues 91

4.4.4 Classifying issues 92

4.4.5 Implementing short-term solutions 95

4.4.6 Identifying quick wins 98

4.4.7 Implementing initial management-control mechanisms 99

4.5 The strategic-planning cycle 100

4.5.2 Definition of a strategy 101

4.5.3 Production of a strategic plan 102

4.5.4 Execution of the strategic plan 102

4.5.5 Monitoring for further improvement 104

4.6 The core deliverables 105

5 The information-security strategy 109

5.1 The need for a strategy 109

5.2 Planning 110

5.3 Analysis of the current situation 111

5.4 Identification of business strategy requirements 114

5.5 Identification of legal and regulatory requirements 117

5.6 Identification of requirements due to external trends 119

5.7 Definition of the target situation 122

5.8 Definition and prioritization of strategic initiatives 123

5.9 Distribution of the draft strategy 126

5.10 Agreement and publication of final strategy 127

6 Policy and standards 131

6.1 Some introductory remarks on documentation 131

6.2 Designing the documentation set 132

6.3 Policy 135

6.3.1 The purpose of policy statements 135

6.3.2 Identifying required policy statements 136

6.3.3 Design and implementation 137

6.3.4 The Secure Bank

Policy statements 139

6.4 Establishing a control framework 140

6.5 Standards 143

6.5.1 Types of standards 143

6.5.2 External standards 144

6.5.3 Internal standards 147

6.5.4 Agreement and distribution of standards 148

6.6 Guidelines and working papers 150

7 Process design and implementation 155

7.1 Requirements for stable processes 155

7.2 Why processes fail to deliver 156

7.2.1 Productivity issues 156

7.2.2 Adaptability issues 157

7.2.3 Acceptance issues 158

7.3 Process improvement 159

7.3.1 Methods for process improvement 159

7.3.2 Improving productivity 161

7.3.3 Improving adaptability 165

7.3.4 Improving acceptance 166

7.4 The Secure Bank: Improving the authorization and access-control procedure 168

7.4.1 Planning 168

7.4.2 The current process 168

7.4.3 Identifying the target situation 171

7.4.4 Planning incremental improvements 172

7.4.5 Implementing improvements 174

7.5 Continuous improvement 176

8 Building an IT security architecture 181

8.1 Evolution of enterprise IT infrastructure 181

8.2 Problems associated with system-focused approaches 182

8.3 A three-phased approach 184

8.4 The design phase 185

8.4.1 Planning 185

8.4.2 Agreeing on basic design principles 186

8.4.3 Modeling the IT infrastructure 187

8.4.4 Risk analysis 192

8.4.5 Identifying logical components 194

8.4.6 Obtaining signoff of the concept 198

8.5 The implementation phase 198

8.5.1 Planning considerations 198

8.5.2 Production of a phased implementation plan 200

8.5.3 Preparing proposals 202

8.5.4 Selection of commercial packages 203

8.5.5 Testing and integration 205

8.5.6 SLAs and support contracts 206

8.5.7 Technical training 208

8.6 Administration and maintenance phase 208

8.6.1 Routine administration and maintenance 209

8.6.2 Managing vulnerabilities 209

8.6.3 Managing incidents 210

8.6.4 Managing risk using risk indicators 212

9 Creating a security-minded culture 215

9.2 Techniques for introducing cultural change 217

9.3 Internal marketing and sales 219

9.4 Support and feedback 221

9.5 Security-awareness training 222

9.5.1 The security-awareness program 222

9.5.2 Planning considerations 223

9.5.3 Defining the objectives 224

9.5.4 Identifying the audience 224

9.5.5 Identifying the message 227

9.5.6 Developing the material 228

9.5.7 Defining tracking and follow-up procedures 231

9.5.8 Delivering the pilot phase 231

9.6 Security skills training 232

9.6.2 The information-security team 233

9.6.3 Other staff 236

9.7 Involvement initiatives 237

Appendix Fast risk analysis 241.

Notes:

Includes bibliographical references and index.

ISBN:

1580537022

OCLC:

54046152