Information Security A Practical Guide: Bridging the Gap between IT and Management

Book Description

Information Security A Practical Guide - Bridging the gap between IT and management

“One of the most impressive… This book is well worth an hour of your time, whether as a refresher, or if you are finding yourself facing more work on the info-security side. Recommended.” Mark Rowe, Editor at Professional Security Magazine

Corporate information security is often hindered by a lack of adequate communication between the security team and the rest of the organization. Information security affects the whole company and is a responsibility shared by all staff, so failing to obtain wider acceptance can endanger the security of the entire organization. Many consider information security a block, not a benefit, however, and view security professionals with suspicion if not outright hostility. As a security professional, how can you get broader buy-in from your colleagues? Information Security: A Practical Guide addresses that issue by providing an overview of basic information security practices that will enable your security team to better engage with their peers to address the threats facing the organization as a whole.

Product overview

Covering everything from your first day at work as an information security professional to developing and implementing enterprise-wide information security processes, Information Security: A Practical Guide explains the basics of information security, and how to explain them to management and others so that security risks can be appropriately addressed.

Topics covered include:

  1. How to understand the security culture of the organization
  2. Getting to know the organization and building relationships with key personnel
  3. How to identify gaps in the organization’s security set-up
  4. The impact of compromise on the organization
  5. Identifying, categorising and prioritising risks
  6. The five levels of risk appetite and how to apply risk treatments via security controls
  7. Understanding the threats facing your organization and how to communicate them
  8. How to raise security awareness and engage with specific peer groups
  9. System mapping and documentation (including control boundaries and where risks exist)
  10. The importance of conducting regular penetration testing and what to do with the results
  11. Information security policies and processes
  12. A standards-based approach to information security

If you’re starting a new job as an information security professional, Information Security: A Practical Guide contains all you need to know.

About the author

Tom Mooney has over ten years’ IT experience working with sensitive information. His current role is as a security risk advisor for the UK Government, where he works with project teams and the wider organisation to deliver key business systems securely. His key responsibility is to act as an intermediary between management and IT teams to ensure appropriate security controls are put in place. His extensive experience has led him to develop many skills and techniques to converse with people who are not technical or information security experts. Many of these skills and techniques are found in this book. He has a BSc (Hons) in information and computer security, and is also a CESG certified professional.

Table of Contents

  1. Cover
  2. Title
  3. Copyright
  4. Contents
  5. Chapter 1: Day One as a Security Professional
    1. Chapter Overview
    2. Objectives
    3. Your First Day
    4. Confidentiality, Integrity and Availability (CIA)
    5. Getting to Know the Business
    6. Key IT Personnel
    7. What is the Security Culture?
    8. Identifying the Gaps in Security
  6. Chapter 2: Business Impact of Breaches
    1. Chapter Overview
    2. Objectives
    3. How to Assess the Impact
    4. Data Types
    5. Impacts
    6. Reputational Damage
    7. Personal Impact
    8. Contractual Impact
    9. Financial Impact
    10. Legal Impacts
  7. Chapter 3: Business Risk Appetite
    1. Chapter Overview
    2. Objectives
    3. Risk Appetite
    4. Risk Treatments
  8. Chapter 4: Threats
    1. Chapter Overview
    2. Objectives
    3. Types of Threats
    4. Hackers
    5. Malware Writers
    6. Script Kiddies
    7. Journalists
    8. Criminals
    9. Physical Intruder
    10. Researchers
    11. Hacktivists
    12. Disgruntled Employees
  9. Chapter 5: Quick and Dirty Risk Assessment
    1. Chapter Overview
    2. Objectives
    3. Identifying Risks
    4. Defining the Risk Level
    5. Risk Table
    6. Realigning the Risk Level
  10. Chapter 6: Getting Buy-in From Your Peers
    1. Chapter Overview
    2. Objectives
    3. Points of Contact with your Peers
    4. How to Engage with your Peers
  11. Chapter 7: Documenting the System For Everyone
    1. Chapter Overview
    2. Objectives
    3. Setting the Scene
    4. Entities
    5. Service Overview
    6. Adding Boundaries
    7. Showing Information Flow
    8. Adding the Threats
  12. Chapter 8: Mapping Data in the System
    1. Chapter Overview
    2. Objectives
    3. Mapping Data
  13. Chapter 9: Penetration Testing
    1. Chapter Overview
    2. Objectives
    3. Types of Penetration Test
    4. Scoping the test
    5. Trusting the Testers
    6. Implementing Fixes
  14. Chapter 10: Information Security Policy
    1. Chapter Overview
    2. Objectives
    3. The Advantages of Security Policies
    4. Giving Your Policies Teeth
    5. Key Security Policies
    6. Ways of Ensuring Your Policy is Read
  15. ITG Resources