Managing Information Security: Studies from real life

Book Description

A comprehensive guide to managing an information security incident

Even when organisations take precautions, they may still be at risk of a data breach. Information security incidents do not just affect small businesses: major companies and government departments suffer from them as well. Completely up to date with ISO/IEC 27001:2013, Managing Information Security Breaches sets out a strategic framework for handling this kind of emergency.

The book provides a general discussion and education about information security breaches, how they can be treated and what ISO 27001 can offer in that regard, spiced with a number of real-life stories of information security incidents and breaches. These case studies enable an in-depth analysis of the situations companies face in real life, and contain valuable lessons that your organisation can learn from when putting appropriate measures in place to prevent a breach.

Understand what your top information security priorities should be

The author explains what your top priorities should be the moment you realise a breach has occurred, making this book essential reading for IT security managers, chief security officers, chief information officers and chief executive officers. It will also be of use to personnel in non-IT roles, in an effort to make this unwieldy subject more comprehensible to those who, in a worst-case scenario, will be on the receiving end of requests for six- or seven-figure excess budgets to cope with severe incidents.

About the author

Michael Krausz studied physics, computer science and law at the Vienna University of Technology, Vienna University and Webster University. Over the last 20 years he has become an accomplished professional investigator, IT expert and ISO 27001 auditor, investigating over a hundred cases of information security breaches. He has delivered over 5,000 hours of professional and academic training, and has provided consulting or investigation services in 21 countries.

Buy this book today and better understand how to manage information security breaches in your organisation.

Table of Contents

  1. Cover
  2. Title
  3. Copyright
  4. Foreword
  5. Preface
  6. About the Author
  7. Acknowledgements
  8. Contents
  9. Introduction
  10. Part 1 – General
    1. Chapter 1: Why Risk does Not Depend on Company Size
      1. Risk effect
      2. Propagation of damage (downstream effects)
      3. Culture
      4. Information security staff
      5. Cash reserves / cash at hand
      6. Ability to improvise / make quick decisions
      7. Preparedness
      8. Contacts with authority
    2. Chapter 2: Getting your Risk Profile Right
      1. Intuitive risk analysis
      2. Formal risk analysis
      3. Residual risks
    3. Chapter 3: What is a Breach?
      1. Confidentiality breach
      2. Availability breach
      3. Integrity breach
    4. Chapter 4: General Avoidance and Mitigation Strategies
      1. Introduction – general aspects, avoidance and related ISO27001 controls
      2. People
      3. Processes
      4. Technology
      5. Strategies and tactics for treating breaches
      6. Dimensions of treatment / mitigation of information security breaches
  11. Part 2 – Case studies
    1. Chapter 5: Notes from the Field
      1. Privacy
      2. Cost
      3. The practicalities of surveillance
      4. The truth vs. company policy
    2. Chapter 6: Motives and Reasons
      1. Greed
      2. Despair
      3. Revenge
      4. Business advantage
    3. Chapter 7: Case Studies from Small Companies
      1. Foreword to the case studies
      2. The stolen backup
      3. Eavesdropping on faxes
      4. A stolen laptop
    4. Chapter 8: Case Studies from Medium-sized Companies
      1. A case of intrigue – the missing contract
      2. The sales manager who changed jobs
      3. The project manager who became a friend, and then an enemy
      4. The lost customers – how a sales manager cost a company 10% of revenue
      5. The flood – how not to learn about risk management
    5. Chapter 9: Case Studies from Large Corporations
      1. Who wants my data? – a case of data theft
      2. Who wants my data? – a more complicated case
      3. Hard disk for sale – beware of your contractors
      4. Unauthorised domain links – it is easy to harm a company’s reputation
      5. The trusted guard who was not
      6. Insider badmouthing
      7. The software vulnerability that was not – a case of blackmail
  12. Part 3 – A Sample Treatment Process
    1. Chapter 10: A Sample Treatment Process
      1. Step 1 Gather information
      2. Step 2 Determine extent and damage
      3. Step 3 Establish and conduct investigation
      4. Step 4 Determine mitigation
      5. Step 5 Implement mitigation
      6. Step 6 Follow up on investigation results
      7. Step 7 Determine degree of resolution achieved
  13. Abbreviations and Acronyms
  14. ITG Resources