Organizations have come to rely on IT infrastructures not just as an aid to business but, for some, as the core of their business. Safe, secure, and reliable computing and telecommunications are essential to these organizations. As organizations come to understand the importance of information security, they are developing security programs, often under the direction of the CIO.
An information security program includes more than people and technology. It involves policies, procedures, audits, monitoring, and an investment of time and money. This book is meant to give organizations a broad overview of the security program: what it should be, who it should include, what it entails, and how it should fit into the overall organization.
This book is for the security professional who must answer to management for the security of the organization. In today's economy, many organizations cannot hire a person and dedicate that person to security; often the job falls to an IT professional with no specific security training. This book provides a road map for such individuals.
The book is divided into four main parts plus a set of appendices:
Part I: Guiding Principles in Plan Development
Part I provides guidance on the fundamental issues in security planning: the role of information security, the laws and regulations that apply, and the identification of risk.
• Chapter 1: The Role of the Information Security Program. This chapter discusses the overall importance of the information security program, where it fits into the organization, and who should establish its charter, mission, responsibilities, and authority. It also covers the relationship of the information security manager (and the department) to the rest of the organization, because a program cannot be built in a vacuum or on poor relationships across the organization.
• Chapter 2: Laws and Regulations. Many industries are subject to federal or state regulations, and some of these affect the security program. The security department must therefore understand the regulatory requirements; in some cases the existence of the information security program is mandated outright by law or regulation.
• Chapter 3: Assessments. This chapter focuses on how organizations identify the state of their information security efforts. It covers the various types of assessments and when each should and should not be used.
Part II: Plan Implementation
Part II covers the basics of risk management and mitigation. Once risk has been identified, mitigation steps must be taken. The exact plan will vary for each organization, but this part provides the fundamentals.
• Chapter 4: Establishing Policies and Procedures. This chapter explains the importance of policies and procedures and describes those that the organization needs to create. Its primary focus is the order in which they should be created and how to get the organization to buy into what is created.
• Chapter 5: Implementing the Security Plan. Policies are fine documents, but if they are not implemented they do no good. This chapter gives general guidelines for putting policies into practice.
• Chapter 6: Deploying New Projects and Technologies. No organization can afford to develop everything internally, and security is no exception. Since products will be purchased and new projects developed internally, this chapter covers how to manage the risk to the organization throughout the development process.
• Chapter 7: Security Training and Awareness. This chapter covers the programs and classes needed to make the organization aware of security issues. Security awareness is one of the most cost-effective components of an information security program. In a recent speech, Richard Clarke, the President's cyber-security advisor, noted that employee awareness is critical to an organization's security program, and that he and the federal government would be stressing this topic to industry in the coming months.
• Chapter 8: Monitoring Security. The security program is in place; how do you know it is working? The only way to know is to monitor it. This chapter describes the most useful monitoring methods.
Part III: Plan Administration
Security programs are no different from any other program within an organization. Once they are set up and working properly, they must be managed and administered properly. This part covers those tasks.
• Chapter 9: Budgeting for Security. Almost every organization has a budget process, and the security department must go through it along with every other department. It is therefore important for the security department to do it well.
• Chapter 10: The Security Staff. Not every security program has a staff, but many do. Choosing the right individuals for the staff and the right mix of skills can make or break the program. This chapter talks about the mix of the team and how to find good
• Chapter 11: Reporting. Finally, there is reporting. Without some type of reporting there is no way for the organization to gauge the effectiveness of the security department. There is rarely a demonstrable ROI for security (though this is changing), so other metrics must be used to measure the department's performance.
Part IV: How to Respond to Incidents
All of the planning, risk identification, risk mitigation, and administration tasks help an organization manage risk, but no one can ever remove risk completely. This part of the book discusses how to deal with incidents and disasters when they occur.
• Chapter 12: Incident Response. Bad things happen. The security program works diligently to prevent them, but they happen anyway, and when they do the security department must be ready to take the lead in the response.
• Chapter 13: Developing Contingency Plans. Disasters of all shapes and sizes strike businesses. Because organizations have become so dependent on their IT infrastructures, it is essential that they develop an IT Disaster Recovery Plan (DRP) and keep it up to date. The plan provides the policies, procedures, roles, and responsibilities for preparing for, responding to, and recovering from a variety of disasters. This chapter explains the key steps in developing an IT DRP.
• Chapter 14: Responding to Disasters. How an organization responds to a disaster is just as important as how it plans for one. Often the response deviates from the plan because of unforeseen circumstances. This chapter discusses the proper response during a serious disaster.
Part V: Appendices
Part V provides three sections that complement the purpose of the book. They are intended to help the reader answer particular questions about security and implement a strong program.
• Appendix A: Handling Audits. Audits are a fact of life; every organization goes through them, whether internal or external. The security team must be part of these audits and of the organization's response to them.
• Appendix B: Outsourcing Security. The outsourcing of security has recently become a lively topic, and many new security firms sell some type of service. Outsourcing may affect the security of the organization, or it may be a cost-effective way to fulfill the responsibilities of the security department.
• Appendix C: Managing New Security Projects. This appendix continues Chapter 6, dealing specifically with building new security projects, as opposed to building security into new business projects.