This groundbreaking book helps you master the management of information security, concentrating on the recognition and resolution of the practical issues of developing and implementing IT security for the enterprise. Drawing upon the authors' wealth of valuable experience in high-risk commercial environments, the work focuses on the need to align the information security process as a whole with the requirements of the modern enterprise, which involves empowering business managers to manage information security-related risk. Throughout, the book places emphasis on the use of simple, pragmatic risk management as a tool for decision-making. The first book to cover the strategic issues of IT security, it helps you to: understand the difference between more theoretical treatments of information security and operational reality; learn how information security risk can be measured and subsequently managed; define and execute an information security strategy; design and implement a security architecture; and ensure that limited resources are used optimally. Illustrated by practical examples, this topical volume reveals the current problem areas in IT security deployment and management. Moreover, it offers guidelines for writing scalable and flexible procedures for developing an IT security strategy and monitoring its implementation. You discover an approach for reducing complexity and risk, and find tips for building a successful team and managing communications issues within the organization. This essential resource provides practical insight into contradictions in the current approach to securing enterprise-wide IT infrastructures, recognizes the need to continually challenge dated concepts, demonstrates the necessity of using appropriate risk management techniques, and evaluates whether or not a given risk is acceptable in pursuit of future business opportunities.
Contents

The Need for a New Approach - Introduction. The Reality of the Modern Enterprise. Evolution of Organizational Structures. Technical Considerations. Common Weaknesses of Traditional Approaches. The Human Element. A New Process Model. Summary.

Management Tools - The Team: Knowledge, Skill Sets and Experience. Strategy and Planning. Policy and Standards. Processes and Procedures. Methodologies. User Awareness. Risk Analysis and Risk Management. Insurance.

Technical Tools - Overview and Classification. Native Operating System Security Subsystem. Access Control Managers. Security Scanners. Privilege Managers. Log Management Tools. Intrusion Detection Systems. Cryptographic Tools and Protocols. Public Key Infrastructure. Tools for Managing Malicious Code. Web and Mail Filters. Authorization Servers and Remote Access Servers. Tamper-Resistant Equipment and Smart Cards. Firewalls.

A Pro-Active Approach - Overview. Starting Out: Winning Credibility. Managing Change: Short, Medium and Long-Term Goals. The Principles. Manage Risk, Don't Implement Technology. Rapid Turnaround. Balance of Long-Term and Short-Term Gains. Placing Responsibility Where It Belongs: Ownership and Residual Risk. The Need to Take More Risk. Use of Risk Management and Residual Risk. Structured Approach With Checkpoints. Engineering Process. Buy-In of Stakeholders. Strategy, Planning, Execution, Monitoring. An Overview of the Approach. Summary.

Developing a Strategy - Personal Strategy. Getting the Buy-In: Buying Credibility. When to Write a Strategy: Time to Learn. Preparing for the Strategy. Challenge Everything. Guidelines for Effective Strategies. Examples. Checking the Result. Publishing and Marketing. Benefits. Summary.

Policy and Standards - The Importance of the Information Security Policy. Mandatory and Optional Requirements. The Need for Standards. Designing a Documentation Set. If It Won't Be Read, Don't Write It. Security Baselines. Certifications and Accreditations. Summary.

Developing Stable Processes - Why Processes Fail to Be Stable. The Target: Control, Scalability, and Flexibility. Risk, Requirements and Reality. Risk Acceptance as a Tool. Examples. Monitoring and Improvement. Publishing. Compliance With Standards, for Example ISO 9000.

Designing and Implementing an IT Security Architecture - Why Deploy a Security Architecture. Planning the Exercise. Modeling the IT Infrastructure. Performing an Architectural Risk Analysis. Deriving Security Services and Procedures. Mapping Security Services to Components. Selecting Components. Implementation and Rollout. Maintenance.

Putting It All Together - Risk Management as a Driver. Managing Communications: Business, Technical, Audit. Managing Expectations. Planning and Execution. Monitoring and Feedback. Using Risk Indicators. Developing Teams and Skill Sets. Keeping Up-to-Date.

Appendix A - Fast Risk Analysis.

Appendix B - A Sample Documentation Set.
About the Author: Steve Purser
Steve Purser is the manager of ICSD Security Support & Administration for Clearstream Services, where he is responsible for all aspects of IT security. Formerly, he was head of IT security for Banque Generale du Luxembourg and an expert consultant in the areas of IT and Networking to the European Commission. He holds a Ph.D. in chemical physics from the University of East Anglia.