Book Image

Information Security Handbook

By : Darren Death
Book Image

Information Security Handbook

By: Darren Death

Overview of this book

Having an information security mechanism is one of the most crucial factors for any organization. Important assets of organization demand a proper risk management and threat model for security, and so information security concepts are gaining a lot of traction. This book starts with the concept of information security and shows you why it’s important. It then moves on to modules such as threat modeling, risk management, and mitigation. It also covers the concepts of incident response systems, information rights management, and more. Moving on, it guides you to build your own information security framework as the best fit for your organization. Toward the end, you’ll discover some best practices that can be implemented to make your security framework strong. By the end of this book, you will be well-versed with all the factors involved in information security, which will help you build a security framework that is a perfect fit your organization’s requirements.

Related Content you might be interested in

Current Title:

Small book image
Information Security Handbook
Darren Death
Dec, 2017 | 330 pages
Small book image
Mastering Information Security Compliance Management
Adarsh Nair | Greeshma M R
Aug, 2023 | 236 pages
Small book image
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Shobhit Mehta
Sep, 2023 | 316 pages
Small book image
Cybersecurity Leadership Demystified
Erdal Ozkaya
Jan, 2022 | 274 pages
Table of Contents (19 chapters)
Title Page
Title Page
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Information and Data Security Fundamentals
Information and Data Security Fundamentals
Information security challenges
Evolution of cybercrime
The modern role of information security
Organizational information security assessment
Risk management
Information security standards
Policies
Training
Summary
2
Defining the Threat Landscape
Defining the Threat Landscape
What is important to your organization and who wants it?
Hackers and hacking
Closing information system vulnerabilities
Vulnerability management
Summary
3
Preparing for Information and Data Security
Preparing for Information and Data Security
Establishing an information security program
Information security policies
Recommended operational policies
Summary
4
Information Security Risk Management
Information Security Risk Management
What is risk?
Who owns organizational risk?
Where is your valuable data?
Performing a quick risk assessment
Risk management is an organization-wide activity
Security control selection
Security control implementation
Assessing implemented security controls
Authorizing information systems to operate
Monitoring information system security controls
Calculating risk
Summary
5
Developing Your Information and Data Security Plan
Developing Your Information and Data Security Plan
Determine your information security program objectives
Elements for a successful information security program
Helping to guarantee success
Key information security program plan elements
Defining enforcement authority
Pulling it all together
Summary
6
Continuous Testing and Monitoring
Continuous Testing and Monitoring
Types of technical testing
SDLC considerations for testing
Continuous monitoring
Vulnerability assessment
Penetration testing
Difference between vulnerability assessment and penetration testing
Examples of successful attacks in the news
Summary
7
Business Continuity/Disaster Recovery Planning
Business Continuity/Disaster Recovery Planning
Scope of BCDR plan
Designing the BCDR plan
Requirements and context gathering – business impact assessment
Define technical disasters recovery mechanisms
Develop your plan
Test the BCDR plan
Summary
8
Incident Response Planning
Incident Response Planning
Do I need an incident response plan?
Components of an incident response plan
Preparing the incident response plan
Identification – detection and analysis
Identification – incident response tools
Remediation – containment/recovery/mitigation
Remediation - incident response tools
Post incident activity
Summary
9
Developing a Security Operations Center
Developing a Security Operations Center
Responsibilities of the SOC
Management of security operations center tools
Security operation center toolset design
Security operations center roles
Processes and procedures
Security operations center tools
Summary
10
Developing an Information Security Architecture Program
Developing an Information Security Architecture Program
Information security architecture and SDLC/SELC
Conducting an initial information security analysis
Developing a security architecture advisement program
Summary
11
Cloud Security Consideration
Cloud Security Consideration
Cloud computing characteristics
Cloud computing service models
Cloud computing deployment models
Cloud computing management models
Cloud computing special consideration
Summary
12
Information and Data Security Best Practices
Information and Data Security Best Practices
Information security best practices
Application security
Network security
Summary

Organizational information security assessment

We must remember that information security is meant to compliment the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on), but the business/mission owner is ultimately the individual who makes such decisions.

It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.

There are two main ways to conduct an assessment of your organization's IT and business process as they relate to information security:

  • Internal assessment: An internal assessment can be viewed in two ways:
    • An initial assessment could be used to provide the context for the inclusion of a third-party assessment. This would be an appropriate course of action if your information security program lacked the skills to conduct a thorough information security assessment, or your organization prefers third-party assessments over internal assessments.
    • If your organization does not require a third-party assessment, and if you have the resources and skills to complete an information security assessment, the internal information security program can conduct its own assessment.
  • Third-party assessment: The third-party assessment can be viewed in two ways:
    • A third-party assessment provides an objective view and can often be used to arbitrate between the information security group and IT operations. The third party brings in an unbiased observer to develop the organization's assessment, alleviating internal infighting.
    • While this has benefits over an initial assessment, this is usually the only mechanism for an assessment that is tied to compliance.

Note

Recommendation In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.

The following is an abbreviated example to begin the process of performing an internal assessment:

  1. Conduct an initial internal assessment:
    1. As an information security leader you need to understand the organization you work in:
      1. Meet with business and IT leaders:
        1. Depending on the business function of your organization, acquire all past audit (PCI, HIPPA, and so on) reports, to determine what was found, addressed, not addressed, and so on.
      2. Meet with subject matter experts.
      3. Document areas for improvement and places where you can celebrate current successes.
      4. Brief leadership on your findings.
    2. Based on your findings recommend to leadership that a third party be brought in to dig deeper:
      1. No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis to test your security program. This includes:
        1. Information security program reviews.
        2. Red team penetration test capability.
  2. Conduct a third-party assessment:
    1. Work with IT leadership and subject matter experts to discuss the purpose of the assessment:
      1. Make sure that the assessment is non-punitive:
        1. Ensure that everyone understands that you are conducting an assessment to build a plan and roadmap. The purpose is not to fire individuals or to point out mistakes.
    2. Ensure that the third-party assessment has management buy-in and support:
      1. Without top-level support (Board, CEO), it might be easy for individuals to ignore your assessors.
    3. Ensure that the third party has access to the internal resources required:
      1. Make sure that there is a clear plan and that this plan is communicated to everyone that will be involved in the assessment.
    4. Conduct the assessment and produce the findings.
    5. A plan of action and milestones should then be developed with each business owner, to allow those owners to build their strategies of risk management, risk acceptance, or risk transfer.
Previous Section
End of Section 5
Next Section