Building a Practical Information Security Program
eBook - ePub

Jason Andress, Mark Leary

  1. 202 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android
Book information

Building a Practical Information Security Program provides readers with a strategic view on how to build an information security program that aligns with business objectives. The information provided enables both executive management and IT managers not only to validate existing security programs, but also to build new business-driven security programs. In addition, the subject matter supports aspiring security engineers in forging a career path to successfully managing a security program, thereby adding value and reducing risk to the business. Readers learn how to translate technical challenges into business requirements, understand when to "go big or go home," explore in-depth defense strategies, and review tactics on when to absorb risks. This book explains how to properly plan and implement an infosec program based on business strategy and results.

  • Provides a roadmap on how to build a security program that will protect companies from intrusion
  • Shows how to focus the security program on its essential mission and move past FUD (fear, uncertainty, and doubt) to provide business value
  • Teaches how to build consensus with an effective business-focused program

Frequently asked questions

Is Building a Practical Information Security Program available online as a PDF/ePUB?
Yes, Building a Practical Information Security Program by Jason Andress and Mark Leary is available in PDF or ePUB format, listed under Business and Information Management.

Information

Publisher
Syngress
Year
2016
ISBN
9780128020883
Chapter 1

Develop an Information Security Strategy

Abstract

Information security strategy and planning are critical to setting the foundation of an effective information security program. This chapter discusses the discipline and rigor of information security strategy and planning, as well as the importance of tying information security strategy to business strategy and of engaging stakeholders.

Keywords

Information security plan; Information security road map; Operational planning; Stakeholder engagement for information security; Strategic information security planning; Strategic planning; Tactical planning
Information in this chapter:
▪ Information security strategic planning principles
▪ Information security organizational vision and mission statements
▪ Setting the context through describing the information security environment
▪ Delivering the Information Security Strategic Plan
▪ Stakeholder engagement in information security strategic planning
Strategy is the plan for achieving an organization's business, mission, and objectives. In today's dynamic and rapidly shifting technological environment, strategic planning has been deemphasized and is often criticized as no longer relevant. At the current pace of technology adoption, strategic planning has become an annual exercise rather than a disciplined formulation of near- to long-term action plans along a defined three- to five-year planning horizon.
Perhaps such long-range planning is no longer practical for companies that depend heavily on technology or are exposed to rapid changes in their market, but strategic planning remains an essential part of defining clear objectives for the organization. Irrespective of the planning horizon, strategic planning defines clear business objectives, the goals needed to reach those objectives, the strengths and weaknesses that act as tailwinds or headwinds, the key actions necessary to capitalize on those strengths or close critical gaps, and the roles and responsibilities of those empowered to execute the actions that achieve the plan.

Information Security Strategic Planning Principles

Business strategy is generally created at the upper levels of an organization, depending on the size and market focus of the company. Companies with a singular market focus and defined set of products or services may have a very narrowly focused strategic plan. Large corporations that participate in multiple markets with numerous products or services may have several business segment strategic plans that then roll up to a high-level corporate strategic plan. In either case, the degree of detail, specificity, and format is largely subjective. Some organizations have detailed documents that are very descriptive and lengthy; others may simply use a set of five or six presentation slides.
Creating an information security strategy and strategic plan is no different from the planning process for the business. A clear and concise information security strategic plan allows business leadership, information security executives, information security managers, and their staff to understand the organization's vision, mission, objectives, and plan, and their own role in fulfilling it. This provides the foundation for the direction and desired end state from the top down. An additional benefit is that the strategic plan produces the annual organizational goals that are then flowed down to individual employees, providing traceability in performance goal planning at both the organizational and individual levels. Performance planning and metrics are covered in Chapter 10.

Develop the Organizational Vision and Mission Statements

A vision statement declares the objectives of the organization. Often an internal statement, a clear and concise vision communicates the organizational goals to management and staff. The vision statement should paint the picture of what leadership believes is the ideal state or value that it delivers to the business. Vision statements define what the leadership wants the business to become, in terms of market focus, growth, values, or contributions to society.
The vision statement for an information security organization should lay out its goals at a high level and should support or enable the business leadership's vision statement. A vision statement can also reflect the organizational culture. For example, if innovation is a goal of the overall business, the information security vision should in some way support that goal. If there is no higher-level business vision statement, information security leadership should still attempt to relate the information security organization's vision statement back to the overall business's objectives and goals. An example of an information security organization's vision statement follows.
Information security will provide world-class, innovative, value-added solutions and services to our company; create a work environment where our employees are proud to work, and make a positive impact on our community.
Vision statements and mission statements are very different. Mission statements define the organization's purpose; they explain why information security exists as an organization or function. Like vision statements, mission statements should be short, clear, and powerful. An example mission statement follows.
Through cost effective and innovative solutions, our mission is to educate and empower our employees to make informed risk-based decisions, work securely and safely, and reduce the technology risks associated with our business.
Ensure that the vision and mission statements are short, concise, clear, focused, and even inspiring. Long, complex vision and mission statements tend to include "everything and the kitchen sink," which may not be reasonable or even attainable. They should roll off the tongue naturally and be easy to memorize for both managers and staff, all of whom are ambassadors of the information security organization back to the business. Lastly, vision and mission statements should be reevaluated as the business changes; an information security strategy quickly becomes stale and irrelevant if it does not reflect changes in business strategy.

Describe the Information Security Environment

To formulate the strategy and plan, information security leadership needs to understand the environment surrounding the business, with a focus on its mission and goals. The information security strategy and strategic plan are based on the higher-order, strategic influences that give the function its purpose of protecting the business. Businesses build their understanding of the environment, and formulate strategies based on that understanding, using several techniques, methods, or tools:
▪ Strengths-weaknesses-opportunities-threats or SWOT analysis
▪ Threat-opportunities-weaknesses-strengths or TOWS analysis
▪ Political-economic-social-technological or PEST analysis
▪ Porter’s five forces
▪ Critical success factors
Originated by Albert Humphrey at the Stanford Research Institute in the 1960s, SWOT analysis is a well-known strategic planning method. A SWOT analysis can also be used to understand the security environment or posture through the lens of internal strengths and weaknesses and external opportunities and threats. An information-security-aligned SWOT analysis supports the business strategy by addressing the information security factors, issues, and challenges unique to the business, and therefore complements the overall business strategy.
▪ Strengths—the most effective information security factors of the business
▪ Weaknesses—challenges, shortfalls, or gaps in the information security program
▪ Opportunities—factors that can help the company improve its information security
▪ Threats—man-made or natural factors that may exploit company information security weaknesses
An example application of a SWOT analysis follows. The management of an imaginary professional services firm that advises companies on financial services needs to start its information security program. The firm has 100 consultants and associates who either work from home or travel to customer locations to perform these services nationwide. The company's employees rely heavily on three core IT services, office productivity, collaboration, and human resources applications, all offered as cloud-hosted Software as a Service. The company uses a Bring Your Own Device approach to end-user computing. The new information security leader is developing a company strategy using a SWOT analysis. After the security leader's analysis, a SWOT-based list of current information security factors is developed, as in Fig. 1.1.
Figure 1.1 Basic SWOT analysis quadrant.
For Strengths, the information security leader lists the most effective information security characteristics, for example, experienced security leadership, strong security practices at the cloud providers, and, since the financial community is highly regulated with respect to information security, a very compliance-focused culture. These strengths would be capitalized upon in the strategy development. In evaluating information security Weaknesses, the security leader noted that employees were buying a wide variety of laptops and cell phones without any guidance on minimum features, such as security software (e.g., antivirus). There were also no formal policies on handling company information on personal devices, and no security awareness program informing employees of any policies or restrictions. Lastly, the contractual relationship between the cloud provider and the company has a weakness regarding when, and to whom, security incidents are reported. These factors should be improved.
Opportunities identified by the security leader in our example are factors, generally external but sometimes internal, that can help the company improve its security. In our example, these may be commercially available security training and awareness products, a subscription to the cloud provider's additional data protection security services, and specially discounted endpoint protection software for the various device platforms. Threats are those factors that may exploit the company's information security weaknesses, whether from a man-made or a natural environmental source. For instance, as a financial services firm, there are regulatory requirements for protecting customer financial data. Likewise, such companies are often targeted by the most motivated and sophisticated threat actors, unusual organized cyber cr...

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. About the Authors
  6. Chapter 0. Why We Need Security Programs
  7. Chapter 1. Develop an Information Security Strategy
  8. Chapter 2. Integrate Security Into the Organization
  9. Chapter 3. Establish a Security Organization
  10. Chapter 4. Why Information Security Policies?
  11. Chapter 5. Manage the Risks
  12. Chapter 6. Protect the Data
  13. Chapter 7. Manage the Security of Third Parties and Vendors
  14. Chapter 8. Conduct Security Awareness and Training
  15. Chapter 9. Security Compliance Management and Auditing
  16. Chapter 10. Information Security Program Metrics
  17. Index
Citation styles for Building a Practical Information Security Program

APA 6 Citation

Andress, J., & Leary, M. (2016). Building a Practical Information Security Program ([edition unavailable]). Elsevier Science. Retrieved from https://www.perlego.com/book/1809358/building-a-practical-information-security-program-pdf (Original work published 2016)

Chicago Citation

Andress, Jason, and Mark Leary. (2016) 2016. Building a Practical Information Security Program. [Edition unavailable]. Elsevier Science. https://www.perlego.com/book/1809358/building-a-practical-information-security-program-pdf.

Harvard Citation

Andress, J. and Leary, M. (2016) Building a Practical Information Security Program. [edition unavailable]. Elsevier Science. Available at: https://www.perlego.com/book/1809358/building-a-practical-information-security-program-pdf (Accessed: 15 October 2022).

MLA 7 Citation

Andress, Jason, and Mark Leary. Building a Practical Information Security Program. [edition unavailable]. Elsevier Science, 2016. Web. 15 Oct. 2022.