
Information Security A Practical Guide: Bridging the gap between IT and management

Copyright Date: 2015
Published by: IT Governance Publishing
Pages: 116
    Book Description:

    How do you engage with your peers when they think you're there to stop them working?

    Corporate information security is often hindered by a lack of adequate communication between the security team and the rest of the organisation. Information security affects the whole company and is a responsibility shared by all staff, so failing to obtain wider acceptance can endanger the security of the entire organisation. Many consider information security a block, not a benefit, however, and view security professionals with suspicion if not outright hostility. As a security professional, how can you get broader buy-in from your colleagues?

    Information Security: A Practical Guide addresses that issue by providing an overview of basic information security practices that will enable your security team to better engage with their peers to address the threats facing the organisation as a whole.

    Product overview

    Covering everything from your first day at work as an information security professional to developing and implementing enterprise-wide information security processes, Information Security: A Practical Guide explains the basics of information security, and how to explain them to management and others so that security risks can be appropriately addressed.

    Topics covered include:

    • How to understand the security culture of the organisation
    • Getting to know the organisation and building relationships with key personnel
    • How to identify gaps in the organisation's security set-up
    • The impact of compromise on the organisation
    • Identifying, categorising and prioritising risks
    • The five levels of risk appetite and how to apply risk treatments via security controls
    • Understanding the threats facing your organisation and how to communicate them
    • How to raise security awareness and engage with specific peer groups
    • System mapping and documentation (including control boundaries and where risks exist)
    • The importance of conducting regular penetration testing and what to do with the results
    • Information security policies and processes
    • A standards-based approach to information security

    If you're starting a new job as an information security professional, Information Security: A Practical Guide contains all you need to know.

    About the author

    Tom Mooney has over 10 years' IT experience working with sensitive information. He is currently HM Land Registry's information security risk advisor, working with project teams and the wider business to deliver key business systems securely; his key responsibility is to act as an intermediary between management and IT teams to ensure appropriate security controls are put in place. His extensive experience has led him to develop many skills and techniques for conversing with people who are not technical or information security experts. Many of these are found in this book.

    He has a BSc (Hons) in information and computer security, and is also a CESG certified professional.

    eISBN: 978-1-84928-741-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
    (pp. 5-5)
    (pp. 6-6)
  4. Table of Contents
    (pp. 7-9)
    (pp. 10-11)

    When I started my career in information security many years ago the thing that struck me most was the lack of engagement with people who weren’t of the information security profession. IT in other departments would shy away from speaking to me as they feared security would stick its nose in and either stop their work or make things more difficult. The business viewed it as a dark art and, as long as their security guy said it was okay, that was fine. Most people regarded security as a blocker rather than an enabler. I resolved to change that;...

    (pp. 12-30)

    This chapter gives you guidance on bedding yourself into your new role in security. It will help you to get your bearings and explains some of the early tasks you need to carry out to understand your role much better.

    The chapter first reinforces the confidentiality, integrity and availability (CIA) mantra, explaining its meaning and how to use it in your role. I then describe the people you should look to meet as soon as possible so that you know what is going on within the organisation and who you will need as allies. The chapter then explores how you...

    (pp. 31-40)

    One of the key issues when joining an organisation is understanding the value of the data the organisation has. As you speak to different members of the business, they will insist that nothing is more important than their data. This is of course not true in all cases, and the real challenge is to prioritise the importance of all the information so you know where you need to focus your efforts and time.

    The best way to understand the value of data is to assess the impact on the business should that data be compromised. Impact on the business comes...

    (pp. 41-46)

    The business’ risk appetite is perhaps the most important thing to know when working to secure a system. When I began my career in security I understood how to secure a system; I had a wealth of knowledge, tools and techniques for protecting different systems. What I did not understand at that stage, however, was how to know which controls to implement and how secure each system should be. What I did not understand was the risk appetite, which is (as defined by ISO 31000) how much risk the business is willing to accept in trying to achieve its goals. Of...

    (pp. 47-55)

    This chapter discusses the potential threats to your organisation, and describes the threats as people with motivations and their capabilities. When conversing with the business it is difficult to describe the threats and risks to a system using technical language. I was giving a presentation on the importance of website security to a business when I was asked, “Why would anyone ever want to attack our system?” I realised at that moment that although they understood the concept of website security I had failed to convince them of the need for it. By using the following technique of creating threat...

    (pp. 56-62)

    There are many risk assessment processes, but many are long and overly complicated. More and more organisations are moving to a more agile working environment, developing systems iteratively, changing functionality to meet the users’ requirements. This sort of working can make it very difficult to follow a complex risk management process. Traditionally these processes have been written favouring a waterfall development methodology.

    In the modern digital age organisations need to be flexible to take advantage of opportunities as they present themselves. Depending on the organisation’s culture and risk appetite the decision on whether to proceed with a new service may...

    (pp. 63-70)

    Rationale: Lots of books discuss how to get management buy-in. In the context of this book you already have management buy-in because they’re either reading this book or you’ve been employed by management and they’re paying your wages. Often it is other IT professionals who need to be won over. They often see security as a barrier and look to go around that barrier rather than engage properly with security. Any good security professional must have buy-in from their peers, as without it you cannot implement effective security controls.

    Content: This chapter discusses how to get buy-in from your peers...

    (pp. 71-86)

    Rationale: Systems have many technical designs that IT teams use to develop and maintain the system. However, these systems are very hard to understand for members of staff who are not technical, typically management. This can be a real barrier for management, especially when they need to make a key decision based on risk.

    Content: To help management understand the system you can re-document the system into a kind of entity relationship diagram. This diagram will be a high-level view of staff, networks, systems and so on, and each entity will be connected with an arrow showing the flow of...

    (pp. 87-89)

    Ask why a system needs to be secure and the answer will almost always be the data that resides on that system. Add in the fact that most services consist of more than one system and we can assume that our data could reside in multiple places and we may have more than one dataset with a different level of value. So if it’s the data we are trying to protect and it may be in more than one place then it makes sense that we need to map where it is. This chapter uses a similar technique to the...
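    The system map of the previous chapter and the data map described here share one mechanic: record the entities (staff, systems, networks), the flows between them and which dataset each flow carries, then read off where data of a given value resides and where a flow crosses a control boundary. As an added example, not code from the book or from the author, here is a small Python model of that mechanic. It assumes a three-level impact scale (low, medium, high) and a per-entity "protection" level, both constructed for the example, and every entity and dataset name is invented. It emits Graphviz DOT for the management-facing diagram and lists the flows and data placements that need a risk decision.

```python
"""Added example (not from the book): a minimal system/data map that records
which entity sends or receives each dataset, then flags boundary crossings and
data resting on an under-protected entity. All names/levels are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal impact scale assumed for this example; the book's scale may differ.
IMPACT = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Entity:
    name: str
    kind: str        # "staff", "system" or "network"
    zone: str        # control boundary the entity sits inside
    protection: str  # highest impact level the entity is trusted to hold

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dataset: str

@dataclass
class SystemMap:
    entities: Dict[str, Entity] = field(default_factory=dict)
    datasets: Dict[str, str] = field(default_factory=dict)  # dataset -> impact
    flows: List[Flow] = field(default_factory=list)

    def add_entity(self, name: str, kind: str, zone: str, protection: str) -> None:
        self.entities[name] = Entity(name, kind, zone, protection)

    def add_dataset(self, name: str, impact: str) -> None:
        self.datasets[name] = impact

    def add_flow(self, src: str, dst: str, dataset: str) -> None:
        # An undocumented entity or dataset is exactly the gap the map should
        # expose, so refuse to draw a flow to anything that is not on it.
        for n in (src, dst):
            if n not in self.entities:
                raise KeyError(f"unknown entity {n!r}")
        if dataset not in self.datasets:
            raise KeyError(f"unknown dataset {dataset!r}")
        self.flows.append(Flow(src, dst, dataset))

    def where_is(self, dataset: str) -> List[str]:
        """Every entity that sends or receives the dataset, so may hold a copy."""
        return sorted({n for f in self.flows if f.dataset == dataset
                       for n in (f.src, f.dst)})

    def boundary_crossings(self) -> List[Flow]:
        """Flows whose two endpoints sit in different control zones."""
        return [f for f in self.flows
                if self.entities[f.src].zone != self.entities[f.dst].zone]

    def under_protected(self) -> List[Tuple[str, str]]:
        """(entity, dataset) pairs where the data's impact exceeds the protection."""
        found = set()
        for f in self.flows:
            need = IMPACT[self.datasets[f.dataset]]
            for n in (f.src, f.dst):
                if IMPACT[self.entities[n].protection] < need:
                    found.add((n, f.dataset))
        return sorted(found)

    def to_dot(self) -> str:
        """Graphviz DOT: one cluster per zone, edges labelled with the dataset,
        boundary crossings drawn in red so they stand out to management."""
        crossing = set(self.boundary_crossings())
        lines = ["digraph system_map {", "  rankdir=LR;"]
        for z in sorted({e.zone for e in self.entities.values()}):
            lines.append(f'  subgraph "cluster_{z}" {{ label="{z}";')
            for e in sorted(self.entities.values(), key=lambda x: x.name):
                if e.zone == z:
                    lines.append(f'    "{e.name}" [label="{e.name}\\n({e.kind}, {e.protection})"];')
            lines.append("  }")
        for f in self.flows:
            colour = " color=red" if f in crossing else ""
            lines.append(f'  "{f.src}" -> "{f.dst}" [label="{f.dataset}"{colour}];')
        lines.append("}")
        return "\n".join(lines)

def build_example() -> SystemMap:
    """Constructed example service; every name here is invented."""
    m = SystemMap()
    m.add_entity("public_web", "system", "dmz", "medium")
    m.add_entity("app_server", "system", "internal", "high")
    m.add_entity("db", "system", "internal", "high")
    m.add_entity("reporting", "system", "office", "low")
    m.add_entity("analyst", "staff", "office", "medium")
    m.add_dataset("customer_records", "high")
    m.add_dataset("monthly_stats", "low")
    m.add_flow("public_web", "app_server", "customer_records")
    m.add_flow("app_server", "db", "customer_records")
    m.add_flow("db", "reporting", "customer_records")
    m.add_flow("reporting", "analyst", "monthly_stats")
    return m
```

    Printing `build_example().to_dot()` and piping it through `dot -Tpng` gives one box per control zone with red arrows where customer records leave a zone; `where_is("customer_records")` answers the chapter's question of where the data actually resides, and `under_protected()` is the "where risks exist" annotation, here the high-impact records sitting on the DMZ web tier and the low-protection reporting box.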

    (pp. 90-102)

    Poor penetration testing frustrates me, and I have come across a few organisations that fail to get the basics right. Good penetration testing offers a high degree of assurance that the systems you have implemented have been implemented securely, but you only get this assurance if your testing is thorough. This chapter starts by explaining the difference between white-box and black-box testing. Both have their pros and cons, so it’s important to know what these are so that you can select the right sort of testing. I also explain the sorts of tests you can do, which...

    (pp. 103-111)

    This chapter introduces the topic of security policies, explaining their importance and giving you a baseline from which to build a strong foundation. If you are looking to attain ISO 27001 certification then you will need to produce security policies to form your information security management system (ISMS). This chapter is not intended to advise you on how to achieve this level of maturity, but to give you an appreciation of why these policies exist and how they can be used to achieve your organisation’s goals and objectives.

    It is important that security policies are created in line with the organisation’s culture; they...

    (pp. 112-116)