Strategic Information Security

The new emphasis on physical security resulting from the terrorist threat has forced many information security professionals to struggle to maintain their organization's focus on protecting information assets. In order to command attention, they need to emphasize the broader role of information security in the strategy of their companies. Until now, however, most books about strategy and planning have focused on the production side of the business, rather than operations. Strategic Information Security integrates the importance of sound security policy with the strategic goals of an organization. It provides IT professionals and management with insight into the issues surrounding the goals of protecting valuable information assets. This text reiterates that an effective information security program relies on more than policies or hardware and software, instead it hinges on having a mindset that security is a core part of the business and not just an afterthought. Armed with the content contained in this book, security specialists can redirect the discussion of security towards the terms and concepts that management understands. This increases the likelihood of obtaining the funding and managerial support that is needed to build and maintain airtight security programs.

Table of Contents:
Introduction to Strategic Information Security What Does It Mean to Be Strategic? Information Security Defined The Security Professional's View of Information Security The Business View of Information Security Changes Affecting Business and Risk Management Strategic Security Strategic Security or Security Strategy? Monitoring and Measurement Moving Forward ORGANIZATIONAL ISSUES The Life Cycles of Security Managers Introduction The Information Security Manager's Responsibilities The Evolution of Data Security to Information Security The Repository Concept Changing Job Requirements Business Life Cycles and the Evolution of an Information Security Program The Introductory Phase The Early Growth Phase The Rapid Growth Phase The Maturity Phase Skill Changes over Time Conclusion Chief Security Officer or Chief Information Security Officer Introduction Organizational Issues Justifying the Importance and Role of Security in Business Risk Management Issues Affecting Organizational Models Chief Information Security Officer (CISO) Role Defined The Chief Security Officer (CSO) Role Defined Organizational Models and Issues Organization Structure and Reporting Models Choosing the Right Organization Model RISK MANAGEMENT TOPICS Information Security and Risk Management Introduction The Information Technology View of Threats, Vulnerabilities, and Risks Business View of Threats, Vulnerabilities, and Risks The Economists' Approach to Understanding Risk Total Risk Technology Risk Information Risk Information Risk Formula Protection Mechanisms and Risk Reduction Matching Protection Mechanisms to Risks The Risk Protection Matrix Conclusion Establishing Information Ownership Establishing Information Ownership Centralized Information Security Local Administrators vs. Information Owners Transferring Ownership Operations Orientation of Information Ownership Information Ownership in Larger Organizations Information as an Asset Decentralized vs. Centralized Information Security Controls Ownership and Information Flow Information Ownership Hierarchy Functional Owners of Information Income Statement Information Owners Information Value Statement of Condition Information Owners Conclusion The Network as the Enterprise Database Introduction A Historical View of Data and Data Management Management Information Systems (MIS) Executive Information Systems (EIS) The Evolving Network The Network as the Database Conclusion Risk Reduction Strategies Introduction Information Technology Risks Evaluating the Alternatives Improving Security from the Bottom Up: Moving Toward a New Way of Enforcing Security Policy Encouraging Personal Accountability for Corporate Information Security Policy Background The Problem The Role of the Chief Information Security Officer (CISO) in Improving Security Centralized Management vs. Decentralized Management Security Policy and Enforcement Alternatives Policy Compliance and the Human Resources Department Personal Accountability Conclusion Authentication Models and Strategies Introduction to Authentication Authentication Defined Authentication Choices Public Key Infrastructure Administration and Authentication: Management Issues Identity Theft Risks and Threats Associated with Authentication Schemes Other Strategic Issues Regarding Authentication Systems Conclusion INFORMATION SECURITY PRINCIPLES AND PRACTICES Single Sign-On Security Overview The Authentication Dilemma The Many Definitions of Single Sign-On Risks Associated with Single Sign-On Single Sign-On Alternative: A More In-Depth Review User Provisioning Authentication and Single Sign-On Crisis Management: A Strategic Viewpoint Introduction Crisis Defined Benefits from a Formal Crisis Management Process Escalation and Notification Organizational Issues and Structures for Dealing with Crisis Management Strategies for Managing through a Crisis Creating a Formalized Response for Crisis Management Conclusion Business Continuity Planning Introduction Types of Outages and Disasters Outages Planning for a Disaster Roles and Responsibilities Plan Alternatives and Decision Criteria Risk Mitigation vs. Risk Elimination Preparation: Writing the Plan Testing and Auditing the Plan Issues for Executive Management Conclusion Security Monitoring: Advanced Security Management Introduction. Monitoring vs. Auditing Activity Monitoring and Audit Trails How Security Information Management Systems Work Other Security Information Monitoring Sources Privacy and Security Monitoring Reactions to Security Monitoring Information Problems with Security Monitoring Senior Management Issues and Security Monitoring Auditing and Testing a Strategic Control Process Introduction: The Role of Auditing and Testing Auditing and Security Management Security Audits Information Protection Audit Logs and Audit Trails Security Testing and Analysis Application Controls and Strategic Security Goals Reporting of Security Problems and the Role of the Auditor Auditing, Testing, and Strategic Security Outsourcing Security: Strategic Management Issues Information Security Operations and Security Management Management Issues Regarding the Outsourcing Decision Outsourced Security Alternatives Return on Investment (ROI) with Outsourced Services Contract Issues for Security Outsourcing Integration of Outsourcing with Internal Operational Functions Risks Associated with Outsourcing Security Functions Business Continuity Planning and Security Outsourcing Strategic Management Issues with Outsourced Security Final Thoughts on Strategic Security Executive Management and Security Management The Future of Information Security and the Challenges Ahead Appendix Helpful Internet Resources