Stories
Slash Boxes
Comments
typodupeerror delete not in
  • Preferences

Comments: 56 +-   Stepping Through the InfoSec Program on Monday August 11 2008, @12:59PM

Posted by samzenpus on Monday August 11 2008, @12:59PM
from the read-all-about-it dept.
security
books
media
bookreview
Ben Rothke writes "For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read after The Pragmatic CSO: 12 Steps to Being a Security Master. While The Pragmatic CSO provides a first-rate overview of the higher-level steps to being a CSO and building an information security program, Stepping Through the InfoSec Program provides the low-level details and nitty-gritty elements on just how to do that." Keep reading for the rest of Ben's review.
Stepping Through the InfoSec Program
author J.L. Bayuk
pages 238
publisher ISACA
rating 9
reviewer Ben Rothke
ISBN 1604200308
summary The low-down on how to build an information security program
Author Jennifer Bayuk spent over a decade at a large brokerage firm building their information security program. Her experience in managing and designing security there is manifest in the book and it is clear throughout the book that she is writing a deep pool of from real-world experience.

The first part of the book contains 3 sections and in just under 150 densely packed pages, the book walks you through the process in which to build an effective information security program. The book details 6 steps in which to facilitate this, namely: strategy, policy, awareness, implementation, monitoring and remediation.

The book starts out and begins to develop the context for an information security program. It astutely notes that an information security program exists only in the context of an organizational management structure. Anyone building an information security program for its own sake, removed from the organizational management structure will quickly find themselves devoid of a budget, and often shortly after that, out of a job.

The books attention to detail and specific definitions are superb. In the opening section, it defines the objectives, prerequisites, typical tasks and performance measures for over 10 different jobs within information security. It then creates a segregation of duties matrix for these jobs. Such detailed information is invaluable to anyone attempting to build a security program.

The main part of the book is in section 2 which steps through what an information security program is, how it is created, how it operates and what resources are required to maintain it. The beauty of the book is that the author understands that information security is not a monolithic undertaking. Rather it must be developed and customized according to the specific needs and requirements of the particular organization. These differences are made clear in the chapter when it details 9 unique information security reporting hierarchies; and deciding on the appropriate reporting hierarchy is not a trivial undertaking.

The book writes that successful information security program development, by definition, must align with organization goals. This alignment can only be achieved if the CISO has an open, two-way communication path to each manager with information security responsibilities. While this is a necessary and realistic goal, far too few CISO's have such communications paths at their disposal, and even less have constituent ears that are receptive to such communications.

Section two provides an excellent overview of metrics and how they can be effectively used. In the last few years, metrics has been the rage in the security community. Individuals such as Pete Lindstrom and groups such as Security Metrics have been at the forefront of such efforts.

But the book notes that metrics for their own sake can also be taken too far. The book references a volume on metrics that has over 900 possible things to measure that would provide security metrics, including such silly metrics as "number of times, by fiscal year, that fines and jail sentences were imposed for altering, destroying, mutilating, concealing or falsifying financial records". Bayuk perceptively observes that any CISO who is measuring these types of concerns and analyzing them for feedback on how to improve their information security program should realistically look for a different job.

Section 3 concludes the main part of the book with a security program case study. The point of the case study is to show how an information security program evolves around changes in the organization it supports. The case study shows that all of the six steps on which the book is premised are indeed necessary.

The final 100 pages of the book detail various sample security policies, standards, procedures and guidelines. All of the policies, standards, procedures and guidelines are well-written and it would have been nice if these would have been available in electronic format.

The book notes that the information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. For those that want to make that transition, Stepping Through the InfoSec Program is a most valuable guide to get you there.

The book is written by an author who has significant amounts of real-world experience in a leading edge organization. That unique knowledge and experience is evident after reading the first few pages of the book. The book provides the reader with a comprehensive overview of how to build an effective information security organization.

One final note, don't judge a book by the cover. On the cover are three busy looking executives, all smiling and looking refreshed. The reality is that most people who have taken the time to build effective security programs often emerge from that battle exhausted and battle weary.

For anyone contemplation entering the information security field, or those in it already that need effective direction, Stepping Through the InfoSec Program should be on their required reading list.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Stepping Through the InfoSec Program from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
story

Related Stories

The Pragmatic CSO 100 comments
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Stepping Through the InfoSec Program 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • the problem with books on this topic (Score:3, Insightful)

    by pha7boy (1242512) on Monday August 11 2008, @01:24PM (#24558497)

    I think the danger with books on this topic is that by the time you get them to the publisher, and printed, and distributed, half the content is about to be out of date, and the other half will not be current after one year.

    I'm not knocking the book, but in tech matters, I rather keep up via web/new media. tech-philosophy books, now that I like and buy.

    • If it's in technical specifics, that could be true. But if the book covers more conceptual ways of handling security matters or security philosophy, it could be very useful for some time. Topics like how to stop social engineering or creating effective security policy never go out of style.

      I got a lot out of The Cuckoo's Egg and that was published forever ago.

    • Re:the problem with books on this topic (Score:5, Insightful)

      by Major Byte (669826) on Monday August 11 2008, @02:03PM (#24558953) Journal

      I think the danger with books on this topic is that by the time you get them ... half the content is about to be out of date, and the other half will not be current after one year.

      Sorry to knock your opinion man, but the fact is that building an information security program is really quite distinct from the technology. For example, the Certified Information Systems Auditor (CISA) examination requires a vast knowledge of organizational processes, legal requirements, and risk assessment, but really very little about Linux or Vista or OS de jour. A really talented CSO attempts to define a technology-independent computer security plan, and so it is a given that the technology changes very fast.

    • Well, if the book is about Windows XP, then yes. but core concepts of security, CIA triad, etc., they are timeless. Well, not timeless, but you know what I mean. First Ed. of 'Security Enginnering' by ross anderson is 8 years old. my guess is that at least 90% of it is still 100% relevent.

    • In case you missed it, recordings [slashdot.org] have been released from The Last HOPE [thelasthope.org] conference, including Myrcurial's InfoSec talk "From a Black Hat to a Black Suit - How to Climb the Corporate Security Ladder Without Losing Your Soul" [thelasthope.org] [direct link to large 64kbps MP3 file].

    • Re: (Score:3, Insightful)

      by Darkness404 (1287218)

      Business-side executives who think they can manage without understanding anything at all about the technical details are just as arrogant and dangerous to the bottom line as techies who think they don't need to understand anything about the business.

      Even though this is totally off topic, you are totally wrong. Business-side executives who think they can manage without understanding technology are more dangerous then a tech guy who doesn't understand a business.

      The executives usually are the ones setting easy passwords or demand insecurities, while the tech guy usually wants to make everything secure. A good tech guy needs to understand nothing about the business because he should be in *gasp* technology not running a business.

      • Re: (Score:3, Insightful)

        by profplump (309017)

        Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.

        • Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.

          Business executives think highly of people that understand them and can relate to them, big surprise there. Those that live "in between" certainly knows the value of a tech guy who delivers, and should relate that upwards when needed. Honestly, a business exec has no understanding of whether you're a SQL guru or thedailywtf material. You probably got very little idea if he's a PHB or a CEO in the making either. Very few achieve "fame" outside their own field, in business or elsewhere. The best you can usual

  • For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read

    Yah, really current, books on technology are never current. Even some magazines aren't current, let alone books. Seriously, anyone who wants to be current should subscribe to a mailing list, or at least use magazines which are usually only 1-2 months out of date rather than a book which at best are 3-4 months out of date.

  • What I want to know (Score:5, Interesting)

    by OriginalArlen (726444) on Monday August 11 2008, @01:48PM (#24558763)

    I work in the field. There's only one question I really care about - the rest is just a simple question of reading man pages and documentation and textbooks and writing policies and having meetings and reviewing designs and, and, and. You know. Stuff that you can do.

    What I want to know is, how can I make my senior management care?

    Seriously. Yes, I've tried all the known things. All I have to cling to now are customer requirements. Show them a pot of gold and, like Valerie Solanos' view of men and sex, they'd wade through a river of warm puke up to their nostrils to get to it, and if that means tossing some budget at security, they'll do it. (So, to answer my own question -- folks who are involved in assessing suppliers - for heaven's sake, ask them about their security, and I mean really ask - don't believe the marketing bullshit, look for independent reviews and certifications. Hell, even an ISO 27001 cert is better than nothing (and that has very little to do with real, on-the-metal infosec.)

    • >>>>What I want to know is, how can I make my senior management care?

      Absolutely zero you can do.

      either they get it and take action on it, or else they are clueless.

      don't try to have them get security, if they don't get it, they won't.

    • >>What I want to know is, how can I make my senior management care?

      I take back my comment.

      run a pen test and they will get it.

      a good pen test team has at least a 95% success rate.
      A really good pen test team has a 99% success rate.

      Hack em and then scare them and then you got them!

      • Nah, we do them all the time. It doesn't help.

        • who do you use for your pen testing?

          some firms have bettter reports that get more receptiomn from the execs

          • We've used several firms. Execs would never read the reports, no matter how much teh shiny and drool-proof the paper is. (Well OK, the IT management get it, all the way up to the level of "our" exec VP, who's tried many times to get the Board to give a fuck, without success.) But it's the Board, who sign off on budget, who we need to get through to.
    • >What I want to know is, how can I make my senior management care? You can't. That doesn't mean you have no recourse. First, realize that you are not asking a security question. Your question is about your organization, its goals, values, and mission. It is a question about resources and priorities, and there isn't a single employee, department, or division -- that isn't always asking the same kind of question (albeit, likely in a different form). Information Security is all about the business, commun

      • Management has no need to care about IT security -- that is the CIO's job

        We don't have a CIO, any more than we have an IT Director or other exec post where you'd expect security to naturally sit.

        If I'm the CEO of a commodity organization, I probably wouldn't care either.

        We're not a "commodity organisation", we're an IT services / outsourcing firm with turnover in the $100m range. We handle lots of sensitive data from our large number of well-known business customers. We even tout security in our marketing. Yes, it makes me alternately angry and sick and incredibly anxious. Yes, I'm wondering whether it'll soon be time to bail out.

    • If you really believe that striving towards the ISO27001 certification is not real InfoSec, then you're in the wrong line of business.

      Information Security is not about technology.

      • ISO (or any other cert) is not orthogonal to really good security practices. It's rather like industry certs - be it MCSE, CCIE or CISSP. It's possible for drooling halfwits to get the letters after their name (OK, less so with CCIE, I grant you.) The cert tells you that the person in front of you at the interview has the basic minimum level of competence required to get them. I'm sure we all know people with letters who were clueless fuckwits, just as there are people with no letters with more knowledge ex

  • have created this monster with the presence of too much information, in the way of X degrees of seperation? Why do VP's copy 10 different people on an email? Then those 10 people copy another 10 other people on the response. Why do they even use email, esp unencrypted when communicating overseas?

    Perhaps high level executives should have closed meetings, not use email. Plus email could be compartmentalized so that certain levels of employees could communicate to their bosses and amongst themselves, but n

  • Step one: Admit you are powerless over security--that your systems have become unmanageable.

  • Not an Objective Review (Score:3, Informative)

    by Anonymous Coward on Monday August 11 2008, @06:13PM (#24561631)

    I'm always skeptical about the people who somehow have the time to read and publish all of these online reviews - many of the are raves for books that nobody has heard of before.

    So I Googled Bayuk (author) and Rothke (reviewer) and came up with a presentation they've done together:

    www.bayuk.com/publications/BayukSOX.pdf

    So, I guess this is nothing more than Ben trying to get us to buy his friend's book.

Search
Those who can't write, write manuals.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.