Stepping Through the InfoSec Program 56
Ben Rothke writes "For those who want to stay current in information security,
Stepping Through the InfoSec Program is a
great book to read after
The
Pragmatic CSO: 12 Steps to Being a Security
Master. While
The Pragmatic CSO provides a first-rate
overview of the higher-level steps to being a CSO and building an information
security program, Stepping Through the InfoSec
Program provides the low-level details and nitty-gritty
elements on just how to do that." Keep reading for the rest of Ben's review.
Author Jennifer Bayuk spent over a decade at a large brokerage
firm building their information security program.
Her experience in managing and designing security there is
manifest in the book and it is clear throughout the book that she is writing a
deep pool of from real-world experience.
Stepping Through the InfoSec Program | |
author | J.L. Bayuk |
pages | 238 |
publisher | ISACA |
rating | 9 |
reviewer | Ben Rothke |
ISBN | 1604200308 |
summary | The low-down on how to build an information security program |
The first part of the book contains 3 sections and in just under 150 densely packed pages, the book walks you through the process in which to build an effective information security program. The book details 6 steps in which to facilitate this, namely: strategy, policy, awareness, implementation, monitoring and remediation.
The book starts out and begins to develop the context for an information security program. It astutely notes that an information security program exists only in the context of an organizational management structure. Anyone building an information security program for its own sake, removed from the organizational management structure will quickly find themselves devoid of a budget, and often shortly after that, out of a job.
The books attention to detail and specific definitions are superb. In the opening section, it defines the objectives, prerequisites, typical tasks and performance measures for over 10 different jobs within information security. It then creates a segregation of duties matrix for these jobs. Such detailed information is invaluable to anyone attempting to build a security program.
The main part of the book is in section 2 which steps through what an information security program is, how it is created, how it operates and what resources are required to maintain it. The beauty of the book is that the author understands that information security is not a monolithic undertaking. Rather it must be developed and customized according to the specific needs and requirements of the particular organization. These differences are made clear in the chapter when it details 9 unique information security reporting hierarchies; and deciding on the appropriate reporting hierarchy is not a trivial undertaking.
The book writes that successful information security program development, by definition, must align with organization goals. This alignment can only be achieved if the CISO has an open, two-way communication path to each manager with information security responsibilities. While this is a necessary and realistic goal, far too few CISO's have such communications paths at their disposal, and even less have constituent ears that are receptive to such communications.
Section two provides an excellent overview of metrics and how they can be effectively used. In the last few years, metrics has been the rage in the security community. Individuals such as Pete Lindstrom and groups such as Security Metrics have been at the forefront of such efforts.
But the book notes that metrics for their own sake can also be taken too far. The book references a volume on metrics that has over 900 possible things to measure that would provide security metrics, including such silly metrics as "number of times, by fiscal year, that fines and jail sentences were imposed for altering, destroying, mutilating, concealing or falsifying financial records". Bayuk perceptively observes that any CISO who is measuring these types of concerns and analyzing them for feedback on how to improve their information security program should realistically look for a different job.
Section 3 concludes the main part of the book with a security program case study. The point of the case study is to show how an information security program evolves around changes in the organization it supports. The case study shows that all of the six steps on which the book is premised are indeed necessary.
The final 100 pages of the book detail various sample security policies, standards, procedures and guidelines. All of the policies, standards, procedures and guidelines are well-written and it would have been nice if these would have been available in electronic format.
The book notes that the information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. For those that want to make that transition, Stepping Through the InfoSec Program is a most valuable guide to get you there.
The book is written by an author who has significant amounts of real-world experience in a leading edge organization. That unique knowledge and experience is evident after reading the first few pages of the book. The book provides the reader with a comprehensive overview of how to build an effective information security organization.
One final note, don't judge a book by the cover. On the cover are three busy looking executives, all smiling and looking refreshed. The reality is that most people who have taken the time to build effective security programs often emerge from that battle exhausted and battle weary.
For anyone contemplation entering the information security field, or those in it already that need effective direction, Stepping Through the InfoSec Program should be on their required reading list.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Stepping Through the InfoSec Program from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Re: (Score:1)
alas, the 7 seas are a verity of the past, mythology, there are certainly more than 7 seas now.
the problem with books on this topic (Score:3, Insightful)
I think the danger with books on this topic is that by the time you get them to the publisher, and printed, and distributed, half the content is about to be out of date, and the other half will not be current after one year.
I'm not knocking the book, but in tech matters, I rather keep up via web/new media. tech-philosophy books, now that I like and buy.
Re: (Score:3, Insightful)
I got a lot out of The Cuckoo's Egg and that was published forever ago.
Re: (Score:1)
published in 1990. Way before slashdot
Re:the problem with books on this topic (Score:5, Insightful)
I think the danger with books on this topic is that by the time you get them ... half the content is about to be out of date, and the other half will not be current after one year.
Sorry to knock your opinion man, but the fact is that building an information security program is really quite distinct from the technology. For example, the Certified Information Systems Auditor (CISA) examination requires a vast knowledge of organizational processes, legal requirements, and risk assessment, but really very little about Linux or Vista or OS de jour. A really talented CSO attempts to define a technology-independent computer security plan, and so it is a given that the technology changes very fast.
Re: (Score:1)
Straight from the horse's mouth (Score:1)
In case you missed it, recordings [slashdot.org] have been released from The Last HOPE [thelasthope.org] conference, including Myrcurial's InfoSec talk "From a Black Hat to a Black Suit - How to Climb the Corporate Security Ladder Without Losing Your Soul" [thelasthope.org] [direct link to large 64kbps MP3 file].
Re: (Score:3, Informative)
Re: (Score:1)
dude - different book
Re: (Score:1)
as to the 80's, i heard they were going to use pat benatar on the cover but could not get the rights :)
Re: (Score:3, Insightful)
Business-side executives who think they can manage without understanding anything at all about the technical details are just as arrogant and dangerous to the bottom line as techies who think they don't need to understand anything about the business.
Even though this is totally off topic, you are totally wrong. Business-side executives who think they can manage without understanding technology are more dangerous then a tech guy who doesn't understand a business.
The executives usually are the ones setting easy passwords or demand insecurities, while the tech guy usually wants to make everything secure. A good tech guy needs to understand nothing about the business because he should be in *gasp* technology not running a business.
Re: (Score:3, Insightful)
Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.
Re: (Score:2)
Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.
Business executives think highly of people that understand them and can relate to them, big surprise there. Those that live "in between" certainly knows the value of a tech guy who delivers, and should relate that upwards when needed. Honestly, a business exec has no understanding of whether you're a SQL guru or thedailywtf material. You probably got very little idea if he's a PHB or a CEO in the making either. Very few achieve "fame" outside their own field, in business or elsewhere. The best you can usual
Current? (Score:2)
For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read
Yah, really current, books on technology are never current. Even some magazines aren't current, let alone books. Seriously, anyone who wants to be current should subscribe to a mailing list, or at least use magazines which are usually only 1-2 months out of date rather than a book which at best are 3-4 months out of date.
Re: (Score:3, Informative)
True, technology books ARE always out of date, but whilst it's a truism that things are always changing, it's also true that there's an linear relationship with the degree to which they stay the same. (I believe the French have a neat saying that encapsulates this notion.)
The MULTICS pentest paper [ucdavis.edu] and it's review 30 years later [acsac.org] are cases in point. See also Thompson, K., "Reflections on Trusting Trust [acm.org]", a matter which Kaminsky, D., has recently demonstrated is as true today as it was then [doxpara.com] (in a context whi
Re: (Score:1)
didn't someone say above that this is NOT that type of book.
What I want to know (Score:5, Interesting)
I work in the field. There's only one question I really care about - the rest is just a simple question of reading man pages and documentation and textbooks and writing policies and having meetings and reviewing designs and, and, and. You know. Stuff that you can do.
What I want to know is, how can I make my senior management care?
Seriously. Yes, I've tried all the known things. All I have to cling to now are customer requirements. Show them a pot of gold and, like Valerie Solanos' view of men and sex, they'd wade through a river of warm puke up to their nostrils to get to it, and if that means tossing some budget at security, they'll do it. (So, to answer my own question -- folks who are involved in assessing suppliers - for heaven's sake, ask them about their security, and I mean really ask - don't believe the marketing bullshit, look for independent reviews and certifications. Hell, even an ISO 27001 cert is better than nothing (and that has very little to do with real, on-the-metal infosec.)
Re: (Score:1)
>>>>What I want to know is, how can I make my senior management care?
Absolutely zero you can do.
either they get it and take action on it, or else they are clueless.
don't try to have them get security, if they don't get it, they won't.
Re: (Score:1)
>>What I want to know is, how can I make my senior management care?
I take back my comment.
run a pen test and they will get it.
a good pen test team has at least a 95% success rate.
A really good pen test team has a 99% success rate.
Hack em and then scare them and then you got them!
Re: (Score:2)
Re: (Score:1)
who do you use for your pen testing?
some firms have bettter reports that get more receptiomn from the execs
Re: (Score:2)
Re: (Score:1)
Have then run some DoS attacks, take down a prod. server.
then... they will understand.
Re: (Score:1)
Re: (Score:2)
Management has no need to care about IT security -- that is the CIO's job
We don't have a CIO, any more than we have an IT Director or other exec post where you'd expect security to naturally sit.
If I'm the CEO of a commodity organization, I probably wouldn't care either.
We're not a "commodity organisation", we're an IT services / outsourcing firm with turnover in the $100m range. We handle lots of sensitive data from our large number of well-known business customers. We even tout security in our marketing. Yes, it makes me alternately angry and sick and incredibly anxious. Yes, I'm wondering whether it'll soon be time to bail out.
Re: (Score:1)
If you really believe that striving towards the ISO27001 certification is not real InfoSec, then you're in the wrong line of business.
Information Security is not about technology.
Re: (Score:2)
Has anyone thought that we might (Score:2)
have created this monster with the presence of too much information, in the way of X degrees of seperation? Why do VP's copy 10 different people on an email? Then those 10 people copy another 10 other people on the response. Why do they even use email, esp unencrypted when communicating overseas?
Perhaps high level executives should have closed meetings, not use email. Plus email could be compartmentalized so that certain levels of employees could communicate to their bosses and amongst themselves, but n
Twelve step program? (Score:2)
Step one: Admit you are powerless over security--that your systems have become unmanageable.
Re: (Score:1)
Re: (Score:2)
Step four: Throw money at a group like (ISC)2 which happened to pick a name for maximum confusion with legitimate groups and then convinced the world they are the security training experts.
Re: (Score:1)
>>>ISC)2 which happened to pick a name for maximum confusion with legitimate groups
What is the confusion with a legitimate group?
Re: (Score:1)
you mean an MSSP :)
Not an Objective Review (Score:3, Informative)
I'm always skeptical about the people who somehow have the time to read and publish all of these online reviews - many of the are raves for books that nobody has heard of before.
So I Googled Bayuk (author) and Rothke (reviewer) and came up with a presentation they've done together:
www.bayuk.com/publications/BayukSOX.pdf
So, I guess this is nothing more than Ben trying to get us to buy his friend's book.
Re: (Score:1)
dude, not exacatly a smoking gun......
presentation was in 2004 and book is written in 2008.