Information Security A Practical Guide
eBook - ePub

Bridging the gap between IT and management

  1. 116 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

How do you engage with your peers when they think you're there to stop them working?

Corporate information security is often hindered by a lack of adequate communication between the security team and the rest of the organisation. Information security affects the whole company and is a responsibility shared by all staff, so failing to obtain wider acceptance can endanger the security of the entire organisation. Many consider information security a block, not a benefit, however, and view security professionals with suspicion if not outright hostility. As a security professional, how can you get broader buy-in from your colleagues?

Information Security: A Practical Guide addresses that issue by providing an overview of basic information security practices that will enable your security team to better engage with their peers to address the threats facing the organisation as a whole.

Product overview

Covering everything from your first day at work as an information security professional to developing and implementing enterprise-wide information security processes, Information Security: A Practical Guide explains the basics of information security, and how to explain them to management and others so that security risks can be appropriately addressed.

Topics covered include:

  • How to understand the security culture of the organisation
  • Getting to know the organisation and building relationships with key personnel
  • How to identify gaps in the organisation's security set-up
  • The impact of compromise on the organisation
  • Identifying, categorising and prioritising risks
  • The five levels of risk appetite and how to apply risk treatments via security controls
  • Understanding the threats facing your organisation and how to communicate them
  • How to raise security awareness and engage with specific peer groups
  • System mapping and documentation (including control boundaries and where risks exist)
  • The importance of conducting regular penetration testing and what to do with the results
  • Information security policies and processes
  • A standards-based approach to information security

If you're starting a new job as an information security professional, Information Security: A Practical Guide contains all you need to know.

About the author

Tom Mooney has over 10 years' IT experience working with sensitive information. He is currently HM Land Registry's information security risk advisor, working with project teams and the wider business to deliver key business systems securely; his key responsibility is to act as an intermediary between management and IT teams to ensure appropriate security controls are put in place. His extensive experience has led him to develop many skills and techniques for conversing with people who are not technical or information security experts. Many of these are found in this book.

He has a BSc (Hons) in information and computer security, and is also a CESG certified professional.


CHAPTER 1: DAY ONE AS A SECURITY PROFESSIONAL

Chapter Overview

This chapter gives you guidance on bedding yourself into your new role in security. It will help you to get your bearings and explains some of the early tasks you need to carry out to understand your role much better.
The chapter first reinforces the confidentiality, integrity and availability (CIA) mantra, explaining its meaning and how to use it in your role. I then describe the people you should look to meet as soon as possible so that you know what is going on within the organisation and who you will need as allies. The chapter then explores how you can begin to understand the organisation’s security culture in order to realise how much influence you have in your role.

Objectives

In this chapter you will learn the following:
• How to build a foundation for communication using CIA
• How to understand the security culture of the organisation
• Building relationships with key personnel
• Identifying the gaps in the organisation’s security set-up.

Your First Day

Your first day in an information security role can be extremely daunting, especially if you are new to the profession. Often information security is seen as a dark art performed by some elite person, and your peers will have a higher expectation of you and your knowledge of information systems. During a security incident even senior managers will look to you for advice and guidance, so you should be prepared to take on this responsibility and lead when needed.
It is important that you have an overall understanding of the organisation’s IT strategy and what systems are being changed and deployed. Remember, in security the attackers only have to win once, whereas you have to win every time. This means there only needs to be one mistake or oversight and a vulnerability could be exploited in your organisation that could have a tremendous impact.
From day one you must get to know the organisation as quickly as possible, its people, its strategy and its culture. You will not be effective in your role until you understand those things.

Confidentiality, Integrity and Availability (CIA)

The CIA mantra is the bread and butter for every information security professional. These three key areas form the foundation of information security. Think of CIA as your weapon when discussing security with IT and business staff alike. Set this foundation for anyone you are going to work with regularly, as it will allow you to develop a mutual understanding. In my experience people pick up the CIA mantra extremely easily.
Confidentiality means that only those who should have access to the data do, and those who do not have a need to access the data cannot. Data is protected from unauthorised access, and this is the traditional view of security.
Integrity means that the data is accurate and that we can rely upon it. Data that is incorrect or suspected of being incorrect has no value as we cannot rely upon it. When discussing integrity ask how much of the data’s integrity would need to be compromised before confidence is lost in its entirety, as this will help you gauge how important integrity is.
Availability relates to the information being available to those who are authorised to access it when they need to access it. Information that is not available for use is of no use to us. You may have heard the anecdote of taking the data, putting it in a safe and then dropping that safe to the bottom of the ocean. If that’s what we have to do to protect the data then why keep it at all? We can’t make any use of the data, and it is a liability, not an asset. This is the part people have most difficulty in understanding. Sometimes people think of the data as a physical asset, so for example if the data is stolen, they assume we no longer have access to it. In fact, theft could be a mixture of both availability and confidentiality. It is important to be clear that availability is about whether we can or cannot access the data.

Getting to Know the Business

It is often easy to forget that you and the IT department are there to serve the business; you are a tool and resource to be used for the business to achieve its objectives. This is why it is important to understand the business and what it wants to achieve. In this section I will introduce the different roles and explain their importance.

Senior Managers

When I talk about senior managers in this context I am referring to those who are one level under the Board; typically this will be heads of departments or divisions. Senior managers will often have high-level responsibility in ensuring their department is working to fulfil the organisation’s business objectives. The key for you is to ensure information security is on their radar, that when they are overseeing the implementation of their objectives that they consider security. If you don’t have buy-in from the top, you will find it difficult to prioritise security within the various IT teams.
Explain to them the CIA mantra so that they understand what each of the three points mean, and it will help if you apply CIA to a specific area. They will then be able to conceptualise security at a high level.
Senior managers are important when trying to change the culture of the organisation and the way it works. Unfortunately people are often resistant to change, but by ensuring senior management buy-in you will have high-level backing to get things done when you encounter resistance.

Business Analysts

Building strong working relationships with business analysts will provide a great insight into the views of the wider organisation. They spend most of their time understanding the business and its needs and then translating this into requirements for IT systems. By understanding their findings you can implement more effective security controls. For example, you implement a new password policy that means passwords now have to be at least 15 characters long. People in the organisation have trouble remembering their passwords, so they begin writing them down on sticky notes attached under their keyboards. This security control would actually increase the risk to the organisation of a security breach rather than reduce it. However, because you are the person responsible for security, people are unlikely to volunteer to you that they are willingly breaking this rule, so this is where your relationship with business analysts is important. By understanding their work you can better understand the security culture of the organisation and improve it over time, as well as ensuring they factor in security concerns.

Senior Information Risk Owner

The senior information risk owner (SIRO) is a role that you may have not come across before. It is often found in UK government. The SIRO is typically a Board member who has overall responsibility for ensuring effective information security and that it remains a priority on the organisation’s agenda. If you are fortunate to work in an organisation that values information security then it may be worth suggesting this role to the Board.
Although the SIRO will champion information security at Board and strategic levels, it is unlikely they will have any in-depth knowledge of information security. Ensure the SIRO understands CIA so that you can develop a common understanding. The SIRO will be key in changing the organisation’s security culture as they can raise your concerns at the highest possible level. The SIRO will often come to you with their concerns and rely on you to understand and explain the wider impact on the organisation.

Lawyers

The lawyers or legal team are often forgotten about, but they can be as much of an asset as an enemy. They have great power within an organisation as it is their job to ensure the organisation remains compliant with the law. Ensuring compliance with various laws can be a minefield, hence the need for a legal team. If you are fortunate enough to have a legal team within your organisation, I recommend you meet them as soon as possible. It is useful to build a relationship based on mutual respect: security professionals often have a high-level understanding of the various IT-related laws but it is the lawyers who interpret the law to its fullest. Use the legal team as a resource for advice and also an escalation point when you have legal concerns. As part of this relationship the legal department should ensure it keeps you informed of any proposed new legislation. By having early sight of legal changes you can make sure any security considerations are made early and that the organisation is prepared.

Key IT Personnel

The next step in acclimatising to your new role is to meet the IT staff you will be working with on a more regular basis. Your organisation likely has slightly different roles based on its size, but I would expect the following roles to be covered even if you have people covering several roles.
In this section I will introduce the different roles and their importance. This is also a two-way relationship. If you can build a rapport with these people then they will keep you in the loop with the work going on in the IT department. This is much more important than you think, since when an organisation’s security resource is limited you won’t be able to be as involved with all aspects of the department as you would like. This can often be troublesome as teams go about their business without considering security and its requirements. By meeting these people and teaching them the CIA mantra you will give them the tools to realise when there is a need for security and encourage them to approach you when you might not have been involved with the work.

Change Management Team

Who

How organisations manage change and deploy IT systems varies widely. In some organisations small siloed teams take care of their own changes, whereas others have one overall change-management team with responsibility for all changes. Either way, this team or these teams have responsibility for determining what IT changes and deployments happen and when.

What they do

Deploying or changing IT systems is rarely a simple task. Who the change affects, what other systems the change will affect, what to do if it all goes horribly wrong and when to implement the change all need to be considered. The change-management team takes the lead on informing the people who the change will affect and if needed provides advice and guidance on the new system. They are also aware of other systems that it affects; for example, if we were upgrading our email system, any IT systems that send email would be affected, not just the users. Also, if we allowed everyone to change systems whenever they wanted, we’d have chaos and probably a broken IT infrastructure. By grouping and scheduling changes we can make small changes to IT systems over time, which also means that if a change breaks a system then we can quickly identify the change and fix it.

Why they are important

The change-management team are the final step in any change-management process. They should keep a record of changes that have been and will be implemented. By understanding their change schedule you can ensure no changes that could introduce weaknesses into IT systems are implemented. I recommend you insist on becoming part of the approval process for changes. By this stage you should already be aware of any changes, but this final step will be a catch-all for anything that has slipped past.

Network Team

Who

The network team is an obvious one for most people, as this is the team responsible for managing the network. They have a better understanding of the network and the infrastructure it connects than most in the organisation.

What they do

The network team have more responsibility than just the day-to-day running of the network. They often have the following responsibilities as well: firewall set-up and monitoring, intrusion detection and prevention systems (IDS and IPS), and overseeing the efficient running of the network. Monitoring of the IDS and IPS is extremely involved, and because of their understanding of the network the team are best placed to interpret the results of this monitoring. As useful as these systems are, without constant tuning they flag up a lot of false positives and will not be configured to recognise the latest threats.

Why they are important

Your relationship with the network team will centre around three key areas: firewall maintenance, in particular rule changes; IDS/IPS changes to ensure they are up to date; and finally any network changes.
When firewalls are installed effort goes into configuring the rules to ensure maximum protection, but over time these rules can be weakened as new systems are implemented. Often the network team are aware of the potential for introducing weaknesses into the network by changing firewall rules, but they may come under pressure from other teams. By forging a strong relationship you can ensure that weaknesses aren’t introduced and that more secure solutions are found instead.
IDS and IPS changes will be more of a hands-off role for yourself, as it is likely you will not have the deep technical understanding that the network team have. Where you can help the network team is by keeping an eye on trends within security and ensuring they are aware of the latest attacks, as well as which attacks are being most commonly us...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Contents
  5. Chapter 1: Day One as a Security Professional
  6. Chapter 2: Business Impact of Breaches
  7. Chapter 3: Business Risk Appetite
  8. Chapter 4: Threats
  9. Chapter 5: Quick and Dirty Risk Assessment
  10. Chapter 6: Getting Buy-in From Your Peers
  11. Chapter 7: Documenting the System For Everyone
  12. Chapter 8: Mapping Data in the System
  13. Chapter 9: Penetration Testing
  14. Chapter 10: Information Security Policy
  15. ITG Resources