Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010132703 | HF5548.37 G46 2006 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
The CISO Handbook: A Practical Guide to Securing Your Company provides unique insights and guidance into designing and implementing an information security program, delivering true value to the stakeholders of a company. The authors present several essential high-level concepts before building a robust framework that will enable you to map the concepts to your company's environment.
The book is presented in chapters that follow a consistent methodology - Assess, Plan, Design, Execute, and Report. The first chapter, Assess, identifies the elements that drive the need for infosec programs, enabling you to conduct an analysis of your business and regulatory requirements. Plan discusses how to build the foundation of your program, allowing you to develop an executive mandate, reporting metrics, and an organizational matrix with defined roles and responsibilities. Design demonstrates how to construct the policies and procedures to meet your identified business objectives, explaining how to perform a gap analysis between the existing environment and the desired end-state, define project requirements, and assemble a rough budget. Execute emphasizes the creation of a successful execution model for the implementation of security projects against the backdrop of common business constraints. Report focuses on communicating back to the external and internal stakeholders with information that fits the various audiences.
Each chapter begins with an Overview, followed by Foundation Concepts that are critical success factors to understanding the material presented. The chapters also contain a Methodology section that explains the steps necessary to achieve the goals of the particular chapter.
Author Notes
Mike Gentile is on a mission to change the status quo in Information Security as we know it. His goal is to translate the discipline from one that is often misunderstood, inefficiently applied, and painful to one that is seamless, collaborative, and repeatable in organizations across the globe. Delphiis is the encapsulation of this mission.
Mike brings balance of business acumen and technical skill-set anchored by years in the field and his core focus over the past 15 years has been his practice, Coastline Consulting services. As the Founder and President, Coastline has developed enterprise security programs for countless leading public, private, and government organizations, including many within the Global 1000 and Fortune 500. During that time he also became Co-Founder and Editor for CISOHandbook.com, the leading portal for security leaders.
As a researcher, Mike has contributed numerous publications within the Information technology, project management, and security communities. He is also a senior researcher with Computer Economics in the Information Security domain and has written articles for the ISSA Journal, Computer Economics, RSA Conference and Secure World Expo.
As a writer he is the co-author of The CISO Handbook: A Practical Guide to Securing Your Company as well as CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives. The CISO Handbook is used as course material for numerous advanced education and Master's programs on security leadership around the world. Mr. Gentile serves on multiple advisory boards, including being on the Board of Advisors for Savant, a malware protection company, as well an active member of the RSA Program Committee since 2009.
Mr. Gentile is a sought after speaker on security, project management, and information technology topics. For the last 3 years he has been a top rated speaker at RSA, the most prestigious security conference in the United states and has been keynote speaker for the CXO Summits conference series. He has also presented over the years for the Project Management Institute, Secure World Expo, ISSA, Symantec, and many more. Mike lives in Southern California with his wife Tiffany and their two boys.
Table of Contents
| Forward | p. xiii |
| Acknowledgments | p. xv |
| Team Acknowledgment | p. xv |
| Organizations We Would Like to Thank | p. xvi |
| Introduction | p. xvii |
| Overview | p. xvii |
| 1 Assess | p. 1 |
| Overview | p. 1 |
| Foundation Concepts | p. 2 |
| Critical Skills | p. 2 |
| Consultative Sales Skills | p. 2 |
| Enabling New Business Opportunities | p. 2 |
| Reducing Business Risk | p. 3 |
| Critical Knowledge | p. 4 |
| Understanding Your Business | p. 4 |
| Understanding Risk | p. 6 |
| Understanding Your Enterprise Differentiators | p. 8 |
| Understanding Your Legal and Regulatory Environment | p. 9 |
| Understanding Your Organizational Structure | p. 10 |
| Understanding Your Organizational Dynamics | p. 11 |
| Enterprise Culture | p. 14 |
| Understanding Your Enterprise's View of Technology | p. 15 |
| Assessment Methodology | p. 16 |
| Identifying Your Program's Primary Driver | p. 17 |
| Why Are You Here? | p. 17 |
| Stakeholders | p. 18 |
| Types of Stakeholders | p. 18 |
| Identifying Your External Drivers | p. 22 |
| Regulatory/Audit Environment | p. 22 |
| Other External Drivers | p. 26 |
| Identifying Your Internal Drivers | p. 27 |
| Political Climate | p. 27 |
| Who Is on Your Team? | p. 29 |
| The Enterprise's Business | p. 31 |
| Financial Environment | p. 33 |
| Technical Environment | p. 35 |
| Industry | p. 42 |
| Assessment Checklist | p. 46 |
| 2 Plan | p. 55 |
| Overview | p. 55 |
| Foundation Concepts | p. 55 |
| Critical Skills | p. 56 |
| Visioning | p. 56 |
| Strategic Planning | p. 57 |
| Negotiating | p. 57 |
| Marketing | p. 58 |
| Talent Assessment | p. 58 |
| Critical Skills Summary | p. 58 |
| Critical Knowledge | p. 59 |
| ISC[superscript 2] Common Body of Knowledge (CBK) | p. 59 |
| Other Security Industry Resources | p. 60 |
| Planning Methodology | p. 62 |
| Understanding Your Program's Mandate | p. 63 |
| Determining Your Program Mission | p. 64 |
| Mission Statements | p. 64 |
| Building Your Mission Statement | p. 66 |
| Determining Your Program's Structure | p. 68 |
| Operational Versus Non-Operational | p. 68 |
| Size of Your Enterprise | p. 74 |
| Political Climate | p. 74 |
| Centralized Versus Decentralized | p. 75 |
| Common Reasons for Choosing a Centralized Model | p. 80 |
| Common Reasons for Choosing a De-Centralized Model | p. 80 |
| Security Pipeline | p. 81 |
| Architecture | p. 81 |
| Maintenance | p. 83 |
| Inspection | p. 84 |
| Size of Your Program | p. 85 |
| Large Program Considerations | p. 85 |
| Small Program Considerations | p. 88 |
| Conclusion | p. 91 |
| Common Security Responsibilities | p. 91 |
| Information Security Program Structure Summary | p. 92 |
| Determining Your Program's Staffing | p. 92 |
| Define the Roles and Responsibilities of Your Team Members | p. 93 |
| Critical Attributes | p. 93 |
| Security Roles and Responsibilities | p. 97 |
| Influence on Staffing by the Information Security Program Structure | p. 101 |
| Perform a Gap Analysis | p. 102 |
| Evaluate Talent | p. 103 |
| Planning Summary | p. 106 |
| Planning Checklist | p. 106 |
| 3 Design | p. 111 |
| Overview | p. 111 |
| Foundation Concepts | p. 111 |
| Critical Skills | p. 112 |
| Analytical Skills | p. 112 |
| Discovery | p. 112 |
| Evaluation | p. 112 |
| Strategy | p. 112 |
| Formulation | p. 114 |
| Organizational Skills | p. 114 |
| Sales | p. 114 |
| Financial Planning and Budgeting | p. 114 |
| Critical Skills Summary | p. 115 |
| Critical Knowledge | p. 115 |
| Opportunity Cost | p. 115 |
| Security Documents | p. 115 |
| Policies | p. 116 |
| Standards | p. 117 |
| Procedures | p. 117 |
| Guidelines | p. 118 |
| Example | p. 118 |
| Risks, Threats, and Vulnerabilities ... Oh My! | p. 118 |
| Example | p. 119 |
| Types of Security Controls | p. 119 |
| Preventive Controls | p. 119 |
| Detective Controls | p. 121 |
| Gap Analysis | p. 121 |
| SMART Statements | p. 123 |
| Types of Projects | p. 123 |
| People Projects | p. 123 |
| Process Projects | p. 124 |
| Technology Projects | p. 124 |
| Methodology | p. 124 |
| Preview | p. 124 |
| Security Document Development | p. 125 |
| Project Portfolio Development | p. 125 |
| Communication Plan Development | p. 125 |
| Incorporating Your Enterprise Drivers | p. 125 |
| Constraints | p. 126 |
| Laws and Regulations | p. 127 |
| Corporate Responsibility/Code of Conduct | p. 127 |
| Enablers | p. 127 |
| Requirements | p. 128 |
| Business Requirements | p. 129 |
| Example | p. 129 |
| Example | p. 130 |
| Functional Requirement | p. 130 |
| Example | p. 131 |
| Business Requirements of PCSC | p. 131 |
| Functional Requirement | p. 131 |
| Analysis | p. 132 |
| Methods for Creating Functional Requirements | p. 132 |
| Requirements Summary | p. 133 |
| Gap Analysis | p. 133 |
| Building Security Policies, Standards, Procedures, and Guidelines | p. 135 |
| The Theory of Security Policies | p. 135 |
| Drafting Your Information Security Policies | p. 136 |
| Ratifying the Security Policies | p. 138 |
| Standards, Procedures, and Guidelines | p. 138 |
| Build Security Documents Summary | p. 139 |
| Building the Security Project Portfolio | p. 140 |
| Performing the Policy Gap Analysis | p. 140 |
| Example | p. 142 |
| Analysis | p. 142 |
| Defining Ambiguities | p. 142 |
| Evaluating Controls (Gap Analysis) | p. 143 |
| Risk and Exposure Statements | p. 145 |
| Risk Rating | p. 145 |
| Risk Rating - High | p. 146 |
| Deriving the Security Projects | p. 146 |
| Quantitative Evaluation | p. 146 |
| Qualitative Evaluation | p. 148 |
| Cursory Project Scoping | p. 151 |
| Projects Versus Core | p. 152 |
| Scheduling (First Three Years) | p. 152 |
| Capital Budgeting | p. 153 |
| Approval of the Security Project Portfolio | p. 155 |
| Believe in Your Product | p. 155 |
| Ensure That Your Logic for Prioritization Is Understood | p. 155 |
| Know Your Product | p. 155 |
| Know What Others Are Buying | p. 156 |
| Identify the Buyers and the Roadblocks | p. 156 |
| Those Who Will Buy Your Offerings | p. 156 |
| Those Who Will Not Buy Any of Your Offerings | p. 156 |
| Those Who Can Apply Pressure to Individuals Who Won't Buy Your Offerings | p. 157 |
| Sell through Momentum | p. 157 |
| Sell through Others | p. 157 |
| Ensure That It's Sold before You Attempt to Sell It | p. 157 |
| Always Present in Person | p. 157 |
| Summary | p. 157 |
| Annual Portfolio Review | p. 158 |
| Build the Communication Plan | p. 158 |
| Potential Channels for the Communication Plan | p. 159 |
| Chapter Summary | p. 161 |
| Design Checklist | p. 161 |
| 4 Execute | p. 165 |
| Overview | p. 165 |
| Foundation Concepts | p. 166 |
| Preview | p. 166 |
| Critical Skills | p. 167 |
| Executor | p. 167 |
| Commander | p. 168 |
| Communication | p. 168 |
| Tactician | p. 168 |
| Research | p. 168 |
| Analysis | p. 169 |
| Critical Skills Summary | p. 169 |
| Critical Knowledge | p. 169 |
| Overview of Project Management Methodologies | p. 169 |
| Benefits of a Project Mentality for Your Information Security Program | p. 170 |
| The Project Management Triangle | p. 172 |
| Technical Control Layers | p. 175 |
| Summary | p. 177 |
| Methodology | p. 178 |
| Preview | p. 178 |
| Project Execution | p. 178 |
| Development Methodology Structure | p. 178 |
| Critical Success Factors for a Project | p. 183 |
| Business, Functional, and Technical Requirements | p. 188 |
| Marketing Metrics | p. 193 |
| Project Governance Model | p. 196 |
| Management Support - Sponsorship | p. 196 |
| Establish a Team | p. 197 |
| Shared Vision | p. 197 |
| Formalized Project Plan (Gantt Chart) | p. 198 |
| Identifying and Working through the Lull of Doom | p. 199 |
| Critical Success Factors Summary | p. 200 |
| Warning Signs for Projects | p. 200 |
| Train Wrecks | p. 200 |
| Project Types and Their Intricacies | p. 204 |
| Common Guidelines for All Projects | p. 204 |
| Common Guidelines for People Projects | p. 205 |
| Common Guidelines for Process Projects | p. 206 |
| Common Guidelines for Technology Projects | p. 207 |
| Project Type Summary | p. 208 |
| Incorporating Security into Projects | p. 208 |
| Tools for Adding Security into a Properly Structured Project | p. 209 |
| Deploy | p. 213 |
| Tools for Adding Security into a Project with Missing Components | p. 214 |
| Vendor Evaluation/Selection | p. 217 |
| Preparing the Marketing Material | p. 223 |
| Chapter Summary | p. 224 |
| 5 Report | p. 225 |
| Overview | p. 225 |
| Foundation Concepts | p. 226 |
| Critical Skills | p. 227 |
| Writer | p. 227 |
| Presenter | p. 227 |
| Critical Knowledge | p. 227 |
| Primary Principle of Reporting | p. 227 |
| Basic Reporting Components | p. 228 |
| Delivery Mechanisms | p. 229 |
| Marketing | p. 229 |
| Branding | p. 230 |
| Metrics | p. 231 |
| Damage Control | p. 231 |
| Summary | p. 232 |
| Methodology | p. 232 |
| Report Construction Process | p. 233 |
| Identifying the Need | p. 234 |
| Determine Intent | p. 235 |
| Desired Reaction | p. 236 |
| Determine Target Audience | p. 238 |
| Internal Audiences | p. 238 |
| Executive Management/Board of Directors | p. 239 |
| Technical Engineering Staff | p. 245 |
| Employees | p. 247 |
| Internal Audit/Regulatory Compliance Office | p. 248 |
| External Audiences | p. 250 |
| Government Agencies/Independent Auditors/Regulators | p. 250 |
| Stockholders and Owners | p. 252 |
| Customers and Clients | p. 252 |
| Target Audience Summary | p. 253 |
| Delivery Mechanisms | p. 253 |
| Administrative Reporting | p. 254 |
| Operational Reporting | p. 261 |
| Types of Delivery | p. 267 |
| Follow up on the Message | p. 270 |
| Close the Deal | p. 270 |
| Chapter Summary | p. 271 |
| 6 The Final Phase | p. 273 |
| Overview | p. 273 |
| Back to the Beginning | p. 275 |
| Parting Thoughts | p. 276 |
| Appendices | |
| A Design Chapter Worksheets | p. 277 |
| B Report Creation Process Worksheet | p. 281 |
| C Requirements Sample | p. 285 |
| D SDLC Checklist | p. 289 |
| E Recommended Reading | p. 313 |
| Index | p. 315 |
