While information security is an ever-present challenge for all types of organizations today, most focus on providing security without addressing the necessities of staff, time, or budget in a practical manner.
Information Security Cost Management offers a pragmatic approach to implementing information security, taking budgetary and real-world constraints into consideration. By providing frameworks, step-by-step processes, and project management breakdowns, this book demonstrates how to design the best security strategy with the resources you have available.
Organized into five sections, the book-
Demonstrating strategies to maximize a limited security budget without compromising the quality of risk management initiatives, Information Security Cost Management helps you save your organization time and money. It provides the tools required to implement policies, processes, and training that are crucial to the success of a company's security.
SECTION 1: SECURITY STRATEGY - THINKING PRACTICALLY
Goals and Filters
You Cannot Secure Everything. What Is Information Security? The Three Pragmatic Filters. Filter One: Focus on High-Risk Areas. Eye on the Ball. References
Building Your Strategy
Creating a Risk-Based Security Strategy. Creating and Showing Value
High-Impact Initiatives. Taking the Next Steps. Reference
SECTION 2: SECURITY ORGANIZATION DESIGN-
The Right People for the Right Jobs
Introduction. The Essentials of a Security Organization. Security Functions. Security Roles. Start at the Top - CISO. Supporting the CISO - Security Management. Technical Heavyweights - Security Architect and Security Engineers. Process Excellence - Security Analysts and Security Specialists. Operational Maturity - the Key to Successful Security. Looking at the Bigger Picture - Positioning Information Security. What about Physical Security?
Reducing Costs for Routine Tasks. Insourcing versus Outsourcing. Onshoring versus Offshoring. Common Considerations
SECTION 3: SECURITY MANAGEMENT - EFFECTIVELY ENFORCING YOUR STRATEGY
Policies, Standards, and Procedures
Introduction. Terminology Primer. Organizational Tips. Managing Exceptions. A Question of Authority
Training and Awareness
Introduction. Determine Your Key Messages and Target Audiences. Create an Awareness Road Map. Keep it Creative, Simple, and Loud. Maximize Channels of Communication. Use Positive Reinforcement. Be Opportunistic. Make Awareness Everyone's Responsibility
Cost-Effective Audit Management
Introduction. Step 1 - Set Expectations. Step 2 - Prepare Your Workspace. Step 3 - Document, Document, Document. Winning "Comfort" Points
Reporting Your Value
Introduction. How to Make Reports Relevant. How to Make Reports Consistent. How to Make Reports Comprehensible
SECTION 4: SECURITY TECHNOLOGIES - ESTABLISHING A SOUND FOUNDATION
Introduction: The Truth about Risk Assessments. Strategy for Conducting Annual Internal Risk Assessments. Tactical Perspective for Security Assessment. Remediation Strategy
Security Design Review
Introduction. The Analysis Phase. The Requirements Phase. Define Information Protection Requirements. The Design Phase. The Build and Test Phases. The Deployment Phase. The Postproduction Phase.
What Is Exploit Protection? Security Incidents and the Business. Loss of Information Assets. Disruptions to the Business. Anatomy of Security Threats. Outsider Threat. Insider Threats. Automated Attacks. Cost Management and Exploit Protection. Exploit Protection and Security Operations. References
SECTION 5: SECURITY OPERATIONS-MAINTAINING
Identity and Access Management
Introduction. The Big Picture. Key Control Points. Implementation Problems and Pitfalls. Making User Management Operational in its Current State. Getting Off to the Right Start - Approvals. Keeping it Clean - Terminations. Managing the User's Life Cycle - Transfers. Mitigating Control - User Recertification. Monitor Solutions. What about Nonuser Accounts? Summary
Cost-Effective Incident Response
Introduction. The Price of Not Planning. Start with Objectives. Assembling the CSIRT. The Big Picture. The Frontline. Initial Response Team (IRT) - the Primary Experts. Executive Incident Team (EIT) - the Decision Makers. Responders - the Recovery Experts. Investigators - the Root Cause Analysts. Postmortem of an Incident. Recap of the Incident Response Process.