
Strategic Information Security

1st Edition

By John Wylder

Auerbach Publications

240 pages | 4 B/W Illus.

Purchasing Options (prices in USD):

Hardback: ISBN 9780849320415, published 2003-11-24

eBook (VitalSource): ISBN 9780429209864, published 2003-11-24, from $28.98


The new emphasis on physical security resulting from the terrorist threat has forced many information security professionals to struggle to maintain their organization's focus on protecting information assets. In order to command attention, they need to emphasize the broader role of information security in the strategy of their companies. Until now, however, most books about strategy and planning have focused on the production side of the business, rather than operations.

Strategic Information Security integrates the importance of sound security policy with the strategic goals of an organization. It provides IT professionals and management with insight into the issues surrounding the goal of protecting valuable information assets. The text reiterates that an effective information security program relies on more than policies or hardware and software; instead, it hinges on a mindset in which security is a core part of the business and not just an afterthought.

Armed with the content contained in this book, security specialists can redirect the discussion of security towards the terms and concepts that management understands. This increases the likelihood of obtaining the funding and managerial support that is needed to build and maintain airtight security programs.


"[A]n interesting book rooted in experience … . [The] author offers … philosophical considerations [in understanding] computer and information security not as [a] technical issue but [as a] strategic and management issue. … [A] calm reading for [the] strategic and tactical manager that offers a broad vision … . "

- Dr. Jeimy Cano, Universidad de los Andes, Bogota, Colombia

Table of Contents

Introduction to Strategic Information Security

What Does It Mean to Be Strategic?

Information Security Defined

The Security Professional's View of Information Security

The Business View of Information Security

Changes Affecting Business and Risk Management

Strategic Security

Strategic Security or Security Strategy?

Monitoring and Measurement

Moving Forward


The Life Cycles of Security Managers


The Information Security Manager's Responsibilities

The Evolution of Data Security to Information Security

The Repository Concept

Changing Job Requirements

Business Life Cycles and the Evolution of an Information Security Program

The Introductory Phase

The Early Growth Phase

The Rapid Growth Phase

The Maturity Phase

Skill Changes over Time


Chief Security Officer or Chief Information Security Officer


Organizational Issues

Justifying the Importance and Role of Security in Business

Risk Management Issues Affecting Organizational Models

Chief Information Security Officer (CISO) Role Defined

The Chief Security Officer (CSO) Role Defined

Organizational Models and Issues

Organization Structure and Reporting Models

Choosing the Right Organization Model


Information Security and Risk Management


The Information Technology View of Threats, Vulnerabilities, and Risks

Business View of Threats, Vulnerabilities, and Risks

The Economists' Approach to Understanding Risk

Total Risk

Technology Risk

Information Risk

Information Risk Formula

Protection Mechanisms and Risk Reduction

Matching Protection Mechanisms to Risks

The Risk Protection Matrix


Establishing Information Ownership

Establishing Information Ownership

Centralized Information Security

Local Administrators vs. Information Owners

Transferring Ownership

Operations Orientation of Information Ownership

Information Ownership in Larger Organizations

Information as an Asset

Decentralized vs. Centralized Information Security Controls

Ownership and Information Flow

Information Ownership Hierarchy

Functional Owners of Information

Income Statement Information Owners

Information Value

Statement of Condition Information Owners


The Network as the Enterprise Database


A Historical View of Data and Data Management

Management Information Systems (MIS)

Executive Information Systems (EIS)

The Evolving Network

The Network as the Database


Risk Reduction Strategies


Information Technology Risks

Evaluating the Alternatives

Improving Security from the Bottom Up: Moving Toward a New Way of Enforcing Security Policy

Encouraging Personal Accountability for Corporate Information Security Policy


The Problem

The Role of the Chief Information Security Officer (CISO) in Improving Security

Centralized Management vs. Decentralized Management

Security Policy and Enforcement Alternatives

Policy Compliance and the Human Resources Department

Personal Accountability


Authentication Models and Strategies

Introduction to Authentication

Authentication Defined

Authentication Choices

Public Key Infrastructure

Administration and Authentication: Management Issues

Identity Theft

Risks and Threats Associated with Authentication Schemes

Other Strategic Issues Regarding Authentication Systems

Single Sign-On Security


The Authentication Dilemma

The Many Definitions of Single Sign-On

Risks Associated with Single Sign-On

Single Sign-On Alternative: A More In-Depth Review

User Provisioning

Authentication and Single Sign-On

Crisis Management: A Strategic Viewpoint


Crisis Defined

Benefits from a Formal Crisis Management Process

Escalation and Notification

Organizational Issues and Structures for Dealing with Crisis


Strategies for Managing through a Crisis

Creating a Formalized Response for Crisis Management


Business Continuity Planning


Types of Outages and Disasters

Planning for a Disaster

Roles and Responsibilities

Plan Alternatives and Decision Criteria

Risk Mitigation vs. Risk Elimination

Preparation: Writing the Plan

Testing and Auditing the Plan

Issues for Executive Management


Security Monitoring: Advanced Security Management


Monitoring vs. Auditing

Activity Monitoring and Audit Trails

How Security Information Management Systems Work

Other Security Information Monitoring Sources

Privacy and Security Monitoring

Reactions to Security Monitoring Information

Problems with Security Monitoring

Senior Management Issues and Security Monitoring

Auditing and Testing a Strategic Control Process

Introduction: The Role of Auditing and Testing

Auditing and Security Management

Security Audits

Information Protection

Audit Logs and Audit Trails

Security Testing and Analysis

Application Controls and Strategic Security Goals

Reporting of Security Problems and the Role of the Auditor

Auditing, Testing, and Strategic Security

Outsourcing Security: Strategic Management Issues

Information Security Operations and Security Management

Management Issues Regarding the Outsourcing Decision

Outsourced Security Alternatives

Return on Investment (ROI) with Outsourced Services

Contract Issues for Security Outsourcing

Integration of Outsourcing with Internal Operational


Risks Associated with Outsourcing Security Functions

Business Continuity Planning and Security Outsourcing

Strategic Management Issues with Outsourced Security

Final Thoughts on Strategic Security

Executive Management and Security Management

The Future of Information Security and the Challenges Ahead

Appendix Helpful Internet Resources

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General