Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stepping Through the InfoSec Program

Posted by samzenpus on from the read-all-about-it dept.

Ben Rothke writes "For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read after The Pragmatic CSO: 12 Steps to Being a Security Master. While The Pragmatic CSO provides a first-rate overview of the higher-level steps to being a CSO and building an information security program, Stepping Through the InfoSec Program provides the low-level details and nitty-gritty elements on just how to do that." Keep reading for the rest of Ben's review. Stepping Through the InfoSec Program author J.L. Bayuk pages 238 publisher ISACA rating 9 reviewer Ben Rothke ISBN 1604200308 summary The low-down on how to build an information security program Author Jennifer Bayuk spent over a decade at a large brokerage firm building their information security program. Her experience in managing and designing security there is manifest in the book and it is clear throughout the book that she is writing a deep pool of from real-world experience.

The first part of the book contains 3 sections and in just under 150 densely packed pages, the book walks you through the process in which to build an effective information security program. The book details 6 steps in which to facilitate this, namely: strategy, policy, awareness, implementation, monitoring and remediation.

The book starts out and begins to develop the context for an information security program. It astutely notes that an information security program exists only in the context of an organizational management structure. Anyone building an information security program for its own sake, removed from the organizational management structure will quickly find themselves devoid of a budget, and often shortly after that, out of a job.

The books attention to detail and specific definitions are superb. In the opening section, it defines the objectives, prerequisites, typical tasks and performance measures for over 10 different jobs within information security. It then creates a segregation of duties matrix for these jobs. Such detailed information is invaluable to anyone attempting to build a security program.

The main part of the book is in section 2 which steps through what an information security program is, how it is created, how it operates and what resources are required to maintain it. The beauty of the book is that the author understands that information security is not a monolithic undertaking. Rather it must be developed and customized according to the specific needs and requirements of the particular organization. These differences are made clear in the chapter when it details 9 unique information security reporting hierarchies; and deciding on the appropriate reporting hierarchy is not a trivial undertaking.

The book writes that successful information security program development, by definition, must align with organization goals. This alignment can only be achieved if the CISO has an open, two-way communication path to each manager with information security responsibilities. While this is a necessary and realistic goal, far too few CISO's have such communications paths at their disposal, and even less have constituent ears that are receptive to such communications.

Section two provides an excellent overview of metrics and how they can be effectively used. In the last few years, metrics has been the rage in the security community. Individuals such as Pete Lindstrom and groups such as Security Metrics have been at the forefront of such efforts.

But the book notes that metrics for their own sake can also be taken too far. The book references a volume on metrics that has over 900 possible things to measure that would provide security metrics, including such silly metrics as "number of times, by fiscal year, that fines and jail sentences were imposed for altering, destroying, mutilating, concealing or falsifying financial records". Bayuk perceptively observes that any CISO who is measuring these types of concerns and analyzing them for feedback on how to improve their information security program should realistically look for a different job.

Section 3 concludes the main part of the book with a security program case study. The point of the case study is to show how an information security program evolves around changes in the organization it supports. The case study shows that all of the six steps on which the book is premised are indeed necessary.

The final 100 pages of the book detail various sample security policies, standards, procedures and guidelines. All of the policies, standards, procedures and guidelines are well-written and it would have been nice if these would have been available in electronic format.

The book notes that the information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. For those that want to make that transition, Stepping Through the InfoSec Program is a most valuable guide to get you there.

The book is written by an author who has significant amounts of real-world experience in a leading edge organization. That unique knowledge and experience is evident after reading the first few pages of the book. The book provides the reader with a comprehensive overview of how to build an effective information security organization.

One final note, don't judge a book by the cover. On the cover are three busy looking executives, all smiling and looking refreshed. The reality is that most people who have taken the time to build effective security programs often emerge from that battle exhausted and battle weary.

For anyone contemplation entering the information security field, or those in it already that need effective direction, Stepping Through the InfoSec Program should be on their required reading list.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Stepping Through the InfoSec Program from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

35 of 56 comments (clear)

  1. the problem with books on this topic by pha7boy · · Score: 2, Insightful

    I think the danger with books on this topic is that by the time you get them to the publisher, and printed, and distributed, half the content is about to be out of date, and the other half will not be current after one year.

    I'm not knocking the book, but in tech matters, I rather keep up via web/new media. tech-philosophy books, now that I like and buy.

    --
    -- All this knowledge is giving me a raging brainer.
    1. Re:the problem with books on this topic by KernelMuncher · · Score: 3, Insightful

      If it's in technical specifics, that could be true. But if the book covers more conceptual ways of handling security matters or security philosophy, it could be very useful for some time. Topics like how to stop social engineering or creating effective security policy never go out of style.

      I got a lot out of The Cuckoo's Egg and that was published forever ago.

    2. Re:the problem with books on this topic by Major+Byte · · Score: 5, Insightful

      I think the danger with books on this topic is that by the time you get them ... half the content is about to be out of date, and the other half will not be current after one year.

      Sorry to knock your opinion man, but the fact is that building an information security program is really quite distinct from the technology. For example, the Certified Information Systems Auditor (CISA) examination requires a vast knowledge of organizational processes, legal requirements, and risk assessment, but really very little about Linux or Vista or OS de jour. A really talented CSO attempts to define a technology-independent computer security plan, and so it is a given that the technology changes very fast.

    3. Re:the problem with books on this topic by Jansingal · · Score: 1

      Well, if the book is about Windows XP, then yes. but core concepts of security, CIA triad, etc., they are timeless. Well, not timeless, but you know what I mean. First Ed. of 'Security Enginnering' by ross anderson is 8 years old. my guess is that at least 90% of it is still 100% relevent.

    4. Re:the problem with books on this topic by Jansingal · · Score: 1

      published in 1990. Way before slashdot

  2. Re:Dupe by everynerd · · Score: 3, Informative

    If you read anything above you would realise that this is in fact a review of a completely separate book, the tagline only references the one reviewed in the link you posted.

  3. Current? by Darkness404 · · Score: 1

    For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read

    Yah, really current, books on technology are never current. Even some magazines aren't current, let alone books. Seriously, anyone who wants to be current should subscribe to a mailing list, or at least use magazines which are usually only 1-2 months out of date rather than a book which at best are 3-4 months out of date.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Current? by OriginalArlen · · Score: 2, Informative

      True, technology books ARE always out of date, but whilst it's a truism that things are always changing, it's also true that there's an linear relationship with the degree to which they stay the same. (I believe the French have a neat saying that encapsulates this notion.)

      The MULTICS pentest paper and it's review 30 years later are cases in point. See also Thompson, K., "Reflections on Trusting Trust", a matter which Kaminsky, D., has recently demonstrated is as true today as it was then (in a context which is completely different, yet exactly the same.)

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    2. Re:Current? by Jansingal · · Score: 1

      didn't someone say above that this is NOT that type of book.

  4. What I want to know by OriginalArlen · · Score: 4, Interesting

    I work in the field. There's only one question I really care about - the rest is just a simple question of reading man pages and documentation and textbooks and writing policies and having meetings and reviewing designs and, and, and. You know. Stuff that you can do.

    What I want to know is, how can I make my senior management care?

    Seriously. Yes, I've tried all the known things. All I have to cling to now are customer requirements. Show them a pot of gold and, like Valerie Solanos' view of men and sex, they'd wade through a river of warm puke up to their nostrils to get to it, and if that means tossing some budget at security, they'll do it. (So, to answer my own question -- folks who are involved in assessing suppliers - for heaven's sake, ask them about their security, and I mean really ask - don't believe the marketing bullshit, look for independent reviews and certifications. Hell, even an ISO 27001 cert is better than nothing (and that has very little to do with real, on-the-metal infosec.)

    --

    Everything I needed to know about life, I learnt from Blake's Seven
    1. Re:What I want to know by Jansingal · · Score: 1

      >>>>What I want to know is, how can I make my senior management care?

      Absolutely zero you can do.

      either they get it and take action on it, or else they are clueless.

      don't try to have them get security, if they don't get it, they won't.

    2. Re:What I want to know by Jansingal · · Score: 1

      >>What I want to know is, how can I make my senior management care?

      I take back my comment.

      run a pen test and they will get it.

      a good pen test team has at least a 95% success rate.
      A really good pen test team has a 99% success rate.

      Hack em and then scare them and then you got them!

    3. Re:What I want to know by OriginalArlen · · Score: 1

      Nah, we do them all the time. It doesn't help.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    4. Re:What I want to know by bbasgen · · Score: 1

      >What I want to know is, how can I make my senior management care? You can't. That doesn't mean you have no recourse. First, realize that you are not asking a security question. Your question is about your organization, its goals, values, and mission. It is a question about resources and priorities, and there isn't a single employee, department, or division -- that isn't always asking the same kind of question (albeit, likely in a different form). Information Security is all about the business, communication, information flow, etc. If you start talking on those terms, you'll find that you can serve the institution in various in sundry ways. Some folks tilt at Windmills, trying to convince upper management about why Packet X must be stopped, but that misses the point. Management has no need to care about IT security -- that is the CIO's job. Management does need to care about information security, but you can't make any progress speaking in terms of IT security. Management that doesn't care about a properly presented case on information security likely doesn't care about a whole host of departments and organizational functions. If I'm the CEO of a commodity organization, I probably wouldn't care either.

    5. Re:What I want to know by maestro371 · · Score: 1

      If you really believe that striving towards the ISO27001 certification is not real InfoSec, then you're in the wrong line of business.

      Information Security is not about technology.

    6. Re:What I want to know by Jansingal · · Score: 1

      who do you use for your pen testing?

      some firms have bettter reports that get more receptiomn from the execs

    7. Re:What I want to know by OriginalArlen · · Score: 1

      Management has no need to care about IT security -- that is the CIO's job

      We don't have a CIO, any more than we have an IT Director or other exec post where you'd expect security to naturally sit.

      If I'm the CEO of a commodity organization, I probably wouldn't care either.

      We're not a "commodity organisation", we're an IT services / outsourcing firm with turnover in the $100m range. We handle lots of sensitive data from our large number of well-known business customers. We even tout security in our marketing. Yes, it makes me alternately angry and sick and incredibly anxious. Yes, I'm wondering whether it'll soon be time to bail out.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    8. Re:What I want to know by OriginalArlen · · Score: 1

      ISO (or any other cert) is not orthogonal to really good security practices. It's rather like industry certs - be it MCSE, CCIE or CISSP. It's possible for drooling halfwits to get the letters after their name (OK, less so with CCIE, I grant you.) The cert tells you that the person in front of you at the interview has the basic minimum level of competence required to get them. I'm sure we all know people with letters who were clueless fuckwits, just as there are people with no letters with more knowledge experience and skill in their little finger than I'll ever have. Thus, a cert is "better than nothing", but certainly doesn't mean I rely on it. (I've been thru the 27001 process and know how far bullshit and bluster and having the right paperwork carries you -- a hell of a long way, especially if your sales droids don't mention (and the customers don't ask) what the scope of the cert actually is...

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    9. Re:What I want to know by OriginalArlen · · Score: 1

      We've used several firms. Execs would never read the reports, no matter how much teh shiny and drool-proof the paper is. (Well OK, the IT management get it, all the way up to the level of "our" exec VP, who's tried many times to get the Board to give a fuck, without success.) But it's the Board, who sign off on budget, who we need to get through to.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    10. Re:What I want to know by Jansingal · · Score: 1

      Have then run some DoS attacks, take down a prod. server.

      then... they will understand.

  5. Re:We can be guilty as well by Darkness404 · · Score: 2, Insightful

    Business-side executives who think they can manage without understanding anything at all about the technical details are just as arrogant and dangerous to the bottom line as techies who think they don't need to understand anything about the business.

    Even though this is totally off topic, you are totally wrong. Business-side executives who think they can manage without understanding technology are more dangerous then a tech guy who doesn't understand a business.

    The executives usually are the ones setting easy passwords or demand insecurities, while the tech guy usually wants to make everything secure. A good tech guy needs to understand nothing about the business because he should be in *gasp* technology not running a business.

    --
    Taxation is legalized theft, no more, no less.
  6. Has anyone thought that we might by LM741N · · Score: 1

    have created this monster with the presence of too much information, in the way of X degrees of seperation? Why do VP's copy 10 different people on an email? Then those 10 people copy another 10 other people on the response. Why do they even use email, esp unencrypted when communicating overseas?

    Perhaps high level executives should have closed meetings, not use email. Plus email could be compartmentalized so that certain levels of employees could communicate to their bosses and amongst themselves, but no one else.

    I would hope that all of government does this, but then perhaps I'm in a dream world. Well Bush did say that he never uses emails with his staff. Perhaps the smartest thing he has ever done in office.

  7. Re:We can be guilty as well by profplump · · Score: 2, Insightful

    Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.

  8. Twelve step program? by Chris+Mattern · · Score: 1

    Step one: Admit you are powerless over security--that your systems have become unmanageable.

  9. Re:Dupe by Jansingal · · Score: 1

    dude - different book

  10. Re:Twelve step program? by Naked+Jaybird · · Score: 1

    Step two: Come to believe a third party vendor can restore your security.

  11. Not an Objective Review by Anonymous Coward · · Score: 3, Informative

    I'm always skeptical about the people who somehow have the time to read and publish all of these online reviews - many of the are raves for books that nobody has heard of before.

    So I Googled Bayuk (author) and Rothke (reviewer) and came up with a presentation they've done together:

    www.bayuk.com/publications/BayukSOX.pdf

    So, I guess this is nothing more than Ben trying to get us to buy his friend's book.

    1. Re:Not an Objective Review by Jansingal · · Score: 1

      dude, not exacatly a smoking gun......

      presentation was in 2004 and book is written in 2008.

  12. Re:Twelve step program? by thogard · · Score: 1

    Step four: Throw money at a group like (ISC)2 which happened to pick a name for maximum confusion with legitimate groups and then convinced the world they are the security training experts.

  13. Re:frsit spsot by Jansingal · · Score: 1

    alas, the 7 seas are a verity of the past, mythology, there are certainly more than 7 seas now.

  14. Re:Did we go back in time? by Jansingal · · Score: 1

    as to the 80's, i heard they were going to use pat benatar on the cover but could not get the rights :)

  15. Re:Twelve step program? by Jansingal · · Score: 1

    you mean an MSSP :)

  16. Re:Twelve step program? by Jansingal · · Score: 1

    >>>ISC)2 which happened to pick a name for maximum confusion with legitimate groups

    What is the confusion with a legitimate group?

  17. Re:We can be guilty as well by Kjella · · Score: 1

    Unless you mean "help-desk drone" or some other position that only requires following instructions provided by others, you can't be a "good tech guy" and know nothing about business, because businesses define "good tech guys" as people who help them achieve their business goals, not as people with l33t technical skills.

    Business executives think highly of people that understand them and can relate to them, big surprise there. Those that live "in between" certainly knows the value of a tech guy who delivers, and should relate that upwards when needed. Honestly, a business exec has no understanding of whether you're a SQL guru or thedailywtf material. You probably got very little idea if he's a PHB or a CEO in the making either. Very few achieve "fame" outside their own field, in business or elsewhere. The best you can usually get is those that depend on you saying "You can have him over my cold dead body".

    --
    Live today, because you never know what tomorrow brings
  18. Straight from the horse's mouth by SST-206 · · Score: 1

    In case you missed it, recordings have been released from The Last HOPE conference, including Myrcurial's InfoSec talk "From a Black Hat to a Black Suit - How to Climb the Corporate Security Ladder Without Losing Your Soul" [direct link to large 64kbps MP3 file].

    --
    Co-operation beats competition