How to Cheat at Managing Information Security
Ebook, 452 pages, 5 hours


About this ebook

This is the only book that covers all the topics that any budding security manager needs to know! This book is written for managers responsible for IT/Security departments, from small office environments up to enterprise networks.

These individuals do not need to know about every last bit and byte, but they need to have a solid understanding of all major IT security issues to effectively manage their departments. This book is designed to cover both the basic concepts of security (the nontechnical principles and practices) and basic information about the technical details of many of the products: real products, not just theory.

Written by a well known Chief Information Security Officer, this book gives the information security manager all the working knowledge needed to:

* Design the organization chart of his new security organization
* Design and implement policies and strategies
* Navigate his way through jargon-filled meetings
* Understand the design flaws of his E-commerce and DMZ infrastructure

* A clearly defined guide to designing the organization chart of a new security organization and how to implement policies and strategies

* Navigate through jargon-filled meetings with this handy aid

* Provides information on understanding the design flaws of E-commerce and DMZ infrastructure
Language: English
Release date: Aug 22, 2006
ISBN: 9780080508283


    Book preview

    How to Cheat at Managing Information Security - Mark Osborne


    Preface

    Mark Osborne, 2006

    Sometimes I’m asked why I wrote this book, and my answer can be summed up by a very simple story. While I worked for a large audit firm, I was phoned up by an auditor I vaguely knew. “Hi, I have an interview for the position of security manager next week,” he said with obvious enthusiasm. “I know it’s got a lot to do with passwords and hackers, but can you give me more details?”

    He must have thought I hung up by mistake because he phoned back—twice!

    This book isn’t the most comprehensive security text ever written, but I think it contains many of the things you need to understand to be a good IT security manager. It’s exactly the kind of book my auditing chum would never buy.

    Introduction

    Information security is different from many other disciplines both within main-stream information technology and other business areas. Even though there are now many good books on various areas, getting the breadth of knowledge across the many subareas is still difficult, but it is essential to success.

    Unlike so many functions of IT, security is an area that requires practitioners to operate across the whole organization. A chief information security officer (CISO) or a security manager is likely to be asked advice on many aspects of security in situations where there is no alternative but to give some sort of counsel. Sometimes your best shot may be the best hope available. So the sensible security officer strives to have a good foundation in most areas; unfortunately, however, many don’t and rely not on knowledge (either formal or self-taught) but instead use an authoritative tone, tactical Google searches, or the various mantras about security policy. Those experts who know everything about everything but whose advice needs to be reversed 50 percent of the time often cost companies hundreds of thousands of pounds in project delays and even fines.

    This book can’t possibly prepare you for everything you are likely to come across. And in its defense, no other single volume can either, but this book is designed to be a rather good start for that preparation.

    This book is designed to cover both the basic concepts of security (i.e., the nontechnical principles and practices) and basic information about the technical details of many of the products—real products, not just theory.

    Throughout the book, I have tried to explain why we do things the way we do. I don’t know this because I’m very clever; let’s say I know this because I’m slightly older than you and was in on the ground floor while people were still trying to work things out.

    Chapter 1

    The Security Organization

    The purpose of this chapter is to:

    ■ Review typical positions of the information security function and the benefits of each

    ■ Define the role of the security function

    ■ Discuss the qualities of a good CISO

    Anecdote

    To be a chief information security officer (CISO), you must demonstrate certain key qualities to an employer. At the interview for my last position, I sat down, miscalculating the touch-down so the arm of the chair slid neatly into my pants pocket with a ripping sound. My Top-Shelf consultancy suite was now complete with air-conditioning.

    I immediately announced, “I’ve ripped my trousers”—so my interviewers would know the exact source of the sound that had so obviously come from my seat. Then I said, “Now you can see that I’m not talking out of the seat of my pants.”

    Now that’s the voice of experience!

    Introduction

    No two organizations are the same; they are always different culturally and in terms of size, industrial sector, and staff. Consequently, there is no right (but probably plenty of wrong) answer to the question, “Where should we position the head of security and the security team(s) in an organization?” Separation of the position of the operational security teams away from the head of security is often a purposeful and commercial decision.

    This chapter reviews how organizations, both big and small, set up their security functions. It is based on my observations gained during 10 years’ experience in security consulting, at both a strategic and a detailed technical level, to many of the United Kingdom’s leading blue-chip companies.

    I have never seen this subject covered in any textbook or manual.

    Where to Put the Security Team

    Figure 1.1 shows a typical firm with a number of potential positions for the security function. We will analyze the pros and cons of each position to answer the age-old question, “Where should information security sit?”

    Figure 1.1 An Information Security Organization’s Hierarchy of Personnel

    Where Should Security Sit? Below the IT Director Report

    The most common position for the CISO and the security function is reporting up through the IT director or the head of computer operations. Certainly the latter organizational structure is common in small firms where there is no regulatory requirement for security. If the company is regulated or even quoted on an exchange, the authorities may encourage a more elevated position. Strangely enough, it is also common in more visionary firms that have had a security team for 20 years—perhaps because the team evolved from a solid team of Resource Access Control Facility (RACF) administrators (RACF is security software for IBM mainframes)!

    Visit any organization with this structure and you will, within a very short time, recognize these benefits and failings.

    Pros

    Advantages of positioning the security team below the IT director include:

    ■ The information security function will not receive much outsider resistance when it makes IT decisions, simply because it is part of the computer department. Therefore, it isn’t external interference.

    ■ Operational computer security tasks (firewall installs, router access lists, and the like) will tend to be carried out by the team rather than by producing a specification for another team to execute. As a result, the team will become acknowledged local experts.

    ■ Technical security staff can be allowed to specialize and work closely with other technical areas. Therefore, not only will there be skill transfer, but relationships should generally be better.

    Cons

    Disadvantages of positioning the security team below the IT director report include:

    ■ Security will not have a powerful voice.

    ■ Security will probably be under-funded.

    ■ Security will not be independent; it will always be seen as taking the easiest route for the IT department. Typically, because of the low-ranking positions and the fact that it is embedded in the IT department, the focus will tend to be on computer security rather than information security. Business risk techniques to assess loss and impact will tend not to play a key role.

    Obviously, in some situations this positioning will not be a big disadvantage. One of the largest U.K. banks is organized exactly in this manner. But when you are a direct report to an IT director who is responsible for 5,000 people and you have over 100 security staff reporting to you, you probably won’t feel that your punch lacks power. Similarly, if the organization has nearly all its problems within the IT department and IT is the core business (such as with an Internet company), placement here could be a significant advantage.

    Generally, however, good all-round risk management cannot prosper in this layout. The scope of the role will allow the security function to manage digital and computer security very effectively, but influence over information risk management for nondigital assets may be advisory at best. This fact will have significant drawbacks at times (such as in the security of paper files), but computing is ubiquitous these days, so the influence of the role may still be considerable. As discussed later in the chapter, sound partnering with other departments may reduce this drawback considerably.

    Where Should Security Sit? Below the Head of Audit

    Another far from ideal place to position a security team is to have it report to the head of the audit function. In my experience, this is where security teams are often dumped when they grow up and move from being a subdepartment of the computing department to having a wider scope.

    But if you have any sort of life, you don’t want to spend it with auditors, I promise you.

    Pros

    Advantages of positioning the security team below the head of auditing include:

    ■ The team is independent from the computer department.

    ■ The team will benefit from the whole-business governance mandate of the audit department. If the accounts team members are sharing passwords and you catch them, they will no longer excuse it by saying, “Oh, it’s just IT.”

    ■ Your boss (the head of auditing) will insist that you take a holistic information security approach rather than just apply computer security.

    ■ The security team will have powerful friends such as regulators or the audit committee.

    Cons

    Disadvantages of positioning the security team below the head of auditing include:

    ■ Nobody is ever pleased to see an auditor. The team will tend to be perceived as judgmental and reactive, not proactive fixers or problem solvers.

    ■ Auditors are often jacks-of-all-trades, not uncommonly struggling technically to do the jobs they do. The team will never be recognized as subject matter experts.

    Where Should Security Sit? Below the CEO, CTO, or CFO

    Placing security below the CEO, CTO, or CFO is the best of all the basic positions. This reporting position ensures that other departments will take notice of your findings, yet it is independent from any operational department.

    Pros

    Advantages of positioning the security team below the CEO/CTO/CFO include:

    ■ The security team is endowed with power.

    ■ It is independent.

    ■ The position is high enough to have a whole business remit.

    ■ It shows everyone that your organization is taking security seriously.

    Cons

    Disadvantages of positioning the security team below the CEO/CTO/CFO include:

    ■ The security team will be accused of being in an ivory tower (but so what).

    ■ The security team will find it hard to look into the IT director’s business and organization.

    Your Mission: If You Choose to Accept It

    So what does a good security team do? What are the team’s objectives? The answers to these questions will change from organization to organization, dependent on the particular information security strategy. The factors that may influence the answers, detailed at length in the next chapter, include legal requirements, regulatory requirements, and supplier and customer information security requirements.

    This section describes the common activities of an information security department.

    Role of the Security Function: What’s in a Job?

    Figure 1.2 shows the well-respected security team of a live organization.

    Figure 1.2 A Large Information Security Team

    This chart provides a good example of the roles or skills required within a security team that are needed to manage information risk. Management of information risk includes the following duties:

    ■ Incident management

    ■ Legal and regulatory requirements

    ■ Architecture and research

    ■ Policy, standards, and baseline development

    ■ Security consultancy

    ■ Assessments and governance

    ■ Operational security

    The following sections review each of these functions in turn.

    Incident Management and Investigations

    Every organization needs to deal with a number of categories of security incident. These can vary considerably in their nature and impact on the organization. Typically, the team will be involved in the full range of computer misuse activities,
