IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten
IT Security Management 100 Success Secrets
Copyright 2008

Notice of rights: All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Notice of Liability: The information in this book is distributed on an "As Is" basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it.

Trademarks: Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.
IT Security Management 100 Success Secrets

There has never been an IT Security Management guide like this. 100 Success Secrets is not about the ins and outs of IT Security Management. Instead, it answers the top 100 questions that we are asked and those we come across in forums, our consultancy and education programs. It tells you exactly how to deal with those questions, with tips that have never before been offered in print. This book is also not about IT Security Management's best practice and standards details. Instead, it introduces everything you want to know to be successful with IT Security Management.
Table of Contents

Institute of Information Security Professionals: Providing a Venue for Security Specialists to Enhance Their Skills
War-free World: The British American Security Council
BS7799: The British Standard on Information Security Management (ISMS)
Certified Information Systems Security Professional: Securing Information
Important Tasks of Information Security Specialist
Information Security Standards: Helping Companies Defend their Information Network
Important Considerations for Building Information Security Strategy
Information Security Survey: Showing the Current State of Network Security
Information Security Threats: A Growing Corporate Concern
How to Become a Member of Institute of Information Security Professionals
Important Features of IT Network Security
How to Conduct IT Security Audit in 3 Simple Steps
Start-up IT Security Companies: Providing Dedicated Security Service for Businesses
IT Security Conference: Providing Security Solutions Against New Threats
The Benefits of IT Security Consultancy Services
Factors to Consider Before Hiring IT Security Consultants
IT Security Courses: Building Security Capabilities of IT Staff
Best Sources of IT Security Information
The Need to Standardize Ethical IT Security Issues
IT Security Job: Is It the Hottest IT Job Today?
Two Critical Areas of IT Security Management
The Need for IT Security Manager
Why the IT Security Market is Growing
IT Security News Portals: Delivering Up to Date Information to IT Professionals
Functions of an IT Security Officer
Features of Good IT Security Policies
What are the Important IT Security Qualifications
IT Security Recruitment Agencies: Providing Expert Manpower for Companies
IT Security Risk Manuals: Giving IT Managers Valuable Assistance
Expected Growth of IT Security Sales
IT Security Services: Making Security Management Easier
IT Security Software: The Building Block of Security Network
3 Steps to Determine the Acquisition of IT Security Solutions
The Benefit of Having IT Security Systems
Get IT Security Training and be Hired
MSC Computer Security and What it Offers
Learn More about Physical Computer Security
Revocation Information for the Security Certificate and How it Happens
What is Computer Security in Layman's World
What is Information vs. Computer Security?
Data Safety with Gartner IT Security
The Need for Information Security Awareness
The Usefulness of Information Security Breaches Survey
The Demands for Information Security Consultancy
Information Security Courses and their Importance to an Organization
Tasks and Importance of the Head of Information Security
Basic Info on Information Security Breaches
The Essence of Information Security Conference to Different Organizations
The Responsibilities of an Information Security Consultant
What is Information Security Forum?
Computer Security Courses: Demand for Good Computer Security
Computer Security Jobs: Many Types of Jobs Available
Computer Security Policy: The Two Policies
Computer Security Test: Two Ways to Test the Security Programs
DTI Information Security: Cooperation between the Government, Business and Anti-virus Makers
Computer Security Issues: Viruses that are Dangerous to Computers
Computer Security News: Promoting and Enhancing the Whole Community
Computer Security Products: Measures to Take
Computer Security Threats: Computer Security Versus the Threats
Free Computer Security Software: Free Anti-virus Software for Domestic Users
What is Information Security Governance All About?
Wide Coverage of Information Security Jobs
Having an Information Security Management System in your Organization
Formulation and Review of Information Security Policies
Information Security Recruitment is Recruiting
Help from the Information Security Group
Read it on Information Security Magazine
Top Priority Qualifications of an Information Security Manager
Certified Information Security Professional
Importance of Information Security Risk Assessment
Understanding Airport Security Information
What are Computer Security Cables?
Information Security Officer: How Tough the Job Is?
Information Security Risk: How to Manage it Effectively
Information Systems Security and its Primary Components
IT Security in UK: How Effective is it?
IT Security Policy and its Three-Way Process
Security for Computer: How Important Is It?
Cryptography: The Best Computer Security Yet
Computer Security Check: A Better Way to Reduce Risk
Understanding the Information Security Policy
Information Security Training
Information Technology Security: How to Do it the Best Possible Way
IT Security Jobs Continue to Grow
MSC Information Security: What is it?
The Basic Concepts of Information Security
The Importance of Computer Security
IT Security: Protecting your Computer from Viruses
Computer Data Security: The Need to Back-up Critical Data
Computer Internet Security: Towards a Better Browsing Experience
Optimizing Computer Network Security
Computer Security Software - The Best Line of Defense against Threats
Information Security Management: Managing Data Confidentiality
Computer Security Training: The Start of Something B-I-G
Say NO to Free Computer Security
When Security of Information is at Stake
The CIA Triad of Computer Security Systems
Maximizing Information Security Solutions to Computer Systems
Symantec Information Foundation: What does it Offer Aside from Mail Security?
Information Security Jobs: Are you IN to IT?
Institute of Information Security Professionals: Providing a Venue for Security Specialists to Enhance Their Skills

The Institute of Information Security Professionals is a non-profit organization which aims to develop professionalism in the information security sector. The institute was organized by security specialists in order to provide a venue for standardizing the practice of network security implementations and protocols. Security specialists seek recognition from the Institute to formalize their entry into the profession and gain certification from their peers. Membership in the Institute of Information Security Professionals signifies that a security specialist is an accredited practitioner and can handle security management of information systems.

Members of the Institute are provided with an exclusive professional email address with multiple forwarding capabilities. This gives them a unique electronic identification which highlights their professional accreditation. The Institute is also the source of a global directory of security professionals which can be accessed by members. In this way, security professionals are able to establish contact with other practitioners and network with them.

Another highlight of membership in the Institute is access to the rich discussion board and lounge on the IISP website. This forum is exclusively available to security specialists; current concerns are discussed on it, as well as new techniques for facing security issues. This can significantly widen the knowledge of security professionals and allow them to implement the latest innovations in security protocols.
The Institute of Information Security Professionals can also provide job resources for its members through access to the networks of its corporate partners. It can also give mentoring services for members, conducted by advanced practitioners of network security.
War-free World: The British American Security Council

National security is a major issue in many countries, especially in superpowers like the US. Remember what happened that fateful September of 2001, when the Twin Towers went down and part of the Pentagon was also destroyed? Nowadays a lot of countries go out of their way to ensure that national and international security is protected. There are also a lot of bomb threats which different governments all over the world have to deal with. What is more galling is that the weapons are not limited to bombs: there is also the threat of nuclear weapons and biochemical weapons. It will probably take a long time for some extremist to come up with a weapon that has something to do with manipulating the weather. This may sound a little overboard right now, but years ago the thought of man landing on the moon was also overboard.

The US and UK have collaborated to form an independent body which examines and researches global security issues. Its aim is a more peaceful and safe world, free from nuclear weapons and from the kind of war that has produced so many victims in countries such as Iraq. The British American Information Council, also known as BASIC, is based in London and Washington, DC for the two countries. BASIC is a non-government organization that also deals with many other organizations, such as NATO, and is well respected for its research and studies. As such, it has become an avenue through which security issues are presented to the public in a simpler way.
BS7799: The British Standard on Information Security Management (ISMS)

Information risk and security is a major issue that most companies face today. Many companies spend a lot of their time and resources to ensure that information security is kept intact. The British Standards Institution (BSI) came up with a security standard. Before going into detail about this security standard: a standard is a written guideline for doing things in a more efficient way; in layman's terms it could be called an "instruction".

In 1995, BSI came up with a security standard that was adopted by the government's Department of Trade and Industry. This is what is known as BS7799. Later, in 2000, when ISO introduced standardization for Information Technology, BS7799 was adopted. What was BS7799 is now part of ISO/IEC 27001:2005, which sets the standard for best practices in Information Management. Today BS7799 is on its third revision, and it has helped a lot of companies follow best practices for Information Management and has increased awareness of them. It has grown into a broader horizon which is not limited to information security and confidentiality but also covers the importance of privacy of all information within the organization. Indeed, it can be said that BS7799 paved the way for the international standardization of Information Security Management and is still taking it to a higher level. Although it can never eliminate the danger of a security breach, BS7799 can help minimize that risk.
Certified Information Systems Security Professional: Securing Information

Information security has been deemed such an important and integral part of any organization that, for many IT professionals, it has become a specialty. One of the certifications given is known as the Certified Information Systems Security Professional, or CISSP, which is awarded by the International Information Systems Security Consortium (ISC) to many IT professionals. ISC and the CISSP are known in 120 countries all over the world. In 2004, this program earned ISO/IEC 17024:2003 accreditation, the first IT certification program to do so.

What is the CISSP? It is a curriculum that covers various Information Security topics which are vital for any organization. At the end of the curriculum there is an examination whose questions are based on the CBK, or Common Body of Knowledge, a collection of topics about information security gathered from professionals in different parts of the world. The CBK is composed of 10 domains, which are the following:
Access Control
Application Security
Business Continuity and Disaster Recovery Planning
Cryptography
Information Security and Risk Management
Legal, Regulations, Compliance and Investigations
Operations Security
Physical and Environmental Security
Security Architecture and Design
Telecommunications and Network Security

Getting the CISSP certification, though, is not as easy as one might think. One of the requirements that must be met by applicants is a minimum of five years in the business with a clean record, that is, no criminal record or the like. The passing mark is also high: candidates must score 700 or higher. Certification, once obtained, is valid for three years.
Important Tasks of Information Security Specialist

Information security specialists are responsible for planning, organizing, and maintaining the security and integrity of organizational and corporate IT networks. The tasks of information security specialists are critical. Computer use, especially of networked systems, has become an integral part of any organization's operations. In fact, some organizations or companies rely heavily on their IT networks to function properly and conduct business. Without their wide network of interconnected systems and individual workstations, these companies would not be able to produce meaningful output. A single glitch in their network can therefore trigger a major disaster for their operations. That is why information security specialists are in place to secure the integrity and continuous operation of their organization's network.

In the past, network security was neglected by companies. They relied on the built-in security features of their programs and IT infrastructure. With the advent of network security attacks such as hacking, information theft, fraud, and malicious disruptions, the old model for network security has become useless. That is why companies have instituted new methods and models for network security and IT systems integrity. Security specialists are assigned to monitor and keep the network secure. They maintain regular diagnostic check-ups on their network firewalls, encryption technology, and server security. They are also responsible for educating personnel in the correct use of computers and proper protocols when utilizing networks.

Information security specialists can also investigate system attacks, gather data on fraudulent activities, and catch security hackers. The data they gather can be used to prosecute cyber crimes or to produce evidence so that authorities can track and catch network security threats.