Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Information Security Handbook
Information Security Handbook

Information Security Handbook: Develop a threat model and incident response strategy to build a strong information security framework

eBook
$27.98 $39.99
Paperback
$48.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Information Security Handbook

Information and Data Security Fundamentals

Computers have been instrumental to human progress for more than half a century. As these devices have become more sophisticated they have come under increasing attack from those looking to disrupt organizations using these systems. From the first boot sector virus to advanced, highly-complex, nation-state threats, the ability for an adversary to negatively impact an organization has never been greater. While the attacker has become more sophisticated, our ability to prepare for and defend against the attacker has also become very sophisticated. Throughout this book, I will discuss what it takes to establish an information security program that helps to ensure an organization is properly defended.

The first chapter will provide the reader with an overview of key concepts that will be examined throughout this book. The reader will learn the history, key concepts, components of information, and data security. Additionally, the reader will understand how these concepts should balance with business needs.

The topics covered in this chapter include the following:

  • Information security challenges
  • The evolution of cybercrime
  • The modern role of information security:
    • IT security engineering
    • Information assurance
    • The CIA triad
  • Organizational information security assessments
  • Risk management
  • Information security standards
  • Policies
  • Training

Information security challenges

The threats faced by today's organizations are highly complex and represent a real danger. The ability to mount an attack has become very simple due to many factors including the following:

  • End user: End users that use our information systems are prone to clicking on website URLs and launching attachments in emails
  • Malware kits: Paying hackers for DIY kits to easily develop your own malware
  • Cloud computing: Cheap and easy access to computing resources helps to ensure easy access to processing power
  • Exploit subscription services: Underground services that an attacker can subscribe to, to get the latest exploits

An attacker can take these tools, string them together with tutorials found online (as well as their own knowledge and resources), and build a sophisticated attack that could affect millions of computers worldwide.

Modern computer systems were never really developed to be secure. From the very beginning, computers have had an inherent trust factor built into them. Designers did not take into account the fact that adversaries might exploit their systems to harvest the valuable assets they contained. Security therefore, came in the form of bolt-ons or bandages, for solving an inherent problem. This still continues to this day. If you look at a modern computer science program, cybersecurity is often not included. This leads us to the modern internet, overflowing with vulnerable software and operating systems that require constant patches because security has always been an afterthought. Instead of security being built into an information system from the beginning, we are faced with an epidemic of vulnerable systems around the world.

The computer power of the average individual has greatly increased over the past few decades. This has resulted in an increase of sanctioned, and unsanctioned, personally-owned devices processing organizational data and being connected to corporate networks. All of these unmanaged devices are often set up to accommodate speed and convenience for a personal user and do not take into account the requirements of corporate information security.

Many organizations see information security as a hindrance to productivity. It is common to see business leaders, as well as IT personnel, avoid the discussion surrounding security with the fear that security will prevent the corporation from achieving its mission. Implementing security within a project Systems Development Life Cycle (SDLC) may be fought against, as team members may believe security will prevent a project from being completed on time or viewed as an impediment to a business' financial gain. Tools such as multi-factor authentication (MFA) or Virtual Private Networks (VPN) may be resisted as the business might not want to invest the capital for such solutions, due to not understanding the technology and how it would minimize the cyber risk posture of the organization.

Overcoming these challenges requires that the information security leader has a strong understanding of the organizations that they work for and that communication is effectively maintained. The information security professional must integrate with all functional/business owners within their organization. This will allow the security professional to help determine the risk posture of each business area, and help the business owner make sound risk-based decisions. Information security must offer solutions to the business leader's challenges versus adding new challenges for the business leader to solve. Additionally, the information security professional must work and collaborate effectively with their counterparts in information technology. Many information security professionals focus on dictating policy without discussing what is actually needed. Work to foster a relationship where the information security group is sought out for answers rather than avoided.

Evolution of cybercrime

As computer systems have now become integral to the daily functioning of businesses, organizations, governments, and individuals we have learned to put a tremendous amount of trust in these systems. As a result, we have placed incredibly important and valuable information on them. History has shown, that things of value will always be a target for a criminal. Cybercrime is no different. As people flood their personal computers, phones, and so on with valuable data, they put a target on that information for the criminal to aim for, in order to gain some form of profit from the activity. In the past, in order for a criminal to gain access to an individual's valuables, they would have to conduct a robbery in some shape or form. In the case of data theft, the criminal would need to break into a building, sifting through files looking for the information of greatest value and profit. In our modern world, the criminal can attack their victims from a distance, and due to the nature of the internet, these acts would most likely never meet retribution.

In the 70s, we saw criminals taking advantage of the tone system used on phone networks. The attack was called phreaking, where the attacker reverse-engineered the tones used by the telephone companies to make long distance calls.

In 1988, the first computer worm made its debut on the internet and caused a great deal of destruction to organizations. This first worm was called the Morris worm, after its creator Robert Morris. While this worm was not originally intended to be malicious it still caused a great deal of damage. The U.S. Government Accountability Office in 1980 estimated that the damage could have been as high as $10,000,000.00.

1989 brought us the first known ransomware attack, which targeted the healthcare industry. Ransomware is a type of malicious software that locks a user's data, until a small ransom is paid, which will result in the issuance of a cryptographic unlock key. In this attack, an evolutionary biologist named Joseph Popp distributed 20,000 floppy disks across 90 countries, and claimed the disk contained software that could be used to analyze an individual's risk factors for contracting the AIDS virus. The disk however contained a malware program that when executed, displayed a message requiring the user to pay for a software license. Ransomware attacks have evolved greatly over the years with the healthcare field still being a very large target.

The 90s brought the web browser and email to the masses, which meant new tools for cybercriminals to exploit. This allowed the cybercriminal to greatly expand their reach. Up till this time, the cybercriminal needed to initiate a physical transaction, such as providing a floppy disk. Now cybercriminals could transmit virus code over the internet in these new, highly vulnerable web browsers. Cybercriminals took what they had learned previously and modified it to operate over the internet, with devastating results. Cybercriminals were also able to reach out and con people from a distance with phishing attacks. No longer was it necessary to engage with individuals directly. You could attempt to trick millions of users simultaneously. Even if only a small percentage of people took the bait you stood to make a lot of money as a cybercriminal.

The 2000s brought us social media and saw the rise of identity theft. A bullseye was painted for cybercriminals with the creation of databases containing millions of users' personal identifiable information (PII), making identity theft the new financial piggy bank for criminal organizations around the world.

This information coupled with a lack of cybersecurity awareness from the general public allowed cybercriminals to commit all types of financial fraud such as opening bank accounts and credit cards in the name of others.

Today we see that cybercriminal activity has only gotten worse. As computer systems have gotten faster and more complex we see that the cybercriminal has become more sophisticated and harder to catch. Today we have botnets, which are a network of private computers that are infected with malicious software and allow the criminal element to control millions of infected computer systems across the globe. These botnets allow the criminal element to overload organizational networks and hide the origin of the criminals:

  • We see constant ransomware attacks across all sectors of the economy
  • People are constantly on the lookout for identity theft and financial fraud
  • Continuous news reports regarding the latest point of sale attack against major retailers and hospitality organizations

The modern role of information security

The role that information security plays has changed over the years and today, with information security professionals being brought in at the executive level of organizations, they have become critical members that contribute to the overall success of business operations. When information security first became a discipline, its focus was all about securing IT configurations and putting security tools in place. As time has progressed, it became apparent that you cannot properly secure an IT environment without first understanding the needs of an organization's business leaders. Now, information security leaders work to ensure that the business maintains its ability to serve its customers by tying cybersecurity to the business' functions.

IT security engineering

IT security engineering is the application of security principles to information technology. In our modern world, this really can mean just about anything, from a server to a refrigerator, once you start to consider the Internet of Things (IoT). There are so many new devices being built daily that are IP addressable, essentially making them mini-servers, which introduces potential vulnerabilities. Additionally, it is important to consider the security needs for devices that are non-networked or may be air gapped. Nonnetworked, or air-gapped, environments still have the capability to communicate through out-of-band means, such as a USB thumb drive, allowing an attacker to communicate with them. A mature organization should have staff specifically targeted at looking at information technology security concerns, working with business and information technology leadership to secure IT systems and protect the environment from attackers.

Information assurance

Information assurance is the act of working with business and IT leadership to ensure that the confidentiality, integrity, and availability requirements for a given asset are fully understood. Those requirements should be fully tested in a test environment prior to being integrated into the production environment, in order to ensure that they are secure and do not cause interoperability issues.

The activities associated with information assurance inform the activities associated with IT security regarding the specific technical controls needed to properly protect a given asset. Requirements are driven by the business/mission owner.

For example, a medical device might be deemed by a business/mission owner to be confidentiality-high, integrity-high, and availability-moderate (because they can revert to old school medical techniques):

Relationship between Information Assurance and IT Security

The CIA triad

The CIA triad is a key tenet at the core of information security. This tool is used to help the information security professional think about how to best protect organizational data:

  • Confidentiality: It has to do with whether or not information is kept secret or private. Mechanisms should be employed, such as encryption, which will render the data useless if it was accessed in an unauthorized manner.
  • Integrity: It has to do with whether the information is kept accurate. Information should not be modified in an unauthorized manner and safeguards should be put in place that allows for detectable and timely unauthorized changes.
  • Availability: It has to do with ensuring that information is available when it is needed. This control can be accomplished by implementing tools ranging from battery backup at the data center, to a content distribution network in the cloud:

Organizational information security assessment

We must remember that information security is meant to compliment the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on), but the business/mission owner is ultimately the individual who makes such decisions.

It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.

There are two main ways to conduct an assessment of your organization's IT and business process as they relate to information security:

  • Internal assessment: An internal assessment can be viewed in two ways:
    • An initial assessment could be used to provide the context for the inclusion of a third-party assessment. This would be an appropriate course of action if your information security program lacked the skills to conduct a thorough information security assessment, or your organization prefers third-party assessments over internal assessments.
    • If your organization does not require a third-party assessment, and if you have the resources and skills to complete an information security assessment, the internal information security program can conduct its own assessment.
  • Third-party assessment: The third-party assessment can be viewed in two ways:
    • A third-party assessment provides an objective view and can often be used to arbitrate between the information security group and IT operations. The third party brings in an unbiased observer to develop the organization's assessment, alleviating internal infighting.
    • While this has benefits over an initial assessment, this is usually the only mechanism for an assessment that is tied to compliance.
Recommendation

In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.

The following is an abbreviated example to begin the process of performing an internal assessment:

  1. Conduct an initial internal assessment:
    1. As an information security leader you need to understand the organization you work in:
      1. Meet with business and IT leaders:
        1. Depending on the business function of your organization, acquire all past audit (PCI, HIPPA, and so on) reports, to determine what was found, addressed, not addressed, and so on.
      2. Meet with subject matter experts.
      3. Document areas for improvement and places where you can celebrate current successes.
      4. Brief leadership on your findings.
    2. Based on your findings recommend to leadership that a third party be brought in to dig deeper:
      1. No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis to test your security program. This includes:
        1. Information security program reviews.
        2. Red team penetration test capability.
  2. Conduct a third-party assessment:
    1. Work with IT leadership and subject matter experts to discuss the purpose of the assessment:
      1. Make sure that the assessment is non-punitive:
        1. Ensure that everyone understands that you are conducting an assessment to build a plan and roadmap. The purpose is not to fire individuals or to point out mistakes.
    2. Ensure that the third-party assessment has management buy-in and support:
      1. Without top-level support (Board, CEO), it might be easy for individuals to ignore your assessors.
    3. Ensure that the third party has access to the internal resources required:
      1. Make sure that there is a clear plan and that this plan is communicated to everyone that will be involved in the assessment.
    4. Conduct the assessment and produce the findings.
    5. A plan of action and milestones should then be developed with each business owner, to allow those owners to build their strategies of risk management, risk acceptance, or risk transfer.

Risk management

After having conducted a security assessment of the organization it will then become necessary to take your security assessment data and conduct a risk assessment. In conducting a risk assessment you can begin to prioritize the activities that you want to implement first, second, and so on, as you build your security program. During the risk assessment, you will want to take what you learned from the organization's leaders and ensure your prioritization serves the organization's goals so that you effectively describe your assessment and plan in business terms. Ultimately, the introduction of an information security program is one of organizational change. You want to ensure that you are presenting the changes you wish to make in organizational terms versus IT terms. This will help you to win the approval of leadership, which will provide you with the needed authority and funding to make changes to the organization.

Managing an information security program is really about risk management. Ultimately, how an organization deals with specific vulnerabilities in its IT systems, business processes, and staff has to do with its ability to manage risk. Organizational leaders are going to want to understand how vulnerabilities found in the assessment are going to impact the organization's ability to conduct business or serve their customers. Leadership will also want to understand the likelihood of a risk occurring and what the potential impact could be if this occurred.

It is important to identify the possible business impact of the risk. Each business owner will have its own risk concerns, and each business risk will be tied to a business function/dollar amount. Recommendations for fixes, mitigations, and so on, should tie into the return on investment (ROI). For example:

  • A HIPPA violation could cost an organization millions, however, a solution to the risk might only cost $38,000 annually, which will mitigate the risk and lower the overall risk posture.
  • If you break that $38,000 down by the number of users who have access to the data, say 11,000, you come down to $3.45 per user for minimizing the risk posture. Your return on investment is easy to argue, and gain leadership support for.

Armed with this information, you can build out a plan that describes the specific IT implementations that need to be carried out in an organization based on the assessments that were previously conducted and the risk assessment that followed. The plan contains the priorities identified in the risk assessment process.

Based on the risk assessment, you will know the following:

  • What the top risks are in the organization
  • What the most valuable assets are for your organization
  • What risks are most likely to occur
  • What the impacts will be when a risk occurs

With this information, you have everything necessary to build a well-supported evidence-based plan to move your organization forward as it changes to implement modern information security practices.

Information security standards

Information security standards are published works by various professional organizations which attempt to encapsulate the guidance necessary to properly secure an IT system. Different standards have applicability to different industries, such as payment card versus healthcare, but tend to cover the full breadth of applicable system-related components, such as network devices, workstations, servers, software, user interaction with systems, system process interactions, data transmission, and storage. It is very important to understand that information security standards are not checklists.

When implementing a security standard for your organization you must look at the standard and decide how you will implement it for you organization. In most cases, the standard information is not prescriptive in that it does not tell you what tools to implement and how to implement them. You need to work with your IT and business teams to determine the best tools for the job and how they should be implemented within your infrastructure. It is also important to note that implementing a standard does not mean that you have effectively secured your organization. This is the trap of thinking of a standard as a checklist. You must look at an information security standard as a place to start. It is up to the information security professional to implement a standard in an effective way that properly secures the organization and mitigates risk to acceptable levels.

The following are some popular standards that are used around the globe:

  • ISO 27001 and 27002 (https://www.iso.org/isoiec-27001-information-security.html):
    • A set of requirements which provide a framework for an organization to plan, and assess their security.
    • It has a very specific mechanism. An organization can contract a third party to verify their security controls and so be deemed compliant with 27001.
  • Voluntary NIST Cybersecurity Framework (https://www.nist.gov/cyberframework):
    • Guidance developed to help private sector entities and critical infrastructure develop an effective risk-based approach to implementing cybersecurity.
    • Provides information security activities, outcomes, references, and detailed guidance necessary for planning a well-functioning information security program.
    • Voluntary.
  • HIPPA (https://www.hhs.gov/hipaa/):
    • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the secretary of the U.S. department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.
    • To fulfill this requirement, HHS published what is commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or standards for privacy of individually identifiable health information, establishes national standards for the protection of certain health information. The security standards for the protection of electronic protected health information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.
    • Mandatory requirement for any organization processing HIPPA-related data (Personal Health Information (PHI)).
  • PCI DSS (https://www.pcisecuritystandards.org/):
    • The PCI Data Security Standard (DSS) provides a framework for developing a payment card data security process, which includes prevention, detection, and incident response to security incidents.
    • Mandatory requirement for any organization processing payment card data.

Policies

A policy is a foundational aspect to the development of a strong information security program. When developing a policy, you should ensure that you follow a few key principles:

  • Receive board-level / CEO approval and support:
    • Without CEO or board-level backing, a security program is doomed to fail
  • You should only create a policy that you intend to follow:
    • This means do not create a policy for the sake of the documentation. A policy that sits on the shelf and is never used does not help anyone.
    • Policies that you don't follow will be used by an auditor to show that you are deficient:
      • If you have policies follow them.
  • Ensure your policies are implementable:
    • There are many ways that a security standard can be met, and your policies should reflect the way that your organization wants to implement a standard
    • Do not describe four points in a policy if you intend to only implement two of them if those two provide adequate risk mitigation
  • A policy needs to take into account the organization's appetite for accepting risk:
    • Consider the value of the information that your organization owns.
    • Consider what would happen to the organization if you lost control over the confidentiality, integrity, and/or availability of the information:
      • Are you trying to safeguard trade secrets or sensitive proprietary information (confidentiality)?
      • Does information need to be accurate at all times (integrity)?
      • Could the organization effectively operate without its information (availability)?
    • Answers to questions like these, combined with an understanding of you organizations risk appetite, will inform your policy development.

Training

In our modern era, human interaction is a key vector used to exploit an information system. Whether you are looking at attacks such as ransomware, or exploits against critical infrastructure, the easiest avenue into a system is by tricking the user to run a piece of software. The key way that we can make sure that our users are prepared for these attacks is by implementing an effective training and awareness program.

Key components of an effective training and awareness program

An effective training and awareness program is necessary to ensure successful implementation of your information security program. A training and awareness program will be the primary mechanism used to communicate organizational user roles and responsibilities from an information security perspective:

  • Secondary media products:
    • This includes things like giveaways (squeezy balls), alert notifications, posters, or social media.
    • These serve to remind users about information security principles that you are communicating through other mechanisms.
    • The key here is to keep information brief and manageable. If you need to read for more than ten seconds, it is too long.
  • Primary media products:
    • This includes things such as email newsletters, websites, and inclusions in corporate magazines.
    • These have more contact and are distributed on a periodic basis.
    • The key here is to not overwhelm the user. If you send out an email newsletter every week, you may find your newsletter in the spam folder.
  • Yearly information security awareness training:
    • This is training provided every year, where you communicate all of your information security requirements for the user into a single presentation
    • The preferred method for implementing this training is computer-based, through a learning management system:
      • This helps you to easily record users that have completed training and their scores
    • This training should include a mechanism to test the users' understanding:
      • The test should not be an information security vocabulary test:
        • The user should know not to click on URLs and attachments they do not trust
        • The user does not need to be test on the difference between phishing or spear phishing
    • Use the yearly training as an opportunity to have your users validate or revalidate their acceptance of your organization's acceptable use policy:
      • The training should cover every aspect of the Acceptable Use Policy
  • Events:
    • This includes lunch time presentations, webinars, and presenting at corporate, divisional, or team meetings
    • It is very important to deliver the information security message to your organization in person where possible:
      • Webinars are useful in geographically-distributed organizations
    • Getting 15 minutes to speak at the finance or HR teams quarterly meeting is a great way to answer questions that an entire group may have

For example, payroll and benefit processors may have questions on PII handling and protections.

References:

Summary

In this chapter, we covered introductory topics on implementing an effective information security program. We discussed the following:

  • Information security challenges faced by the organization and the information security program
  • The evolution of cybercrime over time and its impact
  • The role of information security in the organization
  • The concept of confidentiality, integrity, and availability
  • An introduction to information security assessments
  • An introduction to risk management
  • The roles of information security standards and training
  • How awareness and training benefit the organization

In the next chapter, we will define the threat landscape. We will be discussing the people, processes, and technologies that need to be defended against to ensure your organization's continued security.

Left arrow icon Right arrow icon

Key benefits

  • ?Learn to build your own information security framework, the best fit for your organization
  • ?Build on the concepts of threat modeling, incidence response, and security analysis
  • ?Practical use cases and best practices for information security

Description

Having an information security mechanism is one of the most crucial factors for any organization. Important assets of organization demand a proper risk management and threat model for security, and so information security concepts are gaining a lot of traction. This book starts with the concept of information security and shows you why it’s important. It then moves on to modules such as threat modeling, risk management, and mitigation. It also covers the concepts of incident response systems, information rights management, and more. Moving on, it guides you to build your own information security framework as the best fit for your organization. Toward the end, you’ll discover some best practices that can be implemented to make your security framework strong. By the end of this book, you will be well-versed with all the factors involved in information security, which will help you build a security framework that is a perfect fit your organization’s requirements.

Who is this book for?

This book is for security analysts and professionals who deal with security mechanisms in an organization. If you are looking for an end to end guide on information security and risk analysis with no prior knowledge of this domain, then this book is for you.

What you will learn

  • Things you will learn:
  • • Develop your own information security framework
  • • Build your incident response mechanism
  • • Discover cloud security considerations
  • • Get to know the system development life cycle
  • • Get your security operation center up and running
  • • Know the various security testing types
  • • Balance security as per your business needs
  • • Implement information security best practices

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Dec 08, 2017
Length: 330 pages
Edition : 1st
Language : English
ISBN-13 : 9781788478830
Category :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Dec 08, 2017
Length: 330 pages
Edition : 1st
Language : English
ISBN-13 : 9781788478830
Category :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 188.97
Metasploit Revealed: Secrets of the Expert Pentester
$89.99
Information Security Handbook
$48.99
Cybersecurity - Attack and Defense Strategies
$49.99
Total $ 188.97 Stars icon
Banner background image

Table of Contents

12 Chapters
Information and Data Security Fundamentals Chevron down icon Chevron up icon
Defining the Threat Landscape Chevron down icon Chevron up icon
Preparing for Information and Data Security Chevron down icon Chevron up icon
Information Security Risk Management Chevron down icon Chevron up icon
Developing Your Information and Data Security Plan Chevron down icon Chevron up icon
Continuous Testing and Monitoring Chevron down icon Chevron up icon
Business Continuity/Disaster Recovery Planning Chevron down icon Chevron up icon
Incident Response Planning Chevron down icon Chevron up icon
Developing a Security Operations Center Chevron down icon Chevron up icon
Developing an Information Security Architecture Program Chevron down icon Chevron up icon
Cloud Security Consideration Chevron down icon Chevron up icon
Information and Data Security Best Practices Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.3
(8 Ratings)
5 star 62.5%
4 star 25%
3 star 0%
2 star 0%
1 star 12.5%
Filter icon Filter
Top Reviews

Filter reviews by




J S Mar 19, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Darren Death's "Information Security Handbook" is an up-to-date and comprehensive guide to information security in the twenty-first century. I would absolutely recommend this reading for any business executives or technology managers who desire an in-depth, comprehensive education in "all things" information security -- from disaster recovery, cloud computing, and data storage to user account control, vulnerability assessments, and ISO 27001 compliance. As Death articulates within, "this book is well suited for anyone looking to understand the key aspects of an information security program and how they should be implemented within an organizational culture."
Amazon Verified review Amazon
Amazon Customer May 05, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Great read. This book covers the basics of Information Security and does so in a logical and easy to understand manner. The details provided are well thought out and pertinent to the chapter they are in each time. Darren has a wealth of knowledge in Information Security and it shows. This book is worth the price as it provides the essentials of today's Information Security needs and practices.
Amazon Verified review Amazon
ALVARO Nov 21, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Thanks a lot! Book has arrived in excellent condition!!
Amazon Verified review Amazon
Leandros Maglaras Mar 11, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
A very good and detailed book. Must read for all information security professionals.
Amazon Verified review Amazon
Amazon Customer Mar 27, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
For a bit about my background, I have many years of experience working with various aspects of information security in addition to even more years experience as a technical writer and editor with networking and software companies as well as other organizations involved with information that must be kept secure. Additionally, I'm studying to pass the CISSP exam.My review of this book is from my perspective and your mileage may vary.This book is a comfortable read, especially after all the other sources I've read on information security. The chapter arrangement follows a logical pattern that at many times does not fit what I've seen in reality with the information security projects I've been involved with. However, since the book is based on a cyclic process, I feel that one could jump into an information security project at any stage with this book as a reference and the information presented here would be helpful. As a technical editor, however, I saw that there were a few typos throughout the book. These typos do not and should not, however, detract from the overall content of the book, because the content is what's most important and it seems to be all there.The intended audience for this book could range from those who are minimally experienced to the more advanced security professional. If you're at entry-level with security or merely interested in becoming a security professional, you may find some of the material difficult to understand. However, if you're an expert in IT security, you may find this book too basic. I think this book would be an excellent additional reference for those who are responsible for starting and establishing information security management systems for their organizations, particularly if they are just beginning with this process.If you're interested in information security and want to become more familiar with the jargon and further strengthen your understanding of IT security, this would be a good book for you. As for me, after reading this book the first time from cover to cover and adding notes as well as recording them in a separate notebook, I plan on keeping this book as another reference on my bookshelves for when I'm involved in future information security projects and need a quick source of relevant guidance. The book is also a handy reference for a rounded understanding of information security that will be useful for passing my CISSP exam.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.