
Information Security Handbook: Develop a threat model and incident response strategy to build a strong information security framework


Information Security Handbook

Information and Data Security Fundamentals

Computers have been instrumental to human progress for more than half a century. As these devices have become more sophisticated, they have come under increasing attack from those looking to disrupt the organizations that use them. From the first boot sector virus to advanced, highly complex, nation-state threats, the ability of an adversary to negatively impact an organization has never been greater. While the attacker has become more sophisticated, our ability to prepare for and defend against the attacker has also become very sophisticated. Throughout this book, I will discuss what it takes to establish an information security program that helps to ensure an organization is properly defended.

The first chapter provides the reader with an overview of key concepts that will be examined throughout this book. The reader will learn the history, key concepts, and components of information and data security. Additionally, the reader will understand how these concepts should be balanced against business needs.

The topics covered in this chapter include the following:

  • Information security challenges
  • The evolution of cybercrime
  • The modern role of information security:
    • IT security engineering
    • Information assurance
    • The CIA triad
  • Organizational information security assessments
  • Risk management
  • Information security standards
  • Policies
  • Training

Information security challenges

The threats faced by today's organizations are highly complex and represent a real danger. Mounting an attack has become very simple due to many factors, including the following:

  • End users: The end users of our information systems are prone to clicking on website URLs and launching attachments in emails
  • Malware kits: DIY kits sold by hackers that make it easy to develop your own malware
  • Cloud computing: Cheap and easy access to computing resources ensures easy access to processing power
  • Exploit subscription services: Underground services that an attacker can subscribe to in order to get the latest exploits

An attacker can take these tools, string them together with tutorials found online (as well as their own knowledge and resources), and build a sophisticated attack that could affect millions of computers worldwide.

Modern computer systems were never really developed to be secure. From the very beginning, computers have had an inherent trust factor built into them. Designers did not take into account the fact that adversaries might exploit their systems to harvest the valuable assets they contained. Security, therefore, came in the form of bolt-ons or bandages for an inherent problem. This continues to this day. If you look at a modern computer science program, cybersecurity is often not included. This leads us to the modern internet, overflowing with vulnerable software and operating systems that require constant patches because security has always been an afterthought. Instead of security being built into an information system from the beginning, we are faced with an epidemic of vulnerable systems around the world.

The computer power of the average individual has greatly increased over the past few decades. This has resulted in an increase of sanctioned, and unsanctioned, personally-owned devices processing organizational data and being connected to corporate networks. All of these unmanaged devices are often set up to accommodate speed and convenience for a personal user and do not take into account the requirements of corporate information security.

Many organizations see information security as a hindrance to productivity. It is common to see business leaders, as well as IT personnel, avoid the discussion surrounding security for fear that security will prevent the corporation from achieving its mission. Implementing security within a project's Systems Development Life Cycle (SDLC) may be resisted, as team members may believe security will prevent a project from being completed on time, or view it as an impediment to the business' financial gain. Tools such as multi-factor authentication (MFA) or Virtual Private Networks (VPN) may be resisted because the business does not want to invest the capital for such solutions, not understanding the technology and how it would reduce the cyber risk posture of the organization.

Overcoming these challenges requires that the information security leader has a strong understanding of the organizations that they work for and that communication is effectively maintained. The information security professional must integrate with all functional/business owners within their organization. This will allow the security professional to help determine the risk posture of each business area, and help the business owner make sound risk-based decisions. Information security must offer solutions to the business leader's challenges versus adding new challenges for the business leader to solve. Additionally, the information security professional must work and collaborate effectively with their counterparts in information technology. Many information security professionals focus on dictating policy without discussing what is actually needed. Work to foster a relationship where the information security group is sought out for answers rather than avoided.

Evolution of cybercrime

As computer systems have become integral to the daily functioning of businesses, organizations, governments, and individuals, we have learned to put a tremendous amount of trust in these systems. As a result, we have placed incredibly important and valuable information on them. History has shown that things of value will always be a target for a criminal. Cybercrime is no different. As people flood their personal computers, phones, and so on with valuable data, they put a target on that information for the criminal to aim for, in order to gain some form of profit from the activity. In the past, in order for a criminal to gain access to an individual's valuables, they would have to conduct a robbery in some shape or form. In the case of data theft, the criminal would need to break into a building and sift through files looking for the information of greatest value and profit. In our modern world, the criminal can attack their victims from a distance, and due to the nature of the internet, these acts would most likely never meet retribution.

In the 70s, we saw criminals taking advantage of the tone system used on phone networks. The attack was called phreaking, where the attacker reverse-engineered the tones used by the telephone companies to make long distance calls.

In 1988, the first computer worm made its debut on the internet and caused a great deal of destruction to organizations. This first worm was called the Morris worm, after its creator Robert Morris. While this worm was not originally intended to be malicious, it still caused a great deal of damage. The U.S. Government Accountability Office in 1980 estimated that the damage could have been as high as $10,000,000.00.

1989 brought us the first known ransomware attack, which targeted the healthcare industry. Ransomware is a type of malicious software that locks a user's data until a ransom is paid, after which a cryptographic unlock key is issued. In this attack, an evolutionary biologist named Joseph Popp distributed 20,000 floppy disks across 90 countries, claiming the disk contained software that could be used to analyze an individual's risk factors for contracting the AIDS virus. The disk, however, contained a malware program that, when executed, displayed a message requiring the user to pay for a software license. Ransomware attacks have evolved greatly over the years, with the healthcare field still being a very large target.

The 90s brought the web browser and email to the masses, which meant new tools for cybercriminals to exploit. This allowed the cybercriminal to greatly expand their reach. Up until this time, the cybercriminal needed to initiate a physical transaction, such as providing a floppy disk. Now cybercriminals could transmit virus code over the internet into these new, highly vulnerable web browsers. Cybercriminals took what they had learned previously and modified it to operate over the internet, with devastating results. Cybercriminals were also able to reach out and con people from a distance with phishing attacks. No longer was it necessary to engage with individuals directly. You could attempt to trick millions of users simultaneously. Even if only a small percentage of people took the bait, you stood to make a lot of money as a cybercriminal.

The 2000s brought us social media and saw the rise of identity theft. A bullseye was painted for cybercriminals with the creation of databases containing millions of users' personal identifiable information (PII), making identity theft the new financial piggy bank for criminal organizations around the world.

This information coupled with a lack of cybersecurity awareness from the general public allowed cybercriminals to commit all types of financial fraud such as opening bank accounts and credit cards in the name of others.

Today we see that cybercriminal activity has only gotten worse. As computer systems have gotten faster and more complex we see that the cybercriminal has become more sophisticated and harder to catch. Today we have botnets, which are a network of private computers that are infected with malicious software and allow the criminal element to control millions of infected computer systems across the globe. These botnets allow the criminal element to overload organizational networks and hide the origin of the criminals:

  • We see constant ransomware attacks across all sectors of the economy
  • People are constantly on the lookout for identity theft and financial fraud
  • Continuous news reports regarding the latest point of sale attack against major retailers and hospitality organizations

The modern role of information security

The role that information security plays has changed over the years and today, with information security professionals being brought in at the executive level of organizations, they have become critical members that contribute to the overall success of business operations. When information security first became a discipline, its focus was all about securing IT configurations and putting security tools in place. As time has progressed, it became apparent that you cannot properly secure an IT environment without first understanding the needs of an organization's business leaders. Now, information security leaders work to ensure that the business maintains its ability to serve its customers by tying cybersecurity to the business' functions.

IT security engineering

IT security engineering is the application of security principles to information technology. In our modern world, this really can mean just about anything, from a server to a refrigerator, once you start to consider the Internet of Things (IoT). There are so many new devices being built daily that are IP addressable, essentially making them mini-servers, which introduces potential vulnerabilities. Additionally, it is important to consider the security needs of devices that are non-networked or may be air gapped. Non-networked, or air-gapped, environments still have the capability to communicate through out-of-band means, such as a USB thumb drive, allowing an attacker to communicate with them. A mature organization should have staff specifically tasked with examining information technology security concerns, working with business and information technology leadership to secure IT systems and protect the environment from attackers.

Information assurance

Information assurance is the act of working with business and IT leadership to ensure that the confidentiality, integrity, and availability requirements for a given asset are fully understood. Those requirements should be fully tested in a test environment prior to being integrated into the production environment, in order to ensure that they are secure and do not cause interoperability issues.

The activities associated with information assurance inform the activities associated with IT security regarding the specific technical controls needed to properly protect a given asset. Requirements are driven by the business/mission owner.

For example, a medical device might be deemed by a business/mission owner to be confidentiality-high, integrity-high, and availability-moderate (because they can revert to old school medical techniques):

Relationship between Information Assurance and IT Security

The CIA triad

The CIA triad is a key tenet at the core of information security. This tool is used to help the information security professional think about how to best protect organizational data:

  • Confidentiality: This has to do with whether or not information is kept secret or private. Mechanisms such as encryption should be employed, which will render the data useless if it is accessed in an unauthorized manner.
  • Integrity: This has to do with whether the information is kept accurate. Information should not be modified in an unauthorized manner, and safeguards should be put in place that allow unauthorized changes to be detected in a timely manner.
  • Availability: This has to do with ensuring that information is available when it is needed. This control can be accomplished by implementing tools ranging from battery backup at the data center to a content distribution network in the cloud.
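The integrity point above calls for safeguards that make unauthorized changes detectable. The following is an added example, not code from the book, showing one such safeguard: a keyed HMAC-SHA256 manifest over a set of records, with a verification step that reports records that were modified, removed, or added since the baseline was taken. The record contents and the integrity key are constructed for the demonstration; the function names are my own.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample records standing in for protected data (not from the book).
BASELINE_RECORDS: Dict[str, bytes] = {
    "payroll.csv": b"id,name,salary\n1,Alice,5200\n2,Bob,4800\n",
    "vendors.txt": b"Acme Supplies\nGlobex Corp\n",
}

# Hypothetical integrity key. It is kept separately from the data (for example
# in a secrets store) so that someone who can rewrite the records cannot also
# recompute matching tags; a plain unkeyed hash would not give that property.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def build_manifest(records: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Compute an HMAC-SHA256 tag per record; this becomes the trusted baseline."""
    return {
        name: hmac.new(key, data, hashlib.sha256).hexdigest()
        for name, data in records.items()
    }


def verify_manifest(records: Dict[str, bytes], manifest: Dict[str, str],
                    key: bytes) -> List[Tuple[str, str]]:
    """Compare the current records against the baseline manifest.

    Returns a sorted list of (record name, finding) where finding is
    'modified' (content changed), 'missing' (record deleted) or
    'unexpected' (record added). An empty list means integrity holds.
    """
    findings: List[Tuple[str, str]] = []
    for name, expected in manifest.items():
        if name not in records:
            findings.append((name, "missing"))
            continue
        actual = hmac.new(key, records[name], hashlib.sha256).hexdigest()
        # compare_digest avoids leaking tag bytes through timing differences
        if not hmac.compare_digest(actual, expected):
            findings.append((name, "modified"))
    for name in records:
        if name not in manifest:
            findings.append((name, "unexpected"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Alter a copy of the baseline and report what verification detects."""
    manifest = build_manifest(BASELINE_RECORDS, INTEGRITY_KEY)
    current = dict(BASELINE_RECORDS)
    current["payroll.csv"] = b"id,name,salary\n1,Alice,5200\n2,Bob,9800\n"  # salary altered
    del current["vendors.txt"]                                              # record removed
    current["notes.txt"] = b"added after the baseline\n"                    # record added
    return verify_manifest(current, manifest, INTEGRITY_KEY)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{finding:10s} {name}")
```

Running the manifest check on a schedule, and storing the manifest and key outside the system that holds the records, turns the "detectable and timely" requirement into something an operations team can alert on rather than a statement of intent.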

Organizational information security assessment

We must remember that information security is meant to complement the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on), but the business/mission owner is ultimately the individual who makes such decisions.

It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.

There are two main ways to conduct an assessment of your organization's IT and business process as they relate to information security:

  • Internal assessment: An internal assessment can be viewed in two ways:
    • An initial assessment could be used to provide the context for the inclusion of a third-party assessment. This would be an appropriate course of action if your information security program lacked the skills to conduct a thorough information security assessment, or your organization prefers third-party assessments over internal assessments.
    • If your organization does not require a third-party assessment, and if you have the resources and skills to complete an information security assessment, the internal information security program can conduct its own assessment.
  • Third-party assessment: The third-party assessment can be viewed in two ways:
    • A third-party assessment provides an objective view and can often be used to arbitrate between the information security group and IT operations. The third party brings in an unbiased observer to develop the organization's assessment, alleviating internal infighting.
    • In addition to its benefits over an initial assessment, this is usually the only mechanism for an assessment that is tied to compliance.

Recommendation

In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.

The following is an abbreviated example to begin the process of performing an internal assessment:

  1. Conduct an initial internal assessment:
    1. As an information security leader you need to understand the organization you work in:
      1. Meet with business and IT leaders:
        1. Depending on the business function of your organization, acquire all past audit reports (PCI, HIPAA, and so on) to determine what was found, addressed, not addressed, and so on.
      2. Meet with subject matter experts.
      3. Document areas for improvement and places where you can celebrate current successes.
      4. Brief leadership on your findings.
    2. Based on your findings recommend to leadership that a third party be brought in to dig deeper:
      1. No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis to test your security program. This includes:
        1. Information security program reviews.
        2. Red team penetration test capability.
  2. Conduct a third-party assessment:
    1. Work with IT leadership and subject matter experts to discuss the purpose of the assessment:
      1. Make sure that the assessment is non-punitive:
        1. Ensure that everyone understands that you are conducting an assessment to build a plan and roadmap. The purpose is not to fire individuals or to point out mistakes.
    2. Ensure that the third-party assessment has management buy-in and support:
      1. Without top-level support (Board, CEO), it might be easy for individuals to ignore your assessors.
    3. Ensure that the third party has access to the internal resources required:
      1. Make sure that there is a clear plan and that this plan is communicated to everyone that will be involved in the assessment.
    4. Conduct the assessment and produce the findings.
    5. A plan of action and milestones should then be developed with each business owner, to allow those owners to build their strategies of risk management, risk acceptance, or risk transfer.

Risk management

After having conducted a security assessment of the organization it will then become necessary to take your security assessment data and conduct a risk assessment. In conducting a risk assessment you can begin to prioritize the activities that you want to implement first, second, and so on, as you build your security program. During the risk assessment, you will want to take what you learned from the organization's leaders and ensure your prioritization serves the organization's goals so that you effectively describe your assessment and plan in business terms. Ultimately, the introduction of an information security program is one of organizational change. You want to ensure that you are presenting the changes you wish to make in organizational terms versus IT terms. This will help you to win the approval of leadership, which will provide you with the needed authority and funding to make changes to the organization.

Managing an information security program is really about risk management. Ultimately, how an organization deals with specific vulnerabilities in its IT systems, business processes, and staff has to do with its ability to manage risk. Organizational leaders are going to want to understand how vulnerabilities found in the assessment are going to impact the organization's ability to conduct business or serve their customers. Leadership will also want to understand the likelihood of a risk occurring and what the potential impact could be if this occurred.

It is important to identify the possible business impact of the risk. Each business owner will have their own risk concerns, and each business risk will be tied to a business function/dollar amount. Recommendations for fixes, mitigations, and so on should tie into the return on investment (ROI). For example:

  • A HIPAA violation could cost an organization millions; however, a solution to the risk might only cost $38,000 annually, which will mitigate the risk and lower the overall risk posture.
  • If you break that $38,000 down by the number of users who have access to the data, say 11,000, you come down to $3.45 per user for minimizing the risk posture. Your return on investment is easy to argue and to gain leadership support for.

Armed with this information, you can build out a plan that describes the specific IT implementations that need to be carried out in an organization based on the assessments that were previously conducted and the risk assessment that followed. The plan contains the priorities identified in the risk assessment process.

Based on the risk assessment, you will know the following:

  • What the top risks are in the organization
  • What the most valuable assets are for your organization
  • What risks are most likely to occur
  • What the impacts will be when a risk occurs

With this information, you have everything necessary to build a well-supported evidence-based plan to move your organization forward as it changes to implement modern information security practices.

Information security standards

Information security standards are published works by various professional organizations which attempt to encapsulate the guidance necessary to properly secure an IT system. Different standards have applicability to different industries, such as payment card versus healthcare, but tend to cover the full breadth of applicable system-related components, such as network devices, workstations, servers, software, user interaction with systems, system process interactions, data transmission, and storage. It is very important to understand that information security standards are not checklists.

When implementing a security standard for your organization, you must look at the standard and decide how you will implement it for your organization. In most cases, the standard is not prescriptive, in that it does not tell you what tools to implement and how to implement them. You need to work with your IT and business teams to determine the best tools for the job and how they should be implemented within your infrastructure. It is also important to note that implementing a standard does not mean that you have effectively secured your organization. This is the trap of thinking of a standard as a checklist. You must look at an information security standard as a place to start. It is up to the information security professional to implement a standard in an effective way that properly secures the organization and mitigates risk to acceptable levels.

The following are some popular standards that are used around the globe:

  • ISO 27001 and 27002 (https://www.iso.org/isoiec-27001-information-security.html):
    • A set of requirements which provide a framework for an organization to plan and assess their security.
    • It has a very specific compliance mechanism: an organization can contract a third party to verify their security controls and so be deemed compliant with 27001.
  • Voluntary NIST Cybersecurity Framework (https://www.nist.gov/cyberframework):
    • Guidance developed to help private sector entities and critical infrastructure develop an effective risk-based approach to implementing cybersecurity.
    • Provides information security activities, outcomes, references, and detailed guidance necessary for planning a well-functioning information security program.
    • Voluntary.
  • HIPAA (https://www.hhs.gov/hipaa/):
    • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.
    • To fulfill this requirement, HHS published what is commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or standards for privacy of individually identifiable health information, establishes national standards for the protection of certain health information. The security standards for the protection of electronic protected health information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.
    • Mandatory requirement for any organization processing HIPAA-related data (Protected Health Information (PHI)).
  • PCI DSS (https://www.pcisecuritystandards.org/):
    • The PCI Data Security Standard (DSS) provides a framework for developing a payment card data security process, which includes prevention, detection, and incident response to security incidents.
    • Mandatory requirement for any organization processing payment card data.

Policies

A policy is a foundational aspect to the development of a strong information security program. When developing a policy, you should ensure that you follow a few key principles:

  • Receive board-level / CEO approval and support:
    • Without CEO or board-level backing, a security program is doomed to fail
  • You should only create a policy that you intend to follow:
    • This means do not create a policy for the sake of the documentation. A policy that sits on the shelf and is never used does not help anyone.
    • Policies that you don't follow will be used by an auditor to show that you are deficient:
      • If you have policies follow them.
  • Ensure your policies are implementable:
    • There are many ways that a security standard can be met, and your policies should reflect the way that your organization wants to implement a standard
    • Do not describe four points in a policy if you intend to implement only two of them and those two provide adequate risk mitigation
  • A policy needs to take into account the organization's appetite for accepting risk:
    • Consider the value of the information that your organization owns.
    • Consider what would happen to the organization if you lost control over the confidentiality, integrity, and/or availability of the information:
      • Are you trying to safeguard trade secrets or sensitive proprietary information (confidentiality)?
      • Does information need to be accurate at all times (integrity)?
      • Could the organization effectively operate without its information (availability)?
    • Answers to questions like these, combined with an understanding of your organization's risk appetite, will inform your policy development.

Training

In our modern era, human interaction is a key vector used to exploit an information system. Whether you are looking at attacks such as ransomware or exploits against critical infrastructure, the easiest avenue into a system is tricking the user into running a piece of software. The key way that we can make sure that our users are prepared for these attacks is by implementing an effective training and awareness program.

Key components of an effective training and awareness program

An effective training and awareness program is necessary to ensure successful implementation of your information security program. A training and awareness program will be the primary mechanism used to communicate organizational user roles and responsibilities from an information security perspective:

  • Secondary media products:
    • This includes things like giveaways (squeezy balls), alert notifications, posters, or social media.
    • These serve to remind users about information security principles that you are communicating through other mechanisms.
    • The key here is to keep information brief and manageable. If you need to read for more than ten seconds, it is too long.
  • Primary media products:
    • This includes things such as email newsletters, websites, and inclusions in corporate magazines.
    • These contain more content and are distributed on a periodic basis.
    • The key here is to not overwhelm the user. If you send out an email newsletter every week, you may find your newsletter in the spam folder.
  • Yearly information security awareness training:
    • This is training provided every year, where you communicate all of your information security requirements for the user into a single presentation
    • The preferred method for implementing this training is computer-based, through a learning management system:
      • This helps you to easily record users that have completed training and their scores
    • This training should include a mechanism to test the users' understanding:
      • The test should not be an information security vocabulary test:
        • The user should know not to click on URLs and attachments they do not trust
        • The user does not need to be tested on the difference between phishing and spear phishing
    • Use the yearly training as an opportunity to have your users validate or revalidate their acceptance of your organization's acceptable use policy:
      • The training should cover every aspect of the Acceptable Use Policy
  • Events:
    • This includes lunch time presentations, webinars, and presenting at corporate, divisional, or team meetings
    • It is very important to deliver the information security message to your organization in person where possible:
      • Webinars are useful in geographically-distributed organizations
    • Getting 15 minutes to speak at the finance or HR team's quarterly meeting is a great way to answer questions that an entire group may have

For example, payroll and benefit processors may have questions on PII handling and protections.

Summary

In this chapter, we covered introductory topics on implementing an effective information security program. We discussed the following:

  • Information security challenges faced by the organization and the information security program
  • The evolution of cybercrime over time and its impact
  • The role of information security in the organization
  • The concept of confidentiality, integrity, and availability
  • An introduction to information security assessments
  • An introduction to risk management
  • The roles of information security standards and training
  • How awareness and training benefit the organization

In the next chapter, we will define the threat landscape. We will be discussing the people, processes, and technologies that need to be defended against to ensure your organization's continued security.

Key benefits

  • Learn to build your own information security framework, the best fit for your organization
  • Build on the concepts of threat modeling, incident response, and security analysis
  • Practical use cases and best practices for information security

Description

Having an information security mechanism is one of the most crucial factors for any organization. Important organizational assets demand proper risk management and a threat model for security, and so information security concepts are gaining a lot of traction. This book starts with the concept of information security and shows you why it's important. It then moves on to modules such as threat modeling, risk management, and mitigation. It also covers the concepts of incident response systems, information rights management, and more. Moving on, it guides you to build your own information security framework as the best fit for your organization. Toward the end, you'll discover some best practices that can be implemented to make your security framework strong. By the end of this book, you will be well-versed in all the factors involved in information security, which will help you build a security framework that is a perfect fit for your organization's requirements.

Who is this book for?

This book is for security analysts and professionals who deal with security mechanisms in an organization. If you are looking for an end-to-end guide on information security and risk analysis with no prior knowledge of this domain, then this book is for you.

What you will learn

  • Develop your own information security framework
  • Build your incident response mechanism
  • Discover cloud security considerations
  • Get to know the system development life cycle
  • Get your security operation center up and running
  • Know the various security testing types
  • Balance security as per your business needs
  • Implement information security best practices
Product Details

Publication date: Dec 08, 2017
Length: 330 pages
Edition: 1st
Language: English
ISBN-13: 9781788478830

Table of Contents

12 chapters:

  1. Information and Data Security Fundamentals
  2. Defining the Threat Landscape
  3. Preparing for Information and Data Security
  4. Information Security Risk Management
  5. Developing Your Information and Data Security Plan
  6. Continuous Testing and Monitoring
  7. Business Continuity/Disaster Recovery Planning
  8. Incident Response Planning
  9. Developing a Security Operations Center
  10. Developing an Information Security Architecture Program
  11. Cloud Security Consideration
  12. Information and Data Security Best Practices

Customer reviews

Average rating: 4.3 out of 5 (8 ratings)

  • 5 star: 62.5%
  • 4 star: 25%
  • 3 star: 0%
  • 2 star: 0%
  • 1 star: 12.5%

Top reviews:
J S, Mar 19, 2018 (5 stars, Amazon verified review)

Darren Death's "Information Security Handbook" is an up-to-date and comprehensive guide to information security in the twenty-first century. I would absolutely recommend this reading for any business executives or technology managers who desire an in-depth, comprehensive education in "all things" information security -- from disaster recovery, cloud computing, and data storage to user account control, vulnerability assessments, and ISO 27001 compliance. As Death articulates within, "this book is well suited for anyone looking to understand the key aspects of an information security program and how they should be implemented within an organizational culture."

Amazon Customer, May 05, 2018 (5 stars, Amazon verified review)

Great read. This book covers the basics of Information Security and does so in a logical and easy to understand manner. The details provided are well thought out and pertinent to the chapter they are in each time. Darren has a wealth of knowledge in Information Security and it shows. This book is worth the price as it provides the essentials of today's Information Security needs and practices.

ALVARO, Nov 21, 2022 (5 stars, Amazon verified review)

Thanks a lot! Book has arrived in excellent condition!!

Leandros Maglaras, Mar 11, 2018 (5 stars, Amazon verified review)

A very good and detailed book. Must read for all information security professionals.

Amazon Customer, Mar 27, 2018 (5 stars, Amazon verified review)

For a bit about my background, I have many years of experience working with various aspects of information security in addition to even more years' experience as a technical writer and editor with networking and software companies as well as other organizations involved with information that must be kept secure. Additionally, I'm studying to pass the CISSP exam. My review of this book is from my perspective and your mileage may vary. This book is a comfortable read, especially after all the other sources I've read on information security. The chapter arrangement follows a logical pattern that at many times does not fit what I've seen in reality with the information security projects I've been involved with. However, since the book is based on a cyclic process, I feel that one could jump into an information security project at any stage with this book as a reference and the information presented here would be helpful. As a technical editor, however, I saw that there were a few typos throughout the book. These typos do not and should not, however, detract from the overall content of the book, because the content is what's most important and it seems to be all there. The intended audience for this book could range from those who are minimally experienced to the more advanced security professional. If you're at entry-level with security or merely interested in becoming a security professional, you may find some of the material difficult to understand. However, if you're an expert in IT security, you may find this book too basic. I think this book would be an excellent additional reference for those who are responsible for starting and establishing information security management systems for their organizations, particularly if they are just beginning with this process. If you're interested in information security and want to become more familiar with the jargon and further strengthen your understanding of IT security, this would be a good book for you.

As for me, after reading this book the first time from cover to cover and adding notes as well as recording them in a separate notebook, I plan on keeping this book as another reference on my bookshelves for when I'm involved in future information security projects and need a quick source of relevant guidance. The book is also a handy reference for a rounded understanding of information security that will be useful for passing my CISSP exam.