Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Information Security Handbook

You're reading from   Information Security Handbook Develop a threat model and incident response strategy to build a strong information security framework

Arrow left icon
Product type Paperback
Published in Dec 2017
Publisher
ISBN-13 9781788478830
Length 330 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Darren Death Darren Death
Author Profile Icon Darren Death
Darren Death
Arrow right icon
View More author details
Toc

Table of Contents (13) Chapters Close

Preface 1. Information and Data Security Fundamentals FREE CHAPTER 2. Defining the Threat Landscape 3. Preparing for Information and Data Security 4. Information Security Risk Management 5. Developing Your Information and Data Security Plan 6. Continuous Testing and Monitoring 7. Business Continuity/Disaster Recovery Planning 8. Incident Response Planning 9. Developing a Security Operations Center 10. Developing an Information Security Architecture Program 11. Cloud Security Consideration 12. Information and Data Security Best Practices

Organizational information security assessment

We must remember that information security is meant to compliment the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on), but the business/mission owner is ultimately the individual who makes such decisions.

It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.

There are two main ways to conduct an assessment of your organization's IT and business process as they relate to information security:

  • Internal assessment: An internal assessment can be viewed in two ways:
    • An initial assessment could be used to provide the context for the inclusion of a third-party assessment. This would be an appropriate course of action if your information security program lacked the skills to conduct a thorough information security assessment, or your organization prefers third-party assessments over internal assessments.
    • If your organization does not require a third-party assessment, and if you have the resources and skills to complete an information security assessment, the internal information security program can conduct its own assessment.
  • Third-party assessment: The third-party assessment can be viewed in two ways:
    • A third-party assessment provides an objective view and can often be used to arbitrate between the information security group and IT operations. The third party brings in an unbiased observer to develop the organization's assessment, alleviating internal infighting.
    • While this has benefits over an initial assessment, this is usually the only mechanism for an assessment that is tied to compliance.
Recommendation

In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.

The following is an abbreviated example to begin the process of performing an internal assessment:

  1. Conduct an initial internal assessment:
    1. As an information security leader you need to understand the organization you work in:
      1. Meet with business and IT leaders:
        1. Depending on the business function of your organization, acquire all past audit (PCI, HIPPA, and so on) reports, to determine what was found, addressed, not addressed, and so on.
      2. Meet with subject matter experts.
      3. Document areas for improvement and places where you can celebrate current successes.
      4. Brief leadership on your findings.
    2. Based on your findings recommend to leadership that a third party be brought in to dig deeper:
      1. No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis to test your security program. This includes:
        1. Information security program reviews.
        2. Red team penetration test capability.
  2. Conduct a third-party assessment:
    1. Work with IT leadership and subject matter experts to discuss the purpose of the assessment:
      1. Make sure that the assessment is non-punitive:
        1. Ensure that everyone understands that you are conducting an assessment to build a plan and roadmap. The purpose is not to fire individuals or to point out mistakes.
    2. Ensure that the third-party assessment has management buy-in and support:
      1. Without top-level support (Board, CEO), it might be easy for individuals to ignore your assessors.
    3. Ensure that the third party has access to the internal resources required:
      1. Make sure that there is a clear plan and that this plan is communicated to everyone that will be involved in the assessment.
    4. Conduct the assessment and produce the findings.
    5. A plan of action and milestones should then be developed with each business owner, to allow those owners to build their strategies of risk management, risk acceptance, or risk transfer.
You have been reading a chapter from
Information Security Handbook
Published in: Dec 2017
Publisher:
ISBN-13: 9781788478830
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image