IT Security Management
100 Success Secrets
100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide
Lance Batten
IT Security Management 100 Success Secrets Copyright © 2008
Notice of rights
All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.
Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it.
Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.
IT Security Management 100 Success Secrets
There has never been an IT Security Management Guide like this. 100 Success Secrets is not about the ins and outs of IT Security Management. Instead, it answers the top 100 questions that we are asked and those we come across in forums, our consultancy and education programs. It tells you exactly how to deal with those questions, with tips that have never before been offered in print.
This book is also not about IT Security Management’s best practice and standards details. Instead, it introduces everything you want to know to be successful with IT Security Management.
Table of Contents
Institute of Information Security Professionals: Providing a Venue for Security Specialists to Enhance Their Skills ... 12
War-free World: The British American Security Council ... 14
BS7799: The British Standard on Information Security Management (ISMS) ... 15
Certified Information Systems Security Professional: Securing Information ... 16
Important Tasks of Information Security Specialist ... 18
Information Security Standards: Helping Companies Defend their Information Network ... 20
Important Considerations for Building Information Security Strategy ... 22
Information Security Survey: Showing the Current State of Network Security ... 24
Information Security Threats: A Growing Corporate Concern ... 26
How to Become a Member of Institute of Information Security Professionals ... 28
Important Features of IT Network Security ... 30
How to Conduct IT Security Audit in 3 Simple Steps ... 32
Start-up IT Security Companies: Providing Dedicated Security Service for Businesses ... 34
IT Security Conference: Providing Security Solutions Against New Threats ... 36
The Benefits of IT Security Consultancy Services ... 38
Factors to Consider Before Hiring IT Security Consultants... 40
IT Security Courses: Building Security Capabilities of IT Staff.. 42
Best Sources of IT Security Information... 44
The Need to Standardize Ethical IT Security Issues ... 45
IT Security Job: Is It the Hottest IT Job Today?... 46
Two Critical Areas of IT Security Management ... 47
The Need for IT Security Manager ... 49
Why the IT Security Market is Growing... 51
IT Security News Portals: Delivering Up to Date Information to IT Professionals... 52
Functions of an IT Security Officer... 54
Features of Good IT Security Policies... 55
What are the Important IT Security Qualifications... 56
IT Security Recruitment Agencies: Providing Expert Manpower for Companies... 58
IT Security Risk Manuals: Giving IT Managers Valuable Assistance ... 60
Expected Growth of IT Security Sales ... 62
IT Security Services: Making Security Management Easier... 63
IT Security Software: The Building Block of Security Network ... 65
3 Steps to Determine the Acquisition of IT Security Solutions ... 67
The Benefit of Having IT Security Systems...69
Get IT Security Training and be Hired ...70
MSC computer security and What it Offers...72
Learn More about Physical Computer Security ...73
Revocation information for the security certificate and How it Happens ...74
What is Computer Security in Layman's World ...76
What is Information vs. Computer Security? ...78
Data Safety with Gartner IT Security ...80
The Need for Information Security Awareness...82
The Usefulness of Information Security Breaches Survey ...84
The Demands for Information Security Consultancy...86
Information Security Courses and their Importance to an Organization ...88
Tasks and Importance of the Head of Information Security ...90
Basic Info on Information Security Breaches ...91
The Essence of Information Security Conference to Different Organizations ...93
The Responsibilities of an Information Security Consultant...95
What is Information Security Forum?...97
Computer Security Courses: Demand for Good Computer Security ...99
Computer Security Jobs: Many Types of Jobs Available ...100
Computer Security Test: Two ways to Test the Security Programs ... 104
DTI Information Security: Cooperation between the Government, Business and Anti-virus Makers... 106
Computer Security Issues: Viruses that are Dangerous to Computers... 108
Computer Security News: Promoting and Enhancing the Whole Community ... 110
Computer Security Products: Measures to Take ... 112
Computer Security Threats: Computer Security Versus the Threats ... 114
Free Computer Security Software: Free Anti-virus Software for Domestic Users ... 116
What is Information Security Governance All About?... 118
Wide Coverage of Information Security Jobs... 119
Having an Information Security Management System in your Organization ... 121
Formulation and Review of Information Security Policies... 123
Information Security Recruitment is Recruiting... 125
Help from the Information Security Group ... 126
Read it on Information Security Magazine... 128
Top Priority Qualifications of an Information Security Manager ... 130
Importance of Information Security Risk Assessment ...134
Understanding Airport Security Information...136
What are Computer Security Cables? ...138
Information Security Officer: How Tough the Job Is?...140
Information Security Risk: How to manage it effectively...142
Information Systems Security and its Primary Components ....144
IT Security in UK – How Effective is it? ...146
IT Security Policy and its Three-Way Process ...147
Security for Computer: How Important Is It? ...149
Cryptography: The Best Computer Security Yet...151
Computer Security Check – A Better Way to Reduce Risk...152
Understanding the Information Security Policy ...153
Information Security Training...155
Information Technology Security: How to Do it the Best Possible Way ...156
IT Security Jobs Continue to Grow...158
MSC Information Security: What is it? ...160
The Basic Concepts of Information Security ...161
The Importance of Computer Security ...163
IT Security – Protecting your Computer from Viruses ...165
Computer Data Security – The Need to Back-up Critical Data ... 167
Computer Internet Security – Towards a Better Browsing Experience ... 168
Computer Security Software - The Best Line of Defense against Threats ... 172
Information Security Management – Managing Data Confidentiality ... 174
Computer Security Training – The Start of Something B-I-G ... 176
Say “NO” to Free Computer Security ... 178
When Security of Information is at Stake ... 179
The CIA Triad of Computer Security Systems ... 180
Maximizing Information Security Solutions to Computer Systems ... 182
Symantec Information Foundation – What does it Offer Aside from Mail Security? ... 184
Information Security Jobs – Are you IN to IT? ... 186
Institute of Information Security Professionals: Providing a Venue for Security Specialists to Enhance Their Skills
The Institute of Information Security Professionals is a non-profit organization which aims to develop professionalism in the information security sector. This institute was organized by security specialists in order to provide a venue for standardizing the practice of network security implementations and protocols. Security specialists seek recognition from the Institute to formalize their entry in the profession and gain certification from their peers. Membership in the Institute of Information Security signifies that a security specialist is an accredited practitioner and can handle security management of information systems.
Members of the Institute will be provided with an exclusive professional email address with multiple forwarding capabilities. This gives them a unique electronic identification which highlights their professional accreditation. The Institute is also the source of a global directory of security professionals which can be accessed by members. In this way, security professionals are able to establish contact with other practitioners and network with them.
Another highlight of membership in the Institute is access to the rich discussion board and lounge on the IISP website. This forum is exclusively available to security specialists, and current concerns are discussed on it as well as new techniques in facing security issues. This can significantly widen the knowledge of security professionals and allow them to implement the latest innovations in security protocols.
The Institute of Information Security can also provide job resources for its members through access to the networks of its corporate partners. It can also give mentoring services for members, conducted by advanced practitioners of network security.
War-free World: The British American Security Council
National security is a major issue in many countries, especially in superpowers like the US. Remember what happened that fateful September of 2001, when the Twin Towers went down and a part of the Pentagon was also destroyed? Nowadays, a lot of countries go out of their way to ensure that national and international security is protected. There are also a lot of bomb threats which different governments all over the world have to deal with. What is more galling is the fact that weapons are not limited to bombs: there is also the threat of nuclear weapons and biochemical weapons. It will probably not take long for some extremist to come up with a weapon that has something to do with manipulating the weather. This may sound a little overboard right now, but years ago the thought of man landing on the moon was also overboard.
The US and UK have collaborated to form an independent body which examines and researches global security issues. Its aim is a more peaceful and safe world, free from nuclear weapons and from wars such as the one in Iraq, which has produced many victims. The British American Information Council is also known as BASIC, with London and Washington, DC as its bases in the two countries.
BASIC is a non-government organization that also deals with many other organizations, such as NATO, and is well respected for its research and studies. As such, it has become an avenue by which security issues are promoted to the public in a simpler way.
BS7799: The British Standard on Information Security Management (ISMS)
Information risk and security is a major issue that most companies face today. Many companies are spending a lot of their time and resources to ensure that information security is kept intact. The British Standards Institution came up with a security standard. Before going into detail about the security standard: a standard is a written guideline for doing things in a more efficient way. In layman's terms it could be called an "instruction".
In 1995, BSI came up with a security standard that was adopted by the government's Department of Trade and Industry. This is what is known as BS7799. Later, in 2000, when ISO introduced standardization for Information Technology, BS7799 was adopted. Today it is on its 3rd revision. What was BS7799 is now part of ISO/IEC 27001:2005, and it sets the standard for best practices in terms of Information Management.
Today, BS7799 is on its third revision, and it has helped a lot of companies follow the best practices for Information Management and has increased awareness of them. It has grown into a broader horizon which is not only limited to information security and confidentiality, but also covers the importance of privacy of all information within the organization.
Indeed, it can be said that BS7799 paved the way for the international standardization of Information Security Management and is still taking it to a higher level. Although it can never eliminate the danger of a security breach, BS7799 can help minimize such risk.
Certified Information Systems Security Professional: Securing Information
Security information has been deemed such an important and integral part of any organization that, for many IT professionals, it has become a specialty. One of the certifications given is known as the Certified Information Systems Security Professional, or CISSP, which is given by the “International Information Systems Security Consortium”, or ISC, to many IT professionals. The ISC and the CISSP are known in 120 countries all over the world. In 2004, this program was able to earn ISO/IEC standardization 17024:2003; as such, it was the first in IT to succeed in doing so.
What is the CISSP? It is a curriculum that covers various topics on information security which are very vital for any organization. At the end of the curriculum there is an examination wherein the questions are based on the CBK, or Common Body of Knowledge, which is a collection of topics about information security from professionals in different parts of the world. The CBK is composed of 10 domains, which are the following: “Access Control”, “Application Security”, “Business Continuity and Disaster Recovery Planning”, “Cryptography”, “Information Security and Risk Management”, “Legal, Regulations, Compliance and Investigations”, “Operations Security”, “Physical and Environmental Security”, “Security Architecture and Design” and “Telecommunications and Network Security”.
Getting the CISSP certification, though, is not as easy as one might think. One of the requirements that must be met by applicants is that they have been in operation for a minimum of five years in the business with a clean record, no criminal record or such. The passing score is also very high: they must score 700 or higher. Certification, though, is valid for three years.
Important Tasks of Information Security Specialist
Information security specialists are responsible for planning, organizing, and maintaining the security and integrity of organizational and corporate IT networks. The tasks of information security specialists are critical. Computer use, especially networked systems, has become an integral part of any organization’s operations. In fact, some organizations or companies rely heavily on their IT networks to function properly and conduct business. Without their wide network of interconnected systems and individual workstations, these companies would not be able to produce meaningful output. A single glitch in their network therefore can trigger a major disaster for their operations. That is why information security specialists are in place to secure the integrity and continuous operation of their organization’s network.
In the past, network security was neglected by companies. They relied on the built-in security systems of their programs and IT infrastructure. With the advent of network security attacks such as hacking, information theft, fraud, and malicious disruptions, the old model for network security has become useless.
That is why companies have instituted new methods and models for network security and IT systems integrity. Security specialists are assigned to monitor and keep the network secure. They maintain regular diagnostic check-ups on their network firewalls, encryption technology, and server security. They are also responsible for educating personnel in the correct use of computers and proper protocols when utilizing networks. Information security specialists can also investigate systems attacks, gather data on fraudulent activities, and catch security hackers. The data they gather can be used to prosecute cyber crimes or to produce evidence so that authorities can track and catch network security threats.