Stepping Through the InfoSec Program [Paperback]

Jennifer L. Bayuk, CISA, CISM (Author)
4.3 out of 5 stars (3 customer reviews)





Book Description

November 1, 2007

The information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. This publication includes a case study and steps to:

  • Compose an information security program
  • Cement a relationship between an information security program and IT governance
  • Design roles and responsibilities to ensure accountability
  • Identify and allocate resources to achieve information security program objectives
  • Determine if an information security program is achieving objectives

Editorial Reviews

Review

This is the author's second "Stepping Through..." book. The first book, Stepping Through the IS Audit, was written to help both auditors and auditees through the intricacies of the information systems (IS) audit process. The second book, Stepping Through the InfoSec Program, tackles the broader and, in some ways, more challenging topic of establishing and running an information security program.
Although the second book is clearly directed at the information security manager, it could provide value to a number of constituencies. For one, IS auditors may find the book useful as a basis for determining what an ideal information security program should be. Business unit managers may benefit greatly from this book, particularly when dealing with the information security group, and less technical readers will find the case study helpful to understand the key aspects of an information security program in operation.
If my experience is typical, the information security professional tasked with setting up an information security program starts out by writing policy. Once the security policy and standards have been dutifully copied from one of the many available sources, what should be done next? Without a realistic guide to the next steps, information security professionals may find themselves at a loss. This book is one such guide and can help professionals get over the hurdle.
Stepping Through the InfoSec Program consists of three sections: the context in which information security programs are developed, the components of the information security program itself, and a case study in the form of a chatty but substantive dialog. Notably, the first part focuses on individuals, whereas the second and third parts focus on the program.
The first part provides a comprehensive background and a practical context, including

  • A description of the history leading up to today's information security programs
  • An enumeration of the various job functions that relate to information and physical security
  • Descriptions of the roles and responsibilities of those within the various functions
  • A list of respected certifications in the field
  • A discussion of metrics used to determine performance of the information security function

The second part presents the components of an information security program. It guides the reader through the following:
  • Creation of the information security program
  • Relating the information security program to information technology governance
  • Ensuring accountability through roles and responsibilities
  • Identification and location of resources to achieve objectives
  • Determination that the program is meeting objectives

Because the second part is so full of information, issues and advice, it may require careful reading and rereading to internalize some of the most critical areas, but it is well worth the effort. Having conquered information in the second part, the reader may find it to be somewhat of a relief to move into the third part, the case study.
The case study brings home the many lessons of the second part in a lighter, more readily digestible form. One gets the impression from the keenly crafted scenes that the author has actually lived through many of the scenarios described. This incorporation of dialog, which is a technique that was also used in the first book, is unusual for books of this type, but works well in reiterating the many concepts previously presented.
Following the three sections that comprise the body of the book are a number of useful appendices. Sample policy, standard, procedure and guideline documents are included. These serve not only as examples, but are also valid documents that could be used directly.

--C. Warren Axelrod, Ph.D., CISM, CISSP - ISACA Journal, Volume 3, 2008

Product Details

  • Paperback: 238 pages
  • Publisher: Isaca; 1st edition (November 1, 2007)
  • Language: English
  • ISBN-10: 1604200308
  • ISBN-13: 978-1604200300
  • Product Dimensions: 8.8 x 6 x 0.6 inches
  • Shipping Weight: 11.2 ounces
  • Amazon Best Sellers Rank: #818,181 in Books (See Top 100 in Books)

More About the Author

Jennifer L. Bayuk is an information security roadmap consultant engaged in projects ranging from technical architecture requirements to governance strategies. She is also an industry professor at the Stevens Institute of Technology. She has been a Wall Street chief information security officer, a manager of information systems internal audit, a Price Waterhouse security principal consultant and auditor, and a security software engineer at AT&T Bell Laboratories. She is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), and Certified in the Governance of Enterprise IT (CGEIT). She can be reached at www.bayuk.com.

 

Customer Reviews

3 Reviews
5 star: (1)
4 star: (2)
3 star: (0)
2 star: (0)
1 star: (0)

Most Helpful Customer Reviews

4.0 out of 5 stars Provides the low-level details and nitty-gritty elements on how to build a security program, August 11, 2008
This review is from: Stepping Through the InfoSec Program (Paperback)
For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read as it provides the low-level details and nitty-gritty elements on just how to do that.

Author Jennifer Bayuk spent over a decade at a large brokerage firm building their information security program. Her experience in managing and designing security there is manifest in the book, and it is clear throughout the book that she is writing from a deep pool of real-world experience.

The first part of the book contains 3 sections and in just under 150 densely packed pages, the book walks you through the process in which to build an effective information security program. The book details 6 steps in which to facilitate this, namely: strategy, policy, awareness, implementation, monitoring and remediation.

The book starts out by developing the context for an information security program. It astutely notes that an information security program exists only in the context of an organizational management structure. Anyone building an information security program for its own sake, removed from the organizational management structure, will quickly find themselves devoid of a budget, and often shortly after that, out of a job.

The book's attention to detail and specific definitions are superb. In the opening section, it defines the objectives, prerequisites, typical tasks and performance measures for over 10 different jobs within information security. It then creates a segregation of duties matrix for these jobs. Such detailed information is invaluable to anyone attempting to build a security program.

The main part of the book is in section 2 which steps through what an information security program is, how it is created, how it operates and what resources are required to maintain it. The beauty of the book is that the author understands that information security is not a monolithic undertaking. Rather it must be developed and customized according to the specific needs and requirements of the particular organization. These differences are made clear in the chapter when it details 9 unique information security reporting hierarchies; and deciding on the appropriate reporting hierarchy is not a trivial undertaking.

The book writes that successful information security program development, by definition, must align with organization goals. This alignment can only be achieved if the CISO has an open, two-way communication path to each manager with information security responsibilities. While this is a necessary and realistic goal, far too few CISOs have such communication paths at their disposal, and even fewer have constituent ears that are receptive to such communications.

Section two provides an excellent overview of metrics and how they can be effectively used. In the last few years, metrics have been the rage in the security community. Individuals such as Pete Lindstrom and groups such as Security Metrics have been at the forefront of such efforts.

But the book notes that metrics for their own sake can also be taken too far. The book references a volume on metrics that has over 900 possible things to measure that would provide security metrics, including such silly metrics as "number of times, by fiscal year, that fines and jail sentences were imposed for altering, destroying, mutilating, concealing or falsifying financial records". Bayuk perceptively observes that any CISO who is measuring these types of concerns and analyzing them for feedback on how to improve their information security program should realistically look for a different job.

Section 3 concludes the main part of the book with a security program case study. The point of the case study is to show how an information security program evolves around changes in the organization it supports. The case study shows that all of the six steps on which the book is premised are indeed necessary.

The final 100 pages of the book detail various sample security policies, standards, procedures and guidelines. All of the policies, standards, procedures and guidelines are well-written and it would have been nice if these would have been available in electronic format.

The book notes that the information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. For those that want to make that transition, Stepping Through the InfoSec Program is a most valuable guide to get you there.

The book is written by an author who has significant amounts of real-world experience in a leading edge organization. That unique knowledge and experience is evident after reading the first few pages of the book. The book provides the reader with a comprehensive overview of how to build an effective information security organization.

One final note: don't judge a book by the cover. On the cover are three busy-looking executives, all smiling and looking refreshed. The reality is that most people who have taken the time to build effective security programs often emerge from that battle exhausted and battle-weary.

For anyone contemplating entering the information security field, or those in it already who need effective direction, Stepping Through the InfoSec Program should be on their required reading list.


4.0 out of 5 stars Great Reading for all Infosec Professionals, November 21, 2008
By Frederick Jorgensen "Bill" (West Palm Beach, Florida, USA)
This review is from: Stepping Through the InfoSec Program (Paperback)
This is an excellent book for all computer security professionals, including senior managers who have Infosec directors reporting to them. For beginners it gives you a concise picture of what elements are involved in an effective Infosec program. The author, Jennifer Bayuk, presents a brief history of Infosec to give you a sense of perspective. Then she outlines the process by which you should approach implementing an Infosec program. These are real-world processes, not just theory.

For the experienced IT security professional, this book is a quick refresher that will give you numerous items that you can take away for your own work. For the experienced physical security professional looking to expand into Infosec, this book provides the foundation you will need to broaden your scope.

Senior management can also benefit from this book by better understanding what processes should be in place within their organization.

The book is only 150 pages, which is incredibly short for security books. But don't let the size fool you. It is well organized and provides a thorough discussion on what process should be included in your Infosec program.

The last third of the book is devoted to a case study, sample policies, standards, guidelines and procedures. The case study is a good example of how these components should work in a real world IT department.

This is not a technical book. Don't buy this book if you are looking for a technical manual that tells you what routers to use or what intrusion protection system to implement. The author sticks to her title by providing straightforward information to understand what is needed to organize your Infosec program; she explains why it is needed and gives tips on how to accomplish each component.

What makes this book something you will keep and refer to in the future is that it applies to all IT security practitioners, young and old. I found it a refreshing review even after my 25+ years in the industry. I highly recommend this book to those just starting out in IT security, especially those who have taken all the theory and passed the technical exams but have never really implemented a security program in the real world. It helps tie all the theoretical concepts into a workable program. Even the experienced professional, like myself, will find a lot of helpful information that you may want to review in your own program. I have also used this book as required reading for my security staff to ensure that they have a common understanding of the overall Infosec process.


5.0 out of 5 stars Very well written - very important info, June 12, 2010
By CJ Rhoads (Philadelphia, PA United States)
This review is from: Stepping Through the InfoSec Program (Paperback)
Jennifer has clearly communicated the essence of what decision makers need to know about information security. Excellent book! I only wish it could have been part of The Entrepreneur's Guide To... series because it is definitely something everyone should know about.