Information Security Roles & Responsibilities Made Easy, Version 2 (Hardcover)

by Charles Cresson Wood (Author)
"The total cost of ownership (TCO) models developed by a variety of industry analysts such as the Gartner Group indicate that labor represents anywhere from..."
Key Phrases: Responsibilities Made Easy, Information Technology Department, Human Resources Department
4.7 out of 5 stars (3 customer reviews)

List Price: $495.00

Editorial Reviews

Product Description
Information Security Roles and Responsibilities Made Easy, Version 2 is the new and updated version of the best-selling security resource by Charles Cresson Wood, CISSP, CISA, CISM. ISR&R V2 is based on the 20-year consulting and security experience of Mr. Wood and contains these features to help you save money while establishing a due-care information security organization:

1. Over 70 pre-written, time-saving information security documents including:
  • 29 information-security-related committee, board, and department mission statements, with information security responsibilities reflecting the latest technical and legal requirements.
  • Over 40 information-security-related job descriptions.
  • 12 separate information security organization structures with discussions of pros and cons of each.
  • Specification and discussion of 29 critical information security documents that every organization should have.

2. Justification to help increase management's awareness and funding of information security, including:
  • How to persuade management to properly document information security roles and responsibilities, including an easily-customized sample management memorandum.
  • Reducing the total cost of information security services by properly documented roles and responsibilities.
  • Discussion of responsibility and liability as it relates to documented information security roles, including citations supporting the legal notion of the standard of due care.
  • Information security staffing data and analysis to help gain management support for additional resources.
  • Common mistakes many organizations make and how to avoid them.

3. Specific advice on how to plan, document and execute an information security infrastructure project including:
  • Information on how to properly review and update information security roles and responsibilities, including department interview techniques.
  • How to schedule project resources and time lines for documenting roles and responsibilities.
  • Detailed discussion of the Data Owner, Custodian and User roles.
  • Actions you should take to reduce your organization's exposure to workers in information security related positions of trust.
  • The synergy between role-based access control (RBAC) and clarification of information security roles and responsibilities.

4. Practical advice on how to maintain security when dealing with third parties, including:
  • Pros and cons of outsourcing security functions, including validation and security when outsourcing.
  • The security roles and responsibilities of software and hardware vendors.
  • Decision-making criteria for releasing or withholding roles and responsibilities documentation to/from various external parties.

5. Valuable staffing advice and descriptions for information security professionals including:
  • Characteristics of effective information security professionals, including discussion about the pros and cons of hiring hackers and others who have been on the wrong side of the law.
  • Specific performance criteria for individuals and teams.
  • An expanded list of new information professional certifications with web sites, phone numbers, and addresses for each.

Information Security Roles and Responsibilities Made Easy, Version 2.0 contains easily customized documents in MS-Word format. All contents come on a fully indexed and searchable CD-ROM with linked cross-references.

All contents © 2005, Information Shield, Inc. – All Rights Reserved

About the Author
Charles Cresson Wood, CISA, CISSP is an author and independent information security consultant based in Sausalito, California. In the information security field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute) as well as lead network security consultant at Bank of America. He has done information security work with over 120 organizations, many of them Fortune 500 companies, including a large number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world. He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

He has published over 225 technical articles and five books in the information security field. In addition to TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe. Mr. Wood is Senior North American Editor for the journals "Computers & Security" and "Computer Fraud & Security Bulletin", as well as a monthly columnist for "Computer Security Alert".
He holds an MBA in financial information systems, an MSE in computer science, and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He has passed the Certified Public Accountant (CPA) examination and is both a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP). In November 1996 he received the Lifetime Achievement Award from the Computer Security Institute for "sincere dedication to the computer security profession."

Product Details

  • Hardcover: 288 pages
  • Publisher: Information Shield (June 1, 2005)
  • ISBN-10: 1881585123
  • ISBN-13: 978-1881585121
  • Product Dimensions: 11.3 x 8.5 x 0.8 inches
  • Shipping Weight: 2.1 pounds
  • Average Customer Review: 4.7 out of 5 stars (3 customer reviews)
  • Amazon.com Sales Rank: #1,220,201 in Books

Customer Reviews

2 of 2 people found the following review helpful:
4.0 out of 5 stars Every IT/IT Security Shop should have one, October 3, 2005
By Stephen Northcutt (Kauai, HI USA)
This is a difficult book to review because it is meant to be a resource, not something you read on an airplane. I have passed this around to some of my students and fellow SANS instructors and tried to get some of their feedback as well.

The greatest contribution this book makes is a discussion of organization structure, who should report to who and why. This is something that has been desperately needed in the industry and if this book is successful in the marketplace, I would like to see some additional research and have this already excellent resource expanded.

The job descriptions are also wonderful, we have many names for the same position and I would hope that over time, this book can help us develop a common terminology.

Who needs this book? It is designed to be licensed to organizations and as a rough rule of thumb, any organization with an IT department of 25 people or more could benefit from this book.
 
5.0 out of 5 stars Great reference book, August 21, 2006
We had to create a security organization for a financial institution and as a part of the job, we had to define the roles and responsibilities. This book was extremely useful for me.
 
5.0 out of 5 stars Excellent book; completely Hands-On, March 17, 2006
By Cesar Bravo V "CISO" (Central America)
I am the CISO of a regional Latin American Bank, and I used this book almost immediately to define a project of defining information security roles in my organization. Even though some of the roles have to be changed due to the nature of the organization, and the internal politics that are at stake, I consider this book almost a "best practice" for information security. It helps you implement Information security infrastructure, and to show the importance of it to top management. Now, my organization is paying more attention to InfoSec, and the roles of the people are clearer in respect to InfoSec.
© 1996-2009, Amazon.com, Inc. or its affiliates