General information security management
Keep up with information security entries on the NoticeBored Blog.
The SANS Internet Storm Center's Handler's Diary is an excellent source of up-to-date information on current Internet security threats, aimed at information security managers, information technologists and power users. If you are in one of those groups, consider making the latest Handler's Diary page your browser's home page so that you see it at least once a day.
Rob Slade from British Columbia is an enormously prolific and entertaining writer on viruses and other information security topics. He maintains a good hyperlinked information security glossary and reviews a huge number of information security books. His reviews are as sharp as broken glass, not so much beating about the bush as beating about the head, no holds barred. Check Rob's reviews before buying your information security books (perhaps from Amazon.com), or for that matter before writing one of your own.
A growing collection of security checklists (also known as baseline standards, platform hardening guides etc.) is available at NIST’s Computer Security Resource Center website checklists.nist.gov. 
Computer Security Handbook (4th edition), edited by Seymour Bosworth and Michel E. Kabay (~$77 from Amazon), is the recommended course text in at least one Masters degree in information assurance.
The Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols, edited by Hossain Bidgoli (~$900 from Amazon), is a huge three-volume, 3,366-page textbook comprising 207 chapters on a wide range of information security management topics, written by some 200 acknowledged subject matter experts. It is a properly researched and peer-reviewed collection of top-notch material, suitable both as a practitioners' reference and as the course book for information security Masters degrees. If you are seriously interested in information security management and have the budget, this is your Bible.
The ISM Community’s top ten information security issues come with
suggested solutions. Handy.
The Handbook of Information Security Management by Micki Krause and Harold F. Tipton is available online through Clément Dupuis' excellent CCcure.org website. The book is getting a little long in the tooth but is one of a number of useful resources for those studying for the CISSP and similar information security qualifications.
A page linking to several papers on security management at the Carnegie Mellon Software Engineering Institute CERT is well worth a look.
A NERC presentation on addressing common information security problems with SCADA systems in the electricity industry deserves a wider audience. It proposes basic, intermediate and advanced approaches to each of ten common issues, in effect a maturity model for SCADA security.
Small and medium-sized enterprises (SMEs) can seldom afford dedicated IT support, let alone information security managers. "Security appliances" such as those sold by St. Bernard hold certain attractions for the SME market, most notably the idea that one can simply plug the appliance in and 'be secure'. Customers who do only that are clearly naive: as we are so often told, there are no magic bullets. On the other hand, having decent 'anti-everything' protection is a Jolly Good Thing, at least compared with doing nothing at all.
We have published a case study expounding the business value of implementing ISO/IEC 27002. The case
reveals some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere.
Don Jones has written The Definitive Guide to Securing Windows in the Enterprise, a practical guide to Windows security for system and security administrators. The book is being published online chapter by chapter, for free, by Realtime Publishers. [Having written Windows security policies and standards ourselves, it will be interesting to see how this eBook turns out.]
According to Computerworld, companies are turning to Security Information Management (SIM) software to simplify management of their antivirus, firewall, IDS and other security systems. SIM products sit above the individual subsystems in the security architecture, collecting and correlating their output, much as Tivoli and similar systems management tools sit above the individual operating systems. Expect the battle between best-of-breed and integrated wall-to-wall security products to continue (if indeed SIM ever sees the light of day).
Security Management magazine from ASIS and CSO Magazine from CXO Media Inc. are aimed directly at
security managers, information security managers, chief security officers, chief information security officers and others with an interest in managing information security.
The Information Security Forum is effectively a trade association for information security managers. The ISF Standard of Good Practice for Information Security [6.7 MB] is a useful benchmark, and their regular Information Security Status Surveys provide insight into the issues underlying the statistics. It is a real shame that ISF membership is effectively restricted to large multinationals by the high cost.
The World Bank InfoDev project published an information technology security handbook of nearly 300 pages
of well-written good practice advice. According to the authors, it focuses on the needs of “individuals, small
businesses, governments and system and network administrators in developing countries” although the guidance seems equally applicable anywhere. It emphasizes commonplace security technologies such as
antivirus and firewalls rather than security awareness, but at least ‘security culture’ gets a (brief) mention.
Information security & risk management standards
One section of ISO/IEC 27002 (formerly known as BS 7799 Part 1 and then ISO/IEC 17799) offers best practice guidelines on how to organize the information security management function, including a senior management forum to take a strategic view of information security. The rest of the standard in effect describes the role and remit of that function. ISO/IEC 27001 specifies the Information Security Management System (ISMS) as a whole, and is the standard against which organizations are certified. Read more about the ISO/IEC 27000-series information security standards.
The Information Security Management Maturity Model (ISM3, "ISM-cubed") is a developing method that seeks to apply ISO 9000-style quality management and capability maturity model processes to information security management.
The US Postal Service published what some have described as the most comprehensive security manual on the web. It may be a useful model if you find ISO/IEC 27002 is not enough. Here’s another from Australia.
The five parts of ISO/IEC 13335 describe fundamental concepts, management and operational issues for ICT security.
ISO/IEC 21827 describes a capability maturity model for systems security engineering (the SSE-CMM), in other words a benchmark for comparing and improving the organization's competence in this area.
Australian and New Zealand standard AS/NZS 4360:2004 and its companion handbook cover risk management. They provide generic guidance for establishing and implementing effective risk management processes in any organization, showing how to establish the proper context and then how to identify, analyze, evaluate, treat, communicate and monitor risks.
The IT Infrastructure Library (ITIL) describes best practices for managing IT services. How ITIL can improve information security emphasizes the benefits of ITIL for service quality specifically in relation to information security management. ITIL stresses which processes should be adopted both within IT and between IT and the user departments it serves.
A number of organizations are using ISACA’s COBIT framework to structure their information security
management, and indeed broader IT governance and information management processes.
The Systems Security Engineering Capability Maturity Model (SSE-CMM), the model standardized as ISO/IEC 21827, provides a structured framework for benchmarking and improving an organization's security engineering capability.

Outsourcing Information Security (~$76 from Amazon) has a broader remit than the title
suggests. The bulk of the book gives sound advice on outsourcing in general.
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.