Rating: 5 out of 5 stars
5/5
Ebook158 pages2 hours
Information Security A Practical Guide: Bridging the gap between IT and management
By Tom Mooney
Rating: 5 out of 5 stars
5/5
()
About this ebook
Provides an overview of basic information security practices that will enable your security team to better engage with their peers to address the threats facing the organisation as a whole.
Author
Tom Mooney
Tom Mooney has over 10 years’ IT experience working with sensitive information. Currently HM Land Registry’s information security risk advisor, where he works with project teams and the wider business to deliver key business systems securely, his key responsibility is to act as an intermediary between management and IT teams to ensure appropriate security controls are put in place. His extensive experience has led him to develop many skills and techniques to converse with people who are not technical or information security experts. Many of these are found in this book. He has a BSc (Hons) in information and computer security, and is also a CESG certified professional.
Related to Information Security A Practical Guide
Related ebooks
Building a Practical Information Security Program Managing Information Security Breaches: Studies from real life Rating: 0 out of 5 stars0 ratingsInfosec Management Fundamentals Rating: 5 out of 5 stars5/5Nine Steps to Success: An ISO27001:2013 Implementation Overview Rating: 1 out of 5 stars1/5Building Effective Cybersecurity Programs: A Security Manager’s Handbook Rating: 4 out of 5 stars4/5Security Risk Management: Building an Information Security Risk Management Program from the Ground Up Rating: 5 out of 5 stars5/5Selling Information Security to the Board: A Primer Rating: 0 out of 5 stars0 ratingsSecurity Operations in Practice Rating: 0 out of 5 stars0 ratingsSecurity Operations: CISSP, #7 Rating: 0 out of 5 stars0 ratingsBecoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders Rating: 5 out of 5 stars5/5Cyber Breach Response That Actually Works: Organizational Approach to Managing Residual Risk Rating: 0 out of 5 stars0 ratingsWe Need To Talk: 52 Weeks To Better Cyber-Security Rating: 0 out of 5 stars0 ratingsAn Introduction to Information Security and ISO27001:2013: A Pocket Guide Rating: 4 out of 5 stars4/5Cyber Security Awareness for Corporate Directors and Board Members Rating: 1 out of 5 stars1/5How to Define and Build an Effective Cyber Threat Intelligence Capability Rating: 4 out of 5 stars4/5Security Operations Center - SIEM Use Cases and Cyber Threat Intelligence Rating: 0 out of 5 stars0 ratings7 Rules to Influence Behaviour and Win at Cyber Security Awareness Rating: 5 out of 5 stars5/5Corporate Security Management: Challenges, Risks, and Strategies Rating: 5 out of 5 stars5/5The Chief Security Officer’s Handbook: Leading Your Team into the Future Rating: 0 out of 5 stars0 ratingsThe Chief Information Security Officer: Insights, tools and survival skills Rating: 1 out of 5 stars1/5The Psychology of Information Security: Resolving conflicts between security compliance and human behaviour Rating: 5 out of 5 stars5/5Building an Effective Cybersecurity Program, 2nd Edition Rating: 0 out of 5 stars0 ratingsFundamentals of Adopting the NIST Cybersecurity Framework Rating: 0 out of 5 stars0 ratingsBuild a Security Culture Rating: 0 out of 5 stars0 ratingsBuilding a Life and Career in Security Rating: 5 out of 5 stars5/5Information Security for Small and Midsized Businesses Rating: 0 out of 5 stars0 ratingsIT Induction and Information Security Awareness: A Pocket Guide Rating: 0 out of 5 stars0 ratingsUse of Cyber Threat Intelligence in Security Operation Center Rating: 0 out of 5 stars0 ratingsFundamentals of Information Security Risk Management Auditing: An introduction for managers and auditors Rating: 5 out of 5 stars5/5
Computers For You
The Invisible Rainbow: A History of Electricity and Life Rating: 4 out of 5 stars4/5Elon Musk Rating: 4 out of 5 stars4/5Slenderman: Online Obsession, Mental Illness, and the Violent Crime of Two Midwestern Girls Rating: 4 out of 5 stars4/5Standard Deviations: Flawed Assumptions, Tortured Data, and Other Ways to Lie with Statistics Rating: 4 out of 5 stars4/5The ChatGPT Millionaire Handbook: Make Money Online With the Power of AI Technology Rating: 0 out of 5 stars0 ratingsSQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5101 Awesome Builds: Minecraft® Secrets from the World's Greatest Crafters Rating: 4 out of 5 stars4/5Mastering ChatGPT: 21 Prompts Templates for Effortless Writing Rating: 5 out of 5 stars5/5Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5Dark Aeon: Transhumanism and the War Against Humanity Rating: 5 out of 5 stars5/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5How to Create Cpn Numbers the Right way: A Step by Step Guide to Creating cpn Numbers Legally Rating: 4 out of 5 stars4/5CompTIA IT Fundamentals (ITF+) Study Guide: Exam FC0-U61 Rating: 0 out of 5 stars0 ratingsThe Professional Voiceover Handbook: Voiceover training, #1 Rating: 5 out of 5 stars5/5Procreate for Beginners: Introduction to Procreate for Drawing and Illustrating on the iPad Rating: 0 out of 5 stars0 ratingsGrokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5CompTIA Security+ Practice Questions Rating: 2 out of 5 stars2/5Alan Turing: The Enigma: The Book That Inspired the Film The Imitation Game - Updated Edition Rating: 4 out of 5 stars4/5Deep Search: How to Explore the Internet More Effectively Rating: 5 out of 5 stars5/5Ultimate Guide to Mastering Command Blocks!: Minecraft Keys to Unlocking Secret Commands Rating: 5 out of 5 stars5/5Computer Science: A Concise Introduction Rating: 4 out of 5 stars4/5Master Builder Roblox: The Essential Guide Rating: 4 out of 5 stars4/5Creating Online Courses with ChatGPT | A Step-by-Step Guide with Prompt Templates Rating: 4 out of 5 stars4/5
Related podcast episodes
Cybersecurity and Hacking with Kevin Mitnick 0% found this document usefulIs enhanced hardware security the answer to ransomware? [CyberWire-X] 100% found this document usefulcybersecurity maturity model certification (CMMC) (noun) [Word Notes] 0% found this document usefulCyberWire Pro Interview Selects: Jaclyn Miller from NTT, Ltd. 0% found this document usefulCybersecurity Trends and Practices 0% found this document usefulStudy Guide for SC-200: Microsoft Security Opertions Analyst 100% found this document usefulBonus: Afternoon Cyber Tea: IoT-Based Infrastructures 0% found this document usefulMITRE ATT&CK (noun) [Word Notes] 0% found this document usefulHow To Overcome Challenges Every DPO Faces 0% found this document usefulCISSP Training - Domain 1 - Lecture 1 0% found this document usefulBig breaches (and how to avoid them): with Neil Daswani 0% found this document usefulMobile Forensics 0% found this document useful
Related articles
Everything You May Have Wanted to Know About Ethical/Whitehat Hackers TechfastlyArticle
Everything You May Have Wanted to Know About Ethical/Whitehat Hackers
Oct 21, 2020
5 min readStaying Safe In The Cloud NZBusiness and ManagementArticle
Staying Safe In The Cloud
Jul 22, 2019
4 min readCyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL Inc.Article
Cyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL
Sep 21, 2016
Data breaches can have far-reaching repercussions; protecting against them is a companywide mandate
2 min readCybersecurity: It Might Be The Small Stuff That Gets You NZBusiness and ManagementArticle
Cybersecurity: It Might Be The Small Stuff That Gets You
Jan 16, 2020
2 min readVulnerability Assessments PC Pro MagazineArticle
Vulnerability Assessments
Jan 7, 2021
3 min readCybersecurity Firm Fireeye Says Was Hacked By Nation State TechLife NewsArticle
Cybersecurity Firm Fireeye Says Was Hacked By Nation State
Dec 12, 2020
3 min readTop Eight Cybersecurity Predictions For 2022-23 NZBusiness and ManagementArticle
Top Eight Cybersecurity Predictions For 2022-23
Jul 20, 2022
3 min readArtificial Intelligence: The Next Step for Cybersecurity Cannabis & Tech TodayArticle
Artificial Intelligence: The Next Step for Cybersecurity
Apr 1, 2019
3 min readHow to Protect Your Small Business Against a Cyber Attack EntrepreneurArticle
How to Protect Your Small Business Against a Cyber Attack
Feb 1, 2013
8 min read“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster” PC Pro MagazineArticle
“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster”
Apr 10, 2022
6 min readBuilding a Cybersecurity Fence Residential Tech TodayArticle
Building a Cybersecurity Fence
Jan 30, 2019
4 min readWhat Should You Know About Cloud Security Solutions? HWM SingaporeArticle
What Should You Know About Cloud Security Solutions?
Apr 9, 2021
3 min readWhy Leaders Need To Take A Risk-based Approach To Data Security NZBusiness and ManagementArticle
Why Leaders Need To Take A Risk-based Approach To Data Security
Jul 21, 2021
5 min readBuilding A Career In IT PC Pro MagazineArticle
Building A Career In IT
Aug 7, 2022
8 min readCyber Safe Facility ManagementArticle
Cyber Safe
Dec 23, 2018
4 min readZero Trust PC Pro MagazineArticle
Zero Trust
Sep 11, 2022
2 min read“Why Are The Stupid Rules There In The First Place? Because Someone Had To Tick A Compliance Box” PC Pro MagazineArticle
“Why Are The Stupid Rules There In The First Place? Because Someone Had To Tick A Compliance Box”
Jul 9, 2022
I hate passwords with a vengeance. In the main because they are so badly abused, from a security perspective, by so many people. I’m not just talking about the person on the Clapham omnibus who keeps their passwords simple and shared between multiple
7 min readLeading in the Age of Disruption: Five Critical Skills Rotman ManagementArticle
Leading in the Age of Disruption: Five Critical Skills
Jan 1, 2022
10 min readDETER, DETECT, DELAY: Thwarting The Digital Intruders The European Business ReviewArticle
DETER, DETECT, DELAY: Thwarting The Digital Intruders
Nov 25, 2021
6 min readReal World Computing PC Pro MagazineArticle
Real World Computing
May 11, 2023
The tale of Chicken Licken provides Davey with some perspective on the likelihood of a cyber-attack bringing everything crashing down I’m going to kick off this month with some potentially patronising home truth-telling, so apologies in advance. It’s
7 min readHow Do You Know You Are Okay? NZBusiness and ManagementArticle
How Do You Know You Are Okay?
May 27, 2019
2 min readCybersecurity Made Simple: Taming The Password The European Business ReviewArticle
Cybersecurity Made Simple: Taming The Password
Mar 1, 2022
8 min readWeb App Security Linux FormatArticle
Web App Security
Jun 29, 2021
8 min readSearching For Privacy NZ MarketingArticle
Searching For Privacy
Dec 8, 2021
6 min read“When Someone Asks Me To Prepare A Privacy Notice, I Find It Hard To Meet Their Expectations” PC Pro MagazineArticle
“When Someone Asks Me To Prepare A Privacy Notice, I Find It Hard To Meet Their Expectations”
Mar 7, 2024
6 min read11 Sources of Disruption Rotman ManagementArticle
11 Sources of Disruption
Jan 1, 2021
You have observed a troubling tendency that often leads to the disruption of business models. Please describe it. All too often, business strategies fail to effectively account for external change in the world. When faced with deep uncertainty, leade
6 min readJON SPINAGE “There’s Risk In Any Decision You Make, And The Profile Of That Risk Changes Over Time” PC Pro MagazineArticle
JON SPINAGE “There’s Risk In Any Decision You Make, And The Profile Of That Risk Changes Over Time”
Sep 7, 2023
7 min readThree Simple Rules for Protecting Your Data The AtlanticArticle
Three Simple Rules for Protecting Your Data
Sep 12, 2023
3 min readThe Roots of Entrepreneurial Success Rotman ManagementArticle
The Roots of Entrepreneurial Success
Jan 1, 2020
You have been involved in start-ups for many years as a founder, co-founder and Chief Technology Officer. In your experience, does entrepreneurship demand specific traits, or can anyone with a great idea do it? I don’t subscribe to the idea that it t
6 min readEverything Is About to Change EntrepreneurArticle
Everything Is About to Change
Jan 16, 2024
4 min read
Reviews for Information Security A Practical Guide
Rating: 5 out of 5 stars
5/5
1 rating0 reviews
Book preview
Information Security A Practical Guide - Tom Mooney
strength.
CHAPTER 1: DAY ONE AS A SECURITY PROFESSIONAL
Chapter Overview
This chapter gives you guidance on bedding yourself into your new role in security. It will help you to get your bearings and explains some of the early tasks you need to carry out to understand your role much better.
The chapter first reinforces the confidentiality, integrity and availability (CIA) mantra, explaining its meaning and how to use it in your role. I then describe the people you should look to meet as soon as possible so that you know what is going on within the organisation and who you will need as allies. The chapter then explores how you can begin to understand the organisation’s security culture in order to realise how much influence you have in your role.
Objectives
In this chapter you will learn the following:
• How to build a foundation for communication using CIA
• How to understand the security culture of the organisation
• Building relationships with key personnel
• Identifying the gaps in the organisation’s security set up.
Your First Day
Your first day in an information security role can be extremely daunting, especially if you are new to the profession. Often information security is seen as a dark art performed by some elite person, and your peers will have a higher expectation of you and your knowledge of information systems. During a security incident even senior managers will look to you for advice and guidance, so you should be prepared to take on this responsibility and lead when needed.
It is important that you have an overall understanding of the organisation’s IT strategy and what systems are being changed and deployed. Remember, in security the attackers only have to win once, whereas you have to win every time. This means there only needs to be one mistake or oversight and a vulnerability could be exploited in your organisation that could have a tremendous impact.
From day one you must get to know the organisation as quickly as possible, its people, its strategy and its culture. You will not be effective in your role until you understand those things.
Confidentiality, Integrity and Availability (CIA)
The CIA mantra is the bread and butter for every information security professional. These three key areas form the foundation of information security. Think of CIA as your weapon when discussing security with IT and business staff alike. Set this foundation for anyone you are going to work with regularly, as it will allow you to develop a mutual understanding. In my experience people pick up the CIA mantra extremely easily.
Confidentiality means that only those who should have access to the data do, and those who do not have a need to access the data cannot. Data is protected from unauthorised access, and this is the traditional view of security.
Integrity means that the data is accurate and that we can rely upon it. Data that is incorrect or suspected of being incorrect has no value as we cannot rely upon it. When discussing integrity ask how much of the data’s integrity would need to be compromised before confidence is lost in its entirety, as this will help you gauge how important integrity is.
Availability relates to the information being available to those who are authorised to access it when they need to access it. Information that is not available for use is of no use to us. You may have heard the anecdote of taking the data, putting it in a safe and then dropping that safe to the bottom of the ocean. If that’s what we have to do to protect the data then why keep it at all? We can’t make any use of the data, and it is a liability not an asset. This is the part people have most difficulty in understanding. Sometimes people think of the data as a physical asset, so for example if the data is stolen, they assume we no longer have access to it. In fact, theft could be a mixture of both availability and confidentiality. It is important to be clear that availability is about whether we can or cannot access the data.
Getting to Know the Business
It is often easy to forget that you and the IT department are there to serve the business; you are a tool and resource to be used for the business to achieve its objectives. This is why it is important to understand the business and what it wants to achieve. In this section I will introduce the different roles and explain their importance.
Senior Managers
When I talk about senior managers in this context I am referring to those who are one level under the Board; typically this will be heads of departments or divisions. Senior managers will often have high-level responsibility in ensuring their department is working to fulfil the organisation’s business objectives. The key for you is to ensure information security is on their radar, that when they are overseeing the implementation of their objectives that they consider security. If you don’t have buy-in from the top, you will find it difficult to prioritise security within the various IT teams.
Explain to them the CIA mantra so that they understand what each of the three points mean, and it will help if you apply CIA to a specific area. They will then be able to conceptualise security at a high level.
Senior managers are important when trying to change the culture of the organisation and the way it works. Unfortunately people are often resistant to change, but by ensuring senior management buy-in you will have high-level backing to get things done when you encounter resistance.
Business Analysts
Building strong working relationships with business analysts will provide a great insight into the views of the wider organisation. They spend most of their time understanding the business and its needs and then translating this into requirements for IT systems. By understanding their findings you can implement more effective security controls. For example, you implement a new password policy that means passwords now have to be at least 15 characters long. People in the organisation have trouble remembering their passwords so they begin writing them down and attaching them to a sticky note under their keyboards. This security control would actually increase the risk to the organisation of a security breach rather than reduce it. However, as the person responsible for security, people are unlikely to volunteer that they are willingly breaking this rule, so this is where your relationship with business analysts is important. By understanding their work you can better understand the security culture of the organisation and improve it over time, as well as ensuring they factor in security concerns.
Senior Information Risk Owner
The senior information risk owner (SIRO) is a role that you may have not come across before. It is often found in UK government. The SIRO is typically a Board member who has overall responsibility for ensuring effective information security and that it remains a priority on the organisation’s agenda. If you are fortunate to work in an organisation that values information security then it may be worth suggesting this role to the Board.
Although the SIRO will champion information security at Board and strategic levels, it is unlikely they will have any in-depth knowledge of information security. Ensure the SIRO understands CIA so that you can develop a common understanding. The SIRO will be key in changing the organisation’s security culture as they can raise your concerns at the highest possible level. The SIRO will often come to you with their concerns and rely on you to understand and explain the wider impact on the organisation.
Lawyers
The lawyers or legal team are often forgotten about, but they can be as much of an asset as an enemy. They have great power within an organisation as it is their
Enjoying the preview?
Page 1 of 1