Strategic Information Security


Purchasing Options

Hardback
$94.95
ISBN 9780849320415
Cat# AU2041

Features

  • Focuses on the life-cycle aspect of building a security program, emphasizing that security is an ongoing effort
  • Presents a higher level view of the security manager's role, integrating it with a company's strategic focus
  • Contrasts the responsibilities of a chief security officer with those of a chief information security officer
  • Explores authentication models and strategies
  • Delivers an overview of crisis management
  • Provides a listing of valuable internet-based security resources
  • Examines security concepts and tasks such as business continuity, single sign-on, risk management, risk reduction, and auditing and testing
Summary

The new emphasis on physical security resulting from the terrorist threat has forced many information security professionals to struggle to maintain their organization's focus on protecting information assets. In order to command attention, they need to emphasize the broader role of information security in the strategy of their companies. Until now, however, most books about strategy and planning have focused on the production side of the business rather than on operations.

Strategic Information Security integrates the importance of sound security policy with the strategic goals of an organization. It provides IT professionals and management with insight into the issues surrounding the goals of protecting valuable information assets. This text reiterates that an effective information security program relies on more than policies or hardware and software; instead, it hinges on a mindset in which security is a core part of the business and not just an afterthought.

Armed with the content of this book, security specialists can redirect the discussion of security toward the terms and concepts that management understands. This increases the likelihood of obtaining the funding and managerial support needed to build and maintain airtight security programs.

Table of Contents

Introduction to Strategic Information Security
What Does It Mean to Be Strategic?
Information Security Defined
The Security Professional's View of Information Security
The Business View of Information Security
Changes Affecting Business and Risk Management
Strategic Security
Strategic Security or Security Strategy?
Monitoring and Measurement
Moving Forward

ORGANIZATIONAL ISSUES
The Life Cycles of Security Managers
Introduction
The Information Security Manager's Responsibilities
The Evolution of Data Security to Information Security
The Repository Concept
Changing Job Requirements
Business Life Cycles and the Evolution of an Information Security Program
The Introductory Phase
The Early Growth Phase
The Rapid Growth Phase
The Maturity Phase
Skill Changes over Time
Conclusion

Chief Security Officer or Chief Information Security Officer
Introduction
Organizational Issues
Justifying the Importance and Role of Security in Business
Risk Management Issues Affecting Organizational Models
Chief Information Security Officer (CISO) Role Defined
The Chief Security Officer (CSO) Role Defined
Organizational Models and Issues
Organization Structure and Reporting Models
Choosing the Right Organization Model

RISK MANAGEMENT TOPICS
Information Security and Risk Management
Introduction
The Information Technology View of Threats, Vulnerabilities, and Risks
Business View of Threats, Vulnerabilities, and Risks
The Economists' Approach to Understanding Risk
Total Risk
Technology Risk
Information Risk
Information Risk Formula
Protection Mechanisms and Risk Reduction
Matching Protection Mechanisms to Risks
The Risk Protection Matrix
Conclusion

Establishing Information Ownership
Establishing Information Ownership
Centralized Information Security
Local Administrators vs. Information Owners
Transferring Ownership
Operations Orientation of Information Ownership
Information Ownership in Larger Organizations
Information as an Asset
Decentralized vs. Centralized Information Security Controls
Ownership and Information Flow
Information Ownership Hierarchy
Functional Owners of Information
Income Statement Information Owners
Information Value
Statement of Condition Information Owners
Conclusion

The Network as the Enterprise Database
Introduction
A Historical View of Data and Data Management
Management Information Systems (MIS)
Executive Information Systems (EIS)
The Evolving Network
The Network as the Database
Conclusion

Risk Reduction Strategies
Introduction
Information Technology Risks
Evaluating the Alternatives

Improving Security from the Bottom Up: Moving Toward a New Way of Enforcing Security Policy
Encouraging Personal Accountability for Corporate Information Security Policy
Background
The Problem
The Role of the Chief Information Security Officer (CISO) in Improving Security
Centralized Management vs. Decentralized Management
Security Policy and Enforcement Alternatives
Policy Compliance and the Human Resources Department
Personal Accountability
Conclusion

Authentication Models and Strategies
Introduction to Authentication
Authentication Defined
Authentication Choices
Public Key Infrastructure
Administration and Authentication: Management Issues
Identity Theft
Risks and Threats Associated with Authentication Schemes
Other Strategic Issues Regarding Authentication Systems
Conclusion

INFORMATION SECURITY PRINCIPLES AND PRACTICES
Single Sign-On Security
Overview
The Authentication Dilemma
The Many Definitions of Single Sign-On
Risks Associated with Single Sign-On
Single Sign-On Alternative: A More In-Depth Review
User Provisioning
Authentication and Single Sign-On

Crisis Management: A Strategic Viewpoint
Introduction
Crisis Defined
Benefits from a Formal Crisis Management Process
Escalation and Notification
Organizational Issues and Structures for Dealing with Crisis Management
Strategies for Managing through a Crisis
Creating a Formalized Response for Crisis Management
Conclusion

Business Continuity Planning
Introduction
Types of Outages and Disasters Outages
Planning for a Disaster
Roles and Responsibilities
Plan Alternatives and Decision Criteria
Risk Mitigation vs. Risk Elimination
Preparation: Writing the Plan
Testing and Auditing the Plan
Issues for Executive Management
Conclusion

Security Monitoring: Advanced Security Management
Introduction
Monitoring vs. Auditing
Activity Monitoring and Audit Trails
How Security Information Management Systems Work
Other Security Information Monitoring Sources
Privacy and Security Monitoring
Reactions to Security Monitoring Information
Problems with Security Monitoring
Senior Management Issues and Security Monitoring

Auditing and Testing a Strategic Control Process
Introduction: The Role of Auditing and Testing
Auditing and Security Management
Security Audits
Information Protection
Audit Logs and Audit Trails
Security Testing and Analysis
Application Controls and Strategic Security Goals
Reporting of Security Problems and the Role of the Auditor
Auditing, Testing, and Strategic Security

Outsourcing Security: Strategic Management Issues
Information Security Operations and Security Management
Management Issues Regarding the Outsourcing Decision
Outsourced Security Alternatives
Return on Investment (ROI) with Outsourced Services
Contract Issues for Security Outsourcing
Integration of Outsourcing with Internal Operational Functions
Risks Associated with Outsourcing Security Functions
Business Continuity Planning and Security Outsourcing
Strategic Management Issues with Outsourced Security

Final Thoughts on Strategic Security
Executive Management and Security Management
The Future of Information Security and the Challenges Ahead

Appendix: Helpful Internet Resources

Editorial Reviews

"[A]n interesting book rooted in experience … . [The] author offers … philosophical considerations [in understanding] computer and information security not as [a] technical issue but [as a] strategic and management issue. … [A] calm reading for [the] strategic and tactical manager that offers a broad vision … ."
- Dr. Jeimy Cano, Universidad de los Andes, Bogota, Colombia