Practical Guide to Managing Information Security.
Title:
Practical Guide to Managing Information Security.
Author:
Purser, Steve.
ISBN:
9781580537032
Physical Description:
1 online resource (280 pages)
Contents:
A Practical Guide to Managing Information Security
Contents vii
Preface xiii
Acknowledgments xvii
CHAPTER 1 The need for a proactive approach 1
  1.1 Introduction 1
  1.2 The reality of the modern enterprise 3
  1.3 Evolution of organizational structures 4
  1.4 Evolution of technical infrastructure 5
  1.5 Limitations of policy-driven decision making 7
  1.6 Education and awareness 9
  1.7 Operational issues 11
  1.8 New challenges 14
  1.9 Introducing The (not so) Secure Bank 17
  1.10 Summary 19
  References 20
CHAPTER 2 Management techniques 23
  2.1 Knowledge and experience 23
  2.2 Information relating to security incidents and vulnerabilities 25
  2.3 Risk analysis and risk management 27
  2.4 Strategy and planning 30
  2.5 Policy and standards 32
  2.6 Processes and procedures 34
  2.7 Methodologies and frameworks 36
  2.8 Awareness and training 38
  2.9 Audits 40
  2.10 Contracts 41
  2.11 Outsourcing 42
  2.12 Summary 43
  References 44
CHAPTER 3 Technical tools 47
  3.1 Overview 47
  3.2 Classification of security tools 48
  3.3 Host-oriented tools 49
  3.4 Network-oriented tools 62
  3.5 Supporting infrastructure 74
  3.6 Summary 80
  References 81
CHAPTER 4 A proactive approach: Overview 85
  4.1 Introduction 85
  4.2 The consolidation period and strategic-planning cycles 86
  4.3 Deciding on a personal strategy 87
  4.4 The consolidation period 89
  4.5 The strategic-planning cycle 100
  4.6 The core deliverables 105
  4.7 Summary 106
  References 107
CHAPTER 5 The information-security strategy 109
  5.1 The need for a strategy 109
  5.2 Planning 110
  5.3 Analysis of the current situation 111
  5.4 Identification of business strategy requirements 114
  5.5 Identification of legal and regulatory requirements 117
  5.6 Identification of requirements due to external trends 119
  5.7 Definition of the target situation 122
  5.8 Definition and prioritization of strategic initiatives 123
  5.9 Distribution of the draft strategy 126
  5.10 Agreement and publication of final strategy 127
  5.11 Summary 128
  References 129
CHAPTER 6 Policy and standards 131
  6.1 Some introductory remarks on documentation 131
  6.2 Designing the documentation set 132
  6.3 Policy 135
  6.4 Establishing a control framework 140
  6.5 Standards 143
  6.6 Guidelines and working papers 150
  6.7 Summary 150
  References 151
CHAPTER 7 Process design and implementation 155
  7.1 Requirements for stable processes 155
  7.2 Why processes fail to deliver 156
  7.3 Process improvement 159
  7.4 The Secure Bank: Improving the authorization and access-control procedure 168
  7.5 Continuous improvement 176
  7.6 Summary 177
  References 178
CHAPTER 8 Building an IT security architecture 181
  8.1 Evolution of enterprise IT infrastructure 181
  8.2 Problems associated with system-focused approaches 182
  8.3 A three-phased approach 184
  8.4 The design phase 185
  8.5 The implementation phase 198
  8.6 Administration and maintenance phase 208
  8.7 Summary 213
  References 213
CHAPTER 9 Creating a security-minded culture 215
  9.1 Introduction 215
  9.2 Techniques for introducing cultural change 217
  9.3 Internal marketing and sales 219
  9.4 Support and feedback 221
  9.5 Security-awareness training 222
  9.6 Security skills training 232
  9.7 Involvement initiatives 237
  9.8 Summary 238
  References 239
Appendix: Fast risk analysis 241
  A.1 Introduction 241
  A.2 The method 241
  A.3 A worked example 243
  A.4 Comments 243
About the author 249
Index 251
Abstract:
This groundbreaking book helps you master the management of information security, concentrating on the proactive recognition and resolution of the practical issues of developing and implementing IT security for the enterprise. Drawing upon the author's wealth of valuable experience in high-risk commercial environments, the work focuses on the need to align the information security process as a whole with the requirements of the modern enterprise, which involves empowering business managers to manage information security-related risk. Throughout, the book places emphasis on the use of simple, pragmatic risk management as a tool for decision-making. The first book to cover the strategic issues of IT security, it helps you to: understand the difference between more theoretical treatments of information security and operational reality; learn how information security risk can be measured and subsequently managed; define and execute an information security strategy; design and implement a security architecture; and ensure that limited resources are used optimally.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.