Creating an Information Security Program from Scratch

Author: Walter Williams
Publisher: CRC Press
Total Pages: 251
Release: 2021-09-15
Genre: Computers
ISBN: 9781000449761

This book is written for the first security hire in an organization, either an individual moving into this role from within the organization or hired into the role. More and more, organizations are realizing that information security requires a dedicated team with leadership distinct from information technology, and often the people who are placed into those positions have no idea where to start or how to prioritize. There are many issues competing for their attention, standards that say do this or do that, laws, regulations, customer demands, and no guidance on what is actually effective. This book offers guidance on approaches that work for how you prioritize and build a comprehensive information security program that protects your organization. While most books targeted at information security professionals explore specific subjects with deep expertise, this book explores the depth and breadth of the field. Instead of exploring a technology such as cloud security or a technique such as risk analysis, this book places those into the larger context of how to meet an organization's needs, how to prioritize, and what success looks like. Guides to the maturation of practice are offered, along with pointers for each topic on where to go for an in-depth exploration of each topic. Unlike more typical books on information security that advocate a single perspective, this book explores competing perspectives with an eye to providing the pros and cons of the different approaches and the implications of choices on implementation and on maturity, as often a choice on an approach needs to change as an organization grows and matures.

Developing a Comprehensive Security Program

Author: Bob Hayes,Kathleen Kotwica,Elizabeth Lancaster
Publisher: Elsevier
Total Pages: 13
Release: 2014-02-14
Genre: Business & Economics
ISBN: 9780128009307

Developing a Comprehensive Security Program answers the question common among security managers, "What is a model security program, and how does our program compare to it?" In this seven-minute Proven Practices presentation, narrator Elizabeth Lancaster outlines the baseline elements of a security program, which have been defined by experienced Security Executive Council members and research. This presentation is not sector-specific--meaning it's applicable for all organizations and industries. In addition to the baseline security program elements, Lancaster also discusses business-aligned program elements, program characteristics, a program maturity model, and the skills and knowledge the security department needs to possess. Developing a Comprehensive Security Program may be used as a benchmark for existing programs and to educate senior management. It also provides a general understanding of the security function as it currently exists. Developing a Comprehensive Security Program is a part of Elsevier's Security Executive Council Risk Management Portfolio, a collection of real world solutions and "how-to" guidelines that equip executives, practitioners, and educators with proven information for successful security and risk management programs. The seven-minute, visual PowerPoint presentation with audio narration format is excellent for group learning. Information is drawn from the many years of collective knowledge and experience of the Security Executive Council community. Identifies program characteristics and the knowledge areas and skills security leaders should possess.

Building a Comprehensive IT Security Program

Author: Jeremy Wittkop
Publisher: Apress
Total Pages: 210
Release: 2016-08-05
Genre: Computers
ISBN: 9781484220535

This book explains the ongoing war between private business and cyber criminals, state-sponsored attackers, terrorists, and hacktivist groups. Further, it explores the risks posed by trusted employees that put critical information at risk through malice, negligence, or simply making a mistake. It clarifies the historical context of the current situation as it relates to cybersecurity, the challenges facing private business, and the fundamental changes organizations can make to better protect themselves. The problems we face are difficult, but they are not hopeless. Cybercrime continues to grow at an astounding rate. With constant coverage of cyber-attacks in the media, there is no shortage of awareness of increasing threats. Budgets have increased and executives are implementing stronger defenses. Nonetheless, breaches continue to increase in frequency and scope. Building a Comprehensive IT Security Program shares why organizations continue to fail to secure their critical information assets and explains the internal and external adversaries facing organizations today. This book supplies the necessary knowledge and skills to protect organizations better in the future by implementing a comprehensive approach to security. Jeremy Wittkop’s security expertise and critical experience provide insights into topics such as: Who is attempting to steal information and why? What are critical information assets? How are effective programs built? How is stolen information capitalized? How do we shift the paradigm to better protect our organizations? How can we make the cyber world safer for everyone to do business?

How to Develop and Implement a Security Master Plan

Author: Timothy Giles
Publisher: CRC Press
Total Pages: 352
Release: 2008-12-17
Genre: Business & Economics
ISBN: 142008626X

Engage Stakeholders with a Long-Term Solution

The goal: Convince executive management to "buy in" to your security program, support it, and provide the largest possible amount of funding. The solution: Develop a meticulously detailed long-term plan that sells decision-makers on the dire need for your program, and then maps out its direction and required budget.

Assess and Outline Security Risks to Map Out Mitigation Strategies

This practical guide details how to construct a customized, comprehensive five-year corporate security plan that synchronizes with the strategies of any business or institution. The author explains how to develop a plan and implementation strategy that aligns with an organization’s particular philosophies, strategies, goals, programs, and processes. Readers learn how to outline risks and then formulate appropriate mitigation strategies. This guide provides tested, real-world solutions on how to:

· Conduct an effective, efficient assessment of the site and security personnel, meticulously addressing the particular needs of many different environments
· Make decisions about security philosophies, strategies, contract relationships, technology, and equipment replacement
· Interview executive and security management to determine their concerns, educate them, and ensure that they buy in to your plan
· Use all gathered data to construct and finalize the Security Master Plan and then implement it into the management of the business

Apply Insights from an Expert with Global Experience at the Highest Level

Author Tim Giles worked at IBM for 31 years serving as Director of Security for the company’s operations in the United States and Canada, as well as Latin America and Asia-Pacific. His immeasurable experience and insight provide readers with an extraordinarily comprehensive understanding that they can use to design and execute a highly effective, tailored security program.

Comprehensive Security Planning

Author: William Brill Associates
Publisher: Unknown
Total Pages: 224
Release: 1977
Genre: Apartment houses
ISBN: IND:30000076300304

Promoting Chemical Laboratory Safety and Security in Developing Countries

Author: National Research Council,Division on Earth and Life Studies,Board on Chemical Sciences and Technology,Committee on Promoting Safe and Secure Chemical Management in Developing Countries
Publisher: National Academies Press
Total Pages: 137
Release: 2010-09-07
Genre: Science
ISBN: 9780309161350

There is growing concern about the possible use of toxic industrial chemicals or other hazardous chemicals by those seeking to perpetrate acts of terrorism. The U.S. Chemical Security Engagement Program (CSP), funded by the U.S. Department of State and run by Sandia National Laboratories, seeks to develop and facilitate cooperative international activities that promote best practices in chemical security and safe management of toxic chemicals, including: Partnering with host governments, chemical professionals, and industry to assess and fill gaps in chemical security abroad. Providing technical expertise and training to improve best practices in security and safety among chemical professionals and industry. Increasing transparency and accountability for dangerous chemical materials, expertise, and technologies. Providing opportunities for collaboration with the international professional chemical community. The Department of State called on the National Academies to assist in the CSP's efforts to promote chemical safety and security in developing countries.

Developing Cybersecurity Programs and Policies

Author: Omar Santos
Publisher: Pearson IT Certification
Total Pages: 956
Release: 2018-07-20
Genre: Computers
ISBN: 9780134858548

All the Knowledge You Need to Build Cybersecurity Programs and Policies That Work

· Clearly presents best practices, governance frameworks, and key standards
· Includes focused coverage of healthcare, finance, and PCI DSS compliance
· An essential and invaluable guide for leaders, managers, and technical professionals

Today, cyberattacks can place entire organizations at risk. Cybersecurity can no longer be delegated to specialists: success requires everyone to work together, from leaders on down. Developing Cybersecurity Programs and Policies offers start-to-finish guidance for establishing effective cybersecurity in any organization. Drawing on more than 20 years of real-world experience, Omar Santos presents realistic best practices for defining policy and governance, ensuring compliance, and collaborating to harden the entire organization. First, Santos shows how to develop workable cybersecurity policies and an effective framework for governing them. Next, he addresses risk management, asset management, and data loss prevention, showing how to align functions from HR to physical security. You’ll discover best practices for securing communications, operations, and access; acquiring, developing, and maintaining technology; and responding to incidents. Santos concludes with detailed coverage of compliance in finance and healthcare, the crucial Payment Card Industry Data Security Standard (PCI DSS) standard, and the NIST Cybersecurity Framework. Whatever your current responsibilities, this guide will help you plan, manage, and lead cybersecurity–and safeguard all the assets that matter.

Learn How To · Establish cybersecurity policies and governance that serve your organization’s needs · Integrate cybersecurity program components into a coherent framework for action · Assess, prioritize, and manage security risk throughout the organization · Manage assets and prevent data loss · Work with HR to address human factors in cybersecurity · Harden your facilities and physical environment · Design effective policies for securing communications, operations, and access · Strengthen security throughout the information systems lifecycle · Plan for quick, effective incident response and ensure business continuity · Comply with rigorous regulations in finance and healthcare · Plan for PCI compliance to safely process payments · Explore and apply the guidance provided by the NIST Cybersecurity Framework

Guidelines for the Development of a Security Program

Author: James D. Henderson,W. Hardy Rauch,Richard L. Phillips
Publisher: Unknown
Total Pages: 322
Release: 1997
Genre: Social Science
ISBN: PSU:000046332776

This revised edition presents ideas and concepts for designing or updating a comprehensive security program. Contains the most up-to-date information available on the essential elements for a sound program. Includes discussions of security basics, specific duties and responsibilities, and emergency preparedness. Useful staffing guidelines, sample forms, and checklists are included.