Information Protection Playbook
By Greg Kane
About this ebook
The primary goal of the Information Protection Playbook is to serve as a comprehensive resource for information protection (IP) professionals who must provide adequate information security at a reasonable cost. It emphasizes a holistic view of IP: one that protects the applications, systems, and networks that deliver business information from failures of confidentiality, integrity, availability, trust and accountability, and privacy.
Using the guidelines provided in the Information Protection Playbook, security and information technology (IT) managers will learn how to implement the five functions of an IP framework: governance, program planning, risk management, incident response management, and program administration. These functions are based on a model promoted by the Information Systems Audit and Control Association (ISACA) and validated by thousands of Certified Information Security Managers. The five functions are further broken down into a series of objectives or milestones to be achieved in order to implement an IP framework.
The extensive appendices included at the end of the book make for an excellent resource for the security or IT manager building an IP program from the ground up. They include, for example, a board of directors presentation complete with sample slides; an IP policy document checklist; a risk prioritization procedure matrix, which illustrates how to classify a threat based on a scale of high, medium, and low; a facility management self-assessment questionnaire; and a list of representative job descriptions for roles in IP.
The Information Protection Playbook is a part of Elsevier’s Security Executive Council Risk Management Portfolio, a collection of real world solutions and "how-to" guidelines that equip executives, practitioners, and educators with proven information for successful security and risk management programs.
- Emphasizes information protection guidelines that are driven by business objectives, laws, regulations, and industry standards
- Draws from successful practices in global organizations, benchmarking, advice from a variety of subject-matter experts, and feedback from the organizations involved with the Security Executive Council
- Includes 11 appendices full of the sample checklists, matrices, and forms that are discussed in the book
Information Protection Playbook
Edited by
Greg Kane
Lorna Koppel
RISK MANAGEMENT PORTFOLIO
Table of Contents
Cover image
Title page
Copyright
Acknowledgments
Executive Summary
What is a Playbook?
About the Information Protection Playbook
IP Program
Introduction
Assumptions
IP Strategy
Chapter 1. Information Protection Function One: Governance
Implementation One: Strategic Management
Implementation Two: Reporting and Communication
Implementation Three: Policies
Implementation Four: Regulations and Compliance Management
Implementation Five: Roles and Responsibilities
Implementation Six: Procedures and Guidelines
Implementation Seven: Portfolio Management
Governance Improvement
Additional Information
Chapter 2. Information Protection Function Two: Program Planning
Baselines, Standards, Procedures, and Guidelines
Accountability and Resources
Metrics
For More Information
Chapter 3. Information Protection Function Three: Risk Management
Risk Assessment
Risk Communication Procedure
Risk Management Methodologies
For More Information
Chapter 4. Information Protection Function Four: Incident Response Management
Process
Plans, Exercises, Activation, Documentation, and Improvement
For More Information
Chapter 5. Information Protection Function Five: Program Administration
Compliance
Metrics
Change Management
Awareness
Key Points
For More Information
Appendix A. Playbook Summary
What’s Here
How to Use This Appendix
Summary
Appendix B. Board of Directors Presentation
What’s Here
How to Use This Appendix
Example Presentation
Appendix C. Information Protection Policies Checklist
What’s Here
How to Use This Appendix
Example Policy Documents
Example Data Classification Policy Elements
Appendix D. An Example Roles and Responsibilities RACI Matrix
What’s Here
How to Use This Appendix
Example RACI Matrix
Appendix E. Risk Prioritization Procedure Matrix
What’s Here
How to Use This Appendix
Risk Prioritization Matrix
Appendix F. Security Awareness and Training Menu
What’s Here
How to Use This Appendix
Security Awareness and Training Delivery Methods
Security Awareness and Training Menu
Appendix G. Risk Assessment and Compliance Checklist
What’s Here
How to Use This Appendix
Risk Assessment and Compliance Checklist
Appendix H. Incident Response
What’s Here
How to Use This Appendix
Incident Response Planning
Incident Reaction
Appendix I. Facility Management Self-Assessment
What’s Here
How to Use This Appendix
Self-assessment Questionnaire
Appendix J. Roles in Information Protection
What’s Here
How to Use This Appendix
Example Positions
Appendix K. Measurement in Information Protection
What’s Here
How to Use This Appendix
Initial Measurement Program
Evolutionary Process Improvement
Additional Resources
References
About the Contributing Editors
About Elsevier’s Security Executive Council Risk Management Portfolio
Copyright
Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA
First published 2013
Copyright © 2013 The Security Executive Council. Published by Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
ISBN: 978-0-12-417232-6
For more publications in the Elsevier Risk Management and Security Collection, visit our website at store.elsevier.com/SecurityExecutiveCouncil.
Acknowledgments
The goal in creating this playbook was to provide current practices and the latest insights gathered from the collective knowledge of leading security and risk practitioners in the industry. We wish to thank everyone who made this possible by contributing their time, effort, and wisdom.
The following individuals provided assistance with the Elsevier edition of this playbook:
Herbert Mattord, Ph.D., CISM, CISSP
Michael Whitman, Ph.D., CISM, CISSP
The following individuals provided assistance with the initial version of this playbook, which was provided to the Security Executive Council community:
Michael Assante, CSO, Idaho Labs (currently at American Electric Power)
Anton Bommersbach, senior manager of global security, Wrigley (currently at Sony DADC)
Scott Day, CISO, Cargill
Greg Halvacs, DOS, Kraft (currently at Cardinal)
Bob Hayes, managing director, Security Executive Council
Stash Jarocki, senior VP and ISO, Bessemer Trust (currently at Phoenix Children’s Hospital)
Kathleen Kotwica, PhD, EVP and chief knowledge strategist, Security Executive Council
Jack McCarthy, emeritus faculty, Security Executive Council, former global director of corporate security for Texaco Inc.
John McClurg, VP global security, Honeywell (currently at Dell)
Carlos Mena, CISO; vice president, program management, Security Executive Council (currently at SanDisk)
John Pontrelli, VP and CSO, Tri-West Healthcare
Executive Summary
The Information Protection Playbook provides a framework and tools to create, manage, and execute all facets of an organization’s information protection (IP) program. In this playbook, we guide the security leader through the development, implementation, and maintenance of a successful IP program. The playbook begins with a detailed description of the concept and value of information protection, transitioning into a step-by-step guide to building or enhancing an IP program.
Using the instructions provided in this playbook, security managers will learn how to implement the five functions of an IP framework: governance, program planning, risk management, incident response management, and program administration. This playbook also explains how the security or business leader can maintain a successful IP program in the long term. Its