
Information Security Handbook

Book Description

Implement information security effectively as per your organization’s needs.

About This Book

  • Learn to build your own information security framework, the best fit for your organization
  • Build on the concepts of threat modeling, incident response, and security analysis
  • Practical use cases and best practices for information security

Who This Book Is For

This book is for security analysts and professionals who deal with security mechanisms in an organization. If you are looking for an end-to-end guide to information security and risk analysis and have no prior knowledge of this domain, then this book is for you.

What You Will Learn

  • Develop your own information security framework
  • Build your incident response mechanism
  • Discover cloud security considerations
  • Get to know the system development life cycle
  • Get your security operation center up and running
  • Know the various security testing types
  • Balance security as per your business needs
  • Implement information security best practices

In Detail

Having an information security mechanism is one of the most crucial factors for any organization. An organization's important assets demand proper risk management and a threat model for their security, which is why information security concepts are gaining a lot of traction. This book starts with the concept of information security and shows you why it's important.

It then moves on to modules such as threat modeling, risk management, and mitigation. It also covers the concepts of incident response systems, information rights management, and more. Moving on, it guides you to build your own information security framework as the best fit for your organization. Toward the end, you’ll discover some best practices that can be implemented to make your security framework strong.

By the end of this book, you will be well-versed in all the factors involved in information security, which will help you build a security framework that is a perfect fit for your organization's requirements.

Style and approach

This book takes a practical approach, walking you through information security fundamentals, along with information security best practices.

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to receive the code files.

Table of Contents

  1. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Conventions
    5. Reader feedback
    6. Customer support
      1. Downloading the color images of this book
      2. Errata
      3. Piracy
      4. Questions
  2. Information and Data Security Fundamentals
    1. Information security challenges
    2. Evolution of cybercrime
    3. The modern role of information security
      1. IT security engineering
      2. Information assurance
      3. The CIA triad
    4. Organizational information security assessment
    5. Risk management
    6. Information security standards
    7. Policies
    8. Training
      1. Key components of an effective training and awareness program
    9. Summary
  3. Defining the Threat Landscape
    1. What is important to your organization and who wants it?
      1. Compliance
    2. Hackers and hacking
      1. Black hat hacker
      2. White hat or ethical hacker
      3. Blue hat hacker
      4. Grey hat hacker
      5. Penetration testing
      6. Hacktivist
      7. Script kiddie
      8. Nation state
      9. Cybercrime
      10. Methods used by the attacker
        1. Exploits
        2. Hacker techniques
      11. Methods of conducting training and awareness
    3. Closing information system vulnerabilities
    4. Vulnerability management
      1. The case for vulnerability management
    5. Summary
  4. Preparing for Information and Data Security
    1. Establishing an information security program
      1. Don't start from scratch, use a framework
      2. Security program success factors
        1. Executive or board support
        2. Supporting the organization's mission
        3. Rightsizing information security for the organization
        4. Security awareness and training program
        5. Information security built into SDLC
      3. Information security program maturity
    2. Information security policies
      1. Information security program policy
      2. Operational policy
      3. System-specific policy
      4. Standards
      5. Procedures
      6. Guidelines
    3. Recommended operational policies
      1. Planning policy
      2. Access control policy
      3. Awareness and training policy
      4. Auditing and accountability policy
      5. Configuration management policy
      6. Contingency planning policy
      7. Identification and authentication policy
      8. Incident response policy
      9. Maintenance policy
      10. Media protection policy
      11. Personnel security policy
      12. Physical and environmental protection policy
      13. Risk assessment policy
      14. Security assessment policy
      15. System and communications protection policy
      16. System and information integrity policy
      17. Systems and services acquisitions policy
    4. Summary
  5. Information Security Risk Management
    1. What is risk?
    2. Who owns organizational risk?
      1. Risk ownership
      2. What is risk management?
    3. Where is your valuable data?
      1. What does my organization have that is worth protecting?
        1. Intellectual property trade secrets
        2. Personally Identifiable Information – PII
        3. Personal Health Information – PHI
        4. General questions
    4. Performing a quick risk assessment
    5. Risk management is an organization-wide activity
      1. Business operations
      2. IT operations
      3. Personnel
      4. External organization
      5. Risk management life cycle
      6. Information categorization
        1. Data classification looks to understand
      7. Data classification steps
      8. Determining information assets
      9. Finding information in the environment
      10. Disaster recovery considerations
      11. Backup storage considerations
        1. Types of storage options
        2. Questions you should ask your business users regarding their information's location
        3. Questions you should ask your IT organization regarding the information's location
      12. Organizing information into categories
      13. Examples of information type categories
        1. Publicly available information
        2. Credit card information
        3. Trade secrets
        4. Valuing the information and establishing impact
          1. Valuing information
          2. Establishing impact
    6. Security control selection
      1. Information security frameworks
    7. Security control implementation
    8. Assessing implemented security controls
    9. Authorizing information systems to operate
    10. Monitoring information system security controls
    11. Calculating risk
      1. Qualitative risk analysis
      2. Identifying your organization's threats
      3. Identifying your organization's vulnerabilities
      4. Pairing threats with vulnerabilities
      5. Estimating likelihood
      6. Estimating impact
      7. Conducting the risk assessment
      8. Management choices when it comes to risk
      9. Quantitative analysis
      10. Qualitative risk assessment example
    12. Summary
  6. Developing Your Information and Data Security Plan
    1. Determine your information security program objectives
      1. Example information security program activities
    2. Elements for a successful information security program
      1. Analysis to rightsizing your information security program
        1. Compliance requirements
        2. Is your organization centralized or decentralized?
          1. Centralized
          2. Decentralized
        3. What is your organization's business risk appetite?
        4. How mature is your organization?
    3. Helping to guarantee success
      1. Business alignment
      2. Information security is a business project not an IT project
      3. Organizational change management
    4. Key information security program plan elements
      1. Develop your information security program strategy
      2. Establish key initiatives
      3. Define roles and responsibilities
    5. Defining enforcement authority
    6. Pulling it all together
    7. Summary
  7. Continuous Testing and Monitoring
    1. Types of technical testing
    2. SDLC considerations for testing
      1. Project initiation
      2. Requirements analysis
      3. System design
      4. System implementation
      5. System testing
      6. Operations and maintenance
      7. Disposition
      8. SDLC summary
    3. Continuous monitoring
      1. Information security assessment automation
      2. Effective reporting of information security status
      3. Alerting of information security weakness
    4. Vulnerability assessment
      1. Business relationship with vulnerability assessment
      2. Vulnerability scanning
      3. Vulnerability scanning process
      4. Vulnerability resolution
    5. Penetration testing
      1. Phases of a penetration test
    6. Difference between vulnerability assessment and penetration testing
    7. Examples of successful attacks in the news
      1. Point of sale system attacks
      2. Cloud-based misconfigurations
    8. Summary
  8. Business Continuity/Disaster Recovery Planning
    1. Scope of BCDR plan
      1. Business continuity planning
      2. Disaster recovery planning
      3. Focus areas for BCDR planning
        1. Management
        2. Operational
        3. Technical
    2. Designing the BCDR plan
    3. Requirements and context gathering – business impact assessment
      1. Inputs to the BIA
      2. Outputs from the BIA
      3. Sample BIA form
    4. Define technical disaster recovery mechanisms
      1. Identify and document required resources
      2. Conduct a gap analysis
      3. Develop disaster recovery mechanisms
    5. Develop your plan
      1. Develop recovery teams
        1. Establish relocation plans
      2. Develop detailed recovery procedures
    6. Test the BCDR plan
    7. Summary
  9. Incident Response Planning
    1. Do I need an incident response plan?
    2. Components of an incident response plan
    3. Preparing the incident response plan
      1. Understanding what is important
      2. Prioritizing the incident response plan
      3. Determining what normal looks like
        1. Observe, orient, decide, and act – OODA
      4. Incident response procedure development
    4. Identification – detection and analysis
    5. Identification – incident response tools
      1. Observational (OODA) technical tools
      2. Orientation (OODA) tools
      3. Decision (OODA) tools
    6. Remediation – containment/recovery/mitigation
    7. Remediation – incident response tools
      1. Act (Response) (OODA) tools
    8. Post incident activity
      1. Lessons-learned sessions
      2. Incident response plan testing
    9. Summary
  10. Developing a Security Operations Center
    1. Responsibilities of the SOC
    2. Management of security operations center tools
    3. Security operation center toolset design
      1. Using already implemented toolsets
    4. Security operations center roles
      1. Log or information aggregation
      2. Log or information analysis
    5. Processes and procedures
      1. Identification – detection and analysis
      2. Events versus alerts versus incidents
      3. False positive versus false negative/true positive versus true negative
      4. Remediation – containment/eradication/recovery
    6. Security operations center tools
      1. Security operations center advantages
      2. MSSP advantages
    7. Summary
  11. Developing an Information Security Architecture Program
    1. Information security architecture and SDLC/SELC
    2. Conducting an initial information security analysis
      1. Purpose and description of the information system
      2. Determining compliance requirements
        1. Compliance standards
      3. Documenting key information system and project roles
        1. Project roles
        2. Information system roles
      4. Defining the expected user types
      5. Documenting interface requirements
      6. Documenting external information systems access
      7. Conducting a business impact assessment
        1. Inputs to the BIA
      8. Conducting an information categorization
    3. Developing a security architecture advisement program
      1. Partnering with your business stakeholders
      2. Information security architecture process
        1. Example information security architecture process
    4. Summary
  12. Cloud Security Consideration
    1. Cloud computing characteristics
    2. Cloud computing service models
      1. Infrastructure as a Service – IaaS
      2. Platform as a Service – PaaS
      3. Software as a Service – SaaS
    3. Cloud computing deployment models
      1. Public cloud
      2. Private cloud
      3. Community cloud
      4. Hybrid cloud
    4. Cloud computing management models
      1. Managed service provider
      2. Cloud service provider
    5. Cloud computing special consideration
      1. Cloud computing data security
        1. Data location
        2. Data access
        3. Storage considerations
          1. Storage types
          2. Storage threats
          3. Storage threat mitigations
        4. Managing identification, authentication, and authorization in the cloud computing environment
          1. Identification considerations
          2. Authentication considerations
          3. Authorization considerations
        5. Integrating cloud services with the security operations center
        6. Cloud access security brokers
        7. Special business considerations
    6. Summary
  13. Information and Data Security Best Practices
    1. Information security best practices
      1. User accounts
        1. Limit administrator accounts
        2. Using a normal user account where possible
        3. Least privilege/role separation
        4. Password security
      2. Least functionality
      3. Updates and patches
      4. Secure configurations
        1. Step 1: Developing a policy that enforces secure configuration baselines
        2. Step 2: Developing secure configuration baselines
        3. Step 3: Integrating secure configuration baselines into the SDLC
        4. Step 4: Enforcing secure configuration baselines through automated testing and remediation
    2. Application security
      1. Conducting a web application inventory
      2. Least privileges
      3. Cookie security
      4. Web application firewalls
      5. Implementing a secure coding awareness program
    3. Network security
      1. Remote access
      2. Wireless
      3. Mobile devices
    4. Summary