[.uk] Stepping Through the InfoSec Program (ISBN 1604200308)

Provides the low-level details and nitty-gritty elements on how to build a security program:
For those who want to stay current in information security, Stepping Through the InfoSec Program is a great book to read as it provides the low-level details and nitty-gritty elements on just how to do that. Author Jennifer Bayuk spent over a decade at a large brokerage firm building their information security program. Her experience in managing and designing security there is manifest in the book and it is clear throughout the book that she is writing a deep pool of from real-world experience. The first part of the book contains 3 sections and in just under 150 densely packed pages, the book walks you through the process in which to build an effective information security program. The book details 6 steps in which to facilitate this, namely: strategy, policy, awareness, implementation, monitoring and remediation. The book starts out and begins to develop the context for an information security program. It astutely notes that an information security program exists only in the context of an organizational management structure. Anyone building an information security program for its own sake, removed from the organizational management structure will quickly find themselves devoid of a budget, and often shortly after that, out of a job. The books attention to detail and specific definitions are superb. In the opening section, it defines the objectives, prerequisites, typical tasks and performance measures for over 10 different jobs within information security. It then creates a segregation of duties matrix for these jobs. Such detailed information is invaluable to anyone attempting to build a security program. The main part of the book is in section 2 which steps through what an information security program is, how it is created, how it operates and what resources are required to maintain it. The beauty of the book is that the author understands that information security is not a monolithic undertaking. Rather it must be developed and customized according to the specific needs and requirements of the particular organization. These differences are made clear in the chapter when it details 9 unique information security reporting hierarchies; and deciding on the appropriate reporting hierarchy is not a trivial undertaking. The book writes that successful information security program development, by definition, must align with organization goals. This alignment can only be achieved if the CISO has an open, two-way communication path to each manager with information security responsibilities. While this is a necessary and realistic goal, far too few CISO's have such communications paths at their disposal, and even less have constituent ears that are receptive to such communications. Section two provides an excellent overview of metrics and how they can be effectively used. In the last few years, metrics has been the rage in the security community. Individuals such as Pete Lindstrom and groups such as Security Metrics have been at the forefront of such efforts. But the book notes that metrics for their own sake can also be taken too far. The book references a volume on metrics that has over 900 possible things to measure that would provide security metrics, including such silly metrics as "number of times, by fiscal year, that fines and jail sentences were imposed for altering, destroying, mutilating, concealing or falsifying financial records". Bayuk perceptively observes that any CISO who is measuring these types of concerns and analyzing them for feedback on how to improve their information security program should realistically look for a different job. Section 3 concludes the main part of the book with a security program case study. The point of the case study is to show how an information security program evolves around changes in the organization it supports. The case study shows that all of the six steps on which the book is premised are indeed necessary. The final 100 pages of the book detail various sample security policies, standards, procedures and guidelines. All of the policies, standards, procedures and guidelines are well-written and it would have been nice if these would have been available in electronic format. The book notes that the information security professional has evolved from computer operator to chief information security officer; from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance. For those that want to make that transition, Stepping Through the InfoSec Program is a most valuable guide to get you there. The book is written by an author who has significant amounts of real-world experience in a leading edge organization. That unique knowledge and experience is evident after reading the first few pages of the book. The book provides the reader with a comprehensive overview of how to build an effective information security organization. One final note, don't judge a book by the cover. On the cover are three busy looking executives, all smiling and looking refreshed. The reality is that most people who have taken the time to build effective security programs often emerge from that battle exhausted and battle weary. For anyone contemplation entering the information security field, or those in it already that need effective direction, Stepping Through the InfoSec Program should be on their required reading list.

Great Reading for all Infosec Professionals:
This is an excellent book for all computer security professionals, including senior management who has Infosec directors report to them. For beginners it gives you a concise picture of what elements are involved in an effective Infosec program. The author, Jennifer Bayuk, presents a brief history of Infosec to give you a sense of perspective. Then she outlines the process in which you should approach implementing an Infosec program. These are real world processes, not just theory. For the experienced IT security professional, this book is a quick refresher that will give you numerous items that you can take away for your own work. For the experienced physical security professional looking to expand into the Infosec, this book provides the foundation you will need to broaden your scope. Senior management can also benefit from this book by better understanding what processes should be in place within their organization. The book is only 150 pages, which is incredibly short for security books. But don't let the size fool you. It is well organized and provides a thorough discussion on what process should be included in your Infosec program. The last third of the book is devoted to a case study, sample policies, standards, guidelines and procedures. The case study is a good example of how these components should work in a real world IT department. This is not a technical book. Don't buy this book if you are looking for a technical manual that tells you what routers to use or what intrusion protection system to implement. The author sticks to her title by providing straight forward information to understand what is needed to organize your Infosec program, she explains why it is needed, and tips on how to accomplish each component. What makes this book something you will keep and refer to in the future is that it applies to all IT security practitioners, young and old. I found it a refreshing review even after my 25+ years in the industry. I highly recommend this book to those just starting out in IT security; especially those who have taken all the theory, passed the technical exams, but have never really implemented a security program in the real world. It helps tie in all the theoretical concepts into a workable program. Even the experienced professional, like myself, will find a lot of helpful information that you may want to review in your own program. I have also used this book as a required reading for my security staff to ensure that they have a common understanding of the overall Infosec process.