There are plenty of tools we could talk about for those who already have a security program in place. What have we got if you don’t?
(There are, of course, those long in the field, who seriously wish that they could start over from scratch. This book might act as a reminder that might get them out of the weeds long enough to see an approach or tool they might have overlooked.)
Walter Williams has taken on that task. What happens when you, as possibly the crack firewall expert on the tech team, are suddenly noticed by the boss, who, out of the blue, decides that the company needs a CISO, and you’re it. You’ve got the whole corporate infosec world in your hands, and you’d better not drop it.
Chapter one correctly states that you can start with either risk assessment or compliance, and lists, in detail, that tools available to you for both. Williams includes the top level security frameworks that can act as your guides into the labyrinth that is information security, and notes the strengths, and areas of emphasis, of each. This provides you with not only a starting point, but resources that will aid your throughout your security career.
From there, Williams moves into policy, and the supporting documentation around it. Without policy you can have no security, because you don’t know what it is you are protecting, and why. Included in this chapter is an initial foray into the importance of planning, which will come back in myriad forms as you move deeper into security processes.
Asset management jumps from the high level viewpoint down into the weeds and details. However, that is a jump that you frequently have to make in security. You have no security without an overall vision, but you have no protection without having the correct controls in place and working. Assets, and the controls meant to protect them, have vulnerabilities, and so managing those is vital as well.
Overall planning is important, but very soon you are going to be putting out fires, known in the trade as incidents. Note that Williams does not, at this point, give you a full guide to business continuity or disaster recovery planning, which would require an entire book of its own. He does, however, point you to yet more frameworks in the fields, which will get you started in that direction.
Then it’s back to assets, in this case the “endpoint,” or what the user tends to interact with. The author provides an overview of both the various problems which you will likely encounter in this realm, and a variety of protections you may wish to choose, depending upon your specific security posture. From there Williams moves to email security, an issue common to pretty much any end user these days.
From the user, it is back to the technical team, and the issues with your networking and telecommunications. Note that I say “issues”: the full range of every possible detail that you need to know would need a very fat book indeed, and several of those are available when you want to go there. Somewhat more detail, or at least the structures and processes that you will need, are addressed in the chapter on software development.
After the introduction to incidents, earlier in the work, Williams now turns to disasters, and disaster recovery. This is addressed from the disaster recovery, rather than the business continuity, angle, which is probably wise, as a company in the first round of a security program probably has neither the maturity, nor the resources, to prepare a full business continuity plan.
In the chapter on access control, Williams spends a good deal of time outlining some of the formal theories and models behind the controls. This is far from a waste of time. Tuning an access control system in terms of details can waste a good deal of effort and resources if those controls do not protect in the way you think or assume that they will. Looking at the formal models should get you used to understanding what a system will, and won’t, do for you.
Spend a lot of time with chapter twelve, “Human Issues.” As the author notes up front, too many security specialists take it for granted that people are the problem. People are your greatest weakness, in security, but they are, paradoxically and at the same time, your greatest security asset. Make your people aware, and get them onside.
Williams finishes with the concept of organizational maturity. This is an important concept, but readers may be distracted by the accompanying material on metrics and data presentation.
This is a solid, and comprehensive, guide for those who have to start securing an enterprise from square one. It may appear to jump around from topic to topic, and from the overall view to the details. Get used to it. That’s what security is like.
No comments:
Post a Comment