Information Security: A Strategic Approach
April 2006, Wiley-IEEE Computer Society Press
This publication is a reflection of the author's firsthand experience as an information security consultant, working for an array of clients in the private and public sectors. Readers discover how to work with their organizations to develop and implement a successful information security plan by improving management practices and by establishing information security as an integral part of overall strategic planning.
The book starts with an overview of basic concepts in strategic planning, information technology strategy, and information security strategy. A practical guide to defining an information security strategy is then provided, covering the "nuts and bolts" of defining long-term information security goals that effectively protect information resources. Separate chapters covering technology strategy and management strategy clearly demonstrate that both are essential, complementary elements in protecting information.
Following this practical introduction to strategy development, subsequent chapters cover the theoretical foundation of an information security strategy, including:
* Examination of key enterprise planning models that correspond to different uses of information and different strategies for securing information
* Review of information economics, an essential link between information security strategy and business strategy
* Role of risk in building an information security strategy
Two separate case studies are developed, helping readers understand how the development and implementation of information security strategies can work within their own organizations.
This is essential reading for information security managers, information technology executives, and consultants. By linking information security to general management strategy, the publication is also recommended for nontechnical executives who need to protect the value and security of their organization's information.
Strategy and Information Technology.
Strategy and Information Security.
An Information Security Strategic Planning Methodology.
The Business Environment.
The Strategic Planning Process.
The Technology Plan.
The Management Plan.
Theory and Practice.
2. Developing an Information Security Strategy.
An Information Security Strategy Development Methodology.
Formal Project Introduction.
General Background Information.
Strengths, Weaknesses, Opportunities, and Threats.
Business Systems Planning.
Critical Success Factors.
Benchmarks and Best Practices.
Analysis Focus Areas.
Organizational Mission and Goals.
Management Systems and Controls.
Information Technology Management.
Information Technology Architecture.
Draft Plan Presentation.
Final Plan Presentation.
Options for Plan Development.
A Plan Outline.
Selling the Strategy.
The Security Assessment and the Security Strategy.
What is a Tactical Plan?
Converting Strategic Goals to Tactical Plans.
Turning Tactical Planning Outcomes into Ongoing Operations.
3. The Technology Strategy.
Thinking About Technology.
Planning Technology Implementation.
Some Basic Advice.
Technology Life-Cycle Models.
Technology Solution Evaluation.
Role of Analysts.
Technology Strategy Components:
The Security Strategy Technical Architecture.
Leveraging Existing Vendors.
The Management Dimension.
Overall Technical Design.
The Logical Technology Architecture.
Specific Technical Components.
External Network Connections.
Applications and DBMS.
Portable Computing Devices.
Facility Security Systems.
Security Management Systems.
4. The Management Strategy.
Control Systems and the Information Security Strategy.
Ensuring IT Governance.
IT Governance Models.
Current Issues in Governance.
Control Objectives for Information and Related Technology (CobiT).
IT Balanced Scorecard.
Governance in Information Security.
An IT Management Model for Information Security.
Policies, Procedures, and Standards.
Assigning Information Security Responsibilities.
To Whom Should Information Security Report?
Information Security Staff Structure.
Staffing and Funding Levels.
Organizational Culture and Legitimacy.
Training and Awareness.
5. Case Studies.
Case Study 1—Singles Opportunity Services.
Developing the Strategic Plan.
Information Value Analysis.
Case Study 2—Rancho Nachos Mosquito Abatement District.
Developing the Strategic Plan.
Information Value Analysis.
6. Business and IT Strategy.
Strategy and Systems of Management.
Business Strategy Models.
Boston Consulting Group Business Matrix.
Michael Porter—Competitive Advantage.
Business Process Reengineering.
The Strategy of No Strategy.
Nolan/Gibson Stages of Growth.
Rockart’s Critical Success Factors.
IBM Business System Planning (BSP).
So is IT really “strategic”?
IT Strategy and Information Security Strategy.
7. Information Economics.
Concepts of Information Protection.
From Ownership to Asset.
Information Economics and Information Security.
Basic Economic Principles.
Why is Information Economics Difficult?
Information Value—Reducing Uncertainty.
Information Value—Improved Business Processes.
Information Security Investment Economics.
The Economic Cost of Security Failures.
Future Directions in Information Economics.
Information Management Accounting—Return on Investment.
Economic Models and Management Decision Making.
Information Protection or Information Stewardship?
8. Risk Analysis.
Compliance Versus Risk Approaches.
The “Classic” Risk Analysis Model.
Newer Risk Models.
Process-Oriented Risk Models.
Tree-Based Risk Models.
Organizational Risk Cultures.
Risk Averse, Risk Neutral, and Risk Taking Organizations.
Strategic Versus Tactical Risk Analysis.
When Compliance-based Models are Appropriate.
Notes and References.
- Includes case studies and handy checklists at the end of each chapter.
- Offers information security executives a guide to long-term planning that can provide solid business justification for often costly programs.
- Offers non-technical management a theoretical framework for evaluating information security's role in the enterprise.
"Useful for information security managers, IT executives, and consultants, the book can also help nontechnical executives who need to protect the value and security of their organization's information." (IEEE Computer Magazine, May 2006)