CriticalSecurity.com, the home of Computer Security, Internet Security and Network Security


Mission Critical Security Planner Foreword

Security—of our systems, our organizations, our personal identities—is more important than ever, and we, as an industry, need to advance the art and technology of security to make it less elusive, more readily achievable. I’m well aware that being responsible for security in an organization is not an easy job, and my objective for Mission-Critical Security Planner is to make that job easier and the results more effective. Few if any comprehensive security planning guides are available today that present a consistently workable methodology and perspective derived from an author's first-hand experience. This book seeks to fill that gap. Whereas most books provide tutorials and implementation tips relating to specific security technologies or an overview of security technologies, this book introduces a system of worksheets that enables you, the reader, to immediately have a hands-on experience in security planning.


As you go through the security planning process in this book, keep in mind the adage that actions speak louder than words; that is, in the end, we will have to evaluate our ultimate commitment to security planning by what we do, not by what we say we should do. Otherwise, we end up with what I call the “soft spots” in most security implementations. To name just a few I commonly see: Too many organizations do not adequately and effectively address the physical security elements of our corporate offices, incorrectly assuming that physical security relates in only a small way to electronic security. Too many people routinely email confidential information “in the clear” over public networks. Too many deploy systems without proper security review and implementation. Simply put, too many build what can only be described as playgrounds for hackers.


The other side of the coin, equally detrimental, is to try to incorporate too much into the security planning process. This causes lack of focus. Security planning, as I define it here, is concerned with the protection of information and infrastructure against risks introduced through the acts of one or more human beings, either intentional or accidental.


Who Should Read This Book
This book is intended for the working IS/IT manager and administrator, security officer, security consultant, operational executive concerned about security, and the CTO who spends most of his or her workday putting out fires. If you fill one of these roles at your company, I’m betting you need an approach to security planning that relates to the technology you see every day. You need answers—a road map, really—and advice about how to sort through the morass of security technologies, directions, and options that proliferate today. This book is intended for that purpose, again to make your job easier. In it you will find a plan and template to follow, one that will help you find your way through the tangle of security technology and challenges.

Let me assure you that you will not need to take out the equivalent of a slide rule to perform solid security risk analysis. Nor will you need to become a technical expert—though, ideally, you should be familiar with a range of technologies. (For those not familiar with common industry terms such as filter or proxy server, a comprehensive glossary is provided at the end of the book.) In this book I do not ask you to understand something fundamentally if you can get the job done by understanding just enough to manage the problem. I attempt to provide answers; I do not expect you to learn to derive them on your own from first principles.

I have deliberately kept the book's style conversational and friendly. It shares my philosophies, perspectives, and viewpoints on the topic of security planning. And though it does not provide specific command-line tips and techniques for configuring Cisco routers, an Entrust PKI, or a Checkpoint firewall, it does present the issues associated with these classes of products and related technology for the purpose of planning security.

And to address a fundamental challenge of security planning faced by all IS/IT managers today—that of justifying cost—I provide a quantitative risk analysis methodology, which I call impact analysis, as a means to do just that: justify security expenditures. Using this method will help you to understand the risks, to estimate the costs, if any, of lowering them, and to assess the resulting reduction in impact risk.

With that said, it’s important to point out that security planning is not all about spending more money to reduce risk. In fact, spending money often does not solve the problem or reduce the risk (though it’s probably safe to say that a well-funded security group will perform, on average, better than a poorly funded one). Security is as much about sound policies, procedures, implementation, and operations as it is about investment. So, of course, this book addresses those issues as well as part of the security planning process.

Finally, I want to elaborate on what can be considered the heart of the book: the worksheets. For the busy IT professional, few things are more helpful than a template showing how to complete a new and complex task. These worksheets provide such a guide. They are tools you can use directly in your work. You can integrate them into your planning documents, use them as the basis for important security policies and procedures, and include completed worksheets in memos that you distribute within your company. You can even customize worksheets for the various implementation groups, which can use them to verify that they have completed all of the steps delineated in the worksheets.

To save you time, the worksheets are included in two forms: fill-in-the-blank versions to view as you read and Microsoft Word-formatted electronic versions. Feel free to customize these worksheets to include more questions and pointers related to your particular needs. Electronic copies of the worksheets included in this book are available for download from this website.


How the Book Is Organized
I think you’ll find that Mission-Critical Security Planner is logically organized to ensure that you get the most from the material. The chapters break down as follows:


Chapter 1: Setting the Stage for Successful Security Planning. This chapter introduces you to a security planning approach that works. In it I identify challenges, problems, and pitfalls associated with less-than-optimal approaches so that you’ll know how to avoid them. The chapter also introduces a method for guiding and justifying your security budget, and it addresses the important topic of successfully “selling” security inside your organization. The chapter closes with a summary of security business process improvement. All of these topics are expanded on throughout the remainder of the book.

Chapter 2: A Security Plan That Works. This chapter describes how to form the security planning team, whose members will be responsible for carrying out the security plan for your organization. This chapter also introduces the security planning template that we will use throughout the remainder of this book and that, subsequently, you will be able to use to develop an effective security plan for your own organization.

Chapter 3: Using the Security Plan Worksheets: The Fundamentals. In this chapter you will begin to learn how to fill out the worksheets that will serve as your guide throughout the security planning process. The worksheets contain an important starter set of questions and pointers. When you address these conscientiously and plan accordingly, the result will be a comprehensive security plan.

Chapter 4: Using the Security Plan Worksheets: The Remaining Core and Wrap-up Elements. In this chapter you continue to learn how to fill out the worksheets that will serve as your guide throughout the security planning process.

Chapter 5: Strategic Security Planning with PKI. This chapter offers a primer on the business, technical, and planning issues associated with a poorly understood but very important strategic security planning technology, public key infrastructure (PKI) technology.

Chapter 6: Ahead of the Hacker: Best Practices and a View of the Future. In this concluding chapter I review the best practices for security planning presented throughout the book. I also invite you to look with me into the future at what we might expect from hackers and how our approach to security planning can be continually applied to protect our information and infrastructure as we face those oncoming challenges.

Glossary.
For Further Reading.

Copyright © 2002-2005 NetFrameworks, Inc.
All product names are trademarks of their respective companies.
Mission Critical Security is not affiliated with or endorsed by any company listed at this site.