How to Cheat at Managing Information Security

In the first part of this chapter, we put information security to one side and reviewed general business theory. We learned that at each level of management, control is enforced by standards and procedures, policy, and strategy. At the end of the chapter, we learned about monitoring and enforcement, which provide management the ability to monitor the effectiveness of their control. Understanding this fact allows us to apply basic good management techniques to our specific mission of information security management. In turn, this allows to appear businesslike and effective to other parts of the organization; security management often has little to do with computers. (If you would like to know more, refer to the works of Stafford Beer on diagnosing the system.)
Having set the commercial backdrop, we:
Related this general theory to the generation of a strategic security plan
Detailed the format of a policy, the type of statements it should contain (based on your analysis of assets and impact), and the type of subjects that should form an initial policy set
Described how to produce technical standards and baselines
Dealt with enforcement how to make sure it is working
| Note | Value this chapter and the small pearls of wisdom it contains. To the disinterested or unperceptive layperson, it might appear lightweight, but there is a lifetime of experience represented in these few words. |
The following addendum to this chapter contains a basic methodology that can help security officers capture the information security strategic requirements and consolidate them into...