The CISO Handbook

Book description

A truly practical work, this handbook offers a comprehensive roadmap for designing and implementing an effective information security program based on real-world scenarios. It bridges high-level theory and practical execution by illustrating solutions to practical issues that theoretical texts often overlook, yielding a set of practices that security professionals can use every day. The framework it describes can be expanded or contracted to meet the needs of almost any organization. Usable as a reference as well as a guide, each chapter is self-contained and can be read in any order.

Table of contents

  1. Front cover
  2. Table of Contents
  3. Foreword
  4. Acknowledgments
  5. Introduction
  6. Chapter 1
    1. Assess
      1. Overview
      2. Foundation Concepts
        1. Critical Skills
          1. Consultative Sales Skills
          2. Enabling New Business Opportunities
          3. Reducing Business Risk
        2. Critical Knowledge
        3. Understanding Your Business
        4. Understanding Risk
        5. Understanding Your Enterprise Differentiators
          1. Understanding Your Legal and Regulatory Environment
          2. Understanding Your Organizational Structure
          3. Understanding Your Organizational Dynamics
          4. Enterprise Culture
          5. Understanding Your Enterprise’s View of Technology
          6. Assessment Methodology
        6. Identifying Your Program’s Primary Driver
          1. Why Are You Here?
          2. Stakeholders
          3. Types of Stakeholders
          4. Analysis
          5. Identifying Your External Drivers
          6. Regulatory/Audit Environment
          7. Other External Drivers
          8. Identifying Your Internal Drivers
          9. Political Climate
          10. Who Is on Your Team?
          11. The Enterprise’s Business
          12. Financial Environment
          13. Technical Environment
          14. Industry
        7. Assessment Checklist
  7. Chapter 2
    1. Plan
      1. Overview
      2. Foundation Concepts
      3. Critical Skills
        1. Visioning
        2. Strategic Planning
        3. Negotiating
        4. Marketing
        5. Talent Assessment
        6. Critical Skills Summary
        7. Critical Knowledge
        8. ISC2 Common Body of Knowledge (CBK)
        9. Other Security Industry Resources
      4. Planning Methodology
        1. Understanding Your Program’s Mandate
          1. Determining Your Program Mission
          2. Mission Statements
          3. Building Your Mission Statement
        2. Determining Your Program’s Structure
          1. Operational Versus Non-Operational
          2. Size of Your Enterprise
          3. Political Climate
        3. Centralized Versus Decentralized
          1. Common Reasons for Choosing a Centralized Model
          2. Common Reasons for Choosing a De-Centralized Model
        4. Security Pipeline
          1. Architecture
          2. Maintenance
          3. Inspection
        5. Size of Your Program
          1. Large Program Considerations
          2. Small Program Considerations
          3. Conclusion
          4. Common Security Responsibilities
        6. Information Security Program Structure Summary
        7. Determining Your Program’s Staffing
          1. Define the Roles and Responsibilities of Your Team Members
          2. Critical Attributes
          3. Security Roles and Responsibilities
          4. Influence on Staffing by the Information Security Program Structure
          5. Perform a Gap Analysis
          6. Evaluate Talent
      5. Planning Summary
      6. Planning Checklist
  8. Chapter 3
    1. Design
      1. Overview
      2. Foundation Concepts
        1. Critical Skills
          1. Analytical Skills
          2. Discovery
          3. Evaluation
          4. Strategy
          5. Formulation
          6. Organizational Skills
          7. Sales
          8. Financial Planning and Budgeting
          9. Critical Skills Summary
        2. Critical Knowledge
          1. Opportunity Cost
          2. Security Documents
          3. Policies
          4. Standards
          5. Procedures
          6. Guidelines
          7. Example
          8. Risks, Threats, and Vulnerabilities … Oh My!
          9. Example
          10. Types of Security Controls
          11. Preventive Controls
          12. Detective Controls
          13. Gap Analysis
          14. SMART Statements
          15. Types of Projects
          16. People Projects
          17. Process Projects
          18. Technology Projects
      3. Methodology
        1. Preview
        2. Security Document Development
        3. Project Portfolio Development
        4. Communication Plan Development
        5. Incorporating Your Enterprise Drivers
          1. Constraints
          2. Laws and Regulations
          3. Corporate Responsibility/Code of Conduct
          4. Enablers
        6. Requirements
          1. Business Requirements
          2. Example
          3. Example
          4. Functional Requirement
          5. Example
          6. Business Requirements of PCSI
          7. Functional Requirement
          8. Analysis
          9. Methods for Creating Functional Requirements
          10. Requirements Summary
        7. Gap Analysis
        8. Building Security Policies, Standards, Procedures, and Guidelines
          1. The Theory of Security Policies
          2. Drafting Your Information Security Policies
          3. Ratifying the Security Policies
          4. Standards, Procedures, and Guidelines
        9. Build Security Documents Summary
        10. Building the Security Project Portfolio
          1. Performing the Policy Gap Analysis
          2. Example
          3. Analysis
          4. Defining Ambiguities
          5. Evaluating Controls (Gap Analysis)
          6. Risk and Exposure Statements
          7. Risk Rating
          8. Risk Rating - High
          9. Deriving the Security Projects
          10. Quantitative Evaluation
          11. Qualitative Evaluation
          12. Cursory Project Scoping
          13. Projects Versus Core
          14. Scheduling (First Three Years)
          15. Capital Budgeting
          16. Approval of the Security Project Portfolio
          17. Believe in Your Product
          18. Ensure That Your Logic for Prioritization Is Understood
          19. Know Your Product
          20. Know What Others Are Buying
          21. Identify the Buyers and the Roadblocks
          22. Those Who Will Buy Your Offerings
          23. Those Who Will Not Buy Any of Your Offerings
          24. Those Who Can Apply Pressure to Individuals Who Won’t Buy Your Offerings
          25. Sell through Momentum
          26. Sell through Others
          27. Ensure That It’s Sold before You Attempt to Sell It
          28. Always Present in Person
          29. Summary
        11. Annual Portfolio Review
        12. Build the Communication Plan
          1. Potential Channels for the Communication Plan
      4. Chapter Summary
      5. Design Checklist
  9. Chapter 4
    1. Execute
      1. Overview
      2. Foundation Concepts
        1. Preview
        2. Critical Skills
          1. Executor
          2. Commander
          3. Communication
          4. Tactician
          5. Research
          6. Analysis
          7. Critical Skills Summary
        3. Critical Knowledge
          1. Overview of Project Management Methodologies
          2. Benefits of a Project Mentality for Your Information Security Program
          3. The Project Management Triangle
          4. Technical Control Layers
          5. Summary
        4. Methodology
          1. Preview
        5. Project Execution
          1. Development Methodology Structure
          2. Critical Success Factors for a Project
          3. Business, Functional, and Technical Requirements
          4. Marketing Metrics
          5. Project Governance Model
          6. Management Support - Sponsorship
          7. Establish a Team
          8. Shared Vision
          9. Formalized Project Plan (Gantt Chart)
          10. Identifying and Working through the Lull of Doom
          11. Critical Success Factors Summary
          12. Warning Signs for Projects
          13. Train Wrecks
          14. Project Types and Their Intricacies
          15. Common Guidelines for All Projects
          16. Common Guidelines for People Projects
          17. Common Guidelines for Process Projects
          18. Common Guidelines for Technology Projects
          19. Project Type Summary
          20. Incorporating Security into Projects
          21. Tools for Adding Security into a Properly Structured Project
          22. Deploy
          23. Tools for Adding Security into a Project with Missing Components
          24. Vendor Evaluation/Selection
          25. Preparing the Marketing Material
      3. Chapter Summary
  10. Chapter 5
    1. Report
      1. Overview
      2. Foundation Concepts
        1. Critical Skills
          1. Writer
          2. Presenter
        2. Critical Knowledge
          1. Primary Principle of Reporting
          2. Basic Reporting Components
          3. Delivery Mechanisms
        3. Marketing
        4. Branding
          1. Metrics
          2. Damage Control
          3. Summary
      3. Methodology
        1. Report Construction Process
          1. Identifying the Need
          2. Determine Intent
          3. Desired Reaction
        2. Determine Target Audience
          1. Internal Audiences
          2. Executive Management/Board of Directors
          3. Technical Engineering Staff
          4. Employees
          5. Internal Audit/Regulatory Compliance Office
          6. External Audiences
          7. Government Agencies/Independent Auditors/Regulators
          8. Stockholders and Owners
          9. Customers and Clients
          10. Target Audience Summary
        3. Delivery Mechanisms
          1. Administrative Reporting
          2. Operational Reporting
          3. Types of Delivery
          4. Follow up on the Message
          5. Close the Deal
      4. Chapter Summary
  11. Chapter 6
    1. The Final Phase
      1. Overview
      2. Back to the Beginning
      3. Parting Thoughts
  12. Appendix A
    1. Design Chapter Worksheets
  13. Appendix B
    1. Report Creation Process Worksheet
  14. Appendix C
    1. Requirements Sample
      1. Anti-Virus Project Requirements
        1. Vision
        2. Objective Statement
        3. Business Requirements
        4. Functional Requirements
          1. Solution Oriented:
          2. Operational:
          3. Vendor Oriented:
        5. Technical Requirements
          1. Solution Oriented:
          2. Vendor Oriented:
  15. Appendix D
    1. SDLC Checklist
      1. Systems Development Life Cycle Project Documentation
  16. Appendix E
    1. Recommended Reading
      1. Web sites
      2. Books
  17. Index
    1. A
    2. B
    3. C
    4. D
    5. E
    6. F
    7. G
    8. H
    9. I
    10. J
    11. L
    12. M
    13. N
    14. O
    15. P
    16. Q
    17. R
    18. S
    19. T
    20. V
    21. W

Product information

  • Title: The CISO Handbook
  • Author(s): Michael Gentile, Ron Collette, Thomas D. August
  • Release date: April 2016
  • Publisher(s): Auerbach Publications
  • ISBN: 9781420031379