SANS InfoSec Reading Room - Management & Leadership

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 24 papers as of May 23, 2013
PDF Managing the Implementation of a BYOD Policy
By: Jim Horwath (posted on May 8, 2013)
Mobile devices are consumer-oriented devices that are changing the way people do business.
PDF Information Risks & Risk Management
By: John Wurzler (posted on May 1, 2013)
In a relatively short period of time, data in the business world has moved from paper files, carbon copies, and filing cabinets to electronic files stored on very powerful computers.
PDF Using Teambuilding to Improve Performance for Geographically Distributed Information Security Professionals
By: Julie Kent (posted on January 21, 2013)
In recent years there has been a focus on work being done in teams rather than individually.
PDF Recovering Security in Program Management
By: Howard Thomas (posted on October 3, 2012)
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
PDF A Process for Continuous Improvement Using Log Analysis
By: David Swift (posted on October 26, 2011)
A great deal of money has been spent by organizations on security technology, with only moderate success. Technology is often installed, but often left untuned and unmonitored. Though vendors have touted self-defending networks (Gleichauf, 2005), and claimed their products are impervious, reality teaches otherwise.
PDF Net Neutrality, Rest in Peace
By: James Mosier (posted on October 11, 2011)
No one would argue that the Internet has become an instrumental part of society. With broadband access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.
PDF Scoping Security Assessments - A Project Management Approach
By: Ahmed Abdel-Aziz (posted on June 7, 2011)
Security assessments can mean different things to different people. This paper explores what a security assessment is, why it should be done, and how it differs from a security audit.
PDF Creating a monthly Information Security Scorecard for CIO and CFO
By: Michael Hoehl (posted on January 4, 2011)
Identifying the specific security metrics desired by executives ultimately accountable for information security financials and organization risk management is a daunting task. Common security metrics report how well policies, processes, or controls are functioning. Though this operational perspective is important, additional insight may be desired to reveal the capability maturity of the organization’s security practice (right way), assure I.T. investments are being made based on risk management (right amount and order), and confirm the organization’s business objectives are being advanced (right outcome).
PDF Practical Approaches to Organizational Information Security Management
By: Raees Khan (posted on December 20, 2010)
It is well established that a majority of the world's leading global organizations, across all industries, are constantly challenged to achieve their strategic and tactical business and technology objectives while providing true value to their stakeholders (COBIT, 2005). These organizations increasingly rely on a variety of information assets, such as skilled personnel, complex business processes and the latest technology, to perform functions across all divisions. When correctly provisioned, these factors contribute to achieving the organizational objectives. However, one of the most compelling challenges these organizations face is the lack of a clear and concise enterprise-wide view of organizational information security (ISO/IEC 17799:2000/27002:2005).
PDF Get Out of Your Own Head: Mindful Listening for Project Managers
By: Charlie Scott (posted on December 20, 2010)
It is important for project managers to have interpersonal skills in order to develop a project team (Novello, 2008; Frisk, 2009; Project Management Institute, 2008; Heldman, 2009). The Project Management Institute (2008) summarizes the need for interpersonal skills in a project manager as follows
PDF Creating Robust IT Security and Efficiency by Reducing Infrastructure Complexity in Higher Education
By: Keith Lard (posted on November 17, 2010)
Recent economic conditions have created a business problem unique to higher education and its IT infrastructure. In the past ten years, IT systems and infrastructure have experienced a rapid change in complexity as a result of moving from mainframes to web services (Weinschenk, 2003). The technical landscape continues to become more complex as technology advances and application sophistication increases more rapidly, creating a greater dependency on IT services. To stay competitive and efficient, private and for-profit businesses have spent the last ten years keeping up with technology and training their staff. However, the university has been insulated in its own microcosm, having the luxury of ignoring business cycles, as the product offered has not changed drastically. Now, recent economic conditions and rapid advancement in technology have created the perfect storm within the university setting.
PDF Determining the Role of the IA/Security Engineer
By: Brian Dutcher (posted on October 14, 2010)
What is your view of the role performed by an IA/Security Engineer? Is it focused on securing the network perimeter through the operations of the firewall, virtual private networks (VPNs), intrusion detection system/intrusion prevention system (IDS/IPS), network access control (NAC), data loss prevention (DLP) and enterprise anti-virus solutions? Is it the network specialist responsible for the secure design of the local area network (LAN), virtual LAN (VLAN), wide area network (WAN) and all endpoints? Is it the systems designer or operator responsible for the security of all clients and servers? Is it a software developer specializing in developing and hardening custom applications? Is the IA/Security Engineer someone who is an expert in all these areas? Is the IA/Security Engineer a specialized single technology (i.e. Cisco) expert, or is the position technologically agnostic, working at a higher level where specific detailed technology is irrelevant in the bigger scheme of things?
PDF Brains for Hire / Blame for Hire - The Life and Challenges of a Consulting Project Manager
By: Rob VandenBrink (posted on May 7, 2010)
This paper explores many aspects of project management that are unique to consulting, and consulting Project Managers in particular. Discussions will include how consultants managing projects face different challenges than those in the “normal” in-house project management situation. We’ll explore some of the ways to maximize the chances of project success when consulting. We’ll also discuss how the Process Groups defined within Project Management Body of Knowledge (PMBOK) can be combined, modified, or sometimes outright skipped, under the unique pressures of the consulting situation.
PDF The Evolving Role of Security Structures
By: Dale Emel (posted on January 28, 2010)
PDF Gathering Security Metrics and Reaping the Rewards
By: Dan Rathbun (posted on November 16, 2009)
Far from being another treatise on detailed metric formulas or data analysis techniques, this is a practical roadmap for initiating a brand new security metrics program or strengthening an existing one.
PDF Women in IT Security Project Management
By: Gurdeep Kaur (posted on October 27, 2009)
This paper provides information about specific skills which may have been developed or acquired within the IT security field.
PDF Tackling ISO 27001: A Project to Build an ISMS
By: David Henning (posted on July 22, 2009)
The ISO 27001/27002 standards for implementing an Information Security Management System (ISMS) often present a challenging set of activities to be performed. When a security professional is tasked with implementing a project of this nature, success hinges on the ability to organize, prepare, and plan effectively. This paper addresses the implementation of an ISO 27001 ISMS using the Project Management Body of Knowledge known as the PMBOK Guide published by Project Management Institute, Inc. This paper explores the process of implementing an Information Security Management System capable of being certified against ISO 27001. It also provides real world concrete examples of the 44 processes in the PMBOK Guide as applied to an information security project at a satellite broadband ISP.
PDF Quantifying Business Value of Information Security
By: Eric Poole (posted on July 14, 2009)
Some organizations forgo implementing information security controls that could bring a positive return on investment. The goal of this paper is to familiarize the reader with risk management terminology and to present a quantitative risk management valuation process that shows the benefit of a security control to the business, in terms of its impact on the organization's bottom line.
PDF Effective Time and Communication Management
By: Brad Ruppert (posted on June 9, 2009)
This paper discusses how to manage your time so that you are working on the business rather than in the business.
PDF Beer - The Key Ingredient to Team Development
By: Brad Ruppert (posted on May 20, 2009)
This paper discusses the importance of building a social connection with your team members in order to communicate, problem-solve, and ultimately work together effectively as a team.
PDF Improving the Management of Information Security in Canadian Government Departments
By: Ken Fogalin (posted on April 13, 2009)
Taking Lessons from the ISO/IEC 27001 Standard to Make Continuous, Incremental, and Enduring Improvements
PDF Leading the Transformation of a Security Organization as a New Security Manager
By: Robert Mayhugh (posted on August 19, 2008)
PDF Successfully Building Security into Business Projects
By: Alex Clayton (posted on August 7, 2008)
PDF The Death of Leadership in Management
By: Dana Hudnall (posted on September 12, 2007)