Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
Few Information Security (InfoSec) professionals get the opportunity to build a program from the ground up. Whether brought in to maintain, enhance, or fix an existing environment, most inherit a security situation not of their own making.
A great deal of money has been spent by organizations on security technology, with only moderate success. Technology is often installed, but often left untuned and unmonitored. Though vendors have touted self-defending networks (Gleichauf, 2005), and claimed their products are impervious, reality teaches otherwise.
No one would argue that the Internet has become an instrumental part of society. With broad- band access in a large percentage of homes, WiFi freely available in many places of business, and smart phones connected via mobile service providers, our access to the information portal has become nearly an always-on experience.
Identifying the specific security metrics desired by executives ultimately accountable for information security financials and organization risk management is a daunting task. Common security metrics report how well policies, processes, or controls are functioning. Though this operational perspective is important, additional insight may be desired to reveal the capability maturity of the organization’s security practice (right way), assure I.T. investments are being made based on risk management (right amount and order), and confirm the organization’s business objectives are being advanced (right outcome).
All around the world, it has become a well-known fact, that a majority of the world’s leading global organizations, across all industries, are constantly challenged in successfully achieving their strategic and tactical business and technology objectives in an effort to provide true-value to their stakeholders (COBIT, 2005). These leading global organizations increasingly rely on a variety of information assets, such as skilled personnel, complex business processes and the latest technology, to perform various functions across all divisions. These factors, when correctly provisioned, ultimately contribute towards successfully achieving the organizational objectives. However, one of the most compelling challenges encountered by these leading global organizations is the lack of clear and concise enterprise-wide view of organizational information security across the board (ISO/IEC 17799:2000/27002:2005).
It is important for project managers to have interpersonal skills in order to develop a project team (Novello, 2008; Frisk, 2009; Project Management Institute, 2008; Heldman, 2009). The Project Management Institute (2008) summarizes the need for interpersonal skills in a project manager as follows
Recent economic conditions have created a business problem unique to higher education and its IT infrastructure. In the past ten years, IT systems and infrastructure have experienced a rapid change in complexity as a result of moving from mainframes to web services (Weinschenk, 2003). The technical landscape continues to become more complex as technology advances and application sophistication increases more rapidly, creating a greater dependency on IT services. To stay competitive and efficient, private and for-profit businesses have spent the last ten years keeping up with technology and training their staff. However, the university has been insulated in its own microcosm, having the luxury of ignoring business cycles, as the product offered has not changed drastically. Now, recent economic conditions and rapid advancement in technology have created the perfect storm within the university setting.
What is your view of the role performed by an IA/Security Engineer? Is it focused on securing the network perimeter through the operations of the firewall, virtual private networks (VPNs), intrusion detection system/intrusion prevention system (IDS/IPS), network access control (NAC), data loss prevention (DLP) and enterprise anti-virus solutions? Is it the network specialist responsible for the secure design of the local area network (LAN), virtual LAN (VLAN), wide area network (WAN) and all endpoints? Is it the systems designer or operator responsible for the security of all clients and servers? Is it a software developer specializing in developing and hardening custom applications? Is the IA/Security Engineer someone who is an expert in all these areas? Is the IA/Security Engineer a specialized single technology (i.e. Cisco) expert, or is the position technologically agnostic, working at a higher level where specific detailed technology is irrelevant in the bigger scheme of things?
This paper explores many aspects of project management that are unique to consulting, and consulting Project Managers in particular. Discussions will include how consultants managing projects face different challenges than those in the “normal” in-house project management situation. We’ll explore some of the ways to maximize the chances of project success when consulting. We’ll also discuss how the Process Groups defined within Project Management Body of Knowledge (PMBOK) can be combined, modified, or sometimes outright skipped, under the unique pressures of the consulting situation.
Far from being another treatise on detailed metric formulas or data analysis techniques, this is a practical roadmap for initiating a brand new security metrics program or strengthening an existing one.
The ISO 27001/27002 standards for implementing an Information Security Management System (ISMS) often present a challenging set of activities to be performed. When a security professional is tasked with implementing a project of this nature, success hinges on the ability to organize, prepare, and plan effectively. This paper addresses the implementation of an ISO 27001 ISMS using the Project Management Body of Knowledge known as the PMBOK Guide published by Project Management Institute, Inc. This paper explores the process of implementing an Information Security Management System capable of being certified against ISO 27001. It also provides real world concrete examples of the 44 processes in the PMBOK Guide as applied to an information security project at a satellite broadband ISP.
Some organizations forgo implementing information security controls that could bring a positive return on investment to their organization. The goal of this paper is to familiarize the reader with risk management terminology, and present a quantitative risk management valuation process to show the benefit of a security control to the business. The impact of security controls are on the bottom line of the organization.