


SANS InfoSec Reading Room - Management & Leadership

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 10 papers as of Nov 22, 2009
PDF Gathering Security Metrics and Reaping the Rewards
By: Dan Rathbun (posted on November 16, 2009)
Far from being another treatise on detailed metric formulas or data analysis techniques, this is a practical roadmap for initiating a brand new security metrics program or strengthening an existing one.
PDF Women in IT Security Project Management
By: Gurdeep Kaur (posted on October 27, 2009)
This paper provides information about specific skills that may have been developed or acquired within the IT security field.
PDF Effective Time and Communication Management
By: Brad Ruppert (posted on June 9, 2009)
This paper will discuss how to manage your time to ensure you are focusing your work on the business rather than in the business.
PDF Beer - The Key Ingredient to Team Development
By: Brad Ruppert (posted on May 20, 2009)
This paper will discuss the importance of building a social connection with your team members to effectively communicate, problem-solve, and ultimately work together as a team.
PDF Improving the Management of Information Security in Canadian Government Departments
By: Ken Fogalin (posted on April 13, 2009)
Taking Lessons from the ISO/IEC 27001 Standard to Make Continuous, Incremental, and Enduring Improvements
PDF Leading the Transformation of a Security Organization as a New Security Manager
By: Robert Mayhugh (posted on August 19, 2008)
PDF Successfully Building Security into Business Projects
By: Alex Clayton (posted on August 7, 2008)
PDF The Death of Leadership in Management
By: Dana Hudnall (posted on September 12, 2007)
PDF Quantifying Business Value of Information Security
By: Eric Poole (posted on )
Some organizations forgo implementing information security controls that could bring a positive return on investment. The goal of this paper is to familiarize the reader with risk management terminology and to present a quantitative risk management valuation process that shows the benefit of a security control to the business, i.e. the impact of security controls on the organization's bottom line.
PDF Tackling ISO 27001: A Project to Build an ISMS
By: David Henning (posted on )
The ISO 27001/27002 standards for implementing an Information Security Management System (ISMS) often present a challenging set of activities to be performed. When a security professional is tasked with implementing a project of this nature, success hinges on the ability to organize, prepare, and plan effectively. This paper addresses the implementation of an ISO 27001 ISMS using the Project Management Body of Knowledge known as the PMBOK Guide published by Project Management Institute, Inc. This paper explores the process of implementing an Information Security Management System capable of being certified against ISO 27001. It also provides real world concrete examples of the 44 processes in the PMBOK Guide as applied to an information security project at a satellite broadband ISP.
