Advance your career as an information security professional by turning theory into robust solutions to secure your organization

Key Features

  • Convert the theory of your security certifications into actionable changes to secure your organization
  • Discover how to structure policies and procedures in order to operationalize your organization's information security strategy
  • Learn how to achieve security goals in your organization and reduce software risk

Book Description

Information security and risk management best practices enable professionals to plan, implement, measure, and test their organization's systems and ensure that they're adequately protected against threats.

The book starts by helping you to understand the core principles of information security, why risk management is important, and how you can drive information security governance. You'll then explore methods for implementing security controls to achieve the organization's information security goals. As you make progress, you'll get to grips with design principles that can be utilized along with methods to assess and mitigate architectural vulnerabilities. The book will also help you to discover best practices for designing secure network architectures and controlling and managing third-party identity services. Finally, you will learn about designing and managing security testing processes, along with ways in which you can improve software security.

By the end of this infosec book, you'll have learned how to make your organization less vulnerable to threats and reduce the likelihood and impact of exploitation. As a result, you will be able to make an impactful change in your organization toward a higher level of information security.

What you will learn

  • Understand and operationalize risk management concepts and important security operations activities
  • Discover how to identify, classify, and maintain information and assets
  • Assess and mitigate vulnerabilities in information systems
  • Determine how security control testing will be undertaken
  • Incorporate security into the SDLC (software development life cycle)
  • Improve the security of developed software and mitigate the risks of using unsafe software

Who this book is for

If you are looking to begin your career in an information security role, then this book is for you. Anyone who is studying to achieve an industry-standard certification such as the CISSP or CISM, but is looking for a way to convert concepts (and the seemingly endless number of acronyms) from theory into practice and start making a difference in their day-to-day work, will find this book useful.

Table of Contents

  1. Infosec Strategies and Best Practices
  2. Contributors
  3. About the author
  4. About the reviewer
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Reviews
  6. Section 1: Information Security Risk Management and Governance
  7. Chapter 1: InfoSec and Risk Management
    1. Basic InfoSec terminology
    2. Understanding why risk management is important
    3. Understanding assets
    4. Understanding vulnerabilities
    5. Performing a basic risk assessment
    6. Defining and calculating impact
    7. Defining and calculating likelihood
    8. Calculating risk
    9. Risk appetite, risk treatment, and risk acceptance
    10. Considering legal regulations, investigations, and compliance structures
    11. Compliance structures
    12. Understanding legal and regulatory requirements
    13. Responding to and undertaking investigations
    14. Further compliance optimization
    15. Proven methodologies in creating a strategy
    16. Creating InfoSec policies, procedures, and playbooks
    17. Establishing and maintaining a security awareness, education, and training program
    18. Managing third-party risk
    19. Continual improvement and reporting
    20. Summary
  8. Chapter 2: Protecting the Security of Assets
    1. Implementing an ISMS
    2. Responsibilities of top management
    3. Developing an ISMS
    4. Educating members of your organization
    5. Evaluating the effectiveness of the ISMS
    6. Improving the policy
    7. Identifying and classifying information assets
    8. Structuring information asset classifications
    9. Determining the roles for assets
    10. Methods of identifying and protecting information assets
    11. Retention policies
    12. Securing information assets
    13. Disposing of assets
    14. Data remnants
    15. Summary
  9. Section 2: Closing the Gap: How to Protect the Organization
  10. Chapter 3: Designing Secure Information Systems
    1. Understanding the risks your organization faces
    2. Threats, threat actors, and motivations
    3. Vulnerabilities
    4. System exploitation methods
    5. Best practices in assessing and mitigating vulnerabilities
    6. Hardware security
    7. Software security
    8. Network security
    9. Physical security
    10. Selecting appropriate controls/defense against the dark arts
    11. Best practices in designing secure information systems
    12. Secure design principles
    13. Well-known controls and their mitigations
    14. Considering alternative devices
    15. Summary
  11. Chapter 4: Designing and Protecting Network Security
    1. Designing secure network architectures
    2. Internet Protocol suite and the OSI model
    3. Network components and protocols
    4. Network devices and applications
    5. Attacks, defense, and detection
    6. Strategies for protecting network security
    7. Creating a policy
    8. Keep it simple
    9. Business continuity and disaster recovery
    10. Backup and restore procedures
    11. Insider threat mitigations/third-party threats
    12. Software and firmware updates
    13. Ensuring secure communication
    14. Cloud network security
    15. Education and awareness
    16. Security Operations Center
  12. Chapter 5: Controlling Access and Managing Identity
    1. Access control models and concepts
    2. State machine model
    3. Information flow model
    4. Confidentiality models
    5. Integrity models
    6. Real-world access control models
    7. Selecting and implementing authentication and authorization mechanisms
    8. Authentication versus authorization
    9. Authentication and security
    10. Authorization
    11. Identity and access management (IAM)
    12. Leveraging identity services
    13. Controlling physical access to assets
    14. Physical access control
    15. Electronic access control
    16. Preventing exploitation
    17. Summary
  13. Section 3: Operationalizing Information Security
  14. Chapter 6: Designing and Managing Security Testing Processes
    1. Preparing for security assessments
    2. Defining your requirements
    3. Understanding the different types of security assessments
    4. Automated assessments and scanning
    5. Internal assessments
    6. Third-party assessments
    7. Best practices in performing security assessments
    8. Interpreting results from security assessments
    9. Summary
  15. Chapter 7: Owning Security Operations
    1. Effective strategies in provisioning resources and maintaining assets
    2. Provisioning resources
    3. Focusing on availability, disaster recovery, and business continuity
    4. Defining, implementing, and testing disaster recovery processes
    5. Managing business continuity design, planning, and testing
    6. Implementing and managing physical security
    7. Managing upgrades, patching, and applying security controls
    8. Education
    9. Change control
    10. Security improvement program
    11. Investigating events and responding to incidents
    12. Defining your incident response plans
    13. Performing security investigations
    14. Implementing and utilizing detective controls
    15. Using security monitoring to improve visibility
    16. Security monitoring best practices
    17. Establish requirements and define workflows
    18. Define specific rules and ensure their effectiveness
    19. Continuously improve your SIEM configuration and incident response policies
    20. Summary
  16. Chapter 8: Improving the Security of Software
    1. Exploring software security paradigms
    2. Buyer beware
    3. Legal documentation
    4. Understanding the secure development life cycle
    5. Compatibility with various software development methodologies
    6. Defining business and security requirements
    7. Designing secure software
    8. Testing plans for secure software
    9. Securing software development
    10. Testing the software
    11. Utilizing the OWASP Top 10 Proactive Controls
    12. Define security requirements
    13. Leverage security frameworks and libraries
    14. Secure database access
    15. Encode and escape data
    16. Validate all inputs
    17. Implement digital identity
    18. Enforce access controls
    19. Protect data everywhere
    20. Implement security logging and monitoring
    21. Handle all errors and exceptions
    22. Assessing software security
    23. Reducing the risk from software developed by a third-party vendor
    24. Improving the security of in-house software
    25. Summary
    26. Why subscribe?
  17. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Leave a review - let other readers know what you think