
RSK4801 B0 LS05 017 MO


LESSON 17: INFORMATION SECURITY


17.1 PURPOSE

Provide an overview and broad understanding of information security.

17.2 KEY CONCEPTS

 Information security

 Enterprise security

 Information technology security

 External factors

 Measurement

 Information security governance

 Reporting

 Impact analysis

 Vulnerabilities

 Risk management

 Business continuity

 Crisis management

17.3 LEARNING OUTCOMES

On completion of this lesson, you should be able to

 put information security in context

 identify the lessons learnt in the past

 define information security

 discuss the management of information security in an enterprise

 identify the four domains of information security vulnerabilities

 identify other drivers of information security risks

 explain how information security is measured

 discuss business impact analysis

 discuss information risk management

 discuss business continuity and crisis management

17.4 LEARNING MATERIAL

Chapters 1-8 of the online book: Gelbstein, E. 2013. Information security for non-technical managers. Available at: https://sunsreynat.files.wordpress.com/2014/07/information-security-for-non-technical-managers.pdf.

17.4.1 Information security in context

Information security concerns the use of computer systems and networks in a connected world in which many people have computers and cellphones with access to the internet. Many users also have sufficient knowledge of computers and software to disrupt and cause harm in cyberspace. This chapter of the textbook covers

 a short history of information technologies, their side effects and unintended consequences

 the importance of information security and information technology security

 the pervasiveness and dependencies of information technologies

Read sections 1.1 to 1.3 in chapter 1 – Information security in context.

17.4.2 Lessons identified in the last ten years

One of the many challenges of managing information security in the corporate world is scale. Small organisations may not have access to the skills and experience needed to implement many of the recommended practices. Very large organisations with many locations may lack a coordinated and customised approach and have to rely on bureaucratic procedures and rules. Whatever the approach, it should reflect the circumstances of the specific organisation and form part of its information security governance. This chapter covers

 the semantics of information security – how ambiguity in the language of information security leads to misunderstandings and confusion

 the primary information security target areas – crime, critical infrastructures, government, the military and individuals

 how so many organisations are unprepared despite the availability of standards, guidelines and good practices

 organisational, professional and international certifications

 asymmetries and consequences – the asymmetric nature of what has become a war of attrition

 how maintaining security is everybody's responsibility

Read sections 2.1 to 2.6 in chapter 2 – Lessons identified in the last ten years.

17.4.3 Defining information security

The terminology regarding cyberspace is ambiguous and can lead to misunderstandings and confusion. Many basic terms have disputed definitions and spelling. The same is true for the concepts of information security and information technology security. This chapter covers

 the meaning of information security

 availability, confidentiality, integrity and other concepts

 the various layers of security and how they relate to information

 the differences between enterprise security, information security and information technology security

Read sections 3.1 and 3.2 in chapter 3 – Defining information security.

17.4.4 Managing information security in the enterprise

Society operates on the basis of trust, which represents a belief in the honesty, fairness and goodwill of all parties concerned.

The loss of trust in cyberspace led to the development of standards, good practices, guidelines, information security policies, legislation and other measures considered necessary for the protection of information assets. Achieving a satisfactory level of information security requires leadership and proper management. This chapter covers

 information security governance

 the components of information security governance

 security management – standards, good practices and guidelines

 characteristics of a competent chief information security officer (CISO)

 the role of the manager

Read sections 4.1 to 4.5 in chapter 4 – Managing information security in the enterprise.

17.4.5 The four domains of vulnerabilities

Security professionals and senior management have different perceptions of the importance of information security, which results in limited dialogue and weak governance. Many organisations are therefore not well prepared to respond to a security incident. Complete information security is unachievable, as it would require the four components on which it relies (i.e. governance, people, processes and technology) to be perfect. This chapter covers

 information security governance

 people (information technology, management and others)

 processes (information technology operations, applications support, data and project management, incident response, disaster recovery, business continuity and crisis management)

 technology

Read sections 5.1 to 5.4 in chapter 5 – The four domains of vulnerabilities.

17.4.6 Other drivers of information insecurity

Information security has become a stable and recognised profession, but it is not regulated and anyone can be a practitioner. This chapter covers

 causes for concern

 external factors – a continually changing landscape

 information security inhibiting innovative thinking

Read sections 6.1 to 6.3 in chapter 6 – Other drivers of information insecurity.

17.4.7 Measuring security

The speed of technical innovation and the enthusiasm for new products work against security by design, which is largely absent from the products on which cyberspace relies. This is in contrast to the safety industry, where an accident is thoroughly investigated to discover its root cause, which is then removed by design. This chapter covers

 security metrics – measuring information security

 reporting information security metrics – what, when, to whom and how

Read sections 7.1 and 7.2 in chapter 7 – Measuring security.

17.4.8 Other information security topics

Understanding and quantifying the impact of security events on an organisation is fundamentally important to ensure that preventive and protective measures are applied where they matter most. Information security deals with uncertainty rather than quantifiable risk, because attackers target specific incidents rather than causing random events. This chapter covers

 business impact analysis (BIA)

 information risk management

 planning for survival – business continuity and crisis management

 the legislative landscape

Read sections 8.1 to 8.4 in chapter 8 – Other information security topics.

17.5 ACTIVITY

Self-assessment questions: Go to the Online assessment tool to do activity 17.5.

17.6 REFLECTION

Reflect on the following personal questions:

a. Where, in your professional life, do you think you will be able to use the skills you have learnt in this lesson?

b. What did you find difficult? Why do you think you found it difficult? Do you understand it now, or do you need more help? What are you going to do about it?

c. What did you find interesting in this lesson? Why?

d. How long did it take you to work through the chapter for this lesson? Are you still on schedule, or do you need to adjust your study programme?

e. How do you feel now?

Gelbstein, E. 2013. Information security for non-technical managers. Available at: https://sunsreynat.files.wordpress.com/2014/07/information-security-for-non-technical-managers.pdf
