- The NIST Framework — The Information Security Management Chain. Following the NIST Framework for Improving Critical Infrastructure Cybersecurity, managing the security of information hinges on five security management capabilities:
  - Identify: what information needs to be protected and where it is located
  - Protect: that information
  - Detect: information attacks and other incidents
  - Respond: to information attacks and other incidents, especially successful attacks
  - Recover: from the incident, […]
- The Objective of Information Security Management. Overview of the objectives of Information Security Management.
- Information Security Management — Seven Critical Success Strategies. Critical points for understanding effective information security management and success.
- A Few Quotes about Information Security and Privacy. “Distrust and caution are the parents of security.” (Benjamin Franklin) “The secret of success lies in managing risk, not avoiding it.” (Merryle Rukeyser, financial journalist / educator) “The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s […]
- Small Business Information Security: The Fundamentals. The guide from the National Institute of Standards and Technology (NIST) is written for small-business owners not experienced in cybersecurity and explains basic steps they can take to better protect their information systems.
- Protecting Personal Information: A Guide for Business — Federal Trade Commission (FTC)
- Start with Security: A Guide for Business; Lessons Learned from FTC Cases — Federal Trade Commission (FTC)
- Cybersecurity for Small Businesses, Small Business Administration Learning Center
Information Security and Governance Management Overviews
- The Citadel Way to Information Security Management … A Management Guide, Citadel Information Group
- Cybersecurity for middle market companies (5-minute video with transcript) — Robert Braun, Michael Gold; Cybersecurity and Privacy Law Group; Jeffer Mangels Butler & Mitchell
- Hacker stories: Case studies — Insights for the C-Suite. Target. Sony. Wendy’s and more — Presentation to SecureTheVillage Pasadena Roundtable, July 2016, Stan Stahl, Citadel Information Group
Illustrative Compliance Requirements
- HIPAA HITECH: The Security Rule. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- Cybersecurity requirements for financial services companies. Information security management requirements from the New York State Department of Financial Services (DFS), 2017.
Deeper Looks at Information Security Management
- ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements: ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts – an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
- NIST Cybersecurity Framework: The NIST Cybersecurity Framework provides a framework for how organizations can assess and improve their ability to prevent, detect, respond to, and recover from cyber attacks.
- California Data Breach Report, February 2016 — A good source for California information security laws and regulations. The report provides a summary of 20 specific controls that the California Attorney General describes as “a minimum level of information security that all organizations that collect or maintain personal information should meet.” Former California Attorney General Kamala Harris asserts in the report that “failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Creating a Cybersecurity Culture
- Beyond Information Security Awareness Training: It’s Time to Change the Culture, Stan Stahl, Information Security Management Handbook, Sixth Edition, edited by Hal Tipton and Micki Krause, Auerbach, 2006