BCS, THE CHARTERED INSTITUTE FOR IT
BCS, The Chartered Institute for IT champions the global IT profession and the interests of individuals engaged in that profession for the benefit of all. We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.
Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.
Further Information
BCS, The Chartered Institute for IT,
First Floor, Block D,
North Star House, North Star Avenue,
Swindon, SN2 1FA, United Kingdom.
T +44 (0) 1793 417 424
F +44 (0) 1793 417 444
www.bcs.org/contact
© 2013 BCS Learning & Development Ltd
All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.
All trade marks, registered names etc. acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society, charity number 292786 (BCS).
Published by BCS Learning and Development Ltd, a wholly owned subsidiary of BCS, The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK.
www.bcs.org
ISBN: 978-1-78017-175-3
PDF ISBN: 978-1-78017-176-0
ePUB ISBN: 978-1-78017-177-7
Kindle ISBN: 978-1-78017-178-4
British Cataloguing in Publication Data.
A CIP catalogue record for this book is available at the British Library.
Disclaimer:
The views expressed in this book are of the author(s) and do not necessarily reflect the views of the Institute or BCS Learning and Development Ltd except where explicitly stated as such. Although every care has been taken by the authors and BCS Learning and Development Ltd in the preparation of the publication, no warranty is given by the authors or BCS Learning and Development Ltd as publisher as to the accuracy or completeness of the information contained within it and neither the authors nor BCS Learning and Development Ltd shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.
Typeset by Lapiz Digital Services, Chennai, India.
Printed at CPI Antony Rowe Ltd, Chippenham, UK.
AUTHORS
Andy Taylor, after initially teaching in secondary schools, has been involved with information assurance for over 20 years, starting when he served in the Royal Navy in several posts as security officer. He had responsibility for all classified and cryptographic materials in both warships and shore establishments, at times helping to maintain the effectiveness of the nuclear deterrent. After leaving the Royal Navy he chose a further career in consultancy and was instrumental in achieving one of the first accreditations for a management consultancy against the information security standard ISO17799 (now ISO27001).
As one of the earliest members of the CESG Listed Advisor Scheme (CLAS) approved by Government Communications Headquarters (GCHQ), he has provided information assurance advice to a wide variety of organisations in both the public and private sectors, including the Health Service, the Home Office, utility regulators, the Prison and Probation Services and web developers. He has developed and delivered a number of specialist security briefings to help educate users in the effective and secure use of information, and has been lecturing to all new staff in the Treasury Solicitors for over 10 years. He has a passionate interest in maintaining the highest standards of information assurance and in helping others to gain expertise in it. To that end he is now the lead assessor for one of the three bodies that certify IA professionals against a framework of competences through the government's CESG scheme, which was set up in 2012.
David Alexander is Head of Vulnerability Research at Regency IT Consulting and specialises in information security architectures, the security of industrial control systems, information assurance and governance. He has 15 years' experience as an information security practitioner and consultant. In that time he has worked on a wide range of commercial, central government and defence projects around the world. David started his career as an officer in the RAF, learning the need for information security at the outset of his working life. He has been involved in IT for over 25 years, the first 10 of these as a software engineer, operations manager, project manager and IT consultant, after which he changed sides from poacher to gamekeeper and became an information security practitioner. He has been a CLAS consultant for 10 years and was one of the first 50 people in the world accredited as Lead Auditor for what is now ISO27001. David is a director and full member of the Institute for Information Security Professionals (IISP), a Chartered IT Professional, a Fellow of BCS and a committee member of its Information Security Special Interest Group.
Amanda Finch has specialised in information security management since 1991, when she helped establish the function within Marks & Spencer. As security manager, she has been at the heart of shaping information security within the company and has developed an extensive understanding of the commercial sector and its particular security needs. Amanda is engaged in all aspects of information security management and takes a pragmatic approach to the application of security controls to meet business objectives. As an active contributor within the industry, Amanda is particularly interested in raising levels of education and in gaining recognition for the discipline as a recognised profession, and she is involved with the principal organisations in order to encourage this. Amanda has a Master's degree in Information Security and holds full membership of the Institute of Information Security Professionals (IISP). In 2007 she was awarded European Chief Information Security Officer of the Year by Secure Computing magazine.
David Sutton's career spans more than 45 years and includes computing, voice and data networking, radio transmission, information security and critical information infrastructure protection. He joined Cellnet (now Telefónica O2 UK) in 1993, where he was responsible for ensuring the continuity and restoration of the core cellular and broadband networks, and represented O2 in the electronic communications industry's resilience forum. In December 2005, he gave evidence to the Greater London Authority enquiry into mobile telecoms' impact in the London bombings. David has been a member of the BCS Professional Certification Information Security Panel since 2005 and delivers lectures on risk management, business continuity and disaster recovery at Royal Holloway, University of London, from which he holds an MSc in Information Security. Since retiring from O2 in 2010, he has undertaken a number of critical information infrastructure projects for the European Network and Information Security Agency (ENISA), and is currently developing training material for InfoSec Skills.