
I just finished reading InfoSec Strategies and Best Practices by Joseph MacMillan last week. I have to say that if you want one book to read on the information security field, this is a pretty good choice. The book not only covers some of the basics of information security, like the CIA Triad (Confidentiality, Integrity, and Availability), but also goes into specific tips for information security professionals, such as how to translate security risks into organizational impact language so that organizational leaders understand what they’re looking at.
I’m including the table of contents for those who use it as a means to determine the content of the book and understand its structure. It helps me to look at this after reading it as well, because it brings to mind what the author talked about and how the author transitioned from one section to another. Skip this if it’s of no help to you.
| Division | Title |
| --- | --- |
| Section 1 | Information Security Risk Management and Governance |
| 1 | InfoSec and Risk Management |
| 2 | Protecting the Security of Assets |
| Section 2 | Closing the Gap: How to Protect the Organization |
| 3 | Designing Secure Information Systems |
| 4 | Designing and Protecting Network Security |
| 5 | Controlling Access and Managing Identity |
| Section 3 | Operationalizing Information Security |
| 6 | Designing and Managing Security Testing Process |
| 7 | Owning Security Operations |
| 8 | Improving the Security of Software |
Here are a few takeaways:

- Risk = Impact x Likelihood
- Risk can be handled by one of the four options below. Accepting risk should only be done after the other three options have been considered:
  - avoiding it
  - reducing it
  - transferring it
  - accepting it
- All information security policies, procedures, and systems should be run by/through leadership so that they will endorse and advocate for everything you’re implementing and are more likely to give authority to these controls.
- Understanding a threat actor’s motivations and intentions is helpful in determining what kind of threat your organization may face and how to respond to specific security incidents that may be occurring.
- Document your assets (anything valuable to your company that will need to be protected), risks, threats, policies, and procedures, and make sure this information is stored somewhere where a system outage won’t prevent stakeholders from accessing it when necessary.
There’s much more to this book, but a few takeaways are better than trying to recreate all of my notes here for you. Read the book; it’s worth it if you want to understand information security better.