Part 4 emphasizes the central role that people must fulfill in every aspect of information security. Senior leaders and managers set the organization’s culture, decision-making style, and risk tolerance. People make the day-to-day decisions and take the moment-by-moment actions that create value, with which the company pays its bills. People decide how to design, implement, and operate the information systems that enable that value creation, and people are the ones who keep those information systems safe, secure, and reliable—or expose those systems to risk and loss.
In Chapter 10, you’ll use the NIST Computer Security Incident Response framework and the NIST Cybersecurity Framework (CSF) as guides to planning, preparing, and responding to incidents of interest. By now, you’ve probably realized that this is not a case of if an information security incident strikes your organization, but rather when. You’ll see how to tailor these frameworks to meet the needs of your own business or organization, and you’ll identify the key planning factors on which you’ll need management’s decisions and actions in order to be ready to detect, contain, and recover from an incident, and to help guide the organization in preparing for the next one.
Chapter 11 takes us further on from the immediate incident response time frame and shows how organizations plan for and achieve continuity of business operations in the face of a disaster or major dislocation. This is the time when all of your team’s efforts at backup and recovery strategies and preparation get put to the test as you help your traumatized company get back into business.
Taken together, Chapters 10 and 11 bring together every element of the administrative side of information risk management and mitigation. Chapter 12 takes a different perspective on people power. It operationalizes concepts and ideas from across all SSCP domains, applying them to some of the more pernicious and challenging problems facing today’s information security professionals.
In the end, it is SSCPs like you who bring all of the technical, physical, and administrative measures together to help organizations keep their information systems safe, secure, private, reliable—and available!