An Introduction to Information Security is a 70-page publication from the National Institute of Standards & Technology. While this, like other government publications, are not filled with eye-catching graphics or pictures, it does cover the fundamentals of building an Information Security program within an organization. Keep in mind, that organization can be any aspect of government (Federal, State, Local), as well as any commercial enterprise regardless of size (public or private). The book has 10 chapters starting with basic definitions and includes sage information on the various elements of Information Security, Roles and Responsibilities of individual positions, vulnerabilities, Policies, Risk Management, as well as several other aspects of the field. It concludes with a discussion of the various “controls” an organization should have in place to ensure that the InfoSec program is working as expected. Rest assured, without these controls it will not!
Anyway, I’m not asking for a detailed understanding of the various roles and responsibilities or other granular information. Instead, I want you to come away with a basic familiarity with what it takes to set up an Information Security Program, starting with basic definitions. So, don’t worry about the details. We’ll cover the important ones in class. Rather, do become familiar with the broader concepts. For example, why are information policies needed? What exactly do we mean by risk management? Why shouldn’t we make absolutely certain we’re covering every single risk? What is Cryptography?
