Security Basics

Whether you’re new to the field of security, expanding your skill set or just keeping your fundamentals sharp, these primers will do the trick. These Security Basics articles are compiled from expert input on CSOonline or contributed directly by subject-matter specialists.

Updated 3/1/2013

Security Basics categories (click to skip to a category)

• Information Security and Audit
• Physical Security and Business Continuity
• Security Leadership

Information Security and Audit Basics

Understanding information security policy, cloud security, social media, IT audit, penetration tests and more.

Penetration test basics

Pen tests need to accomplish business goals, not just check for random holes. Here’s how to get the most value for your efforts.

Cloud security: the basics

SaaS, IaaS and PaaS and their security implications.

Log management basics

How to choose the right type of log management system—and use it for business intelligence.

by David Torre

Software security for developers

Best practices and key concepts for writing secure code.

by Mark Merkow and Lakshmikanth Raghavan

Software security for application development managers

How to deliver more code at lower cost—by building security into the application development process. Also by Merkow and Raghavan.

Vulnerability management: The basics

A three-part series covering vulnerability management tactics and tools, plus how penetration testing fits in.

Social media security risks: the basics

TMI, tweet rage, “friend” scams and many more risks to avoid on social media and social networking sites.

IT risk assessment frameworks: an introduction

OCTAVE, FAIR, NIST RMF, and TARA—a look at the strengths and weaknesses of four formal methodologies for risk assessment.

How to write an information security policy

Where to start, what to cover and how to make your overall information security policy effective.

by Jennifer Bayuk

Information system audit basics

What should you expect from an IS audit? Here’s a step-by-step walkthrough.

by Jennifer Bayuk

Network security: basic concepts

Defense in depth, role-based access control, and other critical network concepts to understand before you get lost in the bits and bytes

by Stephen Northcutt, SANS Institute

Wireless security basics

Encryption and authentication are the key to securing wireless networks, regardless of protocol

by Galen Gruman

Incident detection, response and forensics

How to build a robust function for dealing with computer security incidents

by Richard Bejtlich

VoIP security basics

Dealing with vishing, SPIT and other voice-over-IP (VoIP) threats

by Bob Bradley, Sonus Networks

Service-Oriented Architecture (SOA) security

Threats and defensive techniques in SOAP/WSDL and REST-based architectures

by Mark O’Neill, Vordel

Phishing: the basics

How to foil identity theft and other phishing attempts

Identity management basics

Providing IT managers with tools and technologies for controlling user access to critical information within an organization

by John Waters

Physical Security and Business Continuity

Physical security threats and concepts and business interruption scenarios including pickets and strikes, social engineering, access control, video surveillance and more.

Fraud prevention: Improving internal controls

Fighting fraud requires cooperation, ethical culture, good detection mechanisms, and more. NEW

by Daniel Draz, M.S., CFE

Physical security information management (PSIM): the basics

Physical security information management software synthesizes data from video, access control systems, and other sensors. NEW

by Steve Hunt

VSaaS: video surveillance as a service

Hosted or managed video surveillance services aim to reduce hardware hassles and monitoring manpower.

Social engineering: the basics

What is social engineering and what are the most common and most current tricks and tactics?

Internal investigations basics

How to plan and conduct internal investigations of suspected (or alleged) employee misconduct or fraud.

How to handle pickets and strikes

9 things security should do – and 6 things you absolutely can’t do – to help ensure a strike or picket remains peaceful

by Anthony Manley

The physical access control project planner

Planning walkthroughs, avoiding common project pitfalls, and more about physical access control

by Jason Cowling

The CCTV project planner

The lowdown on frame rates, storage requirements and other CCTV considerations

by Jason Cowling

Video surveillance and data monitoring

There are lots of ways to watch your employees, visitors, and customers. Here’s a guide to doing it well and staying out of hot water.

The 6 things you should know about executive protection

How to build a world-class executive protection program that works in the private-sector setting.

19 ways to build security into a data center

Mantraps, biometrics and simpler measures as well for protecting data centers.

Intellectual property protection: the basics

Do you know the difference between a trade secret and a copyright? Have you taken a holistic look at legal, technical and procedural means of protecting your organization’s intellectual property?

Business continuity and disaster recovery basics

How to ready your human, physical and IT infrastructure for disasters or business interruption.

The essential retail security reader

Starting a job in retail security? Just double-checking your defenses? Here’s a roundup of strategies for protecting retail inventory, profits and employees. NEW

Home security basics

How to keep your house or apartment secure, including vacation tips

by Chris McGooey

Security Leadership

Critical concepts and tactics for leading a security department or function.

Enterprise Risk Management: The basics

http://www.csoonline.com/article/729621/erm-the-basics NEW

What is a Chief Security Officer?What is a CSO part 2.

A sample job description for security leadership and operational risk management.

Also read about the role of the CSO as a business enabler in

The new basics of security leadership

Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm.

Security and business: communication 101

Understanding business language and priorities, and translating security-speak into effective communication with other executives

Security and business: financial metrics 101

From ALE to ROSI—the evolving science of quantifying security’s payoff

Physical and IT security convergence: the basics

The benefits and challenges of holistic security management

Information security management basics

How to take a multi-faceted approach to information security management that incorporates organizational, managerial and operational aspects that are closely associated with the business.

by Micki Krause, et al

The CISO’s shift from network security to risk management

How the CISO role has evolved over the past several years.

How to build an effective security awareness program

Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.

More in-depth leadership reading:

Security Case Studies

Real-world looks at security in action.

The Security Metrics Collection

A roundup of security metrics coverage, including both operational and financial metrics.

Templates, tools, and policies:

Also see our resource center with sample security policies and tools.