An interesting and straight to the point read, Lessons Learned: Critical Information Infrastructure Protection by Toomas Viira provides a how-to for information security professionals on how to manage critical information infrastructure.
Viira draws on his extensive experience as part of the Estonian information system authority to deliver 23 lessons that can be used to form a plan to protect an organizations’ critical information infrastructure.
Lessons Learned is split into seven parts which present six lessons around a particular theme. Each chapter is preceded by a relevant quote that sets up the chapter ahead. These quotes are drawn from a variety of sources and are referenced in the footer of the page.
Following each chapter, Viira highlights the lessons learned during that particular chapter.
The first part of Lessons Learned: Critical Information Infrastructure Protection is built around critical infrastructure and is designed to enable the reader to create their own list of critical infrastructure including a description of said infrastructure, service provider and interconnections between providers.
Following this, part two brings in critical information infrastructure and informs the user on what information assets are important to critical infrastructure and how they are interconnected with other assets. This allows readers to build up a detailed description of critical information infrastructure that are relevant to the user which includes the information stored or processed by the infrastructure and what they are connected to.
The third part moves on to create a risk assessment of critical infrastructure including threats, vulnerabilities and their perceived risks. A key takeaway from this section is that readers should be able to distinguish risks of different levels.
Building on from the risk assessment created in part three, part four moves onto protection activities which includes defining the type of protection required, planning and other related activities. Part five provides supplementary activates to those defined in part four, including information sharing and training people.
Finally, part six reminds the reader that in order for critical information infrastructure to remain protected their protection system must constantly evolve and improve. While part seven introduces the reader in how to deal with providing critical information infrastructure without IT systems.
Viira finishes off the book with a completed list of Lessons Learned and a list of helpful resources provided by IT Governance Ltd, the book’s publisher.
Overall, Lessons Learned: Critical Information Infrastructure Protection is a straight forward, no-nonsense reference guide for information security professionals that provide 23 key lessons that they should learn in order to manage and protect critical information infrastructure.