

Management of Information Security

by
  • ISBN13: 9780619215156
  • ISBN10: 0619215151
  • Format: Paperback
  • Copyright: 2004-01-27
  • Publisher: Cengage Learning



Summary

"Updated to maintain the industry currency and academic relevance, Management of Information Security continues to provide an overview of information security from a management perspective, as well as a thorough understanding of the administration of information security. Written by two Certified Information Systems Security Professionals (CISSP), this book has the added credibility of incorporating the CISSP Common Body of Knowledge (CBK), especially in the area of information security management."--BOOK JACKET.

Author Biography

Herbert J. Mattord has been an adjunct professor at Kennesaw State University in Kennesaw, Georgia; Southern Polytechnic State University in Marietta, Georgia; Austin Community College in Austin, Texas; and Texas State University-San Marcos. Michael E. Whitman is a Professor of Information Systems at Kennesaw State University, Kennesaw, Georgia, where he is also the Director of the KSU Center for Information Security Education and the Coordinator of the Bachelor of Science in Information Security and Assurance program.

Table of Contents

Preface xv
Section I--Introduction
Introduction to the Management of Information Security 1(24)
Introduction 2(1)
What Is Security? 3(7)
NSTISSC Security Model 5(1)
Key Concepts of Information Security 6(4)
What Is Management? 10(9)
The Difference Between Leadership and Management 11(1)
Characteristics of a Leader 11(1)
Characteristics of Management 12(4)
Solving Problems 16(3)
Principles of Information Security Management 19(2)
Chapter Summary 21(1)
Review Questions 22(1)
Exercises 23(1)
Case Exercises 23(2)
Section II--Planning
Planning for Security 25(38)
Introduction 26(2)
Components of Organizational Planning 28(9)
Mission 28(1)
Vision 29(1)
Values 30(1)
Strategy 31(3)
Planning and the CISO 34(3)
Planning for Information Security Implementation 37(22)
Introduction to the Systems Development Life Cycle 39(3)
The Security Systems Development Life Cycle (SecSDLC) 42(14)
Comparing the SDLC and the SecSDLC 56(3)
Chapter Summary 59(1)
Review Questions 60(1)
Exercises 61(1)
Case Exercises 61(2)
Planning for Contingencies 63(42)
Introduction 64(1)
What Is Contingency Planning? 65(2)
Components of Contingency Planning 67(19)
Incident Response Plan 67(9)
Disaster Recovery 76(6)
Business Continuity Planning 82(2)
Timing and Sequence of CP Elements 84(2)
Putting a Contingency Plan Together 86(9)
Business Impact Analysis 87(3)
Combining the DRP and the BCP 90(5)
Testing Contingency Plans 95(3)
Desk Check 95(1)
Structured Walk-Through 95(1)
Simulation 95(1)
Parallel Testing 96(1)
Full Interruption 96(2)
A Single Continuity Plan 98(1)
Chapter Summary 99(2)
Review Questions 101(1)
Exercises 101(1)
Case Exercises 102(3)
Section III--Policy and Programs
Information Security Policy 105(50)
Introduction 106(1)
Why Policy? 107(3)
Policy, Standards, and Practices 108(2)
Enterprise Information Security Policy 110(6)
Integrating an Organization's Mission and Objectives into the EISP 110(1)
EISP Elements 110(2)
Example EISP 112(4)
Issue-Specific Security Policy 116(5)
Components of the ISSP 117(2)
Implementing the ISSP 119(2)
System-Specific Policy 121(5)
Management Guidance SysSPs 121(1)
Technical Specifications SysSPs 122(4)
Combination SysSPs 126(1)
Guidelines for Policy Development 126(25)
The Policy Project 127(4)
Automated Tools 131(1)
The Information Security Policies Made Easy Approach 132(15)
SP 800-18: Guide for Developing Security Plans for Information Technology Systems Policy Management 147(1)
A Final Note on Policy 148(3)
Chapter Summary 151(1)
Review Questions 152(1)
Exercises 152(1)
Case Exercises 153(2)
Developing the Security Program 155(54)
Introduction 156(1)
Organizing for Security 156(10)
Security in Large Organizations 160(3)
Security in Medium-Sized Organizations 163(1)
Security in Small Organizations 163(3)
Placing Information Security Within an Organization 166(14)
Option 1: Information Technology 168(1)
Option 2: Security 169(2)
Option 3: Administrative Services 171(1)
Option 4: Insurance and Risk Management 172(1)
Option 5: Strategy and Planning 173(2)
Option 6: Legal 175(1)
Option 7: Internal Audit 176(1)
Option 8: Help Desk 177(1)
Option 9: Accounting and Finance Through IT 178(1)
Option 10: Human Resources 179(1)
Option 11: Facilities Management 179(1)
Option 12: Operations 179(1)
Summary of Reporting Relationships 179(1)
Components of the Security Program 180(1)
Information Security Roles and Titles 181(3)
Chief Information Security Officer 182(1)
Security Managers 182(1)
Security Administrators and Analysts 183(1)
Security Technicians 183(1)
Security Staffers 184(1)
Security Consultants 184(1)
Security Officers and Investigators 184(1)
Help Desk Personnel 184(1)
Implementing Security Education, Training, and Awareness Programs 184(20)
Security Education 186(3)
Security Training 189(2)
Training Techniques 191(4)
Security Awareness 195(9)
Chapter Summary 204(1)
Review Questions 205(1)
Exercises 206(1)
Case Exercises 206(3)
Security Management Models and Practices 209(40)
Introduction 210(1)
Security Management Models 211(20)
BS 7799 Part 1 (ISO 17799:2002 Standard): Code of Practice for Information Security Management 211(3)
BS 7799 Part 2: The Information Security Management System 214(2)
The Security Management Index and ISO 17799 216(1)
RFC 2196 Site Security Handbook 217(1)
NIST Security Models 218(11)
A Hybrid Security Management Model 229(2)
Security Management Practices 231(8)
Standards of Due Care/Due Diligence 231(1)
Best Security Practices 231(4)
The Gold Standard 235(1)
Selecting Best Practices 235(1)
Benchmarking and Best Practices Limitations 236(1)
Baselining 237(2)
Emerging Trends in Certification and Accreditation 239(5)
SP 800-37: Guidelines for the Security Certification and Accreditation of Federal IT Systems 239(2)
SP 800-53: Minimum Security Controls for Federal IT Systems 241(3)
Chapter Summary 244(1)
Review Questions 245(1)
Exercises 246(1)
Case Exercises 246(3)
Appendix A: NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, and the Human Firewall Council's Security Management Index Survey 249(274)
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems 250(28)
Utilizing the Completed Questionnaire 250(1)
Questionnaire Analysis 251(1)
Questionnaire Cover Sheet 251(1)
The Self-Assessment Guide Questions 252(26)
Human Firewall Council's Security Management Index Survey 278(7)
Security Management Index Scoring Methodology 278(1)
Questionnaire 279(1)
Security Policy 279(1)
Organizational Security 279(1)
Asset Classification & Control 280(1)
Personnel Security 280(1)
Physical and Environmental Security 281(1)
Communications & Operations Management 281(1)
Access Control 282(1)
Systems Development and Maintenance 283(1)
Business Continuity Management 284(1)
Compliance 284(1)
Section IV--Protection
Risk Management: Identifying and Assessing Risk 285(34)
Introduction 286(1)
Risk Management 287(3)
Knowing Ourselves 287(1)
Knowing the Enemy 287(1)
Accountability for Risk Management 288(2)
Risk Identification 290(18)
Creating an Inventory of Information Assets 290(4)
Classifying and Categorizing Assets 294(1)
Assessing Values for Information Assets 295(2)
Listing Assets in Order of Importance 297(1)
Data Classification Model 297(2)
Security Clearances 299(1)
Management of the Classified Information Asset 299(2)
Threat Identification 301(7)
Risk Assessment 308(4)
Introduction to Risk Assessment 308(1)
Likelihood 309(1)
Assessing Potential Loss 309(1)
Percentage of Risk Mitigated by Current Controls 310(1)
Uncertainty 310(1)
Risk Determination 310(1)
Identify Possible Controls 310(1)
Access Controls 311(1)
Documenting the Results of Risk Assessment 312(2)
Chapter Summary 314(1)
Review Questions 315(1)
Exercises 316(1)
Case Exercises 317(2)
Risk Management: Assessing and Controlling Risk 319(42)
Introduction 320(1)
Risk Control Strategies 321(5)
Avoidance 321(3)
Transference 324(1)
Mitigation 324(1)
Acceptance 325(1)
Risk Control Strategy Selection 326(2)
Evaluation, Assessment, and Maintenance of Risk Controls 327(1)
Categories of Controls 328(3)
Control Function 328(1)
Architectural Layer 329(1)
Strategy Layer 329(1)
Information Security Principle 329(2)
Feasibility Studies and Cost-Benefit Analysis 331(9)
Cost-Benefit Analysis 332(5)
Other Feasibility Studies 337(2)
Alternatives to Feasibility 339(1)
Risk Management Discussion Points 340(3)
Risk Appetite 340(1)
Residual Risk 340(1)
Documenting Results 341(2)
Recommended Risk Control Practices 343(2)
Qualitative Measures 344(1)
Delphi Technique 344(1)
A Single-Source Approach to Risk Management 344(1)
The OCTAVE Method 345(11)
Important Aspects of the OCTAVE Method 345(2)
Phases, Processes, and Activities 347(1)
Preparing for the OCTAVE Method 347(2)
Phase 1: Build Asset-Based Threat Profiles 349(3)
Phase 2: Identify Infrastructure Vulnerabilities 352(2)
Phase 3: Develop Security Strategy and Plans 354(2)
Chapter Summary 356(1)
Review Questions 357(1)
Exercises 358(1)
Case Exercises 359(2)
Protection Mechanisms 361(52)
Introduction 362(2)
Access Controls 364(11)
Authentication 364(7)
Authorization 371(1)
Evaluating Biometrics 372(1)
Acceptability of Biometrics 372(1)
Managing Access Controls 373(2)
Firewalls 375(10)
The Development of Firewalls 375(3)
Firewall Architectures 378(3)
Selecting the Right Firewall 381(1)
Managing Firewalls 381(4)
Dial-Up Protection 385(2)
RADIUS and TACACS 385(1)
Managing Dial-Up Connections 386(1)
Intrusion Detection Systems 387(8)
Host-Based IDS 388(1)
Network-Based IDS 389(1)
Signature-Based IDS 389(1)
Statistical Anomaly-Based IDS 389(1)
Managing Intrusion Detection Systems 390(1)
Scanning and Analysis Tools 390(1)
Port Scanners 391(1)
Vulnerability Scanners 392(1)
Packet Sniffers 393(1)
Content Filters 393(1)
Trap and Trace 393(1)
Managing Scanning and Analysis Tools 394(1)
Cryptography 395(14)
Encryption Definitions 395(1)
Encryption Operations 396(7)
Using Cryptographic Controls 403(3)
Managing Cryptographic Controls 406(3)
Chapter Summary 409(1)
Review Questions 410(1)
Exercises 410(1)
Case Exercises 411(2)
Section V--People and Projects
Personnel and Security 413(38)
Introduction 414(1)
Staffing the Security Function 415(12)
Qualifications and Requirements 415(1)
Entering the Information Security Profession 416(1)
Information Security Positions 417(10)
Information Security Professional Credentials 427(9)
Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) 427(1)
Global Information Assurance Certification (GIAC) 428(1)
Security Certified Program (SCP) 429(1)
TruSecure ICSA Certified Security Associate (TICSA) 430(1)
Security+ 431(1)
Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) 432(1)
Certified Information Forensics Investigator (CIFI) 433(1)
Certification Costs 433(3)
Employment Policies and Practices 436(11)
Hiring 436(2)
Contracts and Employment 438(1)
Security as Part of Performance Evaluation 438(1)
Termination Issues 438(2)
Personnel Security Practices 440(1)
Security of Personnel and Personal Data 441(1)
Security Considerations for Nonemployees 441(6)
Chapter Summary 447(1)
Review Questions 448(1)
Exercises 449(1)
Case Exercises 449(2)
Law and Ethics 451(36)
Introduction 452(1)
Law and Ethics in Information Security 453(1)
The Legal Environment 453(16)
Types of Law 453(1)
Relevant U.S. Laws 453(11)
International Laws and Legal Bodies 464(1)
State and Local Regulations 465(3)
Policy versus Law 468(1)
Ethical Concepts in Information Security 469(1)
Differences in Ethical Concepts 470(6)
Ethics and Education 473(1)
Deterring Unethical and Illegal Behavior 473(3)
Certifications and Professional Organizations 476(6)
Association for Computing Machinery (ACM) 476(1)
International Information Systems Security Certification Consortium, Inc. (ISC)2 477(1)
System Administration, Networking, and Security Institute (SANS) 477(1)
Information Systems Audit and Control Association (ISACA) 478(1)
Computer Security Institute (CSI) 478(1)
Information Systems Security Association 478(1)
Other Security Organizations 478(2)
Key U.S. Federal Agencies 480(2)
Organizational Liability and the Need for Counsel 482(1)
Chapter Summary 483(1)
Review Questions 483(1)
Exercises 484(1)
Case Exercises 484(3)
Information Security Project Management 487(36)
Introduction 488(2)
Project Management 490(1)
Applying Project Management to Security 491(18)
PMBoK Knowledge Areas 491(8)
Additional Project Planning Considerations 499(3)
Controlling the Project 502(2)
Conversion Strategies 504(1)
To Outsource or Not 504(1)
Dealing With Change 505(2)
Considerations for Organizational Change 507(2)
Project Management Tools 509(10)
Work Breakdown Structure 510(4)
Task-Sequencing Approaches 514(4)
Automated Project Tools 518(1)
Chapter Summary 519(1)
Review Questions 519(1)
Exercises 520(1)
Case Exercises 521(2)
Glossary 523(12)
Index 535
