Management of information security / Michael E. Whitman, Herbert J. Mattord
- Author
- Whitman, Michael E., 1964-
- Published
- Stamford, CT : Cengage Learning, [2014]
- Copyright Date
- ©2014
- Edition
- 4th edition.
- Physical Description
- xxv, 566 pages : illustrations ; 19 cm
- Additional Creators
- Mattord, Herbert J.
- Contents
- Machine generated contents note:
  - ch. 1 Introduction to the Management of Information Security -- Introduction -- What Is Security? -- CNSS Security Model -- Key Concepts of Information Security -- What Is Management? -- Behavioral Types of Leaders -- Management Characteristics -- Solving Problems -- Principles of Information Security Management -- Planning -- Policy -- Programs -- Protection -- People -- Projects -- Project Management -- Applying Project Management to Security -- PMBoK Knowledge Areas -- Project Management Tools -- Work Breakdown Structure -- Task-Sequencing Approaches -- Automated Project Tools -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 2 Planning for Security -- Introduction -- The Role of Planning -- Precursors to Planning -- Values Statement -- Vision Statement -- Mission Statement -- Strategic Planning -- Creating a Strategic Plan -- Planning Levels -- Planning and the CISO -- Information Security Governance -- Desired Outcomes -- Benefits of Information Security Governance -- Implementing Information Security Governance -- Security Convergence -- Planning for Information Security Implementation -- Introduction to the Security Systems Development Life Cycle -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 3 Planning for Contingencies -- Introduction -- Fundamentals of Contingency Planning -- Components of Contingency Planning -- Business Impact Analysis -- Contingency Planning Policies -- Incident Response -- Disaster Recovery -- Business Continuity -- Crisis Management -- Business Resumption -- Testing Contingency Plans -- Final Thoughts -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 4 Information Security Policy -- Introduction -- Why Policy? -- Policy, Standards, and Practices -- Enterprise Information Security Policy -- Integrating an Organization's Mission and Objectives into the EISP -- EISP Elements -- Example EISP Components -- Issue-Specific Security Policy -- Components of the ISSP -- Implementing the ISSP -- System-Specific Security Policy -- Managerial Guidance SysSPs -- Technical Specification SysSPs -- Guidelines for Effective Policy -- Developing Information Security Policy -- Policy Distribution -- Policy Reading -- Policy Comprehension -- Policy Compliance -- Policy Enforcement -- The Information Securities Policy Made Easy Approach -- Checklist of Steps in the Policy Development Process -- Next Steps -- SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems -- A Final Note On Policy -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 5 Developing the Security Program -- Introduction -- Organizing for Security -- Security in Large Organizations -- Security in Medium-Sized Organizations -- Security in Small Organizations -- Placing Information Security within an Organization -- Option 1 Information Technology -- Option 2 Security -- Option 3 Administrative Services -- Option 4 Insurance and Risk Management -- Option 5 Strategy and Planning -- Other Options -- Summary of Reporting Relationships -- Components of the Security Program -- Information Security Roles and Titles -- Chief Information Security Officer -- Security Managers -- Security Administrators and Analysts -- Security Technicians -- Security Staffers and Watchstanders -- Security Consultants -- Security Officers and Investigators -- Help Desk Personnel -- Implementing Security Education, Training, and Awareness Programs -- Security Education -- Security Training -- Training Techniques -- Identify Program Scope, Goals, and Objectives -- Identify Training Staff -- Identify Target Audiences -- Motivate Management and Employees -- Administer the Program -- Maintain the Program -- Evaluate the Program -- Security Awareness -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 6 Security Management Models -- Introduction -- Blueprints, Frameworks, and Security Models -- Access Control Models -- Categories of Access Control -- Security Architecture Models -- Trusted Computing Base -- Information Technology System Evaluation Criteria -- The Common Criteria -- Bell-LaPadula Confidentiality Model -- Biba Integrity Model -- Clark-Wilson Integrity Model -- Graham-Denning Access Control Model -- Harrison-Ruzzo-Ullman Model -- Brewer-Nash Model (Chinese Wall) -- Security Management Models -- The ISO 27000 Series -- NIST Security Models -- Control Objectives for Information and Related Technology -- Committee of Sponsoring Organizations -- Information Technology Infrastructure Library -- Information Security Governance Framework -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 7 Security Management Practices -- Introduction -- Benchmarking -- Standards of Due Care/Due Diligence -- Recommended Security Practices -- Selecting Recommended Practices -- Limitations to Benchmarking and Recommended Practices -- Baselining -- Support for Benchmarks and Baselines -- Performance Measurement in InfoSec Management -- InfoSec Performance Management -- Evaluate the Program -- Security Awareness -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 8 Security Management Models -- Introduction -- Blueprints, Frameworks, and Security Models -- Access Control Models -- Categories of Access Control -- Security Architecture Models -- Trusted Computing Base -- Information Technology System Evaluation Criteria -- The Common Criteria -- Bell-LaPadula Confidentiality Model -- Biba Integrity Model -- Clark-Wilson Integrity Model -- Graham-Denning Access Control Model -- Harrison-Ruzzo-Ullman Model -- Brewer-Nash Model (Chinese Wall) -- Security Management Models -- The ISO 27000 Series -- NIST Security Models -- Control Objectives for Information and Related Technology -- Committee of Sponsoring Organizations -- Information Technology Infrastructure Library -- Information Security Governance Framework -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 9 Security Management Practices -- Introduction -- Benchmarking -- Standards of Due Care/Due Diligence -- Recommended Security Practices -- Selecting Recommended Practices -- Limitations to Benchmarking and Recommended Practices -- Baselining -- Support for Benchmarks and Baselines -- Performance Measurement in InfoSec Management -- InfoSec Performance Management -- Risk Control Strategies -- Defense -- Transferal -- Mitigation -- Acceptance -- Termination -- Managing Risk -- Feasibility and Cost-Benefit Analysis -- Cost-Benefit Analysis -- Other Methods of Establishing Feasibility -- Alternatives to Feasibility Analysis -- Recommended Risk Control Practices -- Qualitative and Hybrid Measures -- Delphi Technique -- The OCTAVE Methods -- Microsoft Risk Management Approach -- FAIR -- ISO 27005 Standard for InfoSec Risk Management -- NIST Risk Management Model -- Other Methods -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 10 Protection Mechanisms -- Introduction -- Access Controls -- Identification -- Authentication -- Authorization -- Accountability -- Managing Access Controls -- Firewalls -- The Development of Firewalls -- Firewall Architectures -- Selecting the Right Firewall -- Managing Firewalls -- Intrusion Detection and Prevention Systems -- Host-Based IDPS -- Network-Based IDPS -- Signature-Based IDPS -- Anomaly-Based IDPS -- Managing Intrusion Detection and Prevention Systems -- Remote Access Protection -- RADIUS and TACACS -- Managing Dial-Up Connections -- Wireless Networking Protection -- Wired Equivalent Privacy (WEP) -- Wi-Fi Protected Access (WPA) -- WiMax -- Bluetooth -- Managing Wireless Connections -- Scanning and Analysis Tools -- Port Scanners -- Vulnerability Scanners -- Packet Sniffers -- Content Filters -- Trap and Trace -- Managing Scanning and Analysis Tools -- Cryptography -- Encryption Operations -- Using Cryptographic Controls -- Managing Cryptographic Controls -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 11 Personnel and Security -- Introduction -- Staffing the Security Function -- Qualifications and Requirements -- Entering the Information Security Profession -- Information Security Positions -- Information Security Department Manager -- Information Security Engineer -- Information Security Professional Credentials -- (ISC)2 Certifications -- ISACA Certifications -- SANS Certifications -- EC-Council Certifications -- CompTIA Certifications -- ISFCE Certifications -- Certification Costs -- Employment Policies and Practices -- Hiring -- Contracts and Employment -- Security as Part of Performance Evaluation -- Termination Issues -- Personnel Security Practices -- Security of Personnel and Personal Data -- Security Considerations for Nonemployees -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - ch. 12 Law and Ethics -- Introduction -- Law and Ethics in InfoSec -- InfoSec and the Law -- Types of Law -- Relevant U.S. Laws -- International Laws and Legal Bodies -- State and Local Regulations -- Policy versus Law -- Ethics in InfoSec -- Ethics and Education -- Deterring Unethical and Illegal Behavior -- Professional Organizations and their Codes of Ethics -- Association for Computing Machinery (ACM) -- International Information Systems Security Certification Consortium, Inc. (ISC)2 -- SANS -- Information Systems Audit and Control Association (ISACA) -- Information Systems Security Association (ISSA) -- Organizational Liability and the Need for Counsel -- Key Law Enforcement Agencies -- Managing Investigations in the Organization -- Digital Forensics Team -- Affidavits and Search Warrants -- Digital Forensics Methodology -- Evidentiary Procedures -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Endnotes
  - APPENDIX (contents note continued): NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems -- ISO 17799: 2005 Overview -- The OCTAVE Method of Risk Management -- Microsoft Risk Management Approach.
- Subject(s)
- ISBN
- 9781285062297 (pbk)
- 1285062299 (pbk)
- Bibliography Note
- Includes bibliographical references and index.
- Endowment Note
- Paterno Libraries Endowment (Campus College Libraries)
- Catalog Key
- 11551182