Management of information security / by Michael E. Whitman, Ph.D., CISM, CISSP, Herbert J. Mattord, Ph.D., CISM, CISSP, Kennesaw State University.
Material type: Text
Publisher: Delhi : Cengage Learning, 2016
Edition: Fourth edition
Description: xxv, 566 pages : illustrations ; 23 cm
Content type: text
Media type: unmediated
Carrier type: volume
ISBN: 9788131531815 (pbk)
Subject(s): Computer networks -- Security measures | Computer security | Information technology -- Security measures | Information technology -- Management
DDC classification: 658.478
LOC classification: TK5105.59 .W5356 2014
Online resources: Contributor biographical information | Publisher description | Table of contents only

Item type | Current library | Call number | Copy number | Status | Date due | Barcode | Item holds
---|---|---|---|---|---|---|---
Books | Namal Library Management | 658.478 WHI-M 2016 11405 | 1 | Available | | 0011405 |
Includes index.
Contents note: ch. 1 Introduction to the Management of Information Security --
Introduction --
What Is Security? --
CNSS Security Model --
Key Concepts of Information Security --
What Is Management? --
Behavioral Types of Leaders --
Management Characteristics --
Solving Problems --
Principles of Information Security Management --
Planning --
Policy --
Programs --
Protection --
People --
Projects --
Project Management --
Applying Project Management to Security --
PMBoK Knowledge Areas --
Project Management Tools --
Work Breakdown Structure --
Task-Sequencing Approaches --
Automated Project Tools --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 2 Planning for Security --
Introduction --
The Role of Planning --
Precursors to Planning --
Values Statement --
Vision Statement --
Mission Statement --
Strategic Planning --
Creating a Strategic Plan --
Planning Levels --
Planning and the CISO --
Information Security Governance --
Desired Outcomes --
Benefits of Information Security Governance --
Implementing Information Security Governance --
Security Convergence --
Planning for Information Security Implementation --
Introduction to the Security Systems Development Life Cycle --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 3 Planning for Contingencies --
Introduction --
Fundamentals of Contingency Planning --
Components of Contingency Planning --
Business Impact Analysis --
Contingency Planning Policies --
Incident Response --
Disaster Recovery --
Business Continuity --
Crisis Management --
Business Resumption --
Testing Contingency Plans --
Final Thoughts --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 4 Information Security Policy --
Introduction --
Why Policy? --
Policy, Standards, and Practices --
Enterprise Information Security Policy --
Integrating an Organization's Mission and Objectives into the EISP --
EISP Elements --
Example EISP Components --
Issue-Specific Security Policy --
Components of the ISSP --
Implementing the ISSP --
System-Specific Security Policy --
Managerial Guidance SysSPs --
Technical Specification SysSPs --
Guidelines for Effective Policy --
Developing Information Security Policy --
Policy Distribution --
Policy Reading --
Policy Comprehension --
Policy Compliance --
Policy Enforcement --
The Information Security Policy Made Easy Approach --
Checklist of Steps in the Policy Development Process --
Next Steps --
SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems --
A Final Note On Policy --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 5 Developing the Security Program --
Introduction --
Organizing for Security --
Security in Large Organizations --
Security in Medium-Sized Organizations --
Security in Small Organizations --
Placing Information Security within an Organization --
Option 1 Information Technology --
Option 2 Security --
Option 3 Administrative Services --
Option 4 Insurance and Risk Management --
Option 5 Strategy and Planning --
Other Options --
Summary of Reporting Relationships --
Components of the Security Program --
Information Security Roles and Titles --
Chief Information Security Officer --
Security Managers --
Security Administrators and Analysts --
Security Technicians --
Security Staffers and Watchstanders --
Security Consultants --
Security Officers and Investigators --
Help Desk Personnel --
Implementing Security Education, Training, and Awareness Programs --
Security Education --
Security Training --
Training Techniques --
Identify Program Scope, Goals, and Objectives --
Identify Training Staff --
Identify Target Audiences --
Motivate Management and Employees --
Administer the Program --
Maintain the Program --
Evaluate the Program --
Security Awareness --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 6 Security Management Models --
Introduction --
Blueprints, Frameworks, and Security Models --
Access Control Models --
Categories of Access Control --
Security Architecture Models --
Trusted Computing Base --
Information Technology System Evaluation Criteria --
The Common Criteria --
Bell-LaPadula Confidentiality Model --
Biba Integrity Model --
Clark-Wilson Integrity Model --
Graham-Denning Access Control Model --
Harrison-Ruzzo-Ullman Model --
Brewer-Nash Model (Chinese Wall) --
Security Management Models --
The ISO 27000 Series --
NIST Security Models --
Control Objectives for Information and Related Technology --
Committee of Sponsoring Organizations --
Information Technology Infrastructure Library --
Information Security Governance Framework --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 7 Security Management Practices --
Introduction --
Benchmarking --
Standards of Due Care/Due Diligence --
Recommended Security Practices --
Selecting Recommended Practices --
Limitations to Benchmarking and Recommended Practices --
Baselining --
Support for Benchmarks and Baselines --
Performance Measurement in InfoSec Management --
InfoSec Performance Management --
Evaluate the Program --
Security Awareness --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 8 Security Management Models --
Introduction --
Blueprints, Frameworks, and Security Models --
Access Control Models --
Categories of Access Control --
Security Architecture Models --
Trusted Computing Base --
Information Technology System Evaluation Criteria --
The Common Criteria --
Bell-LaPadula Confidentiality Model --
Biba Integrity Model --
Clark-Wilson Integrity Model --
Graham-Denning Access Control Model --
Harrison-Ruzzo-Ullman Model --
Brewer-Nash Model (Chinese Wall) --
Security Management Models --
The ISO 27000 Series --
NIST Security Models --
Control Objectives for Information and Related Technology --
Committee of Sponsoring Organizations --
Information Technology Infrastructure Library --
Information Security Governance Framework --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 9 Security Management Practices --
Introduction --
Benchmarking --
Standards of Due Care/Due Diligence --
Recommended Security Practices --
Selecting Recommended Practices --
Limitations to Benchmarking and Recommended Practices --
Baselining --
Support for Benchmarks and Baselines --
Performance Measurement in InfoSec Management --
InfoSec Performance Management --
Risk Control Strategies --
Defense --
Transferal --
Mitigation --
Acceptance --
Termination --
Managing Risk --
Feasibility and Cost-Benefit Analysis --
Cost-Benefit Analysis --
Other Methods of Establishing Feasibility --
Alternatives to Feasibility Analysis --
Recommended Risk Control Practices --
Qualitative and Hybrid Measures --
Delphi Technique --
The OCTAVE Methods --
Microsoft Risk Management Approach --
FAIR --
ISO 27005 Standard for InfoSec Risk Management --
NIST Risk Management Model --
Other Methods --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 10 Protection Mechanisms --
Introduction --
Access Controls --
Identification --
Authentication --
Authorization --
Accountability --
Managing Access Controls --
Firewalls --
The Development of Firewalls --
Firewall Architectures --
Selecting the Right Firewall --
Managing Firewalls --
Intrusion Detection and Prevention Systems --
Host-Based IDPS --
Network-Based IDPS --
Signature-Based IDPS --
Anomaly-Based IDPS --
Managing Intrusion Detection and Prevention Systems --
Remote Access Protection --
RADIUS and TACACS --
Managing Dial-Up Connections --
Wireless Networking Protection --
Wired Equivalent Privacy (WEP) --
Wi-Fi Protected Access (WPA) --
WiMax --
Bluetooth --
Managing Wireless Connections --
Scanning and Analysis Tools --
Port Scanners --
Vulnerability Scanners --
Packet Sniffers --
Content Filters --
Trap and Trace --
Managing Scanning and Analysis Tools --
Cryptography --
Encryption Operations --
Using Cryptographic Controls --
Managing Cryptographic Controls --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 11 Personnel and Security --
Introduction --
Staffing the Security Function --
Qualifications and Requirements --
Entering the Information Security Profession --
Information Security Positions --
Information Security Department Manager --
Information Security Engineer --
Information Security Professional Credentials --
(ISC)2 Certifications --
ISACA Certifications --
SANS Certifications --
EC-Council Certifications --
CompTIA Certifications --
ISFCE Certifications --
Certification Costs --
Employment Policies and Practices --
Hiring --
Contracts and Employment --
Security as Part of Performance Evaluation --
Termination Issues --
Personnel Security Practices --
Security of Personnel and Personal Data --
Security Considerations for Nonemployees --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 12 Law and Ethics --
Introduction --
Law and Ethics in InfoSec --
InfoSec and the Law --
Types of Law --
Relevant U.S. Laws --
International Laws and Legal Bodies --
State and Local Regulations --
Policy versus Law --
Ethics in InfoSec --
Ethics and Education --
Deterring Unethical and Illegal Behavior --
Professional Organizations and their Codes of Ethics --
Association for Computing Machinery (ACM) --
International Information Systems Security Certification Consortium, Inc. (ISC)2 --
SANS --
Information Systems Audit and Control Association (ISACA) --
Information Systems Security Association (ISSA) --
Organizational Liability and the Need for Counsel --
Key Law Enforcement Agencies --
Managing Investigations in the Organization --
Digital Forensics Team --
Affidavits and Search Warrants --
Digital Forensics Methodology --
Evidentiary Procedures --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
APPENDIX. NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems --
ISO 17799: 2005 Overview --
The OCTAVE Method of Risk Management --
Microsoft Risk Management Approach.