Management of information security / by Michael E. Whitman, Ph.D., CISM, CISSP, Herbert J. Mattord, Ph.D., CISM, CISSP, Kennesaw State University.

By: Whitman, Michael E., 1964-
Contributor(s): Mattord, Herbert J.
Material type: Text
Publisher: Delhi : Cengage Learning, 2016
Edition: Fourth edition
Description: xxv, 566 pages : illustrations ; 23 cm
Content type: text
Media type: unmediated
Carrier type: volume
ISBN: 9788131531815 (pbk)
Subject(s): Computer networks -- Security measures | Computer security | Information technology -- Security measures | Information technology -- Management
DDC classification: 658.478
LOC classification: TK5105.59 | .W5356 2014
Online resources: Contributor biographical information | Publisher description | Table of contents only
Holdings
Item type: Books
Current library: Namal Library (Management)
Call number: 658.478 WHI-M 2016 11405
Copy number: 1
Status: Available
Date due: none
Barcode: 0011405
Item holds: 0
Total holds: 0

Includes index.

Machine generated contents note: ch. 1 Introduction to the Management of Information Security --
Introduction --
What Is Security? --
CNSS Security Model --
Key Concepts of Information Security --
What Is Management? --
Behavioral Types of Leaders --
Management Characteristics --
Solving Problems --
Principles of Information Security Management --
Planning --
Policy --
Programs --
Protection --
People --
Projects --
Project Management --
Applying Project Management to Security --
PMBoK Knowledge Areas --
Project Management Tools --
Work Breakdown Structure --
Task-Sequencing Approaches --
Automated Project Tools --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 2 Planning for Security --
Introduction --
The Role of Planning --
Precursors to Planning --
Values Statement --
Vision Statement --
Mission Statement --
Strategic Planning --
Creating a Strategic Plan --
Planning Levels --
Planning and the CISO --
Information Security Governance --
Desired Outcomes --
Benefits of Information Security Governance --
Implementing Information Security Governance --
Security Convergence --
Planning for Information Security Implementation --
Introduction to the Security Systems Development Life Cycle --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 3 Planning for Contingencies --
Introduction --
Fundamentals of Contingency Planning --
Components of Contingency Planning --
Business Impact Analysis --
Contingency Planning Policies --
Incident Response --
Disaster Recovery --
Business Continuity --
Crisis Management --
Business Resumption --
Testing Contingency Plans --
Final Thoughts --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 4 Information Security Policy --
Introduction --
Why Policy? --
Policy, Standards, and Practices --
Enterprise Information Security Policy --
Integrating an Organization's Mission and Objectives into the EISP --
EISP Elements --
Example EISP Components --
Issue-Specific Security Policy --
Components of the ISSP --
Implementing the ISSP --
System-Specific Security Policy --
Managerial Guidance SysSPs --
Technical Specification SysSPs --
Guidelines for Effective Policy --
Developing Information Security Policy --
Policy Distribution --
Policy Reading --
Policy Comprehension --
Policy Compliance --
Policy Enforcement --
The Information Securities Policy Made Easy Approach --
Checklist of Steps in the Policy Development Process --
Next Steps --
SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems --
A Final Note On Policy --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 5 Developing the Security Program --
Introduction --
Organizing for Security --
Security in Large Organizations --
Security in Medium-Sized Organizations --
Security in Small Organizations --
Placing Information Security within an Organization --
Option 1 Information Technology --
Option 2 Security --
Option 3 Administrative Services --
Option 4 Insurance and Risk Management --
Option 5 Strategy and Planning --
Other Options --
Summary of Reporting Relationships --
Components of the Security Program --
Information Security Roles and Titles --
Chief Information Security Officer --
Security Managers --
Security Administrators and Analysts --
Security Technicians --
Security Staffers and Watchstanders --
Security Consultants --
Security Officers and Investigators --
Help Desk Personnel --
Implementing Security Education, Training, and Awareness Programs --
Security Education --
Security Training --
Training Techniques --
Identify Program Scope, Goals, and Objectives --
Identify Training Staff --
Identify Target Audiences --
Motivate Management and Employees --
Administer the Program --
Maintain the Program --
Evaluate the Program --
Security Awareness --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 6 Security Management Models --
Introduction --
Blueprints, Frameworks, and Security Models --
Access Control Models --
Categories of Access Control --
Security Architecture Models --
Trusted Computing Base --
Information Technology System Evaluation Criteria --
The Common Criteria --
Bell-LaPadula Confidentiality Model --
Biba Integrity Model --
Clark-Wilson Integrity Model --
Graham-Denning Access Control Model --
Harrison-Ruzzo-Ullman Model --
Brewer-Nash Model (Chinese Wall) --
Security Management Models --
The ISO 27000 Series --
NIST Security Models --
Control Objectives for Information and Related Technology --
Committee of Sponsoring Organizations --
Information Technology Infrastructure Library --
Information Security Governance Framework --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 7 Security Management Practices --
Introduction --
Benchmarking --
Standards of Due Care/Due Diligence --
Recommended Security Practices --
Selecting Recommended Practices --
Limitations to Benchmarking and Recommended Practices --
Baselining --
Support for Benchmarks and Baselines --
Performance Measurement in InfoSec Management --
InfoSec Performance Management --
Evaluate the Program --
Security Awareness --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 8 Security Management Models --
Introduction --
Blueprints, Frameworks, and Security Models --
Access Control Models --
Categories of Access Control --
Security Architecture Models --
Trusted Computing Base --
Information Technology System Evaluation Criteria --
The Common Criteria --
Bell-LaPadula Confidentiality Model --
Biba Integrity Model --
Clark-Wilson Integrity Model --
Graham-Denning Access Control Model --
Harrison-Ruzzo-Ullman Model --
Brewer-Nash Model (Chinese Wall) --
Security Management Models --
The ISO 27000 Series --
NIST Security Models --
Control Objectives for Information and Related Technology --
Committee of Sponsoring Organizations --
Information Technology Infrastructure Library --
Information Security Governance Framework --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 9 Security Management Practices --
Introduction --
Benchmarking --
Standards of Due Care/Due Diligence --
Recommended Security Practices --
Selecting Recommended Practices --
Limitations to Benchmarking and Recommended Practices --
Baselining --
Support for Benchmarks and Baselines --
Performance Measurement in InfoSec Management --
InfoSec Performance Management --
Risk Control Strategies --
Defense --
Transferal --
Mitigation --
Acceptance --
Termination --
Managing Risk --
Feasibility and Cost-Benefit Analysis --
Cost-Benefit Analysis --
Other Methods of Establishing Feasibility --
Alternatives to Feasibility Analysis --
Recommended Risk Control Practices --
Qualitative and Hybrid Measures --
Delphi Technique --
The OCTAVE Methods --
Microsoft Risk Management Approach --
FAIR --
ISO 27005 Standard for InfoSec Risk Management --
NIST Risk Management Model --
Other Methods --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 10 Protection Mechanisms --
Introduction --
Access Controls --
Identification --
Authentication --
Authorization --
Accountability --
Managing Access Controls --
Firewalls --
The Development of Firewalls --
Firewall Architectures --
Selecting the Right Firewall --
Managing Firewalls --
Intrusion Detection and Prevention Systems --
Host-Based IDPS --
Network-Based IDPS --
Signature-Based IDPS --
Anomaly-Based IDPS --
Managing Intrusion Detection and Prevention Systems --
Remote Access Protection --
RADIUS and TACACS --
Managing Dial-Up Connections --
Wireless Networking Protection --
Wired Equivalent Privacy (WEP) --
Wi-Fi Protected Access (WPA) --
WiMax --
Bluetooth --
Managing Wireless Connections --
Scanning and Analysis Tools --
Port Scanners --
Vulnerability Scanners --
Packet Sniffers --
Content Filters --
Trap and Trace --
Managing Scanning and Analysis Tools --
Cryptography --
Encryption Operations --
Using Cryptographic Controls --
Managing Cryptographic Controls --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 11 Personnel and Security --
Introduction --
Staffing the Security Function --
Qualifications and Requirements --
Entering the Information Security Profession --
Information Security Positions --
Information Security Department Manager --
Information Security Engineer --
Information Security Professional Credentials --
(ISC)2 Certifications --
ISACA Certifications --
SANS Certifications --
EC-Council Certifications --
CompTIA Certifications --
ISFCE Certifications --
Certification Costs --
Employment Policies and Practices --
Hiring --
Contracts and Employment --
Security as Part of Performance Evaluation --
Termination Issues --
Personnel Security Practices --
Security of Personnel and Personal Data --
Security Considerations for Nonemployees --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
ch. 12 Law and Ethics --
Introduction --
Law and Ethics in InfoSec --
InfoSec and the Law --
Types of Law --
Relevant U.S. Laws --
International Laws and Legal Bodies --
State and Local Regulations --
Policy versus Law --
Ethics in InfoSec --
Ethics and Education --
Deterring Unethical and Illegal Behavior --
Professional Organizations and their Codes of Ethics --
Association for Computing Machinery (ACM) --
International Information Systems Security Certification Consortium, Inc. (ISC)2 --
SANS --
Information Systems Audit and Control Association (ISACA) --
Information Systems Security Association (ISSA) --
Organizational Liability and the Need for Counsel --
Key Law Enforcement Agencies --
Managing Investigations in the Organization --
Digital Forensics Team --
Affidavits and Search Warrants --
Digital Forensics Methodology --
Evidentiary Procedures --
Chapter Summary --
Review Questions --
Exercises --
Closing Case --
Endnotes --
APPENDIX. Note continued: NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems --
ISO 17799: 2005 Overview --
The OCTAVE Method of Risk Management --
Microsoft Risk Management Approach.