Machine generated contents note: Introduction to Security -- CNSS Security Model -- The Value of Information and the C.I.A. Triad -- Key Concepts of Information Security: Threats and Attacks -- The 12 Categories of Threats -- Management and Leadership -- Behavioral Types of Leaders -- Management Characteristics -- Governance -- Solving Problems -- Principles of Information Security Management -- Planning -- Policy -- Programs -- Protection -- People -- Projects -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to Law and Ethics -- Ethics in InfoSec -- Ethics and Education -- Deterring Unethical and Illegal Behavior -- Professional Organizations and Their Codes of Conduct -- Association for Computing Machinery (ACM) -- International Information Systems Security Certification Consortium, Inc. (ISC)2 -- SANS -- Information Systems Audit and Control Association (ISACA) -- Information Systems Security Association (ISSA) -- Information Security and Law -- Types of Law -- Relevant U.S. Laws -- International Laws and Legal Bodies -- State and Local Regulations -- Standards Versus Law -- Policy Versus Law -- Organizational Liability and the Management of Digital Forensics -- Key Law Enforcement Agencies -- Managing Digital Forensics -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- The Role of Planning -- Precursors to Planning -- Strategic Planning -- Creating a Strategic Plan -- Planning Levels -- Planning and the CISO -- Information Security Governance -- The ITGI Approach to Information Security Governance -- NCSP Industry Framework for Information Security Governance -- CERT Governing for Enterprise Security Implementation -- ISO/IEC 27014:2013 Governance of Information Security -- Security Convergence -- Planning for Information Security Implementation -- Implementing the Security Program using the SecSDLC -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Why Policy? -- Policy, Standards, and Practices -- Enterprise Information Security Policy -- Integrating an Organization's Mission and Objectives into the EISP -- EISP Elements -- Example EISP Elements -- Issue-Specific Security Policy -- Elements of the ISSP -- Implementing the ISSP -- System-Specific Security Policy -- Managerial Guidance SysSPs -- Technical Specification SysSPs -- Guidelines for Effective Policy Development and Implementation -- Developing Information Security Policy -- Policy Distribution -- Policy Reading -- Policy Comprehension -- Policy Compliance -- Policy Enforcement -- Policy Development and Implementation Using the SDLC -- Software Support for Policy Administration -- Other Approaches to Information Security Policy Development -- SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems -- A Final Note on Policy -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Organizing for Security -- Security in Large Organizations -- Security in Medium-Sized Organizations -- Security in Small Organizations -- Placing Information Security Within an Organization -- Components of the Security Program -- Staffing the Security Function -- Information Security Professional Credentials -- Entering the Information Security Profession -- Implementing Security Education, Training, and Awareness (SETA) Programs -- Security Education -- Security Training -- Security Awareness -- Project Management in Information Security -- Projects Versus Processes -- Organizational Support for Project Management -- PMBOK Knowledge Areas -- Project Management Tools -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to the Management of Risk in Information Security -- Knowing Yourself and Knowing the Enemy -- The Information Security Risk Management Framework -- Roles of Communities of Interest in Managing Risk -- Executive Governance and Support -- Framework Design -- Framework Implementation -- Framework Monitoring and Review -- Continuous Improvement -- The Risk Management Process -- RM Process Preparation-Establishing the Context -- Risk Assessment: Risk Identification -- Risk Assessment: Risk Analysis -- Risk Evaluation -- Risk Treatment/Risk Control -- Process Communications, Monitoring, and Review -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to Risk Treatment -- Risk Treatment Strategies -- Managing Risk -- Feasibility and Cost-benefit Analysis -- Other Methods of Establishing Feasibility -- Alternatives to Feasibility Analysis -- Recommended Alternative Risk Treatment Practices -- Alternative Risk Management Methodologies -- The OCTAVE Methods -- Microsoft Risk Management Approach -- FAIR -- ISO Standards for InfoSec Risk Management -- NIST Risk Management Framework (RMF) -- Other Methods -- Selecting the Best Risk Management Model -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to Blueprints, Frameworks, and Security Models -- Security Management Models -- The ISO 27000 Series -- NIST Security Publications -- Control Objectives for Information and Related Technology -- Committee of Sponsoring Organizations -- Information Technology Infrastructure Library -- Information Security Governance Framework -- Security Architecture Models -- TCSEC and the Trusted Computing Base -- Information Technology System Evaluation Criteria -- The Common Criteria -- Access Control Models -- Categories of Access Controls -- Other Forms of Access Control -- Academic Access Control Models -- Bell-LaPadula Confidentiality Model -- Biba Integrity Model -- Clark-Wilson Integrity Model -- Graham-Denning Access Control Model -- Harrison-Ruzzo-Ullman Model -- Brewer-Nash Model (Chinese Wall) -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to Security Practices -- Security Employment Practices -- Hiring -- Contracts and Employment -- Security Expectations in the Performance Evaluation -- Termination Issues -- Personnel Security Practices -- Security of Personnel and Personal Data -- Security Considerations for Temporary Employees, Consultants, and Other Workers -- Information Security Performance Measurement -- InfoSec Performance Management -- Building the Performance Measurement Program -- Specifying InfoSec Measurements -- Collecting InfoSec Measurements -- Implementing InfoSec Performance Measurement -- Reporting InfoSec Performance Measurements -- Benchmarking -- Standards of Due Care/Due Diligence -- Recommended Security Practices -- Selecting Recommended Practices -- Limitations to Benchmarking and Recommended Practices -- Baselining -- Support for Benchmarks and Baselines -- ISO Certification -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to Contingency Planning -- Fundamentals of Contingency Planning -- Components of Contingency Planning -- Business Impact Analysis -- Contingency Planning Policies -- Incident Response -- Getting Started -- Incident Response Policy -- Incident Response Planning -- Detecting Incidents -- Reacting to Incidents -- Recovering from Incidents -- Disaster Recovery -- The Disaster Recovery Process -- Disaster Recovery Policy -- Disaster Classification -- Planning to Recover -- Responding to the Disaster -- Simple Disaster Recovery Plan -- Business Continuity -- Business Continuity Policy -- Continuity Strategies -- Timing and Sequence of CP Elements -- Crisis Management -- Business Resumption -- Testing Contingency Plans -- Final Thoughts on CP -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to Security
Text of Note
Maintenance -- Security Management Maintenance Models -- NIST SP 800-100, Information Security Handbook: A Guide for Managers -- The Security Maintenance Model -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes -- Introduction to Protection Mechanisms -- Access Controls and Biometrics -- Managing Network Security -- Firewalls -- Intrusion Detection and Prevention Systems -- Wireless Networking Protection -- Scanning and Analysis Tools -- Managing Server-Based Systems with Logging -- Managing Security for Emerging Technologies -- Cryptography -- Encryption Operations -- Using Cryptographic Controls -- Managing Cryptographic Controls -- Additional Reading -- Chapter Summary -- Review Questions -- Exercises -- Closing Case -- Discussion Questions -- Ethical Decision Making -- Endnotes.
0
0
SUMMARY OR ABSTRACT
Text of Note
Prepares you to become an information security management practitioner able to secure systems and networks in a world where continuously emerging threats, ever-present attacks and the success of criminals illustrate the weaknesses in current information technologies. You'll develop both the information security skills and practical experience that organizations are looking for as they strive to ensure more secure computing environments. The text focuses on key executive and managerial aspects of information security. It also integrates coverage of CISSP and CISM throughout to effectively prepare you for certification. Reflecting the most recent developments in the field, it includes the latest information on NIST, ISO and security governance as well as emerging concerns like Ransomware, Cloud Computing and the Internet of Things -- Provided by the publisher.