Principles of Information Security (English reprint edition)

  • Authors: Michael E. Whitman, Herbert J. Mattord
  • Publisher: Tsinghua University Press
  • ISBN: 9787302068709
  • Publication date: 1 July 2003
  • Pages: 537
  • List price: ¥58.00
    Book details

    Summary
    Principles of Information Security examines the field of information security to prepare individuals for their future roles as business decision makers. This book presents both the managerial and the technical aspects of this discipline and addresses the knowledge areas of the CISSP (Certified Information Systems Security Professional) certification throughout.
    Table of Contents
    Chapter 1 Introduction to Information Security 1
    Introduction 3
    The History of Information Security 4
    The 1960s 5
    The 1970s and 80s 6
    The 1990s 8
    The Present 9
    What Is Security? 9
    What Is Information Security? 10
    Critical Characteristics of Information 10
    Availability 11
    Accuracy 11
    Authenticity 11
    Confidentiality 12
    Integrity 13
    Utility 14
    Possession 14
    NSTISSC Security Model 15
    Components of an Information System 15
    Software 16
    Hardware 16
    Data 17
    People 17
    Procedures 17
    Securing the Components 18
    Balancing Security and Access 19
    Top-Down Approach to Security Implementation 20
    The Systems Development Life Cycle 21
    Methodology 21
    Phases 21
    Investigation 22
    Analysis 23
    Logical Design 23
    Physical Design 23
    Implementation 23
    Maintenance and Change 24
    The Security Systems Development Life Cycle 24
    Investigation 24
    Analysis 24
    Logical Design 25
    Physical Design 25
    Implementation 25
    Maintenance and Change 26
    Key Terms 28
    Security Professionals and the Organization 30
    Senior Management 30
    Security Project Team 32
    Data Ownership 32
    Communities of Interest 33
    Information Security Management and Professionals 33
    Information Technology Management and Professionals 33
    Organizational Management and Professionals 33
    Information Security: Is It an Art or a Science? 34
    Security as Art 34
    Security as Science 34
    Security as a Social Science 35
    Chapter Summary 35
    Review Questions 36
    Exercises 37
    Case Exercises 37

    Chapter 2 The Need for Security 41
    Introduction 43
    Business Needs First, Technology Needs Last 43
    Protecting the Ability of the Organization to Function 43
    Enabling the Safe Operation of Applications 44
    Protecting Data that Organizations Collect and Use 44
    Safeguarding Technology Assets in Organizations 44
    Threats 45
    Threat Group 1: Inadvertent Acts 46
    Threat Group 2: Deliberate Acts 49
    Threat Group 3: Acts of God 64
    Threat Group 4: Technical Failures 66
    Threat Group 5: Management Failures 67
    Attacks 68
    Malicious Code 68
    Hoaxes 69
    Back Doors 69
    Password Crack 69
    Brute Force 69
    Dictionary 70
    Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) 70
    Spoofing 71
    Man-in-the-Middle 71
    Spam 72
    Mail bombing 72
    Sniffers 72
    Social Engineering 73
    Buffer Overflow 74
    Timing Attack 75
    Chapter Summary 75
    Review Questions 75
    Case Exercises 77

    Chapter 3 Legal, Ethical and Professional Issues in Information Security 83
    Introduction 84
    Law and Ethics in Information Security 85
    Types Of Law 85
    Relevant U.S. Laws 85
    General Computer Crime Laws 86
    Privacy 86
    Export and Espionage Laws 91
    U.S. Copyright Law 92
    International Laws and Legal Bodies 94
    European Council Cyber-Crime Convention 95
    Digital Millennium Copyright Act (DMCA) 96
    United Nations Charter 96
    Policy Versus Law 97
    Ethical Concepts in Information Security 97
    Cultural Differences in Ethical Concepts 97
    Software License Infringement 98
    Illicit Use 99
    Misuse of Corporate Resources 99
    Ethics and Education 102
    Deterrence to Unethical and Illegal Behavior 102
    Codes of Ethics, Certifications, and Professional Organizations 103
    Other Security Organizations 109
    Key U.S. Federal Agencies 111
    Organizational Liability and the Need for Counsel 114
    Chapter Summary 114
    Review Questions 115
    Exercises 116
    Case Exercises 116

    Chapter 4 Risk Management: Identifying and Assessing Risk 121
    Introduction 122
    Chapter Organization 123
    Risk Management 124
    Know Yourself 125
    Know the Enemy 125
    All Communities of Interest are Accountable 125
    Integrating Risk Management into the SecSDLC 126
    Risk Identification 127
    Asset Identification and Valuation 127
    Automated Risk Management Tools 131
    Information Asset Classification 131
    Information Asset Valuation 132
    Listing Assets in Order of Importance 134
    Data Classification and Management 135
    Security Clearances 137
    Management of Classified Data 137
    Threat Identification 139
    Identify And Prioritize Threats and Threat Agents 139
    Vulnerability Identification 143
    Risk Assessment 145
    Introduction to Risk Assessment 145
    Likelihood 145
    Valuation of Information Assets 146
    Percentage of Risk Mitigated by Current Controls 147
    Risk Determination 147
    Identify Possible Controls 147
    Access Controls 148
    Documenting Results of Risk Assessment 150
    Chapter Summary 151
    Review Questions 153
    Exercises 154
    Case Exercises 154

    Chapter 5 Risk Management: Assessing and Controlling Risk 158
    Introduction 159
    Risk Control Strategies 160
    Avoidance 161
    Transference 163
    Mitigation 164
    Acceptance 166
    Risk Mitigation Strategy Selection 167
    Evaluation, Assessment, and Maintenance of Risk Controls 168
    Categories of Controls 169
    Control Function 169
    Architectural Layer 169
    Strategy Layer 170
    Information Security Principles 170
    Feasibility Studies 171
    Cost Benefit Analysis (CBA) 171
    Other Feasibility Studies 183
    Risk Management Discussion Points 185
    Risk Appetite 185
    Residual Risk 186
    Documenting Results 187
    Recommended Practices in Controlling Risk 187
    Qualitative Measures 188
    Delphi Technique 188
    Risk Management and the SecSDLC 188
    Chapter Summary 189
    Review Questions 190
    Exercises 191
    Case Exercises 193

    Chapter 6 Blueprint For Security 198
    Introduction 199
    Information Security Policy, Standards, and Practices 199
    Definitions 201
    Security Program Policy (SPP) 202
    Issue-Specific Security Policy (ISSP) 203
    Systems-Specific Policy (SysSP) 206
    Policy Management 210
    Information Classification 212
    Systems Design 213
    Information Security Blueprints 215
    ISO 17799/BS 7799 215
    NIST Security Models 217
    NIST Special Publication SP 800-12 217
    NIST Special Publication 800-14 218
    IETF Security Architecture 222
    VISA International Security Model 222
    Baselining and Best Business Practices 223
    Hybrid Framework for a Blueprint of an Information Security System 224
    Security Education, Training, and Awareness Program 227
    Security Education 228
    Security Training 229
    Security Awareness 229
    Design of Security Architecture 230
    Defense in Depth 230
    Security Perimeter 231
    Key Technology Components 231
    Chapter Summary 234
    Review Questions 236
    Exercises 237
    Case Exercises 237

    Chapter 7 Planning for Continuity 241
    Introduction 242
    Continuity Strategy 243
    Business Impact Analysis 246
    Threat Attack Identification and Prioritization 247
    Business Unit Analysis 247
    Attack Success Scenario Development 248
    Potential Damage Assessment 248
    Subordinate Plan Classification 248
    Incident Response Planning 249
    Incident Planning 250
    Incident Detection 253
    When Does an Incident Become a Disaster? 256
    Incident Reaction 256
    Notification of Key Personnel 256
    Documenting an Incident 257
    Incident Containment Strategies 257
    Incident Recovery 259
    Prioritization of Efforts 259
    Damage Assessment 259
    Recovery 260
    Backup Media 263
    Automated Response 264
    Disaster Recovery Planning 265
    The Disaster Recovery Plan 265
    Crisis Management 266
    Recovery Operations 267
    Business Continuity Planning 268
    Developing Continuity Programs (BCPs) 268
    Continuity Strategies 268
    Model for a Consolidated Contingency Plan 271
    The Planning Document 271
    Law Enforcement Involvement 273
    Local, State, or Federal Authorities 273
    Benefits and Drawbacks of Law Enforcement Involvement 274
    Chapter Summary 275
    Review Questions 276
    Exercises 277
    Case Exercises 278

    Chapter 8 Security Technology 281
    Introduction 282
    Physical Design of the SecSDLC 283
    Firewalls 284
    Development of Firewalls 284
    Firewall Architectures 287
    Configuring and Managing Firewalls 291
    Dial-up Protection 293
    RADIUS and TACACS 294
    Intrusion Detection Systems (IDS) 295
    Host-based IDS 295
    Network-based IDS 296
    Signature-based IDS 297
    Statistical Anomaly-based IDS 298
    Scanning and Analysis Tools 299
    Port Scanners 300
    Vulnerability Scanners 301
    Packet Sniffers 302
    Content Filters 303
    Trap and Trace 304
    Cryptography and Encryption-based Solutions 304
    Encryption Definitions 305
    Encryption Operations 307
    Vernam Cipher 308
    Book or Running Key Cipher 308
    Symmetric Encryption 310
    Asymmetric Encryption 312
    Digital Signatures 313
    RSA 313
    PKI 314
    What are Digital Certificates and Certificate Authorities? 314
    Hybrid Systems 316
    Securing E-mail 317
    Securing the Web 317
    Securing Authentication 319
    Sesame 321
    Access Control Devices 321
    Authentication 321
    Effectiveness of Biometrics 324
    Acceptability of Biometrics 325
    Chapter Summary 325
    Review Questions 327
    Exercises 328
    Case Exercises 328

    Chapter 9 Physical Security 332
    Introduction 334
    Access Controls 335
    Controls for Protecting the Secure Facility 336
    Fire Safety 343
    Fire Detection and Response 343
    Failure of Supporting Utilities and Structural Collapse 350
    Heating, Ventilation, and Air Conditioning 350
    Power Management and Conditioning 351
    Testing Facility Systems 356
    Interception of Data 356
    Mobile and Portable Systems 357
    Remote Computing Security 359
    Special Considerations for Physical Security Threats 361
    Inventory Management 362
    Chapter Summary 362
    Review Questions 363
    Exercises 365
    Case Exercises 366

    Chapter 10 Implementing Security 369
    Introduction 371
    Project Management in the Implementation Phase 372
    Developing the Project Plan 373
    Project Planning Considerations 378
    The Need for Project Management 382
    Supervising Implementation 382
    Executing the Plan 382
    Wrap-up 383
    Technical Topics of Implementation 384
    Conversion Strategies 384
    The Bull’s-eye Model for Information Security Project Planning 385
    To Outsource or Not 386
    Technology Governance and Change Control 387
    Nontechnical Aspects of Implementation 387
    The Culture of Change Management 387
    Considerations for Organizational Change 389
    Chapter Summary 390
    Review Questions 392
    Exercises 393
    Case Exercises 394

    Chapter 11 Security and Personnel 397
    Introduction 399
    The Security Function Within an Organization’s Structure 399
    Staffing the Security Function 400
    Qualifications and Requirements 401
    Entry into the Security Profession 402
    Information Security Positions 403
    Credentials of Information Security Professionals 407
    Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) 408
    Security Certified Professional 410
    TruSecure ICSA Certified Security Associate (T.I.C.S.A.) and TruSecure ICSA Certified Security Expert (T.I.C.S.E.) 411
    Security+ 412
    Certified Information Systems Auditor (CISA) 413
    Certified Information Systems Forensics Investigator 413
    Related Certifications 414
    Cost of Being Certified 414
    Advice for Information Security Professionals 415
    Employment Policies and Practices 416
    Hiring and Termination Issues 417
    Performance Evaluation 420
    Termination 420
    Security Considerations for Nonemployees 421
    Temporary Employees 422
    Contract Employees 422
    Consultants 423
    Business Partners 423
    Separation of Duties and Collusion 424
    Privacy and the Security of Personnel Data 425
    Chapter Summary 426
    Review Questions 427
    Exercises 429
    Case Exercises 429

    Chapter 12 Information Security Maintenance 433
    Introduction 434
    Managing for Change 436
    Security Management Models 436
    The ISO Network Management Model 437
    The Maintenance Model 446
    Monitoring the External Environment 447
    Monitoring the Internal Environment 452
    Planning and Risk Assessment 455
    Vulnerability Assessment and Remediation 462
    Readiness and Review 470
    Chapter Summary 473
    Review Questions 474
    Exercises 475
    Case Exercises 475
    Appendix A Cryptography 478
    Introduction 478
    Definitions 481
    Types of Ciphers 483
    Polyalphabetic Substitution Ciphers 484
    Transposition Ciphers 485
    Cryptographic Algorithms 486
    Asymmetric Cryptography or Public Key Cryptography 489
    Hybrid Cryptosystems 489
    Popular Cryptographic Algorithms 490
    Data Encryption Standard (DES) 490
    Data Encryption Core Process 493
    Public Key Infrastructure (PKI) 499
    Digital Signatures 500
    Digital Certificates 500
    Pretty Good Privacy (PGP) 502
    PGP Suite of Security Solutions 502
    Protocols for Secure Communications 503
    S-HTTP and SSL 503
    Secure/Multipurpose Internet Mail Extension (S/MIME) 504
    Internet Protocol Security (IPSec) 505
    Attacks on Cryptosystems 507
    Man-in-the-Middle Attack 507
    Correlation Attacks 507
    Dictionary Attacks 508
    Timing Attacks 508
    Glossary 510