MANAGEMENT OF INFORMATION SECURITY
Sixth Edition
Michael E. Whitman
Herbert J. Mattord
Australia • Brazil • Mexico • Singapore • United Kingdom • United States
This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.

Important Notice: Media content referenced within the product description or the product text may not be available in the eBook version.
Management of Information Security, Sixth Edition
Michael E. Whitman, Herbert J. Mattord

SVP, GM Skills: Jonathan Lau
Product Director: Lauren Murphy
Product Team Manager: Kristin McNary
Product Manager: Amy Savino
Product Assistant: Jake Toth
Executive Director, Content Design: Marah Bellegarde
Director, Learning Design: Leigh Hefferon
Cover image: iStockPhoto.com/ValeryBrozhinsky

© 2019, 2017, 2014, 2010 Cengage Learning, Inc.
Unless otherwise noted, all content is © Cengage.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission of the copyright owner.

SOURCE FOR ILLUSTRATIONS: Copyright © Cengage. Screenshots are © Microsoft Corporation unless otherwise noted.

For product information and technology assistance, contact us at Cengage Customer & Sales Support, 1-800-354-9706 or support.cengage.com.

For permission to use material from this text or product, submit all requests online at www.cengage.com/permissions.

To learn more about Cengage platforms and services, visit www.cengage.com.
CHAPTER 1
Introduction to the Management of Information Security ..................... 1
CHAPTER 2
Compliance: Law and Ethics ...................................................................... 63
CHAPTER 3
Governance and Strategic Planning for Security .................................. 123
CHAPTER 4
Information Security Policy ..................................................................... 169
CHAPTER 5
Developing the Security Program ........................................................... 219
CHAPTER 6
Risk Management: Assessing Risk .......................................................... 303
CHAPTER 7
Risk Management: Treating Risk ............................................................ 365
CHAPTER 8
Security Management Models ................................................................ 411
CHAPTER 9
Security Management Practices ............................................................. 457
CHAPTER 10
Planning for Contingencies ...................................................................... 497
CHAPTER 11
Security Maintenance .............................................................................. 567
CHAPTER 12
Protection Mechanisms ........................................................................... 619
Table of Contents
PREFACE ....................................................................................................... xv
CHAPTER 1
Introduction to the Management
of Information Security........................................................... 1
Introduction to Security ......................................................................................2
CNSS Security Model ........................................................................................ 5
The Value of Information and the C.I.A. Triad ................................................. 7
Key Concepts of Information Security: Threats and Attacks ....................... 11
The 12 Categories of Threats ............................................................................ 13
Management and Leadership ..........................................................................45
Behavioral Types of Leaders ........................................................................... 46
Management Characteristics .......................................................................... 47
Governance ..................................................................................................... 50
Solving Problems ............................................................................................ 50
Principles of Information Security Management ........................................... 52
Planning .......................................................................................................... 53
Policy ............................................................................................................... 54
Programs ......................................................................................................... 55
Protection ........................................................................................................ 55
People .............................................................................................................. 55
Projects ............................................................................................................ 55
Additional Reading ............................................................................................57
Chapter Summary.............................................................................................. 57
Review Questions .............................................................................................. 58
Exercises ............................................................................................................. 59
Closing Case........................................................................................................60
Discussion Questions ..................................................................................... 60
Ethical Decision Making ................................................................................. 60
Endnotes .............................................................................................................61
CHAPTER 2
Compliance: Law and Ethics ................................................. 63
Introduction to Law and Ethics ........................................................................64
CHAPTER 3
Governance and Strategic Planning for Security ............. 123
The Role of Planning....................................................................................... 125
Precursors to Planning................................................................................... 127
Strategic Planning ........................................................................................... 129
Creating a Strategic Plan .................................................................................131
Planning Levels .............................................................................................. 132
Planning and the CISO ................................................................................... 133
Information Security Governance ................................................................ 135
The ITGI Approach to Information Security Governance ............................. 136
NCSP Industry Framework for Information Security Governance ............... 138
CHAPTER 4
Information Security Policy ................................................ 169
Why Policy? ...................................................................................................... 170
Policy, Standards, and Practices .................................................................... 175
Enterprise Information Security Policy ........................................................ 177
Integrating an Organization's Mission and Objectives into the EISP ........... 178
EISP Elements ................................................................................................ 178
Example EISP Elements ................................................................................ 180
Issue-Specific Security Policy ......................................................................... 183
Elements of the ISSP ...................................................................................... 185
Implementing the ISSP .................................................................................. 188
System-Specific Security Policy ..................................................................... 190
Managerial Guidance SysSPs ......................................................................... 191
Technical Specification SysSPs ...................................................................... 192
Guidelines for Effective Policy Development and Implementation ......... 197
Developing Information Security Policy ....................................................... 197
Policy Distribution .........................................................................................198
Policy Reading ................................................................................................199
Policy Comprehension ...................................................................................199
Policy Compliance ........................................................................................ 200
Policy Enforcement ........................................................................................ 201
Policy Development and Implementation Using the SDLC .......................... 201
Software Support for Policy Administration ................................................ 206
Other Approaches to Information Security Policy Development ................ 207
SP 800-18, Rev. 1: Guide for Developing Security Plans
for Federal Information Systems .................................................................. 209
CHAPTER 5
Developing the Security Program ...................................... 219
Organizing for Security .................................................................................. 220
Security in Large Organizations .................................................................... 225
Security in Medium-Sized Organizations ..................................................... 228
Security in Small Organizations .................................................................... 229
Placing Information Security Within an Organization ............................... 230
Components of the Security Program .......................................................... 241
Staffing the Security Function ...................................................................... 244
Information Security Professional Credentials ............................................. 254
Entering the Information Security Profession .............................................. 265
Implementing Security Education, Training, and Awareness
(SETA) Programs .............................................................................................. 267
Security Education ........................................................................................ 269
Security Training ........................................................................................... 271
Security Awareness ....................................................................................... 278
Project Management in Information Security ............................................ 286
Projects Versus Processes ............................................................................. 286
Organizational Support for Project Management ........................................ 288
PMBOK Knowledge Areas ............................................................................. 289
Project Management Tools ............................................................................ 292
Additional Reading ......................................................................................... 296
Chapter Summary........................................................................................... 297
Review Questions ........................................................................................... 298
Exercises .......................................................................................................... 299
Closing Case ..................................................................................................... 299
Discussion Questions ................................................................................... 299
Ethical Decision Making ............................................................................... 300
Endnotes .......................................................................................................... 300
CHAPTER 6
Risk Management: Assessing Risk ..................................... 303
Introduction to the Management of Risk
in Information Security .................................................................................. 304
Knowing Yourself and Knowing the Enemy ................................................ 305
The Information Security Risk Management Framework ........................... 305
Roles of Communities of Interest in Managing Risk ................................... 308
Executive Governance and Support ............................................................. 308
Framework Design ......................................................................................... 312
Framework Implementation ......................................................................... 315
Framework Monitoring and Review ............................................................. 315
Continuous Improvement ............................................................................. 316
The Risk Management Process ..................................................................... 316
RM Process Preparation-Establishing the Context ...................................... 317
Risk Assessment: Risk Identification ............................................................ 319
Risk Assessment: Risk Analysis .................................................................... 343
Risk Evaluation .............................................................................................. 355
Risk Treatment/Risk Control .........................................................................359
Process Communications, Monitoring, and Review .....................................359
Additional Reading ......................................................................................... 359
Chapter Summary........................................................................................... 360
Review Questions ........................................................................................... 361
Exercises .......................................................................................................... 361
Closing Case ..................................................................................................... 362
Discussion Questions .................................................................................... 362
Ethical Decision Making ................................................................................362
Endnotes .......................................................................................................... 363
CHAPTER 7
Risk Management: Treating Risk ....................................... 365
Introduction to Risk Treatment .................................................................... 366
Risk Treatment Strategies ............................................................................. 368
Managing Risk ................................................................................................. 374
Feasibility and Cost-Benefit Analysis ............................................................ 379
Other Methods of Establishing Feasibility ....................................................387
Alternatives to Feasibility Analysis .............................................................. 389
Recommended Alternative Risk Treatment Practices ...................................392
Alternative Risk Management Methodologies............................................ 393
The OCTAVE Methods ....................................................................................393
Microsoft Risk Management Approach ........................................................ 394
CHAPTER 8
Security Management Models ............................................ 411
Introduction to Blueprints, Frameworks,
and Security Models ....................................................................................... 412
Security Management Models ...................................................................... 414
The ISO 27000 Series ..................................................................................... 414
NIST Security Publications ........................................................................... 420
Control Objectives for Information and Related Technology ...................... 428
Committee of Sponsoring Organizations ..................................................... 430
Information Technology Infrastructure Library ............................................ 431
Information Security Governance Framework ............................................. 431
Security Architecture Models ........................................................................ 434
TCSEC and the Trusted Computing Base ...................................................... 434
Information Technology System Evaluation Criteria ................................... 437
The Common Criteria .................................................................................... 437
Access Control Models ................................................................................... 438
Categories of Access Controls ....................................................................... 440
Other Forms of Access Control ..................................................................... 446
Academic Access Control Models ................................................................. 447
Bell-LaPadula Confidentiality Model ........................................................... 447
Biba Integrity Model ..................................................................................... 448
Clark-Wilson Integrity Model ....................................................................... 449
Graham-Denning Access Control Model ...................................................... 450
Harrison-Ruzzo-Ullman Model ................................................................... 450
Brewer-Nash Model (Chinese Wall) ............................................................. 450
CHAPTER 9
Security Management Practices ........................................ 457
Introduction to Security Practices ................................................................ 458
Security Employment Practices .................................................................... 459
Hiring ............................................................................................................ 459
Contracts and Employment .......................................................................... 462
Security Expectations in the Performance Evaluation ................................ 462
Termination Issues ....................................................................................... 463
Personnel Security Practices ......................................................................... 464
Security of Personnel and Personal Data ..................................................... 466
Security Considerations for Temporary Employees,
Consultants, and Other Workers .................................................................. 466
Information Security Performance Measurement ..................................... 468
InfoSec Performance Management .............................................................. 469
Building the Performance Measurement Program ....................................... 471
Specifying InfoSec Measurements ................................................................ 473
Collecting InfoSec Measurements ................................................................. 473
Implementing InfoSec Performance Measurement ..................................... 478
Reporting InfoSec Performance Measurements .......................................... 479
Benchmarking ................................................................................................. 481
Standards of Due Care/Due Diligence .......................................................... 482
Recommended Security Practices ................................................................ 483
Selecting Recommended Practices ............................................................... 484
Limitations to Benchmarking and Recommended Practices ....................... 485
Baselining ..................................................................................................... 486
Support for Benchmarks and Baselines ....................................................... 487
ISO Certification ............................................................................................ 489
Additional Reading ......................................................................................... 490
Chapter Summary........................................................................................... 491
Review Questions ........................................................................................... 492
CHAPTER 10
Planning for Contingencies ................................................. 497
Introduction to Contingency Planning ......................................................... 498
Fundamentals of Contingency Planning ...................................................... 500
Components of Contingency Planning ........................................................ 504
Business Impact Analysis ............................................................................. 506
Contingency Planning Policies ...................................................................... 513
Incident Response .......................................................................................... 513
Getting Started ............................................................................................... 514
Incident Response Policy ............................................................................... 516
Incident Response Planning .......................................................................... 517
Detecting Incidents ........................................................................................ 522
Reacting to Incidents .................................................................................... 526
Recovering from Incidents ........................................................................... 530
Disaster Recovery ........................................................................................... 538
The Disaster Recovery Process ..................................................................... 540
Disaster Recovery Policy ................................................................................ 541
Disaster Classification.................................................................................... 542
Planning to Recover .......................................................................................545
Responding to the Disaster ........................................................................... 546
Simple Disaster Recovery Plan ..................................................................... 546
Business Continuity ........................................................................................ 549
Business Continuity Policy ........................................................................... 550
Continuity Strategies ..................................................................................... 552
Timing and Sequence of CP Elements .......................................................... 554
Crisis Management ......................................................................................... 556
Business Resumption ..................................................................................... 558
Testing Contingency Plans............................................................................. 558
Final Thoughts on CP.................................................................................... 560
Additional Reading ......................................................................................... 560
Chapter Summary........................................................................................... 561
Review Questions ........................................................................................... 562
CHAPTER 11
Security Maintenance ......................................................... 567
Introduction to Security Maintenance ......................................................... 568
Security Management Maintenance Models............................................... 569
NIST SP 800-100, Information Security Handbook:
A Guide for Managers ................................................................................... 569
The Security Maintenance Model ................................................................. 587
Additional Reading ......................................................................................... 614
Chapter Summary........................................................................................... 614
Review Questions ........................................................................................... 615
Exercises .......................................................................................................... 616
Closing Case ..................................................................................................... 616
Discussion Questions .................................................................................... 617
Ethical Decision Making ................................................................................ 617
Endnotes .......................................................................................................... 617
CHAPTER 12
Protection Mechanisms ...................................................... 619
Introduction to Protection Mechanisms...................................................... 620
Access Controls and Biometrics .................................................................... 622
Managing Network Security .......................................................................... 630
Firewalls ......................................................................................................... 631
Intrusion Detection and Prevention Systems .............................................. 643
Wireless Networking Protection ................................................................... 647
Scanning and Analysis Tools ......................................................................... 651
Managing Server-Based Systems with Logging ............................................ 655
Managing Security for Emerging Technologies ........................................... 660
Cryptography................................................................................................... 662
Encryption Operations ................................................................................. 664
Using Cryptographic Controls ....................................................................... 671
Managing Cryptographic Controls ............................................................... 674
Approach
This book provides a managerial approach to information security and a thorough
treatment of the secure administration of information assets. It can be used to support
information security coursework for a variety of technology students, as well as for
technology curricula aimed at business students.
Certified Information Systems Security Professional, Certified Information
Security Manager, and NIST Common Bodies of Knowledge: As the authors are
Certified Information Systems Security Professionals (CISSP) and Certified Information
Security Managers (CISM), these knowledge domains have had an influence on the
design of this textbook. With the influence of the extensive library of information
available from the Special Publications collection at the National Institute of Standards
and Technology (NIST, at csrc.nist.gov), the authors have also tapped into additional
government and industry standards for information security management. Although
this textbook is by no means a certification study guide, much of the Common Bodies
of Knowledge for the dominant industry certifications, especially in the area of
management of information security, have been integrated into the text.
Overview
Chapter 1: Introduction to the Management of Information Security
The opening chapter establishes the foundation for understanding the field of
information security by explaining the importance of information technology and
identifying who is responsible for protecting an organization's information assets.
Students learn the definition and key characteristics of information security, as well as
the differences between information security management and general management.
Features
Chapter Scenarios: Each chapter opens with a short vignette that follows the same
fictional company as it encounters various information security issues. The final part
of each chapter is a conclusion to the scenario that also offers questions to stimulate
in-class discussion. These questions give the student and the instructor an opportunity
to explore the issues that underlie the content.
View Points: An essay from an information security practitioner or academic is
included in each chapter. These sections provide a range of commentary that illustrate
interesting topics or share personal opinions, giving the student a wider, applied view
on the topics in the text.
Offline Boxes: These highlight interesting topics and detailed technical issues,
allowing the student to delve more deeply into certain topics.
Hands-On Learning: At the end of each chapter, students will find a Chapter
Summary and Review Questions as well as Exercises and Closing Case exercises,
which give them the opportunity to examine the information security arena from an
experiential perspective. Using the Exercises, students can research, analyze, and write
to reinforce learning objectives and deepen their understanding of the text. The Closing
Case exercises require that students use professional judgment, powers of observation,
and elementary research to create solutions for simple information security scenarios.
Additional Reading: Each chapter includes suggestions for reading outside resources
that might augment or extend understanding of one or more aspects of the chapter.
MindTap
MindTap for Management of Information Security is an online learning solution
designed to help students master the skills they need in today's workforce. Research
shows employers need critical thinkers, troubleshooters, and creative problem-solvers
to stay relevant in our fast-paced, technology-driven world. MindTap helps users
achieve this with assignments and activities that provide hands-on practice, real-life
relevance, and mastery of difficult concepts. Students are guided through assignments
that progress from basic knowledge and understanding to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on
exercises provide real-life application and practice. Readings and "Whiteboard Shorts"
support the lecture, while "In the News" assignments encourage students to stay current.
Pre- and post-course assessments allow you to measure how much students have
learned, using analytics and reporting that makes it easy to see where the class stands in
terms of progress, engagement, and completion rates. Use the content and learning path
as-is, or pick and choose how the material will wrap around your own. You control what
the students see and when they see it. Learn more at www.cengage.com/mindtap/.
Instructor Resources
Free to all instructors who adopt Management of Information Security, 6e, for their
courses is a complete package of instructor resources. These resources are available
from the Cengage Web site, www.cengagebrain.com. Go to the product page for this
book in the online catalog and choose "Instructor Downloads."
Resources include:
• Instructor's Manual: This manual includes course objectives and additional
information to help your instruction.
• Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text's test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an
instant; and deliver tests from your LMS, your classroom, or wherever you want.
• PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for
each chapter. These slides are meant to be used as a teaching aid for classroom
presentations, to be made available to students for chapter review, or to be printed
for classroom distribution. Instructors are also at liberty to add their own slides.
• Figure Files: Figure files allow instructors to create their own presentations using
figures taken from the text.
• Appendix: The appendix has been relocated from the bound textbook and
is available for instructor use. It describes methods for evaluating security,
including (1) NIST SP 800-26, Security Self-Assessment Guide for Information
Technology Systems, (2) ISO 17799:2005 Overview, (3) The OCTAVE Method of Risk
Management, and (4) the Microsoft Risk Management Approach.
• Lab Exercises: Each chapter includes hands-on exercises designed to reinforce
the theoretical concepts of the corresponding materials. Additional exercises and
labs are available in the MindTap enhanced edition of the textbook.
• Readings and Cases: Cengage Learning also produced two texts - Readings and
Cases in the Management of Information Security (ISBN-13: 9780619216276) and
Readings & Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576) -
by the authors, which make excellent companion texts. Contact your Cengage
Learning sales representative for more information.
• Curriculum Model for Programs of Study in Information Security: In addition
to the texts authored by this team, a curriculum model for programs of study
in Information Security and Assurance is available from the Kennesaw State
University Center for Information Security Education (http://infosec.kennesaw.edu).
This document provides details on designing and implementing security
coursework and curricula in academic institutions, as well as guidance and
lessons learned from the authors' perspective.
Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge
knowledge from the world of academic study with practical experience from the
business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in
the Information Systems Department, Coles College of Business at Kennesaw
State University, Kennesaw, Georgia, where he is also the Executive Director of
the Center for Information Security Education (infosec.kennesaw.edu). He and
Herbert Mattord are the authors of Principles of Information Security; Principles of
Incident Response and Disaster Recovery; Readings and Cases in the Management of
Information Security; Readings & Cases in Information Security: Law & Ethics; Guide
to Firewall and VPNs; Guide to Network Security; Roadmap to the Management of
Information Security; and Hands-On Information Security Lab Manual, all from
Cengage Learning. Dr. Whitman is an active researcher in Information Security
policy and planning and in Ethical Computing. He currently teaches graduate and
undergraduate courses in Information Security. He has published articles in the top
journals in his field, including Information Systems Research, the Communications
of the ACM, Information and Management, the Journal of International Business
Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing
Machinery, ISACA, (ISC)², and the Association for Information Systems. Through
his efforts and those of Dr. Mattord, his institution has been recognized by the
Department of Homeland Security and the National Security Agency as a National
Center of Academic Excellence in Information Assurance Education four times,
most recently in 2015. Dr. Whitman is also the Editor-in-Chief of the Journal
of Cybersecurity Education, Research and Practice, and he continually solicits
relevant and well-written articles of interest to faculty teaching and researching
cybersecurity topics for publication. Prior to his employment at Kennesaw State, he
taught at the University of Nevada, Las Vegas, and served over 13 years as an officer
and soldier in the U.S. Army.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as
an application developer, database administrator, project manager, and information
security practitioner in 2002. He is currently an Associate Professor of Information
Security in the Coles College of Business at Kennesaw State University. He and Michael
Whitman are the authors of Principles of Information Security; Principles of Incident
Response and Disaster Recovery; Readings and Cases in the Management of Information
Security; Guide to Network Security; and Hands-On Information Security Lab Manual,
all from Cengage Learning. During his career as an IT practitioner, Mattord has been an
adjunct professor at Kennesaw State University; Southern Polytechnic State University
in Marietta, Georgia; Austin Community College in Austin, Texas; and Texas State
University, San Marcos. He currently teaches undergraduate courses in Information
Security. He is the Assistant Chair of the Department of Information Systems and
is also an active member of the Information Systems Security Association and
Information Systems Audit and Control Association. He was formerly the Manager
of Corporate Information Technology Security at Georgia-Pacific Corporation, where
much of the practical knowledge found in this and his earlier textbooks was acquired.
Acknowledgments
The authors would like to thank their families for their support and understanding for
the many hours dedicated to this project, hours taken, in many cases, from family
activities.
Reviewers
We are indebted to the following individuals for their contributions of perceptive
feedback on the initial proposal, the project outline, and the chapter-by-chapter
reviews of the text:
• Paul D. Witman, Ph.D., Associate Professor, Information Technology
Management, California Lutheran University, School of Management, Thousand
Oaks, CA
• Michael Moorman, Ph.D., Professor of Computer Science, Department of
Computer Science and Information Systems, St. Leo University, St. Leo, FL
Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Onderdonk, Learning Designer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Product Manager
Brooke Greenhouse, Senior Content Manager
Our Commitment
The authors are committed to serving the needs of the adopters and readers. We
would be pleased and honored to receive feedback on the textbook and its supporting
materials. You can contact us at infosec@kennesaw.edu.
Foreword
By David Rowan, retired Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are
interested in a career in Information Security or have actually embarked on one. I am
thanking you because we, and by we I mean all of us, need your help.
You and I live in a world completely enabled, supported by, and allowed by
technology. In almost all practical respects, the things you and I take for granted are
created by our technology. There is technology we see and directly interact with, and
technology we don't see or are only peripherally aware of. For example, the temperature
of my home is monitored and maintained based on a smart thermostat's perception
of my daily habits and preferences. I could check it via the app or wait for an alert via
text message, but I don't; I just assume all is well, confident that I will be informed if
something goes amiss. Besides, I am more interested in reading my personal news feed ....
With respect to technology, we occupy two worlds, one of intent and realized
actions and another of services that simply seem to occur on their own. Both these
worlds are necessary, desirable, growing, and evolving. Also, both these worlds are
profoundly underpinned by one thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust
that our purchases are recorded accurately, we trust that our streaming services will
have enough bandwidth, we trust that our stock trades and bank transactions are
secure, we trust that our cars will run safely, and I trust that my home will be at the
right temperature when I walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact
that we can delegate tasks, share infrastructure, exchange ideas and information, and
buy goods and services almost seamlessly benefits us all. It is good ground worth
defending. However, the inevitable and unfortunate fact is that some among us prey
upon our trust; they will work tirelessly to disrupt, divert, or destroy our intents,
actions, comfort, well-being, information, and whatever else our technology and the
free flow of information offers.
The motives of these actors matter, but regardless of why they threaten what
technology gives us, the actions we take to safeguard it are up to us. That's why I am
glad you are reading this. We need guardians of the trust we place in technology and
the information flow it enables.
I have been in the financial industry for 35 years, and have spent the latter half of it
focused on information security and the related fields of fraud management, business
continuity, physical security, and legal and regulatory compliance. I have seen the
evolution of technology risk management from a necessary back-office function to a
board-level imperative with global implications. The bound interrelationships among
commerce, infrastructure, basic utilities, safety, and even culture exist to the extent
that providing security is now dominantly a matter of strategy and management, and
less a matter of the tools or technology de jure. There's an old saying that it's not the
tools that make a good cabinet, but the skill of the carpenter. Our tools will change and
evolve; it's how we use them that really matters.
This edition of Management of Information Security is a foundational source that
embodies the current best thinking on how to plan, govern, implement, and manage
an information security program. It is holistic and comprehensive, and provides a
path to consider all aspects of information security and to integrate security into the
fabric of the things we depend on and use. It provides specific guidance on strategy,
policy development, risk identification, personal management, organization, and
legal matters, and places them in the context of a broader ecosystem. Strategy and
management are not merely aspects of information security; they are its essence, and
this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our
world of modern conveniences. I hope you will become a part of this community.
- Atlanta, Georgia, February 2018
CHAPTER 1
INTRODUCTION TO
THE MANAGEMENT OF
INFORMATION SECURITY
Management is, above all, a practice where art, science,
and craft meet.
-HENRY MINTZBERG
One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu left
her office early one afternoon to attend a meeting of the local chapter of the Information
Systems Security Association (ISSA). She had recently been promoted from her previous
assignment at RWW as manager of information risk to become the first chief information
security officer (CISO) to be named at RWW.
This occasion marked Iris's first ISSA meeting. With a mountain of pressing matters
on her cluttered desk, Iris wasn't exactly certain why she was making it a priority to
attend this meeting. She sighed. Since her early morning wake-up, she had spent many
CHAPTER 1 Introduction to the Management of Information Security
hours in business meetings, followed by long hours at her desk working toward defining
her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from Sequential Label
and Supply (SLS), the company she used to work for. Charlie had been promoted to chief
information officer (CIO) of SLS almost a year ago.
"Hi, Charlie," she said.
"Hello, Iris," Charlie said, shaking her hand. "Congratulations on your promotion. How are
things going in your new position?"
"So far," she replied, "things are going well, I think."
Charlie noticed Iris's hesitancy. "You think?" he said. "Okay, tell me what's going on."
"Well, I'm struggling to get a consensus from the senior management team about
the problems we have," Iris explained. "I'm told that information security is a priority, but
everything is in disarray. Any ideas that I bring up are chopped to bits before they're even
taken up by senior management. There's no established policy covering our information
security needs, and it seems that we have little hope of getting one approved anytime soon.
The information security budget covers my salary plus a little bit of funding that goes toward
part of one position for a technician in the network department. The IT managers act like I'm
wasting their time, and they don't seem to take our security issues as seriously as I do. It's like
trying to drive a herd of cats!"
Charlie thought for a moment and then said, "I've got some ideas that may help. We
should talk more, but not now; the meeting is about to start. Here's my new number; call me
tomorrow and we'll get together for coffee."
Introduction to Security
Key Terms
asset An organizational resource that is being protected. An asset can be logical, such as
a Web site, software information, or data; or an asset can be physical, such as a person,
computer system, hardware, or other tangible object. Assets, particularly information assets,
are the focus of what security efforts are attempting to protect.
information asset The focus of information security; information that has value to the
organization, and the systems that store, process, and transmit the information.
information security (InfoSec) Protection of the confidentiality, integrity, and availability
of information assets, whether in storage, processing, or transmission, via the application of
policy, education, training and awareness, and technology.
security A state of being secure and free from danger or harm. In addition, the actions taken
to make someone or something secure.
The efforts in each of these areas contribute to the information security program as
a whole. This textbook derives its definition of information security from the standards
published by the Committee on National Security Systems (CNSS), formerly known
as the National Security Telecommunications and Information Systems Security
Committee (NSTISSC), chaired by the U.S. Secretary of Defense.
Information security (InfoSec) focuses on the protection of information and the
characteristics that give it value, such as confidentiality, integrity, and availability,
and includes the technology that houses and transfers that information through a
variety of protection mechanisms such as policy, training and awareness programs,
and technology. Figure 1-1 shows that InfoSec includes the broad areas of InfoSec
management (the topic of this text), computer security, data security, and network
security. The figure also shows that policy is the space where these components overlap.
[Figure residue (images not reproduced): only the labels Policy, Confidentiality, and Integrity are recoverable.]
of the 27 cells is properly addressed by each of the three communities of interest. For
example, the cell representing the intersection of the technology, integrity, and storage
criteria could include controls or safeguards addressing the use of technology to protect
the integrity of information while in storage. Such a control might consist of a host
intrusion detection and prevention system (HIDPS), for example, which would alert the
security administrators when a critical file was modified or deleted.
While the CNSS model covers the three dimensions of InfoSec, it omits any
discussion of guidelines and policies that direct the implementation of controls, which
are essential to an effective InfoSec program. Instead, the main purpose of the model is
to identify gaps in the coverage of an InfoSec program.
Another weakness of this model emerges when it is viewed from a single
perspective. For example, the HIDPS control described earlier addresses only the needs
and concerns of the InfoSec community, leaving out the needs and concerns of the
broader IT and general business communities. In practice, thorough risk reduction
requires the creation and dissemination of controls of all three types (policy, education,
and technical) by all three communities. These controls can be implemented only
through a process that includes consensus building and constructive conflict to reflect
the balancing act that each organization faces as it designs and executes an InfoSec
program. The rest of this book will elaborate on these issues.
Note
For more information on the CNSS and its training standards (known as issuances), visit the
Committee on National Security Systems Web site at www.cnss.gov, and select Directives from
the Library tab.
CHAPTER 1 Introduction to the Management of Information Security
Key Terms
accountability The access control mechanism that ensures all actions on a system,
authorized or unauthorized, can be attributed to an authenticated identity. Also known as
auditability.
authentication The access control mechanism that requires the validation and verification
of an unauthenticated entity's purported identity.
authorization The access control mechanism that represents the matching of an
authenticated entity to a list of information assets and corresponding access levels.
availability An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
C.I.A. triad The industry standard for computer security since the development of the
mainframe. The standard is based on three characteristics that describe the utility of
information: confidentiality, integrity, and availability.
confidentiality An attribute of information that describes how data is protected from
disclosure or exposure to unauthorized individuals or systems.
disclosure In information security, the intentional or unintentional exposure of an
information asset to unauthorized parties.
identification The access control mechanism whereby unverified entities who seek access to
a resource provide a label by which they are known to the system.
information aggregation The collection and combination of pieces of nonprivate data,
which could result in information that violates privacy. Not to be confused with aggregate
information.
integrity An attribute of information that describes how data is whole, complete, and
uncorrupted.
privacy In the context of information security, the right of individuals or groups
to protect themselves and their information from unauthorized access, providing
confidentiality.
To better understand the management of InfoSec, you must become familiar with
the key characteristics of information that make it valuable to an organization,
as expressed in the C.I.A. triad characteristics of confidentiality, integrity and
availability (see Figure 1-3). However, present-day needs have rendered these
characteristics inadequate on their own to conceptualize InfoSec because they
are limited in scope and cannot encompass today's constantly changing IT
environment, which calls for a more robust model. The C.I.A. triad, therefore,
has been expanded into a more comprehensive list of critical characteristics and
processes, including privacy, identification, authentication, authorization, and
accountability. These characteristics are explained in more detail in the sections
that follow.
[Figure 1-3 (image not reproduced): only the labels Services and Availability are recoverable.]
Confidentiality
Confidentiality means limiting access to information only to those who need it, and
preventing access by those who do not. When unauthorized individuals or systems
can view information, confidentiality is breached. To protect the confidentiality of
information, a number of measures are used, including:
• Information classification
• Secure document (and data) storage
• Application of general security policies
• Education of information custodians and end users
• Cryptography (encryption)
Confidentiality is closely related to privacy, another key characteristic of
information that is discussed later in this chapter. The complex relationship between
these two characteristics is examined in detail in later chapters. In an organization,
confidentiality of information is especially important for personal information about
employees, customers, or patients. People expect organizations to closely guard
such information. Whether the organization is a government agency, a commercial
enterprise, or a nonprofit charity, problems arise when organizations disclose
confidential information. Disclosure can occur either deliberately or by mistake.
For example, confidential information could be mistakenly e-mailed to someone
outside the organization rather than the intended person inside the organization. Or
perhaps an employee discards, rather than destroys, a document containing critical
information. Or maybe a hacker successfully breaks into a Web-based organization's
internal database and steals sensitive information about clients, such as names,
addresses, or credit card information.
Integrity
The integrity or completeness of information is threatened when it is exposed to
corruption, damage, destruction, or other disruption of its authentic state. Corruption
can occur while information is being entered, stored, or transmitted.
Many computer viruses and worms, for example, are designed to corrupt data.
For this reason, the key method for detecting whether a virus or worm has caused an
integrity failure to a file system is to look for changes in the file's state, as indicated
by the file's size or, in a more advanced operating system, its hash value or checksum
(discussed in Chapter 12).
File corruption is not always the result of deliberate attacks. Faulty programming
or even noise in the transmission channel or medium can cause data to lose its
integrity. For example, a low-voltage state in a signal carrying a digital bit (a 1 or 0) can
cause the receiving system to record the data incorrectly.
To compensate for internal and external threats to the integrity of information,
systems employ a variety of error-control techniques, including the use of redundancy bits
and check bits. During each transmission, algorithms, hash values, and error-correcting
codes ensure the integrity of the information. Data that has not been verified in this
manner is retransmitted or otherwise recovered. Because information is of little or no value
or use if its integrity cannot be verified, information integrity is a cornerstone of InfoSec.
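As an added illustration that is not from the textbook, the following Python script records a baseline of each file's size and SHA-256 hash and then re-checks it, the way the host intrusion detection and prevention system mentioned earlier alerts when a critical file is modified or deleted. The file names and contents are constructed for the demonstration, which also shows why size alone is an insufficient indicator of a file's state.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 65536


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex): the two indicators of a file's
    state that the text names. Read in chunks so large files are not
    loaded into memory at once."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(paths):
    """Record the trusted state of each critical file. In practice the
    baseline must be stored where the monitored host cannot alter it,
    or an intruder could simply re-baseline after tampering."""
    return {path: fingerprint(path) for path in paths}


def check_integrity(baseline):
    """Compare the current state of every baselined file with its recorded
    state and return a list of (path, finding) alerts."""
    alerts = []
    for path, (base_size, base_hash) in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "deleted"))
            continue
        size, digest = fingerprint(path)
        if digest == base_hash:
            continue  # unchanged content: the hash covers every byte
        if size == base_size:
            # A size check alone would have missed this edit.
            alerts.append((path, "modified (hash changed, size unchanged)"))
        else:
            alerts.append((path, "modified (hash and size changed)"))
    return alerts


def demo():
    """Constructed scenario: three 'critical files' are baselined, then one
    is edited in place without changing its length and one is deleted."""
    workdir = Path(tempfile.mkdtemp())
    hosts = workdir / "hosts"
    config = workdir / "app.cfg"
    readme = workdir / "readme.txt"
    hosts.write_text("127.0.0.1 localhost\n")
    config.write_text("debug=0\n")
    readme.write_text("unchanged\n")

    baseline = build_baseline([str(hosts), str(config), str(readme)])

    config.write_text("debug=1\n")  # same length, different content
    hosts.unlink()                   # critical file removed

    return check_integrity(baseline)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"ALERT {finding}: {path}")
```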
Availability
Availability of information means that users, either people or other systems, have access
to it in a usable format. Availability does not imply that the information is accessible to
any user; rather, it means it can be accessed when needed by authorized users.
To understand this concept more fully, consider the contents of a library- in
particular, research libraries that require identification for access to the library as a
whole or to certain collections. Library patrons must present the required identification
before accessing the collection. Once they are granted access, patrons expect to be able
to locate and access resources in the appropriate languages and formats.
Privacy
Information that is collected, used, and stored by an organization should be used only
for the purposes stated by the data owner at the time it was collected. In this context,
privacy does not mean freedom from observation (the meaning usually associated
with the word); it means that the information will be used only in ways approved
by the person who provided it. Many organizations collect, swap, and sell personal
information as a commodity. Today, it is possible to collect and combine personal
information from several different sources (known as information aggregation),
which has resulted in databases that could be used in ways the original data owner
has not agreed to or even knows about.
Many people have become aware of these practices and are looking to the
government to protect their information's privacy.
Identification
An information system possesses the characteristic of identification when it is
able to recognize individual users. Identification is the first step in gaining access to
secured material, and it serves as the foundation for subsequent authentication and
authorization. Identification and authentication are essential to establishing the level
of access or authorization that an individual is granted. Identification is typically
performed by means of a user name or other ID.
Authentication
Authentication is the process by which a control establishes whether a user (or
system) is the entity it claims to be. Examples include the use of cryptographic
certificates to establish Secure Sockets Layer (SSL) connections as well as the use of
cryptographic hardware devices, for example, hardware tokens such as RSA's SecurID.
Individual users may disclose a personal identification number (PIN), a password, or a
passphrase to authenticate their identities to a computer system.
Authorization
After the identity of a user is authenticated, a process called authorization defines
what the user (whether a person or a computer) has been specifically and explicitly
authorized by the proper authority to do, such as access, modify, or delete the
contents of an information asset. An example of authorization is the activation and
use of access control lists and authorization groups in a networking environment.
Another example is a database authorization scheme to verify that the user of an
application is authorized for specific functions, such as reading, writing, creating,
and deleting.
Accountability
Accountability of information occurs when a control provides assurance that every
activity undertaken can be attributed to a named person or automated process.
For example, audit logs that track user activity on an information system provide
accountability.
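The four mechanisms just defined are easiest to see in sequence. The following Python model, added here and not taken from the textbook, identifies a user by name, authenticates a password against a salted PBKDF2 hash, authorizes the requested operation against a per-asset access control list, and records every attempt, whatever its outcome, in an audit log. The user names, passwords, and asset name are constructed for the demonstration.

```python
import hashlib
import hmac
import os


class AccessControl:
    """Toy model of the four access control mechanisms defined above."""

    def __init__(self):
        self._users = {}     # identification: user name -> (salt, password hash)
        self._acl = {}       # authorization: asset -> {user name: allowed operations}
        self.audit_log = []  # accountability: one record per attempt, any outcome

    @staticmethod
    def _hash(password, salt):
        # Salted, iterated hash so stored credentials are not recoverable
        # by a simple lookup if the credential store is disclosed.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(password, salt))

    def grant(self, asset, name, operations):
        self._acl.setdefault(asset, {})[name] = set(operations)

    def identify(self, name):
        """Identification: is the label the requester supplied known to the system?"""
        return name in self._users

    def authenticate(self, name, password):
        """Authentication: does the requester hold the secret for that identity?
        compare_digest keeps the comparison time independent of where the
        two hashes first differ."""
        salt, stored = self._users[name]
        return hmac.compare_digest(self._hash(password, salt), stored)

    def authorize(self, name, asset, operation):
        """Authorization: is the authenticated identity listed for this operation
        on this asset? Anything not explicitly granted is denied."""
        return operation in self._acl.get(asset, {}).get(name, set())

    def request(self, name, password, asset, operation):
        """Run the mechanisms in order and log the outcome. A failed step stops
        the sequence but is still recorded, so unauthorized attempts are
        attributable as well as authorized ones."""
        if not self.identify(name):
            outcome = "unknown identity"
        elif not self.authenticate(name, password):
            outcome = "authentication failed"
        elif not self.authorize(name, asset, operation):
            outcome = "denied"
        else:
            outcome = "allowed"
        self.audit_log.append(
            {"user": name, "asset": asset, "operation": operation, "outcome": outcome}
        )
        return outcome


def demo():
    """Constructed users, passwords, and asset; returns (outcomes, audit log)."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple")
    ac.add_user("bob", "hunter2")
    ac.grant("customer_db", "alice", ["read", "write"])
    ac.grant("customer_db", "bob", ["read"])
    outcomes = [
        ac.request("alice", "correct horse battery staple", "customer_db", "write"),
        ac.request("bob", "hunter2", "customer_db", "delete"),
        ac.request("bob", "wrong password", "customer_db", "read"),
        ac.request("mallory", "anything", "customer_db", "read"),
    ]
    return outcomes, ac.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```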
Around 500 BC, the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise
that emphasizes the importance of knowing yourself as well as the threats you face.
Therefore I say: One who knows the enemy and knows himself will not be in danger
in a hundred battles.
One who does not know the enemy but knows himself will sometimes win, sometimes
lose. One who does not know the enemy and does not know himself will be in danger
in every battle. i
To protect your organization's information, you must: (1) know yourself; that
is, be familiar with the information assets to be protected, their inherent flaws
and vulnerabilities, and the systems, mechanisms, and methods used to store,
transport, process, and protect them; and (2) know the threats you face. To make
sound decisions about information security, management must be informed about
the various threats to an organization's people, applications, data, and information
systems. As illustrated in Figure 1-4, a threat represents a potential risk to an
information asset, whereas an attack, sometimes called a threat event, represents
an ongoing act against the asset that could result in a loss. Threat agents damage
or steal an organization's information or physical assets by using exploits to take
advantage of a vulnerability where controls are not present or no longer effective.
Unlike threats, which are always present, attacks exist only when a specific act may
cause a loss. For example, the threat of damage from a thunderstorm is present
throughout the summer in many places, but an attack and its associated risk of
loss exist only for the duration of an actual thunderstorm. The following sections
discuss each of the major types of threats and corresponding attacks facing modern
information assets.
[Figure 1-4 (image not reproduced). Vulnerability: SQL injection in online database Web interface. Threat: Theft. Threat agent: Ima Hacker. Attack: Ima Hacker downloads exploit from MadHackz Web site, then accesses HAL Inc.'s Web site and applies script, resulting in Loss: download of customer data.]
To investigate the wide range of threats that pervade the interconnected world,
many researchers have collected information on threats and attacks from practicing
information security personnel and their organizations. While the categorizations may
vary, threats are relatively well researched and fairly well understood.
There is wide agreement that the threat from external sources increases when
an organization connects to the Internet. The number of Internet users continues to
grow; almost exactly half (49.7 percent) of the world's 7.52 billion people had some form
of Internet access as of mid-2017. Therefore, a typical organization with an online
connection to its systems and information faces more than 3.7 billion potential hackers.
Note
For more information on world Internet use, visit the Internet World Stats: Usage and
Population Statistics site at www.internetworldstats.com/stats.htm.
Key Terms
intellectual property (IP) The creation, ownership, and control of original ideas as well as
the representation of those ideas.
software piracy The unauthorized duplication, installation, or distribution of copyrighted
computer software, which is a violation of intellectual property.
this process compromises personal privacy because they never know exactly what
information is obtained from their computers and sent to the software manufacturer.
Intellectual property losses may result from the successful exploitation of
vulnerabilities in asset protection controls. Many of the threats against these controls
are described in this chapter.
Note
For more information on software piracy and intellectual property protection, visit the
Software & Information Industry Association (SIIA) Web site at www.siia.net and the Business
Software Alliance (BSA) Web site at www.bsa.org. SIIA is the organization formerly known as
the Software Publishers Association.
Key Terms
availability disruption An interruption in service, usually from a service provider, which
causes an adverse event within an organization.
blackout A long-term interruption (outage) in electrical power availability.
brownout A long-term decrease in the quality of electrical power availability.
fault A short-term interruption in electrical power availability.
noise The presence of additional and disruptive signals in network communications or
electrical power delivery.
sag A short-term decrease in electrical power availability.
service level agreement (SLA) A document or part of a document that specifies the
expected level of service from a service provider. An SLA usually contains provisions for
minimum acceptable availability and penalties or remediation procedures for downtime.
spike A short-term increase in electrical power availability, also known as a swell.
surge A long-term increase in electrical power availability.
provider may be online and in service, but may be able to supply only a fraction of
the bandwidth the organization needs for full service. This degradation of service is
a form of availability disruption. Irregularities in Internet service, communications,
and power supplies can dramatically affect the availability of information and systems.
Subcategories of this threat include the following:
• Internet service issues: In organizations that rely heavily on the Internet
and the Web to support continued operations, ISP failures can considerably
undermine the availability of information. Many organizations have
sales staff and telecommuters working at remote locations. When these
offsite employees cannot contact the host systems, they must use manual
procedures to continue operations. When an organization places its Web
servers in the care of a Web hosting provider, that provider assumes
responsibility for all Internet services and for the hardware and operating
system software used to operate the Web site. These Web hosting services
are usually arranged with a service level agreement (SLA). When a service
provider fails to meet the terms of the SLA, the provider may accrue fines
to cover losses incurred by the client, but these payments seldom cover the
losses generated by the outage.
• Communications and other service provider issues: Other utility services can
affect organizations as well. Among these are telephone, water, wastewater,
trash pickup, cable television, natural or propane gas, and custodial services.
The loss of these services can impair the ability of an organization to function.
For instance, most facilities require water service to operate an air-conditioning
system. Even in Minnesota in February, air-conditioning systems help keep a
modern facility operating. If a wastewater system fails, an organization might
be prevented from allowing employees into the building. While several online
utilities allow an organization to compare pricing options from various service
providers, only a few show a comparative analysis of availability or downtime.
• Power irregularities: Irregularities from power utilities are common and can
lead to fluctuations such as power excesses, power shortages, and power
losses. These fluctuations can pose problems for organizations that provide
inadequately conditioned power for their information systems equipment.
In the United States, residential users are supplied 120-volt, 60-cycle power,
usually through 15- and 20-amp circuits. Commercial buildings often have
240-volt service and may also have specialized power distribution infrastructure.
When power voltage levels vary from normal, expected levels, such as during
a blackout, brownout, fault, noise, spike, surge, or sag, an organization's
sensitive electronic equipment (especially networking equipment, computers,
and computer-based systems, which are vulnerable to fluctuations) can be
easily damaged or destroyed. Most good uninterruptible power supplies (UPS)
can protect against spikes, surges, and sags, and even brownouts and blackouts
of limited duration.
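The SLA check that the Internet service issues item above implies, as an added example that is not from the textbook: given a month of provider outage records, compute achieved availability, compare it with the contracted target, and work out the credit owed. The incident log, the 30-day billing period, the 99.9 percent target, the fee and the credit terms are all constructed for the example. The detail it adds to the text is that two tickets for one outage overlap in time and must be merged, or the provider is charged for the same minutes twice.

```python
"""
Added example (not textbook code): monthly availability against an SLA target,
with overlapping incident records merged before counting downtime.
"""
from datetime import datetime

PERIOD_START = datetime(2017, 6, 1)   # constructed 30-day billing period
PERIOD_END = datetime(2017, 7, 1)

# Constructed incident log: (start, end) as ISO 8601 timestamps.
# The second record overlaps the first (two tickets raised for one outage).
OUTAGES = [
    ("2017-06-03T02:10:00", "2017-06-03T02:55:00"),
    ("2017-06-03T02:40:00", "2017-06-03T03:20:00"),
    ("2017-06-17T14:00:00", "2017-06-17T14:30:00"),
]


def parse(outages):
    return [(datetime.fromisoformat(s), datetime.fromisoformat(e)) for s, e in outages]


def merge_intervals(intervals):
    """Coalesce overlapping or touching intervals so no second is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def naive_downtime_seconds(outages):
    """What a straight sum of ticket durations reports (double counts the overlap)."""
    return sum((e - s).total_seconds() for s, e in parse(outages))


def downtime_seconds(outages, period_start, period_end):
    """Merged downtime, clipped to the billing period."""
    total = 0.0
    for start, end in merge_intervals(parse(outages)):
        start, end = max(start, period_start), min(end, period_end)
        if end > start:
            total += (end - start).total_seconds()
    return total


def availability_pct(outages, period_start, period_end):
    period = (period_end - period_start).total_seconds()
    down = downtime_seconds(outages, period_start, period_end)
    return round(100.0 * (1.0 - down / period), 4)


def sla_check(outages, period_start, period_end, target_pct, monthly_fee, credit_pct):
    """Report achieved availability, the downtime the SLA allowed, and any credit due."""
    period = (period_end - period_start).total_seconds()
    achieved = availability_pct(outages, period_start, period_end)
    met = achieved >= target_pct
    return {
        "availability_pct": achieved,
        "downtime_s": downtime_seconds(outages, period_start, period_end),
        "allowed_downtime_s": period * (1.0 - target_pct / 100.0),
        "met": met,
        "credit": 0.0 if met else monthly_fee * credit_pct / 100.0,
    }


if __name__ == "__main__":
    report = sla_check(OUTAGES, PERIOD_START, PERIOD_END, 99.9, 5000.0, 10.0)
    print(f"naive downtime: {naive_downtime_seconds(OUTAGES):.0f} s, "
          f"merged downtime: {report['downtime_s']:.0f} s")
    for key, value in report.items():
        print(f"{key}: {value}")
```

With these figures the provider delivered about 99.77 percent against a 99.9 percent target (43.2 minutes allowed, 100 minutes lost), so the 10 percent credit applies; the point the text makes still holds, since a 500-unit credit on a 5,000-unit fee says nothing about what the outage cost the client.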
Espionage or Trespass
Key Terms
advanced persistent threat (APT) A collection of processes, usually directed by a human
agent, that targets a specific organization or individual.
brute force password attack An attempt to guess a password by attempting every possible
combination of characters and numbers in it.
competitive intelligence The collection and analysis of information about an organization's
business competitors through legal and ethical means to gain business intelligence and
competitive advantage.
cracker A hacker who intentionally removes or bypasses software copyright protection
designed to prevent unauthorized duplication or use.
cracking Attempting to reverse-engineer, remove, or bypass a password or other access
control protection, such as the copyright protection on software. See also cracker.
dictionary password attack A variation of the brute force password attack that attempts to
narrow the range of possible passwords guessed by using a list of common passwords and
possibly including attempts based on the target's personal information.
expert hacker A hacker who uses extensive knowledge of the inner workings of computer
hardware and software to gain unauthorized access to systems and information. Also known
as elite hackers, expert hackers often create automated exploits, scripts, and tools used by
other hackers.
hacker A person who accesses systems and information without authorization and often illegally.
industrial espionage The collection and analysis of information about an organization's
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage. Also known as corporate spying, which is distinguished from espionage for
national security reasons.
jailbreaking Escalating privileges to gain administrator-level control over a smartphone
operating system (typically associated with Apple iOS smartphones). See also rooting.
novice hacker A relatively unskilled hacker who uses the work of expert hackers to perform
attacks. Also known as a neophyte, n00b, or newbie. This category of hackers includes script
kiddies and packet monkeys.
packet monkey A script kiddie who uses automated exploits to engage in denial-of-service
attacks.
penetration tester An information security professional with authorization to attempt to
gain system access in an effort to identify and recommend resolutions for vulnerabilities in
those systems.
phreaker A hacker who manipulates the public telephone system to make free calls or
disrupt services.
entered. Failure to do so constitutes not only a breach of etiquette, but also an affront
to privacy and a threat to the security of confidential information.
Hackers
Acts of trespass can lead to unauthorized real or virtual actions that enable
information gatherers to enter premises or systems without permission. Controls
sometimes mark the boundaries of an organization's virtual territory. These boundaries
give notice to trespassers that they are encroaching on the organization's cyberspace.
Sound principles of authentication and authorization can help organizations protect
valuable information and systems. These control methods and technologies employ
multiple layers or factors to protect against unauthorized access and trespass.
The classic perpetrator of espionage or trespass is the hacker, who is frequently
glamorized in fictional accounts as a person who stealthily manipulates a maze of
computer networks, systems, and data to find information that solves the mystery
and heroically saves the day. However, the true life of the hacker is far more mundane.
In the real world, a hacker frequently spends long hours examining the types and
structures of targeted systems and uses skill, guile, and/or fraud to attempt to bypass
controls placed on information owned by someone else.
Hackers possess a wide range of skill levels, as with most technology users.
However, most hackers are grouped into two general categories- the expert hacker
and the novice hacker:
• The expert hacker is usually a master of several programming languages,
networking protocols, and operating systems, and exhibits a mastery of the
technical environment of the chosen targeted system. Once an expert hacker
chooses a target system, the likelihood is high that he or she will successfully
enter the system. Fortunately for the many poorly protected organizations in the
world, there are substantially fewer expert hackers than novice hackers.
A new category of expert hacker has emerged over the last decade. The
professional hacker seeks to conduct attacks for personal benefit or the
benefit of an employer, which is typically a crime organization or government-
sponsored operation (see the section on cyberterrorism). The professional hacker
should not be confused with the penetration tester, who has authorization
from an organization to test its information systems and network defense, and
is expected to provide detailed reports of the findings. The primary differences
between professional hackers and penetration testers are the authorization
provided and the ethical professionalism displayed.
A recently emerged method of precisely targeted attacks against organizations
is known as an advanced persistent threat (APT). These attacks usually combine
social engineering, spear phishing, and customized malware generated by
nation-state sponsored organizations or sophisticated criminal operations. In
many cases, they seek to exfiltrate high-value information for economic
espionage or to support attacks against national security.