MANAGEMENT OF
INFORMATION SECURITY

Sixth Edition

Michael E. Whitman
Herbert J. Mattord

Australia • Brazil • Mexico • Singapore • United Kingdom • United States
This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content
may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the
overall learning experience. The publisher reserves the right to remove content from this title at any time if
subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to
current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author,
title, or keyword for materials in your areas of interest.

Important Notice: Media content referenced within the product description or the product text may not be
available in the eBook version.
Management of Information Security, Sixth Edition
Michael E. Whitman, Herbert J. Mattord

SVP, GM Skills: Jonathan Lau
Product Director: Lauren Murphy
Product Team Manager: Kristin McNary
Product Manager: Amy Savino
Product Assistant: Jake Toth
Executive Director, Content Design: Marah Bellegarde
Director, Learning Design: Leigh Hefferon
Learning Designer: Natalie Onderdonk
Sr. Marketing Director: Michele McTighe
Assoc. Marketing Manager: Cassie Cloutier
Director, Content Delivery: Patty Stephan
Sr. Content Manager: Brooke Greenhouse
Digital Delivery Lead: Jim Vaughey
Senior Designer: Diana H. Graham
Production Service/Composition: SPi Global
Cover image: iStockPhoto.com/ValeryBrozhinsky

© 2019, 2017, 2014, 2010 Cengage Learning, Inc.
Unless otherwise noted, all content is © Cengage.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed
in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission
of the copyright owner.

SOURCE FOR ILLUSTRATIONS: Copyright © Cengage. Screenshots are © Microsoft Corporation unless otherwise noted.

For product information and technology assistance, contact us at Cengage Customer & Sales Support,
1-800-354-9706 or support.cengage.com.

For permission to use material from this text or product, submit all requests online at
www.cengage.com/permissions.

Library of Congress Control Number: 2018936035

ISBN: 978-1-337-40571-3

Cengage
20 Channel Center Street
Boston, MA 02210
USA

Cengage is a leading provider of customized learning solutions with employees residing in nearly 40 different
countries and sales in more than 125 countries around the world. Find your local representative at
www.cengage.com.

Cengage products are represented in Canada by Nelson Education, Ltd.

To learn more about Cengage platforms and services, visit www.cengage.com.

To register or access your online learning solution or purchase materials for your course, visit
www.cengagebrain.com.

Notice to the Reader

Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis
in connection with any of the product information contained herein. Publisher does not assume, and expressly
disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer.
The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities
described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly
assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any
kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any
such representations implied with respect to the material set forth herein, and the publisher takes no responsibility
with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages
resulting, in whole or part, from the readers' use of, or reliance upon, this material.

Printed in the United States of America


Print Number: 01 Print Year: 2018
Brief Contents
PREFACE ....................................................................................................... xv

CHAPTER 1
Introduction to the Management of Information Security ..................... 1

CHAPTER 2
Compliance: Law and Ethics ...................................................................... 63

CHAPTER 3
Governance and Strategic Planning for Security .................................. 123

CHAPTER 4
Information Security Policy ..................................................................... 169

CHAPTER 5
Developing the Security Program ........................................................... 219

CHAPTER 6
Risk Management: Assessing Risk .......................................................... 303

CHAPTER 7
Risk Management: Treating Risk ............................................................ 365

CHAPTER 8
Security Management Models ................................................................ 411

CHAPTER 9
Security Management Practices ............................................................. 457

CHAPTER 10
Planning for Contingencies ...................................................................... 497

CHAPTER 11
Security Maintenance .............................................................................. 567

CHAPTER 12
Protection Mechanisms ........................................................................... 619

GLOSSARY .................................................................................................. 683

INDEX .......................................................................................................... 709
Table of Contents
PREFACE ....................................................................................................... xv

CHAPTER 1
Introduction to the Management
of Information Security........................................................... 1
Introduction to Security ......................................................................................2
CNSS Security Model ........................................................................................ 5
The Value of Information and the C.I.A. Triad ................................................. 7
Key Concepts of Information Security: Threats and Attacks ....................... 11
The 12 Categories of Threats ............................................................................ 13
Management and Leadership ..........................................................................45
Behavioral Types of Leaders ........................................................................... 46
Management Characteristics .......................................................................... 47
Governance ..................................................................................................... 50
Solving Problems ............................................................................................ 50
Principles of Information Security Management ........................................... 52
Planning .......................................................................................................... 53
Policy ............................................................................................................... 54
Programs ......................................................................................................... 55
Protection ........................................................................................................ 55
People .............................................................................................................. 55
Projects ............................................................................................................ 55
Additional Reading ............................................................................................57
Chapter Summary.............................................................................................. 57
Review Questions .............................................................................................. 58
Exercises ............................................................................................................. 59
Closing Case........................................................................................................60
Discussion Questions ..................................................................................... 60
Ethical Decision Making ................................................................................. 60
Endnotes .............................................................................................................61
CHAPTER 2
Compliance: Law and Ethics ................................................. 63
Introduction to Law and Ethics ........................................................................64
Ethics in InfoSec .................................................................................................66
Ethics and Education ...................................................................................... 70
Deterring Unethical and Illegal Behavior ....................................................... 72
Professional Organizations and Their Codes of Conduct ............................. 74
Association for Computing Machinery (ACM) ............................................... 74
International Information Systems Security Certification Consortium,
Inc. (ISC)² ..........................................................................................................75
SANS ................................................................................................................75
Information Systems Audit and Control Association (ISACA) ....................... 76
Information Systems Security Association (ISSA) ......................................... 77
Information Security and Law..........................................................................78
Types of Law ................................................................................................... 78
Relevant U.S. Laws .......................................................................................... 79
International Laws and Legal Bodies ............................................................. 95
State and Local Regulations ............................................................................ 97
Standards Versus Law .................................................................................... 101
Policy Versus Law ......................................................................................... 104
Organizational Liability and the Management of Digital Forensics ......... 104
Key Law Enforcement Agencies ....................................................................105
Managing Digital Forensics .......................................................................... 109
Additional Reading ......................................................................................... 117
Chapter Summary........................................................................................... 117
Review Questions ........................................................................................... 118
Exercises .......................................................................................................... 119
Closing Case ..................................................................................................... 120
Discussion Questions ....................................................................................120
Ethical Decision Making ................................................................................120
Endnotes .......................................................................................................... 120
CHAPTER 3
Governance and Strategic Planning for Security ............. 123
The Role of Planning....................................................................................... 125
Precursors to Planning................................................................................... 127
Strategic Planning ........................................................................................... 129
Creating a Strategic Plan .................................................................................131
Planning Levels .............................................................................................. 132
Planning and the CISO ................................................................................... 133
Information Security Governance ................................................................ 135
The ITGI Approach to Information Security Governance ............................. 136
NCSP Industry Framework for Information Security Governance ............... 138
CERT Governing for Enterprise Security Implementation ........................... 140
ISO/IEC 27014: 2013 Governance of Information Security .............................. 143
Security Convergence .................................................................................... 145
Planning for Information Security Implementation ................................... 147
Implementing the Security Program using the SecSDLC.............................. 154
Additional Reading ......................................................................................... 163
Chapter Summary........................................................................................... 164
Review Questions ........................................................................................... 165
Exercises .......................................................................................................... 165
Closing Case ..................................................................................................... 166
Discussion Questions .................................................................................... 167
Ethical Decision Making ................................................................................ 167
Endnotes .......................................................................................................... 167
CHAPTER 4
Information Security Policy ................................................ 169
Why Policy? ...................................................................................................... 170
Policy, Standards, and Practices .................................................................... 175
Enterprise Information Security Policy ........................................................ 177
Integrating an Organization's Mission and Objectives into the EISP ........... 178
EISP Elements ................................................................................................ 178
Example EISP Elements ................................................................................ 180
Issue-Specific Security Policy ......................................................................... 183
Elements of the ISSP ...................................................................................... 185
Implementing the ISSP .................................................................................. 188
System-Specific Security Policy ..................................................................... 190
Managerial Guidance SysSPs ......................................................................... 191
Technical Specification SysSPs ...................................................................... 192
Guidelines for Effective Policy Development and Implementation ......... 197
Developing Information Security Policy ....................................................... 197
Policy Distribution .........................................................................................198
Policy Reading ................................................................................................199
Policy Comprehension ...................................................................................199
Policy Compliance ........................................................................................ 200
Policy Enforcement ........................................................................................ 201
Policy Development and Implementation Using the SDLC .......................... 201
Software Support for Policy Administration ................................................ 206
Other Approaches to Information Security Policy Development ................ 207
SP 800-18, Rev. 1: Guide for Developing Security Plans
for Federal Information Systems .................................................................. 209
A Final Note on Policy..................................................................................... 212
Additional Reading ......................................................................................... 213
Chapter Summary........................................................................................... 214
Review Questions ........................................................................................... 215
Exercises .......................................................................................................... 216
Closing Case ..................................................................................................... 217
Discussion Questions .................................................................................... 217
Ethical Decision Making ................................................................................ 217
Endnotes .......................................................................................................... 218
CHAPTER 5
Developing the Security Program ...................................... 219
Organizing for Security .................................................................................. 220
Security in Large Organizations .................................................................... 225
Security in Medium-Sized Organizations ..................................................... 228
Security in Small Organizations .................................................................... 229
Placing Information Security Within an Organization ............................... 230
Components of the Security Program .......................................................... 241
Staffing the Security Function ...................................................................... 244
Information Security Professional Credentials ............................................. 254
Entering the Information Security Profession .............................................. 265
Implementing Security Education, Training, and Awareness
(SETA) Programs .............................................................................................. 267
Security Education ........................................................................................ 269
Security Training ........................................................................................... 271
Security Awareness ....................................................................................... 278
Project Management in Information Security ............................................ 286
Projects Versus Processes ............................................................................. 286
Organizational Support for Project Management ........................................ 288
PMBOK Knowledge Areas ............................................................................. 289
Project Management Tools ............................................................................ 292
Additional Reading ......................................................................................... 296
Chapter Summary........................................................................................... 297
Review Questions ........................................................................................... 298
Exercises .......................................................................................................... 299
Closing Case ..................................................................................................... 299
Discussion Questions ................................................................................... 299
Ethical Decision Making ............................................................................... 300
Endnotes .......................................................................................................... 300

CHAPTER 6
Risk Management: Assessing Risk ..................................... 303
Introduction to the Management of Risk
in Information Security .................................................................................. 304
Knowing Yourself and Knowing the Enemy ................................................ 305
The Information Security Risk Management Framework ........................... 305
Roles of Communities of Interest in Managing Risk ................................... 308
Executive Governance and Support ............................................................. 308
Framework Design ......................................................................................... 312
Framework Implementation ......................................................................... 315
Framework Monitoring and Review ............................................................. 315
Continuous Improvement ............................................................................. 316
The Risk Management Process ..................................................................... 316
RM Process Preparation-Establishing the Context ...................................... 317
Risk Assessment: Risk Identification ............................................................ 319
Risk Assessment: Risk Analysis .................................................................... 343
Risk Evaluation .............................................................................................. 355
Risk Treatment/Risk Control .........................................................................359
Process Communications, Monitoring, and Review .....................................359
Additional Reading ......................................................................................... 359
Chapter Summary........................................................................................... 360
Review Questions ........................................................................................... 361
Exercises .......................................................................................................... 361
Closing Case ..................................................................................................... 362
Discussion Questions .................................................................................... 362
Ethical Decision Making ................................................................................362
Endnotes .......................................................................................................... 363

CHAPTER 7
Risk Management: Treating Risk ....................................... 365
Introduction to Risk Treatment .................................................................... 366
Risk Treatment Strategies ............................................................................. 368
Managing Risk ................................................................................................. 374
Feasibility and Cost-Benefit Analysis ............................................................ 379
Other Methods of Establishing Feasibility ....................................................387
Alternatives to Feasibility Analysis .............................................................. 389
Recommended Alternative Risk Treatment Practices ...................................392
Alternative Risk Management Methodologies............................................ 393
The OCTAVE Methods ....................................................................................393
Microsoft Risk Management Approach ........................................................ 394
FAIR ................................................................................................................ 395
ISO Standards for InfoSec Risk Management ............................................... 397
NIST Risk Management Framework (RMF) .................................................. 399
Other Methods .............................................................................................. 403
Selecting the Best Risk Management Model ................................................ 404
Additional Reading ......................................................................................... 405
Chapter Summary........................................................................................... 405
Review Questions ........................................................................................... 406
Exercises .......................................................................................................... 407
Closing Case ..................................................................................................... 408
Discussion Questions ................................................................................... 409
Ethical Decision Making ............................................................................... 409
Endnotes .......................................................................................................... 409

CHAPTER 8
Security Management Models ............................................ 411
Introduction to Blueprints, Frameworks,
and Security Models ....................................................................................... 412
Security Management Models ...................................................................... 414
The ISO 27000 Series ..................................................................................... 414
NIST Security Publications ........................................................................... 420
Control Objectives for Information and Related Technology ...................... 428
Committee of Sponsoring Organizations ..................................................... 430
Information Technology Infrastructure Library ............................................ 431
Information Security Governance Framework ............................................. 431
Security Architecture Models ........................................................................ 434
TCSEC and the Trusted Computing Base ...................................................... 434
Information Technology System Evaluation Criteria ................................... 437
The Common Criteria .................................................................................... 437
Access Control Models ................................................................................... 438
Categories of Access Controls ....................................................................... 440
Other Forms of Access Control ..................................................................... 446
Academic Access Control Models ................................................................. 447
Bell-LaPadula Confidentiality Model ........................................................... 447
Biba Integrity Model ..................................................................................... 448
Clark-Wilson Integrity Model ....................................................................... 449
Graham-Denning Access Control Model ...................................................... 450
Harrison-Ruzzo-Ullman Model ................................................................... 450
Brewer-Nash Model (Chinese Wall) ............................................................. 450
Additional Reading ......................................................................................... 451
Chapter Summary........................................................................................... 451
Review Questions ........................................................................................... 452
Exercises .......................................................................................................... 453
Closing Case ..................................................................................................... 453
Discussion Questions .................................................................................... 453
Ethical Decision Making ............................................................................... 454
Endnotes .......................................................................................................... 454

CHAPTER 9
Security Management Practices ........................................ 457
Introduction to Security Practices ................................................................ 458
Security Employment Practices .................................................................... 459
H1nng ............................................................................................................ 459
Contracts and Employment .......................................................................... 462
Security Expectations in the Performance Evaluation ................................ 462
Termination Issues ....................................................................................... 463
Personnel Security Practices ......................................................................... 464
Security of Personnel and Personal Data ..................................................... 466
Security Considerations for Tem porary Employees,
Consultants, and Other Workers .................................................................. 466
Information Security Performance Measurement ..................................... 468
InfoSec Performance Management .............................................................. 469
Building the Performance Measurement Program ....................................... 471
Specifying InfoSec Measurements ................................................................ 473
Collecting lnfoSec Measurements ................................................................. 473
Implementing InfoSec Performance Measurement ..................................... 478
Reporting InfoSec Performance Measurements .......................................... 479
Benchmarking ................................................................................................. 481
Standards of Due Care/Due Diligence .......................................................... 482
Recommended Security Practices ................................................................ 483
Selecting Recommended Practices ............................................................... 484
Limitations to Benchmarking and Recommended Practices ....................... 485
Baselining ..................................................................................................... 486
Support for Benchmarks and Baselines ....................................................... 487
ISO Certification ............................................................................................ 489
Additional Reading ......................................................................................... 490
Chapter Summary........................................................................................... 491
Review Questions ........................................................................................... 492
xii Table of Contents

Exercises .......................................................................................................... 493
Closing Case ..................................................................................................... 493
Discussion Questions ................................................................................... 493
Ethical Decision Making ............................................................................... 493
Endnotes .......................................................................................................... 494

CHAPTER 10
Planning for Contingencies ................................................. 497
Introduction to Contingency Planning ......................................................... 498
Fundamentals of Contingency Planning ...................................................... 500
Components of Contingency Planning ........................................................ 504
Business Impact Analysis ............................................................................. 506
Contingency Planning Policies ...................................................................... 513
Incident Response .......................................................................................... 513
Getting Started ............................................................................................... 514
Incident Response Policy ............................................................................... 516
Incident Response Planning .......................................................................... 517
Detecting Incidents ........................................................................................ 522
Reacting to Incidents .................................................................................... 526
Recovering from Incidents ........................................................................... 530
Disaster Recovery ........................................................................................... 538
The Disaster Recovery Process ..................................................................... 540
Disaster Recovery Policy ................................................................................ 541
Disaster Classification.................................................................................... 542
Planning to Recover .......................................................................................545
Responding to the Disaster ........................................................................... 546
Simple Disaster Recovery Plan ..................................................................... 546
Business Continuity ........................................................................................ 549
Business Continuity Policy ........................................................................... 550
Continuity Strategies ..................................................................................... 552
Timing and Sequence of CP Elements .......................................................... 554
Crisis Management ......................................................................................... 556
Business Resumption ..................................................................................... 558
Testing Contingency Plans............................................................................. 558
Final Thoughts on CP.................................................................................... 560
Additional Reading ......................................................................................... 560
Chapter Summary........................................................................................... 561
Review Questions ........................................................................................... 562
Exercises .......................................................................................................... 563
Closing Case ..................................................................................................... 563
Discussion Questions ................................................................................... 564
Ethical Decision Making ............................................................................... 564
Endnotes .......................................................................................................... 564

CHAPTER 11
Security Maintenance ......................................................... 567
Introduction to Security Maintenance ......................................................... 568
Security Management Maintenance Models............................................... 569
NIST SP 800-100, Information Security Handbook:
A Guide for Managers ................................................................................... 569
The Security Maintenance Model ................................................................. 587
Additional Reading ......................................................................................... 614
Chapter Summary........................................................................................... 614
Review Questions ........................................................................................... 615
Exercises .......................................................................................................... 616
Closing Case ..................................................................................................... 616
Discussion Questions .................................................................................... 617
Ethical Decision Making ................................................................................ 617
Endnotes .......................................................................................................... 617

CHAPTER 12
Protection Mechanisms ...................................................... 619
Introduction to Protection Mechanisms...................................................... 620
Access Controls and Biometrics .................................................................... 622
Managing Network Security .......................................................................... 630
Firewalls ......................................................................................................... 631
Intrusion Detection and Prevention Systems .............................................. 643
Wireless Networking Protection ................................................................... 647
Scanning and Analysis Tools ......................................................................... 651
Managing Server-Based Systems with Logging ............................................ 655
Managing Security for Emerging Technologies ........................................... 660
Cryptography................................................................................................... 662
Encryption Operations ................................................................................. 664
Using Cryptographic Controls ....................................................................... 671
Managing Cryptographic Controls ............................................................... 674
Additional Reading ......................................................................................... 677
Chapter Summary........................................................................................... 677
Review Questions ........................................................................................... 679
Exercises .......................................................................................................... 679
Closing Case ..................................................................................................... 680
Discussion Questions .................................................................................... 681
Ethical Decision Making ................................................................................ 681
Endnotes .......................................................................................................... 681

GLOSSARY .................................................................................................. 683


INDEX .......................................................................................................... 709
Preface
As global use of the Internet continues to expand, the demand
for and reliance on Internet-based information creates an
increasing expectation of access. Global commerce is reliant
on the Internet, which creates an increasing threat of attacks
on information assets and a need for greater numbers of
professionals capable of protecting those assets. With billions
of Internet users capable of accessing and attacking online
information from anywhere at any time, the threat of an attack
from individuals, criminals, and government entities grows daily.
To secure commerce and information assets from ever-
increasing threats, organizations demand both breadth and depth
of expertise from the next generation of information security
practitioners. These professionals are expected to have an optimal
mix of skills and experiences to secure diverse information
environments. Students of technology must learn to recognize
the threats and vulnerabilities present in existing systems.
They must also learn how to manage the use of information
assets securely and support the goals and objectives of their
organizations through effective information security governance,
risk management, and regulatory compliance.

Why This Text Was Written

This textbook strives to fulfill the need for a quality academic
textbook in the discipline of information security management.
While there are dozens of quality publications on information
security and assurance for the practitioner, few textbooks
provide the student with an in-depth study of information
security management. Specifically, those in disciplines such as
information systems, information technology, computer science,
criminal justice, political science, and accounting information
systems must understand the foundations of the management
of information security and the development of managerial
strategy for information security. The underlying tenet of this
textbook is that information security in the modern organization
is a management problem and not one that technology alone
can answer; it is a problem that has important economic
consequences and one for which management is accountable.

Approach
This book provides a managerial approach to information security and a thorough
treatment of the secure administration of information assets. It can be used to support
information security coursework for a variety of technology students, as well as for
technology curricula aimed at business students.
Certified Information Systems Security Professional, Certified Information
Security Manager, and NIST Common Bodies of Knowledge – As the authors are
Certified Information Systems Security Professionals (CISSP) and Certified Information
Security Managers (CISM), these knowledge domains have had an influence on the
design of this textbook. With the influence of the extensive library of information
available from the Special Publications collection at the National Institute of Standards
and Technology (NIST, at csrc.nist.gov), the authors have also tapped into additional
government and industry standards for information security management. Although
this textbook is by no means a certification study guide, much of the Common Bodies
of Knowledge for the dominant industry certifications, especially in the area of
management of information security, have been integrated into the text.

Overview
Chapter 1 – Introduction to the Management of Information Security
The opening chapter establishes the foundation for understanding the field of
information security by explaining the importance of information technology and
identifying who is responsible for protecting an organization's information assets.
Students learn the definition and key characteristics of information security, as well as
the differences between information security management and general management.

Chapter 2 – Compliance: Law and Ethics

In this chapter, students learn about the legal and regulatory environment and its
relationship to information security. This chapter describes the major national and
international laws that affect the practice of information security, as well as the role of
culture in ethics as it applies to information security professionals. In this edition, the
discussion of digital forensics has been moved to Chapter 2 for better alignment with
the primary subjects being covered.

Chapter 3 – Governance and Strategic Planning for Security

This chapter explains the importance of planning and describes the principal
components of organizational planning and the role of information security
governance and planning within the organizational context.

Chapter 4 – Information Security Policy

This chapter defines information security policy and describes its central role in a
successful information security program. Industry and government best practices
promote three major types of information security policy; this chapter explains what
goes into each type, and demonstrates how to develop, implement, and maintain
various types of information security policies.

Chapter 5 – Developing the Security Program

Chapter 5 explores the various organizational approaches to information security and
explains the functional components of an information security program. Students
learn the complexities of planning and staffing for an organization's information
security department based on the size of the organization and other factors, as well
as how to evaluate the internal and external factors that influence the activities and
organization of an information security program. This chapter also identifies and
describes the typical job titles and functions performed in the information security
program, and concludes with an exploration of the creation and management of a
security education, training, and awareness program. This chapter also provides an
overview of project management, a necessary skill in any technology or business
professional's portfolio.

Chapter 6 – Risk Management: Assessing Risk

This chapter defines risk management and its role in the organization, and
demonstrates how to use risk management techniques to identify and prioritize risk
factors for information assets. The risk management model presented here assesses
risk based on the likelihood of adverse events and the effects on information assets
when events occur. This chapter concludes with a brief discussion of how to document
the results of the risk identification process.

Chapter 7 – Risk Management: Treating Risk

This chapter presents essential risk mitigation strategy options and opens the
discussion on controlling risk. Students learn how to identify risk control classification
categories, use existing conceptual frameworks to evaluate risk controls, and formulate
a cost-benefit analysis. They also learn how to maintain and perpetuate risk controls.

Chapter 8 – Security Management Models

This chapter describes the components of the dominant information security
management models, including U.S. government and internationally sanctioned
models, and discusses how to customize them for a specific organization's needs.
Students learn how to implement the fundamental elements of key information
security management practices. Models include NIST, ISO, and a host of specialized
information security research models that help students understand confidentiality
and integrity applications in modern systems.

Chapter 9 – Security Management Practices

This chapter describes the fundamentals and emerging trends in information security
management practices and explains how these practices help organizations meet U.S.
and international compliance standards. The chapter contains an expanded section
on security performance measurement and covers concepts of certification and
accreditation of IT systems.

Chapter 10 – Planning for Contingencies

This chapter describes and explores the major components of contingency planning
and the need for them in an organization. The chapter illustrates the planning and
development of contingency plans, beginning with the business impact analysis, and
continues through the implementation and testing of contingency plans.

Chapter 11 – Security Maintenance

This chapter describes the ongoing technical and administrative evaluation of the
information security program that an organization must perform to maintain the
security of its information systems. This chapter explores ongoing risk analysis,
risk evaluation, and measurement, all of which are part of risk management. It also
explores special considerations needed for the varieties of vulnerability analysis in
modern organizations, from Internet penetration testing to wireless network risk
assessment.

Chapter 12 – Protection Mechanisms

This chapter introduces students to the world of technical controls by exploring access
control approaches, including authentication, authorization, and biometric access
controls, as well as firewalls and the common approaches to firewall implementation.
It also covers the technical control approaches for dial-up access, intrusion detection
and prevention systems, and cryptography.

Features
Chapter Scenarios – Each chapter opens with a short vignette that follows the same
fictional company as it encounters various information security issues. The final part
of each chapter is a conclusion to the scenario that also offers questions to stimulate

in-class discussion. These questions give the student and the instructor an opportunity
to explore the issues that underlie the content.
View Points – An essay from an information security practitioner or academic is
included in each chapter. These sections provide a range of commentary that illustrate
interesting topics or share personal opinions, giving the student a wider, applied view
on the topics in the text.
Offline Boxes – These highlight interesting topics and detailed technical issues,
allowing the student to delve more deeply into certain topics.
Hands-On Learning – At the end of each chapter, students will find a Chapter
Summary and Review Questions as well as Exercises and Closing Case exercises,
which give them the opportunity to examine the information security arena from an
experiential perspective. Using the Exercises, students can research, analyze, and write
to reinforce learning objectives and deepen their understanding of the text. The Closing
Case exercises require that students use professional judgment, powers of observation,
and elementary research to create solutions for simple information security scenarios.
Additional Reading – Each chapter includes suggestions for reading outside resources
that might augment or extend understanding of one or more aspects of the chapter.

New to This Edition

This sixth edition of Management of Information Security tightens its focus on
the managerial aspects of information security, continues to expand the coverage
of governance and compliance issues, and continues to reduce the coverage of
foundational and technical components. While retaining enough foundational material
to allow reinforcement of key concepts, this edition has fewer technical examples. This
edition also contains updated in-depth discussions and Offline features, and additional
coverage in key managerial areas: risk management, information security governance,
access control models, and information security program assessment and metrics.
The material on personnel management has been consolidated and reorganized.
Personnel placement, staffing, and credentials are now covered in Chapter 5, and
employment practices are discussed in Chapter 9. Digital forensics is now covered
in Chapter 2.
In general, the entire text has been updated and re-organized to reflect changes
in the field, including revisions to sections on national and international laws and
standards, such as the ISO 27000 series, among others. Throughout the text, the
content has been updated, with newer and more relevant examples and discussions.
A complete coverage matrix of the topics in this edition is available to instructors to
enable mapping of the previous coverage to the new structure. Please contact your
sales representative for access to the matrix.

MindTap
MindTap for Management of Information Security is an online learning solution
designed to help students master the skills they need in today's workforce. Research
shows employers need critical thinkers, troubleshooters, and creative problem-solvers
to stay relevant in our fast-paced, technology-driven world. MindTap helps users
achieve this with assignments and activities that provide hands-on practice, real-life
relevance, and mastery of difficult concepts. Students are guided through assignments
that progress from basic knowledge and understanding to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on
exercises provide real-life application and practice. Readings and "Whiteboard Shorts"
support the lecture, while "In the News" assignments encourage students to stay current.
Pre- and post-course assessments allow you to measure how much students have
learned, using analytics and reporting that makes it easy to see where the class stands in
terms of progress, engagement, and completion rates. Use the content and learning path
as-is, or pick and choose how the material will wrap around your own. You control what
the students see and when they see it. Learn more at www.cengage.com/mindtap/.

Instructor Resources
Free to all instructors who adopt Management of Information Security, 6e, for their
courses is a complete package of instructor resources. These resources are available
from the Cengage Web site, www.cengagebrain.com. Go to the product page for this
book in the online catalog and choose "Instructor Downloads."
Resources include:
• Instructor's Manual: This manual includes course objectives and additional
information to help your instruction.
• Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text's test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an
instant; and deliver tests from your LMS, your classroom, or wherever you want.
• PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for
each chapter. These slides are meant to be used as a teaching aid for classroom
presentations, to be made available to students for chapter review, or to be printed
for classroom distribution. Instructors are also at liberty to add their own slides.
• Figure Files: Figure files allow instructors to create their own presentations using
figures taken from the text.
• Appendix: The appendix has been relocated from the bound textbook and
is available for instructor use. It describes methods for evaluating security,
including (1) NIST SP 800-26, Security Self-Assessment Guide for Information
Technology Systems, (2) ISO 17799: 2005 Overview, (3) The OCTAVE Method of Risk
Management, and (4) the Microsoft Risk Management Approach.
• Lab Exercises: Each chapter includes hands-on exercises designed to reinforce
the theoretical concepts of the corresponding materials. Additional exercises and
labs are available in the MindTap enhanced edition of the textbook.

• Readings and Cases: Cengage Learning also produced two texts – Readings and
Cases in the Management of Information Security (ISBN-13: 9780619216276) and
Readings & Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576) –
by the authors, which make excellent companion texts. Contact your Cengage
Learning sales representative for more information.
• Curriculum Model for Programs of Study in Information Security: In addition
to the texts authored by this team, a curriculum model for programs of study
in Information Security and Assurance is available from the Kennesaw State
University Center for Information Security Education (http://infosec.kennesaw.edu).
This document provides details on designing and implementing security
coursework and curricula in academic institutions, as well as guidance and
lessons learned from the authors' perspective.

Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge
knowledge from the world of academic study with practical experience from the
business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in
the Information Systems Department, Coles College of Business at Kennesaw
State University, Kennesaw, Georgia, where he is also the Executive Director of
the Center for Information Security Education (infosec.kennesaw.edu). He and
Herbert Mattord are the authors of Principles of Information Security; Principles of
Incident Response and Disaster Recovery; Readings and Cases in the Management of
Information Security; Readings & Cases in Information Security: Law & Ethics; Guide
to Firewall and VPNs; Guide to Network Security; Roadmap to the Management of
Information Security; and Hands- On Information Security Lab Manual, all from
Cengage Learning. Dr. Whitman is an active researcher in Information Security
policy and planning and in Ethical Computing. He currently teaches graduate and
undergraduate courses in Information Security. He has published articles in the top
journals in his field, including Information Systems Research, the Communications
of the ACM, Information and Management, the Journal of International Business
Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing
Machinery, ISACA, (ISC)², and the Association for Information Systems. Through
his efforts and those of Dr. Mattord, his institution has been recognized by the
Department of Homeland Security and the National Security Agency as a National
Center of Academic Excellence in Information Assurance Education four times,
most recently in 2015. Dr. Whitman is also the Editor-in-Chief of the Journal
of Cybersecurity Education, Research and Practice, and he continually solicits
relevant and well-written articles of interest to faculty teaching and researching
cybersecurity topics for publication. Prior to his employment at Kennesaw State, he
taught at the University of Nevada, Las Vegas, and served over 13 years as an officer
and soldier in the U.S. Army.

Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as
an application developer, database administrator, project manager, and information
security practitioner in 2002. He is currently an Associate Professor of Information
Security in the Coles College of Business at Kennesaw State University. He and Michael
Whitman are the authors of Principles of Information Security; Principles of Incident
Response and Disaster Recovery; Readings and Cases in the Management of Information
Security; Guide to Network Security; and Hands -On Information Security Lab Manual,
all from Cengage Learning. During his career as an IT practitioner, Mattord has been an
adjunct professor at Kennesaw State University; Southern Polytechnic State University
in Marietta, Georgia; Austin Community College in Austin, Texas; and Texas State
University, San Marcos. He currently teaches undergraduate courses in Information
Security. He is the Assistant Chair of the Department of Information Systems and
is also an active member of the Information Systems Security Association and
Information Systems Audit and Control Association. He was formerly the Manager
of Corporate Information Technology Security at Georgia-Pacific Corporation, where
much of the practical knowledge found in this and his earlier textbooks was acquired.

Acknowledgments
The authors would like to thank their families for their support and understanding for
the many hours dedicated to this project, hours taken, in many cases, from family
activities.

Reviewers
We are indebted to the following individuals for their contributions of perceptive
feedback on the initial proposal, the project outline, and the chapter-by-chapter
reviews of the text:
• Paul D. Witman, Ph.D., Associate Professor, Information Technology
Management, California Lutheran University, School of Management, Thousand
Oaks, CA
• Michael Moorman, Ph.D., Professor of Computer Science, Department of
Computer Science and Information Systems, St. Leo University, St. Leo, FL

Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Onderdonk, Learning Designer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Product Manager
Brooke Greenhouse, Senior Content Manager

In addition, several professional and commercial organizations and individuals have
aided the development of this textbook by providing information and inspiration, and
the authors wish to acknowledge their contributions:
David Rowan
Charles Cresson Wood
Clearwater Compliance
The View Point authors:
• Henry Bonin
• Lee Imrey
• Robert Hayes and Kathleen Kotwicka
• David Lineman
• Paul D. Witman & Scott Mackelprang
• Alison Gunnels
• George V. Hulme
• Tim Callahan
• Mark Reardon
• Martin Lee
• Karen Scarfone
• Donald "Mac" McCarthy
• Todd E. Tucker

Our Commitment
The authors are committed to serving the needs of the adopters and readers. We
would be pleased and honored to receive feedback on the textbook and its supporting
materials. You can contact us at infosec@kennesaw.edu.

Foreword
By David Rowan, retired Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are
interested in a career in Information Security or have actually embarked on one. I am
thanking you because we, and by we I mean all of us, need your help.
You and I live in a world completely enabled, supported by, and allowed by
technology. In almost all practical respects, the things you and I take for granted are
created by our technology. There is technology we see and directly interact with, and
technology we don't see or are only peripherally aware of. For example, the temperature
of my home is monitored and maintained based on a smart thermostat's perception
of my daily habits and preferences. I could check it via the app or wait for an alert via
text message, but I don't- I just assume all is well, confident that I will be informed if
something goes amiss. Besides, I am more interested in reading my personal news feed ....
With respect to technology, we occupy two worlds, one of intent and realized
actions and another of services that simply seem to occur on their own. Both these
worlds are necessary, desirable, growing, and evolving. Also, both these worlds are
profoundly underpinned by one thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust
that our purchases are recorded accurately, we trust that our streaming services will
have enough bandwidth, we trust that our stock trades and bank transactions are
secure, we trust that our cars will run safely, and I trust that my home will be at the
right temperature when I walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact
that we can delegate tasks, share infrastructure, exchange ideas and information, and
buy goods and services almost seamlessly benefits us all. It is good ground worth
defending. However, the inevitable and unfortunate fact is that some among us prey
upon our trust; they will work tirelessly to disrupt, divert, or destroy our intents,
actions, comfort, well-being, information, and whatever else our technology and the
free flow of information offers.
The motives of these actors matter, but regardless of why they threaten what
technology gives us, the actions we take to safeguard it are up to us. That's why I am
glad you are reading this. We need guardians of the trust we place in technology and
the information flow it enables.
I have been in the financial industry for 35 years, and have spent the latter half of it
focused on information security and the related fields of fraud management, business
continuity, physical security, and legal and regulatory compliance. I have seen the
evolution of technology risk management from a necessary back-office function to a
board-level imperative with global implications. The bound interrelationships among
commerce, infrastructure, basic utilities, safety, and even culture exist to the extent
that providing security is now dominantly a matter of strategy and management, and
less a matter of the tools or technology de jure. There's an old saying that it's not the
tools that make a good cabinet, but the skill of the carpenter. Our tools will change and
evolve; it's how we use them that really matters.
This edition of Management of Information Security is a foundational source that
embodies the current best thinking on how to plan, govern, implement, and manage
an information security program. It is holistic and comprehensive, and provides a
path to consider all aspects of information security and to integrate security into the
fabric of the things we depend on and use. It provides specific guidance on strategy,
policy development, risk identification, personnel management, organization, and
legal matters, and places them in the context of a broader ecosystem. Strategy and
management are not merely aspects of information security; they are its essence- and
this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our
world of modern conveniences. I hope you will become a part of this community.
- Atlanta, Georgia, February 2018
CHAPTER 1
INTRODUCTION TO
THE MANAGEMENT OF
INFORMATION SECURITY
Management is, above all, a practice where art, science,
and craft meet.
-HENRY MINTZBERG

Upon completion of this material, you should be able to:
• List and discuss the key characteristics of information security
• List and describe the dominant categories of threats to information security
• Discuss the key characteristics of leadership and management
• Describe the importance of the manager's role in securing an organization's information assets
• Differentiate information security management from general business management

One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu left
her office early one afternoon to attend a meeting of the local chapter of the Information
Systems Security Association (ISSA). She had recently been promoted from her previous
assignment at RWW as manager of information risk to become the first chief information
security officer (CISO) to be named at RWW.
This occasion marked Iris's first ISSA meeting. With a mountain of pressing matters
on her cluttered desk, Iris wasn't exactly certain why she was making it a priority to
attend this meeting. She sighed. Since her early morning wake-up, she had spent many
CHAPTER 1 Introduction to the Management of Information Security

hours in business meetings, followed by long hours at her desk working toward defining
her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from Sequential Label
and Supply (SLS), the company she used to work for. Charlie had been promoted to chief
information officer (CIO) of SLS almost a year ago.
"Hi, Charlie," she said.
"Hello, Iris," Charlie said, shaking her hand. "Congratulations on your promotion. How are
things going in your new position?"
"So far," she replied, "things are going well- I think."
Charlie noticed Iris's hesitancy. "You think?" he said. "Okay, tell me what's going on."
"Well, I'm struggling to get a consensus from the senior management team about
the problems we have," Iris explained. "I'm told that information security is a priority, but
everything is in disarray. Any ideas that I bring up are chopped to bits before they're even
taken up by senior management. There's no established policy covering our information
security needs, and it seems that we have little hope of getting one approved anytime soon.
The information security budget covers my salary plus a little bit of funding that goes toward
part of one position for a technician in the network department. The IT managers act like I'm
wasting their time, and they don't seem to take our security issues as seriously as I do. It's like
trying to drive a herd of cats!"
Charlie thought for a moment and then said, "I've got some ideas that may help. We
should talk more, but not now; the meeting is about to start. Here's my new number- call me
tomorrow and we'll get together for coffee."

Introduction to Security
Key Terms
asset An organizational resource that is being protected. An asset can be logical, such as
a Web site, software information, or data; or an asset can be physical, such as a person,
computer system, hardware, or other tangible object. Assets, particularly information assets,
are the focus of what security efforts are attempting to protect.
information asset The focus of information security; information that has value to the
organization, and the systems that store, process, and transmit the information.
information security (InfoSec) Protection of the confidentiality, integrity, and availability
of information assets, whether in storage, processing, or transmission, via the application of
policy, education, training and awareness, and technology.
security A state of being secure and free from danger or harm. In addition, the actions taken
to make someone or something secure.

In today's global markets, business operations are enabled by technology. From
the boardroom to the mailroom, businesses make deals, ship goods, track client
accounts, and inventory company assets, all through the implementation of systems
based upon information technology (IT). IT enables the storage and transportation
of information, often a company's most valuable resource, from one business unit
to another. But what happens if the vehicle breaks down, even for a little while?
Business deals fall through, shipments are lost, and company assets become more
vulnerable to threats from both inside and outside the firm. In the past, the business
manager's response to this possibility was to proclaim, "We have technology people
to handle technology problems." This statement might have been valid in the days
when technology was confined to the climate-controlled rooms of the data center
and when information processing was centralized. In the last 30 years, however,
technology has moved out from the data center to permeate every facet of the
business environment. The business place is no longer static; it moves whenever
employees travel from office to office, from city to city, or even from office to
home. As businesses have become more fluid, "computer security" has evolved
into "information security," or "InfoSec," which covers a broader range of issues,
from the protection of computer-based data to the protection of human knowledge.
Information security is no longer the sole responsibility of a small, dedicated group of
professionals in the company. It is now the responsibility of all employees, especially
managers.
Astute managers increasingly recognize the critical nature of information
security as the vehicle by which the organization's information assets are secured. In
response to this growing awareness, businesses are creating new positions to solve
the newly perceived problems. The emergence of executive-level information security
managers, like Iris in the opening scenario of this chapter, allows for the creation of
professionally managed information security teams that have a primary objective to
protect information assets, wherever and whatever they may be.
Organizations must realize that information security planning and funding
decisions involve more than managers of information, the members of the information
security team, or the managers of information systems. Altogether, they must involve
the entire organization, as represented by three distinct groups of managers and
professionals, or communities of interest:
• Those in the field of information security
• Those in the field of IT
• Those from the rest of the organization
These three groups should engage in a constructive effort to reach consensus on an
overall plan to protect the organization's information assets.
The communities of interest and the roles they fulfill include the following:
• The information security community protects the organization's information
assets from the many threats they face.
• The IT community supports the business objectives of the organization by
supplying and supporting IT that is appropriate to the organization's needs.
• The general business community articulates and communicates organizational
policy and objectives and allocates resources to the other groups.
Working together, these communities of interest make recommendations to
executive management about how to secure an organization's information assets most
effectively. As the discussion between Iris and Charlie in this chapter's opening scenario
suggests, managing a successful information security program takes time, resources,
and a lot of effort by all three communities within the organization. Each community
of interest must understand that information security is about identifying, measuring,
and mitigating (or at least understanding and documenting) the risk associated with
operating information assets in a modern business environment. It is up to the
leadership of the various communities of interest to identify and support initiatives
for controlling the risks faced by the organization's information assets. But to make
sound business decisions concerning the security of information assets, managers must
understand the concept of information security, the roles professionals play within that
field, and the issues organizations face in a fluid, global business environment.
In order to understand the varied aspects of information security, you must know
the definitions of certain key InfoSec terms and concepts. This knowledge enables you
to communicate effectively with the IT and information security communities.
In general, security means being free from danger. To be secure is to be protected
from the risk of loss, damage, unwanted modification, or other hazards. National
security, for example, is a system of multilayered processes that protects the sovereignty
of a state- its assets, resources, and people. Achieving an appropriate level of security
for an organization also depends on the implementation of a multilayered system.
Security is often achieved by means of several strategies undertaken simultaneously or
used in combination with one another. Many of those strategies will focus on specific areas
of security, but they also have many elements in common. It is the role of management to
ensure that each strategy is properly planned, organized, staffed, directed, and controlled.
Specialized areas of security include:
• Physical security - The protection of physical items, objects, or areas from
unauthorized access and misuse.
• Operations security - The protection of the details of an organization's operations
and activities.
• Communications security - The protection of all communications media,
technology, and content.
• Cyber (or computer) security - The protection of computerized information
processing systems and the data they contain and process. The term
cybersecurity is relatively new, so its use might be slightly ambiguous in coming
years as the definition gets sorted out.
• Network security - A subset of communications security and cybersecurity; the
protection of voice and data networking components, connections, and content.

The efforts in each of these areas contribute to the information security program as
a whole. This textbook derives its definition of information security from the standards
published by the Committee on National Security Systems (CNSS), formerly known
as the National Security Telecommunications and Information Systems Security
Committee (NSTISSC), chaired by the U.S. Secretary of Defense.
Information security (InfoSec) focuses on the protection of information and the
characteristics that give it value, such as confidentiality, integrity, and availability,
and includes the technology that houses and transfers that information through a
variety of protection mechanisms such as policy, training and awareness programs,
and technology. Figure 1-1 shows that InfoSec includes the broad areas of InfoSec
management (the topic of this text), computer security, data security, and network
security. The figure also shows that policy is the space where these components overlap.

Figure 1-1 Components of information security (figure; labels recoverable from it:
Policy, and Confidentiality / Integrity / Availability)


CNSS Security Model


The CNSS document NSTISSI No. 4011, "National Training Standard for Information
Systems Security (InfoSec) Professionals," presents a comprehensive model of InfoSec
known as the McCumber Cube, which is named after its developer, John McCumber.
Shown in Figure 1-2, which is an adaptation of the NSTISSI model, the McCumber Cube
serves as the standard for understanding many aspects of InfoSec, and shows the three
dimensions that are central to the discussion of InfoSec: information characteristics,
information location, and security control categories. If you extend the relationship
among the three dimensions that are represented by the axes in the figure, you end up
with a 3 x 3 x 3 cube with 27 cells. Each cell represents an area of intersection among
these three dimensions, which must be addressed to secure information. When using
this model to design or review any InfoSec program, you must make sure that each
of the 27 cells is properly addressed by each of the three communities of interest. For
example, the cell representing the intersection of the technology, integrity, and storage
criteria could include controls or safeguards addressing the use of technology to protect
the integrity of information while in storage. Such a control might consist of a host
intrusion detection and prevention system (HIDPS), for example, which would alert the
security administrators when a critical file was modified or deleted.

Figure 1-2 CNSS security model (figure; axis labels recoverable from it: Confidentiality,
Integrity, Availability; Storage | Processing | Transmission)
While the CNSS model covers the three dimensions of InfoSec, it omits any
discussion of guidelines and policies that direct the implementation of controls, which
are essential to an effective InfoSec program. Instead, the main purpose of the model is
to identify gaps in the coverage of an InfoSec program.
Another weakness of this model emerges when it is viewed from a single
perspective. For example, the HIDPS control described earlier addresses only the needs
and concerns of the InfoSec community, leaving out the needs and concerns of the
broader IT and general business communities. In practice, thorough risk reduction
requires the creation and dissemination of controls of all three types (policy, education,
and technical) by all three communities. These controls can be implemented only
through a process that includes consensus building and constructive conflict to reflect
the balancing act that each organization faces as it designs and executes an InfoSec
program. The rest of this book will elaborate on these issues.
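To make the gap-finding use of the cube concrete, here is an added Python check (not from the textbook or from CNSS) that maps a constructed control inventory onto the 27 cells and reports cells with no control at all and cells that rest on a single community of interest; the control names and the community that owns each one are assumptions.

```python
"""Coverage check against the McCumber Cube (3 x 3 x 3 = 27 cells).

Added illustration, not taken from the textbook or from CNSS documents.
The control inventory below is constructed; control names and the
community that owns each one are assumptions for the example.
"""
from itertools import product

CHARACTERISTICS = ("confidentiality", "integrity", "availability")
LOCATIONS = ("storage", "processing", "transmission")
CONTROL_TYPES = ("policy", "education", "technology")
COMMUNITIES = ("infosec", "it", "business")

# Every cell of the cube as a (characteristic, location, control type) triple.
ALL_CELLS = frozenset(product(CHARACTERISTICS, LOCATIONS, CONTROL_TYPES))


def validate_control(control):
    """Reject a control record whose axis values are not part of the model."""
    if control["type"] not in CONTROL_TYPES:
        raise ValueError(f"unknown control type: {control['type']}")
    if control["community"] not in COMMUNITIES:
        raise ValueError(f"unknown community: {control['community']}")
    bad = set(control["characteristics"]) - set(CHARACTERISTICS)
    bad |= set(control["locations"]) - set(LOCATIONS)
    if bad:
        raise ValueError(f"unknown axis value(s): {sorted(bad)}")


def cell_coverage(controls):
    """Map each of the 27 cells to the set of communities whose controls touch it."""
    coverage = {cell: set() for cell in ALL_CELLS}
    for control in controls:
        validate_control(control)
        for characteristic in control["characteristics"]:
            for location in control["locations"]:
                cell = (characteristic, location, control["type"])
                coverage[cell].add(control["community"])
    return coverage


def uncovered_cells(controls):
    """Cells no control addresses at all: the gaps the model is meant to expose."""
    return sorted(cell for cell, who in cell_coverage(controls).items() if not who)


def single_community_cells(controls):
    """Cells addressed by exactly one community (the single-perspective weakness)."""
    return sorted(cell for cell, who in cell_coverage(controls).items() if len(who) == 1)


def cells_per_community(controls):
    """How many of the 27 cells each community contributes a control to."""
    counts = {name: 0 for name in COMMUNITIES}
    for who in cell_coverage(controls).values():
        for name in who:
            counts[name] += 1
    return counts


# Constructed inventory. The first entry is the HIDPS example from the text:
# a technology control for integrity of information in storage, owned by InfoSec.
SAMPLE_CONTROLS = [
    {"name": "HIDPS on file servers", "type": "technology", "community": "infosec",
     "characteristics": ("integrity",), "locations": ("storage",)},
    {"name": "TLS on Web and mail traffic", "type": "technology", "community": "it",
     "characteristics": ("confidentiality", "integrity"), "locations": ("transmission",)},
    {"name": "Nightly backups with restore tests", "type": "technology", "community": "it",
     "characteristics": ("availability",), "locations": ("storage",)},
    {"name": "Information classification policy", "type": "policy", "community": "infosec",
     "characteristics": ("confidentiality",), "locations": ("storage", "transmission")},
    {"name": "Customer data privacy policy", "type": "policy", "community": "business",
     "characteristics": ("confidentiality",), "locations": LOCATIONS},
    {"name": "Security awareness training", "type": "education", "community": "infosec",
     "characteristics": CHARACTERISTICS, "locations": LOCATIONS},
]


if __name__ == "__main__":
    gaps = uncovered_cells(SAMPLE_CONTROLS)
    print(f"{len(gaps)} of {len(ALL_CELLS)} cells have no control:")
    for cell in gaps:
        print("  ", " / ".join(cell))
    print(f"{len(single_community_cells(SAMPLE_CONTROLS))} cells rest on one community alone")
    print("cells touched per community:", cells_per_community(SAMPLE_CONTROLS))
```

With the constructed inventory, 11 cells have no control and 14 of the 16 covered cells depend on a single community, which is exactly the kind of gap and single-perspective finding the text says the model is meant to surface.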

Note
For more information on the CNSS and its training standards (known as issuances), visit the
Committee on National Security Systems Web site at www.cnss.gov, and select Directives from
the Library tab.
The Value of Information and the C.I.A. Triad

Key Terms

accountability The access control mechanism that ensures all actions on a system,
authorized or unauthorized, can be attributed to an authenticated identity. Also known as
auditability.
authentication The access control mechanism that requires the validation and verification
of an unauthenticated entity's purported identity.
authorization The access control mechanism that represents the matching of an
authenticated entity to a list of information assets and corresponding access levels.
availability An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
C.I.A. triad The industry standard for computer security since the development of the
mainframe. The standard is based on three characteristics that describe the utility of
information: confidentiality, integrity, and availability.
confidentiality An attribute of information that describes how data is protected from
disclosure or exposure to unauthorized individuals or systems.
disclosure In information security, the intentional or unintentional exposure of an
information asset to unauthorized parties.
identification The access control mechanism whereby unverified entities who seek access to
a resource provide a label by which they are known to the system.
information aggregation The collection and combination of pieces of nonprivate data,
which could result in information that violates privacy. Not to be confused with aggregate
information.
integrity An attribute of information that describes how data is whole, complete, and
uncorrupted.
privacy In the context of information security, the right of individuals or groups
to protect themselves and their information from unauthorized access, providing
confidentiality.

To better understand the management of InfoSec, you must become familiar with
the key characteristics of information that make it valuable to an organization,
as expressed in the C.I.A. triad characteristics of confidentiality, integrity, and
availability (see Figure 1-3). However, present-day needs have rendered these
characteristics inadequate on their own to conceptualize InfoSec because they
are limited in scope and cannot encompass today's constantly changing IT
environment, which calls for a more robust model. The C.I.A. triad, therefore,
has been expanded into a more comprehensive list of critical characteristics and
processes, including privacy, identification, authentication, authorization, and
accountability. These characteristics are explained in more detail in the sections
that follow.

Figure 1-3 The C.I.A. triad (figure; labels recoverable from it: Confidentiality,
Integrity, Availability, Services)

Confidentiality
Confidentiality means limiting access to information only to those who need it, and
preventing access by those who do not. When unauthorized individuals or systems
can view information, confidentiality is breached. To protect the confidentiality of
information, a number of measures are used, including:
• Information classification
• Secure document (and data) storage
• Application of general security policies
• Education of information custodians and end users
• Cryptography (encryption)
Confidentiality is closely related to privacy, another key characteristic of
information that is discussed later in this chapter. The complex relationship between
these two characteristics is examined in detail in later chapters. In an organization,
confidentiality of information is especially important for personal information about
employees, customers, or patients. People expect organizations to closely guard
such information. Whether the organization is a government agency, a commercial
enterprise, or a nonprofit charity, problems arise when organizations disclose
confidential information. Disclosure can occur either deliberately or by mistake.
For example, confidential information could be mistakenly e-mailed to someone
outside the organization rather than the intended person inside the organization. Or
perhaps an employee discards, rather than destroys, a document containing critical
information. Or maybe a hacker successfully breaks into a Web-based organization's
internal database and steals sensitive information about clients, such as names,
addresses, or credit card information.

In the new world of Internet-connected systems, even organizations we would
expect to be diligent and to take suitable precautions can find themselves holding the
bag after a massive data spill. While U.S. federal agencies have had lapses that resulted
in unwanted data disclosures, an event in July 2015 eclipsed all previous similar lapses.
The loss of 21.5 million federal background-check files rocked the Office of Personnel
Management (OPM), which had to reveal that names, addresses, financial records,
health data, and other sensitive private information had fallen into the hands of
what were believed to be Chinese hackers. This event followed the widely reported
Sony data spill, illustrating again that the impact from massive data breaches spans
every sector of modern society. Since then there has been a steady drumbeat of
announcements of various data-loss events, such as the Yahoo e-mail breach in late
2016 that compromised as many as 1 billion e-mail credentials.

Integrity
The integrity or completeness of information is threatened when it is exposed to
corruption, damage, destruction, or other disruption of its authentic state. Corruption
can occur while information is being entered, stored, or transmitted.
Many computer viruses and worms, for example, are designed to corrupt data.
For this reason, the key method for detecting whether a virus or worm has caused an
integrity failure to a file system is to look for changes in the file's state, as indicated
by the file's size or, in a more advanced operating system, its hash value or checksum
(discussed in Chapter 12).
File corruption is not always the result of deliberate attacks. Faulty programming
or even noise in the transmission channel or medium can cause data to lose its
integrity. For example, a low-voltage state in a signal carrying a digital bit (a 1 or 0) can
cause the receiving system to record the data incorrectly.
To compensate for internal and external threats to the integrity of information,
systems employ a variety of error-control techniques, including the use of redundancy bits
and check bits. During each transmission, algorithms, hash values, and error-correcting
codes ensure the integrity of the information. Data that has not been verified in this
manner is retransmitted or otherwise recovered. Because information is of little or no value
or use if its integrity cannot be verified, information integrity is a cornerstone of InfoSec.
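The hash-based change detection described above, as an added Python example (not the textbook's code): it baselines a constructed directory tree, tampers with it, and shows that a same-size edit is caught by the SHA-256 comparison but would be missed by a size check alone.

```python
"""Detecting integrity failures in a file set by comparing hashes against a baseline.

Added example, not code from the textbook. The directory layout and file
contents created in demo() are constructed for the illustration.
"""
import hashlib
import pathlib
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record size and SHA-256 for every regular file under root, keyed by relative path."""
    root = pathlib.Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            key = path.relative_to(root).as_posix()
            baseline[key] = {"size": path.stat().st_size, "sha256": hash_file(path)}
    return baseline


def compare_baselines(old, new):
    """Classify differences between two baselines.

    'same_size_modified' lists files whose content changed but whose size did
    not: the case a size-only check (the weaker indicator the text mentions) misses.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified, same_size_modified = [], []
    for name in sorted(set(old) & set(new)):
        if old[name]["sha256"] != new[name]["sha256"]:
            modified.append(name)
            if old[name]["size"] == new[name]["size"]:
                same_size_modified.append(name)
    return {"added": added, "removed": removed,
            "modified": modified, "same_size_modified": same_size_modified}


def demo():
    """Build a baseline, tamper with the tree, and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "app.cfg").write_text("debug=0\n")
        baseline = build_baseline(root)

        # Constructed tampering: a one-character edit that keeps the size,
        # a deleted file, and a new file dropped into the tree.
        (root / "app.cfg").write_text("debug=1\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "rc.local").write_text("#!/bin/sh\n")

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A real HIDPS keeps the baseline somewhere the monitored host cannot silently rewrite it; otherwise an attacker who can change the file can change the recorded hash too.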

Availability
Availability of information means that users, either people or other systems, have access
to it in a usable format. Availability does not imply that the information is accessible to
any user; rather, it means it can be accessed when needed by authorized users.
To understand this concept more fully, consider the contents of a library- in
particular, research libraries that require identification for access to the library as a
whole or to certain collections. Library patrons must present the required identification
before accessing the collection. Once they are granted access, patrons expect to be able
to locate and access resources in the appropriate languages and formats.
Privacy
Information that is collected, used, and stored by an organization should be used only
for the purposes stated by the data owner at the time it was collected. In this context,
privacy does not mean freedom from observation (the meaning usually associated
with the word); it means that the information will be used only in ways approved
by the person who provided it. Many organizations collect, swap, and sell personal
information as a commodity. Today, it is possible to collect and combine personal
information from several different sources (known as information aggregation),
which has resulted in databases that could be used in ways the original data owner
has not agreed to or even knows about.
Many people have become aware of these practices and are looking to the
government to protect their information's privacy.

Identification
An information system possesses the characteristic of identification when it is
able to recognize individual users. Identification is the first step in gaining access to
secured material, and it serves as the foundation for subsequent authentication and
authorization. Identification and authentication are essential to establishing the level
of access or authorization that an individual is granted. Identification is typically
performed by means of a user name or other ID.

Authentication
Authentication is the process by which a control establishes whether a user (or
system) is the entity it claims to be. Examples include the use of cryptographic
certificates to establish Secure Sockets Layer (SSL) connections as well as the use of
cryptographic hardware devices, for example, hardware tokens such as RSA's SecurID.
Individual users may disclose a personal identification number (PIN), a password, or a
passphrase to authenticate their identities to a computer system.

Authorization
After the identity of a user is authenticated, a process called authorization defines
what the user (whether a person or a computer) has been specifically and explicitly
authorized by the proper authority to do, such as access, modify, or delete the
contents of an information asset. An example of authorization is the activation and
use of access control lists and authorization groups in a networking environment.
Another example is a database authorization scheme to verify that the user of an
application is authorized for specific functions, such as reading, writing, creating,
and deleting.

Accountability
Accountability of information occurs when a control provides assurance that every
activity undertaken can be attributed to a named person or automated process.
For example, audit logs that track user activity on an information system provide
accountability.
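The four access control steps just described, walked through in one request path as an added Python example that is not from the textbook; the users, passphrases, asset name, and access control list are constructed.

```python
"""Identification, authentication, authorization and accountability in one request path.

Added example, not code from the textbook. The user store, the access control
list, and the user and asset names are constructed for the illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def register_user(store, username, password):
    """Store a salted PBKDF2 hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    store[username] = {"salt": salt, "hash": digest}


def authenticate(store, username, password):
    """True only if the username is known and the password matches its stored hash."""
    record = store.get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


def request_access(store, acl, audit_log, username, password, asset, action):
    """Walk the steps in order and return (allowed, step_that_decided).

    Every attempt, successful or not, is appended to audit_log so that the
    outcome can later be attributed to an identity (accountability).
    """
    entry = {"claimed_identity": username, "asset": asset, "action": action}
    # 1. Identification: the caller supplies a label the system knows.
    if username not in store:
        entry.update(result="denied", step="identification", identity=None)
        audit_log.append(entry)
        return False, "identification"
    # 2. Authentication: the caller proves the claimed identity.
    if not authenticate(store, username, password):
        entry.update(result="denied", step="authentication", identity=None)
        audit_log.append(entry)
        return False, "authentication"
    # 3. Authorization: the authenticated identity must be permitted this
    #    action on this asset according to the access control list.
    permitted = action in acl.get(asset, {}).get(username, set())
    entry.update(result="allowed" if permitted else "denied",
                 step="authorization", identity=username)
    audit_log.append(entry)  # 4. Accountability: the attempt is on record either way.
    return permitted, "authorization"


def demo():
    """Constructed users and ACL; returns the outcomes and the audit trail."""
    store, audit_log = {}, []
    register_user(store, "iris", "correct horse battery staple")
    register_user(store, "charlie", "another passphrase")
    # Constructed ACL: asset -> user -> permitted actions
    acl = {"customer_db": {"iris": {"read", "write"}, "charlie": {"read"}}}
    outcomes = [
        request_access(store, acl, audit_log, "iris", "correct horse battery staple",
                       "customer_db", "write"),
        request_access(store, acl, audit_log, "charlie", "another passphrase",
                       "customer_db", "delete"),
        request_access(store, acl, audit_log, "charlie", "wrong", "customer_db", "read"),
        request_access(store, acl, audit_log, "mallory", "x", "customer_db", "read"),
    ]
    return outcomes, audit_log


if __name__ == "__main__":
    results, log = demo()
    for entry in log:
        print(entry)
```

Note that the audit entry for a failed authentication records only the claimed identity, never a verified one; accountability can attribute an action to a named person only once authentication has succeeded.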

Key Concepts of Information Security: Threats and Attacks

Key Terms

attack An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it.
exploit A technique used to compromise a system. This term can be a verb or a noun. Threat
agents may attempt to exploit a system or other information asset by using it illegally for
their personal gain.
loss A single instance of an information asset suffering damage or destruction, unintended
or unauthorized modification or disclosure, or denial of use.
threat Any event or circumstance that has the potential to adversely affect operations and
assets. The term threat source is commonly used interchangeably with the more generic term
threat. While the two terms are technically distinct, in order to simplify discussion the text will
continue to use the term threat to describe threat sources.
threat agent The specific instance or a component of a threat.
threat event See attack.
vulnerability A potential weakness in an asset or its defensive control system(s).

Around 500 BC, the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise
that emphasizes the importance of knowing yourself as well as the threats you face.
Therefore I say: One who knows the enemy and knows himself will not be in danger
in a hundred battles.
One who does not know the enemy but knows himself will sometimes win, sometimes
lose. One who does not know the enemy and does not know himself will be in danger
in every battle.
To protect your organization's information, you must: (1) know yourself; that
is, be familiar with the information assets to be protected, their inherent flaws
and vulnerabilities, and the systems, mechanisms, and methods used to store,
transport, process, and protect them; and (2) know the threats you face. To make
sound decisions about information security, management must be informed about
the various threats to an organization's people, applications, data, and information
systems. As illustrated in Figure 1-4, a threat represents a potential risk to an
information asset, whereas an attack, sometimes called a threat event, represents
an ongoing act against the asset that could result in a loss. Threat agents damage
or steal an organization's information or physical assets by using exploits to take
advantage of a vulnerability where controls are not present or no longer effective.
Unlike threats, which are always present, attacks exist only when a specific act may
cause a loss. For example, the threat of damage from a thunderstorm is present
throughout the summer in many places, but an attack and its associated risk of
loss exist only for the duration of an actual thunderstorm. The following sections
discuss each of the major types of threats and corresponding attacks facing modern
information assets.

Figure 1-4 Key concepts in information security (figure; its labels read: Vulnerability:
SQL injection in online database Web interface. Threat: Theft. Threat agent: Ima Hacker.
Attack: Ima Hacker downloads exploit from MadHackz Web site, then accesses HAL Inc.'s
Web site and applies script, resulting in Loss: download of customer data)
Sources: The photo at top left is from © iStock.com/lommL. The photo at top right is from © iStock.com/nerminmuminovic.

To investigate the wide range of threats that pervade the interconnected world,
many researchers have collected information on threats and attacks from practicing
information security personnel and their organizations. While the categorizations may
vary, threats are relatively well researched and fairly well understood.
There is wide agreement that the threat from external sources increases when
an organization connects to the Internet. The number of Internet users continues to
grow; almost exactly half (49.7 percent) of the world's 7.52. billion people had some form
of Internet access as of mid-2.017.• Therefore, a typical organization with an online
connection to its systems and information faces more than 3.7 billion potential hackers.

Note
For more information on world Internet use, visit the Internet World Stats: Usage and
Population Statistics site at www.internetworldstats.com/stats.htm.

The 12 Categories of Threats

Table 1-1 shows the 12 general categories of threats that represent a clear and present
danger to an organization's people, information, and systems. Each organization
must prioritize the threats it faces based on the particular security situation in which
it operates, its organizational strategy regarding risk, and the exposure levels of its
assets. You may notice that many of the attack examples in the table could be listed
in more than one category. For example, theft performed by a hacker falls into the
category of "theft," but it can also be preceded by "espionage or trespass" as the
hacker illegally accesses the information. The theft may also be accompanied by
defacement actions to delay discovery, qualifying it for the category of "sabotage or
vandalism."

Table 1-1 The 12 Categories of Threats to Information Security

Category of Threat                        Attack Examples
Compromises to intellectual property      Piracy, copyright infringement
Deviations in quality of service          Internet service provider (ISP), power, or WAN service problems
Espionage or trespass                     Unauthorized access and/or data collection
Forces of nature                          Fire, floods, earthquakes, lightning
Human error or failure                    Accidents, employee mistakes
Information extortion                     Blackmail, information disclosure
Sabotage or vandalism                     Destruction of systems or information
Software attacks                          Viruses, worms, macros, denial of service
Technical hardware failures or errors     Equipment failure
Technical software failures or errors     Bugs, code problems, unknown loopholes
Technological obsolescence                Antiquated or outdated technologies
Theft                                     Illegal confiscation of equipment or information

Compromises to Intellectual Property

Key Terms

intellectual property (IP) The creation, ownership, and control of original ideas as well as
the representation of those ideas.
software piracy The unauthorized duplication, installation, or distribution of copyrighted
computer software, which is a violation of intellectual property.

Many organizations create or support the development of intellectual property (IP) as
part of their business operations. Intellectual property can be trade secrets, copyrights,
trademarks, and patents. IP is protected by copyright and other laws, carries the
expectation of proper attribution or credit to its source, and potentially requires the
acquisition of permission for its use, as specified in those laws. For example, the use of
a song in a movie or a photo in a publication may require a specific payment or royalty.
The unauthorized appropriation of IP constitutes a threat to information security.
Employees may have access privileges to the various types of IP, including purchased
and developed software and organizational information. Many employees typically need
to use IP to conduct day-to -day business. This category includes two primary areas:
• Software piracy- Organizations often purchase or lease the IP of other
organizations, and must abide by a purchase or licensing agreement for its
fair and responsible use. The most common IP breach is the unlawful use or
duplication of software-based intellectual property, more commonly known as
software piracy. Many individuals and organizations do not purchase software
as mandated by the owner's license agreements. Because most software is
licensed to a particular purchaser, its use is restricted to a single user or to a
designated user in an organization. If the user copies the program to another
computer without securing another license or transferring the license, the
user has violated the copyright. Software licenses are strictly enforced by
regulatory and private organizations, and software publishers use several control
mechanisms to prevent copyright infringement.
• Copyright protection and user registration - A number of technical mechanisms-
digital watermarks, embedded code, copyright or activation codes, and even the
intentional placement of bad sectors on software media- have been used to
enforce copyright laws. The most common tool is a unique software registration
code in combination with an end-user license agreement (EULA) that usually
pops up during the installation of new software, requiring users to indicate that
they have read and agree to conditions of the software's use.
Another effort to combat piracy is online registration. Users who install software
are often asked or even required to register their software to complete the installation,
obtain technical support, or gain the use of all features. Some users believe that
this process compromises personal privacy because they never know exactly what
information is obtained from their computers and sent to the software manufacturer.
Intellectual property losses may result from the successful exploitation of
vulnerabilities in asset protection controls. Many of the threats against these controls
are described in this chapter.

Note
For more information on software piracy and intellectual property protection, visit the
Software & Information Industry Association (SIIA) Web site at www.siia.net and the Business
Software Alliance (BSA) Web site at www.bsa.org. SIIA is the organization formerly known as
the Software Publishers Association.

Deviations in Quality of Service

Key Terms
availability disruption An interruption in service, usually from a service provider, which
causes an adverse event within an organization.
blackout A long-term interruption (outage) in electrical power availability.
brownout A long-term decrease in the quality of electrical power availability.
fault A short-term interruption in electrical power availability.
noise The presence of additional and disruptive signals in network communications or
electrical power delivery.
sag A short-term decrease in electrical power availability.
service level agreement (SLA) A document or part of a document that specifies the
expected level of service from a service provider. An SLA usually contains provisions for
minimum acceptable availability and penalties or remediation procedures for downtime.
spike A short-term increase in electrical power availability, also known as a swell.
surge A long-term increase in electrical power availability.

An organization's information system depends on the successful operation of many
interdependent support systems, including power grids, data and telecommunications
networks, parts suppliers, service vendors, and even janitorial staff and garbage
haulers. Any of these support systems can be interrupted by severe weather, employee
illnesses, or other unforeseen events. Deviations in quality of service can result
from such accidents as a backhoe taking out an ISP's fiber-optic link. The backup
provider may be online and in service, but may be able to supply only a fraction of
the bandwidth the organization needs for full service. This degradation of service is
a form of availability disruption. Irregularities in Internet service, communications,
and power supplies can dramatically affect the availability of information and systems.
Subcategories of this threat include the following:
• Internet service issues- In organizations that rely heavily on the Internet
and the Web to support continued operations, ISP failures can considerably
undermine the availability of information. Many organizations have
sales staff and telecommuters working at remote locations. When these
offsite employees cannot contact the host systems, they must use manual
procedures to continue operations. When an organization places its Web
servers in the care of a Web hosting provider, that provider assumes
responsibility for all Internet services and for the hardware and operating
system software used to operate the Web site. These Web hosting services
are usually arranged with a service level agreement (SLA). When a service
provider fails to meet the terms of the SLA, the provider may accrue fines
to cover losses incurred by the client, but these payments seldom cover the
losses generated by the outage.
• Communications and other service provider issues- Other utility services can
affect organizations as well. Among these are telephone, water, wastewater,
trash pickup, cable television, natural or propane gas, and custodial services.
The loss of these services can impair the ability of an organization to function.
For instance, most facilities require water service to operate an air- conditioning
system. Even in Minnesota in February, air-conditioning systems help keep a
modern facility operating. If a wastewater system fails, an organization might
be prevented from allowing employees into th e building. While several online
utilities allow an organization to compare pricing options from various service
providers, only a few show a comparative analysis of availability or downtime.
• Power irregularities- Irregularities from power utilities are common and can
lead to fluctuations such as power excesses, power shortages, and power
losses. These fluctuations can pose problems for organizations that provide
inadequately conditioned power for their information systems equipment.
In the United States, residential users are supplied 120-volt, 60-cycle power,
usually through 15- and 20-amp circuits. Commercial buildings often have
240-volt service and may also have specialized power distribution infrastructure.
When power voltage levels vary from normal, expected levels, such as during
a blackout, brownout, fault, noise, spike, surge, or sag, an organization's
sensitive electronic equipment- especially networking equipment, computers,
and computer-based systems, which are vulnerable to fluctuations- can be
easily damaged or destroyed. Most good uninterruptible power supplies (UPS)
can protect against spikes, surges, and sags, and even brownouts and blackouts
of limited duration.

Espionage or Trespass

Key Terms

advanced persistent threat (APT) A collection of processes, usually directed by a human
agent, that targets a specific organization or individual.
brute force password attack An attempt to guess a password by attempting every possible
combination of characters and numbers in it.
competitive intelligence The collection and analysis of information about an organization's
business competitors through legal and ethical means to gain business intelligence and
competitive advantage.
cracker A hacker who intentionally removes or bypasses software copyright protection
designed to prevent unauthorized duplication or use.
cracking Attempting to reverse-engineer, remove, or bypass a password or other access
control protection, such as the copyright protection on software. See also cracker.
dictionary password attack A variation of the brute force password attack that attempts to
narrow the range of possible passwords guessed by using a list of common passwords and
possibly including attempts based on the target's personal information.
expert hacker A hacker who uses extensive knowledge of the inner workings of computer
hardware and software to gain unauthorized access to systems and information. Also known
as elite hackers, expert hackers often create automated exploits, scripts, and tools used by
other hackers.
hacker A person who accesses systems and information without authorization and often illegally.
industrial espionage The collection and analysis of information about an organization's
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage. Also known as corporate spying, which is distinguished from espionage for
national security reasons.
jailbreaking Escalating privileges to gain administrator-level control over a smartphone
operating system (typically associated with Apple iOS smartphones). See also rooting.
novice hacker A relatively unskilled hacker who uses the work of expert hackers to perform
attacks. Also known as a neophyte, n00b, or newbie. This category of hackers includes script
kiddies and packet monkeys.
packet monkey A script kiddie who uses automated exploits to engage in denial-of-service
attacks.
penetration tester An information security professional with authorization to attempt to
gain system access in an effort to identify and recommend resolutions for vulnerabilities in
those systems.
phreaker A hacker who manipulates the public telephone system to make free calls or
disrupt services.
pretexting A form of social engineering in which the attacker pretends to be an authority
figure who needs information to confirm the target's identity, but the real object is to trick
the target into revealing confidential information. Pretexting is commonly performed by
telephone.
privilege escalation The unauthorized modification of an authorized or unauthorized
system user account to gain advanced access and control over system resources.
professional hacker A hacker who conducts attacks for personal financial benefit or for a
crime organization or foreign government. Not to be confused with a penetration tester.
rainbow table A table of hash values and their corresponding plaintext values that can be
used to look up password values if an attacker is able to steal a system's hashed (often
loosely called encrypted) password file.
rooting Escalating privileges to gain administrator-level control over a computer system
(including smartphones). Typically associated with Linux and Android operating systems. See
also jailbreaking.
script kiddie A hacker of limited skill who uses expertly written software to attack a system.
Also known as skids, skiddies, or script bunnies.
shoulder surfing The direct, covert observation of individual information or system use.
trespass Unauthorized entry into the real or virtual property of another party.
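The brute force, dictionary, and rainbow table entries above describe three ways of recovering passwords from a stolen credential store, and the reason they work against some stores and not others is how the passwords were hashed. The following added example (written for this edit, not from the book) runs all three against a constructed, unsalted SHA-256 password file and then against the same passwords stored with a per-user salt and PBKDF2. The wordlist, account names, salts, and passwords are invented, and the precomputed lookup table stands in for a rainbow table (a real one compresses the table with hash chains, but it is built once and defeated by salting in the same way).

```python
import hashlib
import itertools

# Constructed wordlist for the dictionary attack (invented, not a real list).
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2017"]


def sha256_hex(text):
    """Unsalted SHA-256 of a password: the weak storage scheme being attacked."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "stolen" password file. Weak design: one unsalted hash per user,
# so identical passwords hash identically and one precomputed table serves
# every account in every file.
UNSALTED_FILE = {
    "alice": sha256_hex("letmein"),       # in the wordlist
    "bob": sha256_hex("Tr0ub4dor&3"),     # not in the wordlist
    "carol": sha256_hex("4321"),          # short and numeric
}


def dictionary_attack(stolen, wordlist):
    """Hash each wordlist entry and compare it with each stolen digest."""
    cracked = {}
    for user, digest in stolen.items():
        for candidate in wordlist:
            if sha256_hex(candidate) == digest:
                cracked[user] = candidate
                break
    return cracked


def brute_force(digest, alphabet, max_len):
    """Exhaustively try every string over `alphabet` up to `max_len` characters.
    Cost grows as len(alphabet) ** max_len, which is why it only pays off
    against short passwords or small alphabets."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if sha256_hex(candidate) == digest:
                return candidate
    return None


def build_lookup_table(wordlist):
    """Precompute digest -> plaintext once, ahead of any theft. This is the
    time/memory trade-off behind a rainbow table, minus the chain compression."""
    return {sha256_hex(w): w for w in wordlist}


def table_attack(stolen, table):
    """Lookups only: no hashing is done at attack time."""
    return {user: table[d] for user, d in stolen.items() if d in table}


# Hardened design: a per-user random salt plus a slow, iterated hash (PBKDF2).
def hash_salted(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Fixed salts here only so the example is deterministic; real salts come from
# os.urandom and are stored beside the digest.
SALTED_FILE = {
    "alice": (b"\x01" * 16, hash_salted("letmein", b"\x01" * 16)),
    "bob": (b"\x02" * 16, hash_salted("Tr0ub4dor&3", b"\x02" * 16)),
}


def table_attack_salted(stolen, table):
    """The table was keyed on unsalted digests, so nothing matches."""
    return {user: table[d] for user, (salt, d) in stolen.items() if d in table}


def dictionary_attack_salted(stolen, wordlist):
    """Still possible, but every guess must be re-hashed for every user with
    that user's salt, at the full PBKDF2 cost, so precomputation buys nothing."""
    cracked = {}
    for user, (salt, digest) in stolen.items():
        for candidate in wordlist:
            if hash_salted(candidate, salt) == digest:
                cracked[user] = candidate
                break
    return cracked


if __name__ == "__main__":
    print("dictionary, unsalted:", dictionary_attack(UNSALTED_FILE, WORDLIST))
    print("brute force, carol  :", brute_force(UNSALTED_FILE["carol"], "0123456789", 4))
    table = build_lookup_table(WORDLIST)
    print("table, unsalted     :", table_attack(UNSALTED_FILE, table))
    print("table, salted       :", table_attack_salted(SALTED_FILE, table))
    print("dictionary, salted  :", dictionary_attack_salted(SALTED_FILE, WORDLIST))
```

Against the unsalted file the dictionary attack recovers alice's password, the brute force over four digits recovers carol's, and the prebuilt table finds alice with no hashing at all. Against the salted file the same table finds nothing; the dictionary attack still recovers alice's weak password, but only by paying the iterated hash cost per guess per user, which is the point of salting and key stretching: they do not save a password that is in the wordlist, they remove the attacker's ability to precompute and to amortize work across accounts.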

Espionage or trespass is a well-known and broad category of electronic and human
activities that can breach the confidentiality of information. When an unauthorized
person gains access to information an organization is trying to protect, the act is
categorized as espionage or trespass. Attackers can use many different methods to
access the information stored in an information system. Some information-gathering
techniques are legal- for example, using a Web browser to perform market research.
These legal techniques are collectively called competitive intelligence. When
information gatherers employ techniques that cross a legal or ethical threshold, they are
conducting industrial espionage. Many countries that are considered allies of the United
States engage in industrial espionage against American organizations. When foreign
governments are involved, these activities are considered a threat to national security.
Some forms of espionage are relatively low tech. One example, called shoulder
surfing, is used in public or semipublic settings when people gather information they
are not authorized to have. Instances of shoulder surfing occur at computer terminals,
desks, and ATMs; on a bus, airplane, or subway, where people use smartphones and
tablet PCs; and in other places where employees may access confidential information.
Shoulder surfing flies in the face of the unwritten etiquette among professionals who
address information security in the workplace: If you can see another person entering
personal or private information into a system, look away as the information is
entered. Failure to do so constitutes not only a breach of etiquette, but also an affront
to privacy and a threat to the security of confidential information.

Hackers
Acts of trespass can lead to unauthorized real or virtual actions that enable
information gatherers to enter premises or systems without permission. Controls
sometimes mark the boundaries of an organization's virtual territory. These boundaries
give notice to trespassers that they are encroaching on the organization's cyberspace.
Sound principles of authentication and authorization can help organizations protect
valuable information and systems. These control methods and technologies employ
multiple layers or factors to protect against unauthorized access and trespass.
The classic perpetrator of espionage or trespass is the hacker, who is frequently
glamorized in fictional accounts as a person who stealthily manipulates a maze of
computer networks, systems, and data to find information that solves the mystery
and heroically saves the day. However, the true life of the hacker is far more mundane.
In the real world, a hacker frequently spends long hours examining the types and
structures of targeted systems and uses skill, guile, and/or fraud to attempt to bypass
controls placed on information owned by someone else.
Hackers possess a wide range of skill levels, as with most technology users.
However, most hackers are grouped into two general categories- the expert hacker
and the novice hacker:
• The expert hacker is usually a master of several programming languages,
networking protocols, and operating systems, and exhibits a mastery of the
technical environment of the chosen targeted system. Once an expert hacker
chooses a target system, the likelihood is high that he or she will successfully
enter the system. Fortunately for the many poorly protected organizations in the
world, there are substantially fewer expert hackers than novice hackers.
A new category of expert hacker has emerged over the last decade. The
professional hacker seeks to conduct attacks for personal benefit or the
benefit of an employer, which is typically a crime organization or government-
sponsored operation (see the section on cyberterrorism). The professional hacker
should not be confused with the penetration tester, who has authorization
from an organization to test its information systems and network defense, and
is expected to provide detailed reports of the findings. The primary differences
between professional hackers and penetration testers are the authorization
provided and the ethical professionalism displayed.
The recent emergence of a method of precisely targeted attacks against
organizations is known as an advanced persistent threat or APT. These attacks
are usually a combination of social engineering, spear phishing, and customized
malware generated by nation-state sponsored organizations or sophisticated
criminal operations. In many cases, these attacks seek to infiltrate high-value
information for economic espionage or attacks against national security.
absent in Myxinoids, but the gastric branches of the Vagus are
continued, united as a single nerve, along the intestine to the anus.
No fish possesses a Nervus accessorius. Also a separate Nervus
hypoglossus (twelfth pair)[13] is absent, but elements from the first
spinal nerve are distributed in the area normally supplied by this
nerve in higher vertebrates.

The number of Spinal nerves corresponds to that of the vertebræ,
through or between which they pass out. Each nerve has two roots,
an anterior and posterior, the former of which has no ganglion, and
exclusively contains motor elements. The posterior or dorsal has a
ganglionic enlargement, and contains sensory elements only. After
leaving the vertebral canal each spinal nerve usually divides into a
dorsal and ventral branch. The Gadoids show that peculiarity that
each of the posterior roots of some or many of the spinal nerves
possesses two separate threads, each of which has a ganglion of its
own; the one of these threads joins the dorsal and the other the
ventral branch. In fishes in which the spinal chord is very short, as in
Plectognaths, Lophius, the roots of the nerves are extremely long,
forming a thick Cauda equina. The additional function which the
(five) anterior spinal nerves of Trigla have to perform in supplying the
sensitive pectoral appendages and their muscles has caused the
development of a paired series of globular swellings of the
corresponding portion of the spinal chord. A similar structure is found
in Polynemus.
Fig. 46.
Brain and anterior portion of the
spinal chord of Trigla
(Gurnard), showing the
globular swellings at the
base of the anterior spinal
nerves.
A Sympathic nervous system appears to be absent in
Branchiostoma, and has not yet been clearly made out in
Cyclostomes. It is well developed in the Palæichthyes, but without
cephalic portion. This latter is present in all Osseous fishes, in which
communication of the Sympathic has been found to exist with all
cerebral nerves, except the olfactory, optic, and acustic. The
sympathic trunks run along each side of the aorta and the back of
the abdomen into the hæmal canal; communicate in their course with
the ventral branches of each of the spinal nerves; and, finally, often
blend together into a common trunk beneath the tail. At the points of
communication with the cerebral and spinal nerves frequently
ganglia are developed, from which nerves emerge which are
distributed to the various viscera.
CHAPTER VII.

THE ORGANS OF SENSE.

Characteristic of the Organ of Smell in Fishes is that it has no
relation whatever to the respiratory function, with the exception of the
Dipnoi, in which possibly part of the water received for respiration
passes through the nasal sac.
The olfactory organ is single in Branchiostoma and the
Cyclostomes. In the former a small depression on the front end of
the body, clothed with a ciliated epithelium, is regarded as a
rudimentary organ of smell. In the adult Petromyzon a membranous
tube leads from the single opening on the top of the head into the
cartilaginous olfactory capsule, the inside of which is clothed by
membranes prolonged into a posterior blind tube (Fig. 30, s), which
penetrates the cartilaginous roof of the palate, but not the mucous
membrane of the buccal cavity. In the Myxinoids the outer tube is
strengthened by cartilaginous rings like a trachea; the capsule is
lined by a longitudinally folded pituitary membrane, and the posterior
tube opens backwards on the roof of the mouth; the opening is
provided with a valve.
In all other Fishes the organ of smell is double, one being on
each side; it consists of a sac lined with a pituitary membrane, and
without, or with one or two, openings. The position of these openings
is very different in the various orders or suborders of Fishes.
In the Dipnoi the nasal sac opens downwards by two wide
openings which are within the boundaries of the cavity of the mouth.
The pituitary membrane is transversely folded, the transverse folds
being divided by one longitudinal fold. The walls of the sac are
strengthened by sundry small cartilages.
Also in Chondropterygians the openings, of which there is one to
each sac, are on the lower part of the snout, and in the Rays,
Holocephali, and some Sharks, each extends into the cleft of the
mouth. The openings are protected by valvular flaps, supported by
small cartilages, and moved by muscles, whence it may be
concluded that these fishes are able to scent (actively) as well as to
smell (passively).

Fig. 47.—Nostrils of Raia lemprieri, with nasal flaps reverted.
In the majority of Teleostei the olfactory capsules are lateral or
superior on the snout, covered externally by the skin, each usually
pierced by two openings, which are either close together, or more or
less remote from each other; the posterior is generally open, the
anterior provided with a valve or tube. In the Chromides and
Labroidei ctenoidei a single opening only exists for each sac. In the
Murænidæ the two openings of each side are either superior, or
lateral, or labial, that is, they are continued downwards and pierce
the margin of the upper lip. In many Tetrodonts nasal openings are
absent, and replaced by a conical papilla, in which the olfactory
nerve terminates.
It is certain that fishes possess the faculty of perceiving odours,
and that various scents attract or repel them. A mangled carcase or
fresh blood attracts Sharks as well as the voracious Serrasalmonoids
of the South American rivers. There is no reason to doubt
that the seat of that perception is in the olfactory sac; and it may be
reasonably conjectured that its strength depends mainly on the
degree of development indicated by the number and extent of the
interior folds of the pituitary membrane.
Organ of Sight.—The position, direction, and dimensions of the
eyes of fishes vary greatly. In some they have an upward aspect,
and are often very close together; in others they are lateral, and in a
few they are even directed downwards. The Flat-fishes represent the
extraordinary anomaly that both eyes are on the same side of the
head, and rarely on the same level, one being generally placed more
forward than the other. In certain species of marine fishes the eyes
are of an extraordinary size, a peculiarity indicating that the fish
either lives at a great depth, to which only a small proportion of the
rays of light penetrate, or that it is of nocturnal habits. In fishes which
have descended to such great depths that no rays whatever can
reach them, or in freshwater fishes living in caves, or in species
which grovel and live constantly in mud, the eyes are more or less
aborted, sometimes quite rudimentary, and covered by the skin. In
very few this organ appears to be entirely absent. In some Gobioids
and Trachinoids (Periophthalmus, Boleophthalmus, Uranoscopus,
etc.) the eyes, which are on the upper side of the head, can be
elevated and depressed at the will of the fish. In the range of their
vision and acuteness of sight, Fishes are very inferior to the higher
classes of Vertebrates, yet at the same time it is evident that they
perceive their prey or approaching danger from a considerable
distance; and it would appear that the visual powers of a
Periophthalmus, when hunting insects on mud-flats of the tropical
coasts, are quite equal to that of a frog. Again, the discrimination
with which fishes sometimes prefer one colour or kind of artificial fly
to another affords sufficient evidence that the vision, at least of
certain species is by no means devoid of clearness and precision.
The eye of Branchiostoma is of the most rudimentary condition. It
is simply a minute speck coated by dark pigment, and receiving the
end of a short nerve. In Myxinoids the minute rudiment of the eye is
covered by the skin and muscles. This is also the case in many of
the blind Teleosteous fishes; however, whilst in the former fishes the
organ of sight has not attained to any degree of development, the
rudimentary eye of blind Teleostei is a retrogressive formation, in
which often a lens and other portions of the eye can be recognised.
In fishes with a well-developed eye it is imbedded in a layer of
gelatinous and adipose substance, which covers the cavity of the
orbit. A lacrymal gland is absent. In the orbit of one fish only,
Chorismodentex, an organ has been found which can be compared
to a saccus lacrymalis. It is a round, blind, wide sac, of the size of a
pea, situated below the anterior corner of the orbit, between the
maxillary bone and the muscles of the cheek, communicating by a
rather wide foramen with the orbital cavity. The membrane by which
it is formed is continuous with that coating the orbita. In the
Chondropterygians the eyeball is supported by and moves on a
cartilaginous peduncle of the orbital wall. In the majority of
Teleosteans, and in Acipenser, a fibrous ligament attaches the
sclerotic to the wall of the orbit. The proper muscles of the eyeball
exist in all fishes, and consist of the four Musculi recti and the two M.
obliqui. In many Teleostei the former rise from a subcranial canal, the
origin of the M. rectus externus being prolonged farthest backwards.
The Recti muscles are extraordinarily long in the Hammerheaded
Sharks, in which they extend from the basis cranii along the lateral
prolongations of the head to the eyes, which are situated at the
extremities of the hammer.
In all fishes the general integument of the head passes over the
eye, and becomes transparent where it enters the orbit; sometimes it
simply passes over the orbit, sometimes it forms a circular fold. The
anterior and posterior portions may be especially broad and the seat
of an adipose deposit (adipose eyelids), as in Scomber, Caranx,
Mugil, etc. In many of these fishes the extent of these eyelids varies
with the seasons; during the spawning season they are so much
loaded with fat as nearly to hide the whole eye. Many Sharks
possess a nictitating membrane, developed from the lower part of
the palpebral fold, and moved by a proper set of muscles.
Fig. 48.
Vertical section through eye of
Xiphias. (After Owen.)
co, Cornea; sc, sclerotica; o, nervus
opticus; c, sclerotic capsule; a,
membrana argentea; v,
membrana vasculosa; u,
membrana uvea; ch, choroid
gland; r, retina; f, processus
falciformis; h, humor vitreus; l,
lens; i, iris.

The form of the bulbus (Fig. 48) is subhemispherical, the cornea
(co) being flat. If it were convex, as in higher Vertebrates, it would be
more liable to injury; but being level with the side of the head the
chances of injury by friction are diminished. The sclerotica (sc) is
cartilaginous in Chondropterygians and Acipensers, fibrous and of
varying thickness in Teleosteans, in the majority of which it is
supported by a pair of cartilaginous or ossified hemispheroid cups
(c). In a few fishes, as in Ceratodus, Xiphias, the cups are confluent
into one cup, which possesses a foramen behind to allow the
passage of the optic nerve (o). The cornea of Anableps shows an
unique peculiarity. It is crossed by a dark horizontal stripe of the
conjunctiva, dividing it into an upper and lower portion; also the iris is
perforated by two pupils. This fish is observed to swim frequently
with half of its head out of the water, and it is a fact that it can see
out of the water as well as in it.
The membranes situated between the sclerotica and retina are
collectively called choroidea, and three in number. The one in
immediate contact with the sclerotic, and continued upon the iris, is
by no means constantly present; it is the membrana argentea (a),
and composed of microscopical crystals reflecting a silvery or
sometimes golden lustre. The middle layer is the membrana
vasculosa s. halleri (v), the chief seat of the ramifications of the
choroid vessels; the innermost layer is the membrana ruyscheana or
uvea (u), which is composed of hexagonal pigment-cells, usually of a
deep brown or black colour.
In many Teleostei a rete mirabile surrounds the entry of the optic
nerve; it is situated between the membrana argentea and vasculosa,
and called the choroid gland (ch). It receives its arterial blood from
the artery issuing from the pseudobranchia; the presence of a
choroid gland always being combined with that of a pseudobranchia.
Teleosteans without pseudobranchia lack a choroid gland. In the
Palæichthyes, on the other hand, the pseudobranchia is present and
a choroid gland absent.
The iris (i) is merely the continuation of the choroid membrane; its
capability of contracting and expanding is much more limited than in
higher Vertebrates. The pupil is generally round, sometimes
horizontally or vertically elliptical, sometimes fringed. In the Rays and
Pleuronectidæ a lobe descends from the upper margin of the pupil,
and the outer integument overlying this lobe is coloured and non-
transparent; a structure evidently preventing light from entering the
eye from above.
In most Teleostei a fold of the Choroidea, called the Processus
falciformis (f), extends from the vicinity of the entrance of the optic
nerve to the lens. It seems to be constantly absent in Ganoids.
The retina (r) is the membrane into which the optic nerve
penetrates, and in which its terminal filaments are distributed. It
consists of several layers (Fig. 49). The outermost is an extremely
delicate membrane (a), followed by a layer of nerve-cells (b), from
which the terminal filaments issue, passing through several granular
strata (c, d, e), on which the innermost stratum rests. This stratum is
composed of cylindrical rods (f) vertically arranged, between which
twin fusiform corpuscles (g) are intercalated. This last layer is thickly
covered with a dark pigment. The retina extends over a portion of the
iris, and a well-defined raised rim runs along its anterior margin.

Fig. 49.—Vertical section of the Retina of the Perch, magn. × 350.
The vitreous humour (Fig. 48, h) which fills the posterior cavity of
the eyeball, is of a firmer consistency than in the higher Vertebrates.
The lens is spherical, or nearly so; firm, denser towards the centre,
and lies in a hollow of the vitreous humour. When a falciform process
is present, it is with one end attached to the lens, which is thus
steadied in its position. It consists of concentric layers consisting of
fibres, which in the nucleus of the body have marginal teeth, by
which they are interlocked together. In Petromyzon this serrature is
absent, or but faintly indicated.

Fig. 50.—Interlocking fibres of lens, highly magnified.
The anterior cavity of the eye is very small in Fishes, in
consequence of the small degree of convexity of the cornea; the
quantity of the aqueous humour, therefore, is very small, just
sufficient to float the free border of the iris; and the lessened
refractive power of the aqueous humour is compensated by the
greater convexity of the lens.

Organ of Hearing.—No trace of an organ of hearing has been
found in Branchiostoma. In the Cyclostomes the labyrinth is
enclosed in externally visible cartilaginous capsules laterally
attached to the skull; it consists of a single semicircular canal in the
Myxinoids, whilst the Petromyzontes possess two semicircular
canals with a vestibulum.
In all other fishes the labyrinth consists of a vestibule and three
semicircular canals, the vestibule dilating into one or more sacs
which contain the otoliths. A tympanum, tympanic cavity, and
external parts, are entirely absent in the class of fishes.
In the Chondropterygians and Dipnoi, the labyrinth is enclosed in
the cartilaginous substance of the skull. In the former the excavation
in the cartilage is larger than the membranous labyrinth, but nearly
corresponds to it in form; the part which receives the membranous
vestibulum is called Vestibulum cartilagineum, from which a canal
issues and penetrates to the surface of the skull, where it is closed
by the skin in Sharks, but opens by a minute foramen in Rays. The
otolithic contents are soft and chalklike.
In the Holocephali part of the labyrinth is enclosed in the cartilage
of the skull, another part being in the cranial cavity, as in Ganoids
and Teleosteans. The membranous vestibulum is continued by a
canal to a single opening in the roof of the skull, from which two
smaller canals are continued to two small foramina in the skin
covering the occipital region.
In the Teleosteans the sac which contains the otoliths lies on
each side of the base of the cranial cavity and is often divided by a
septum into two compartments of unequal size, each containing a
firm and solid otolith; these bodies (Fig. 51), possess indented
margins, frequently other impressions and grooves, in which nerves
from the N. acusticus are lodged; they vary much in size and form,
but in both respects show a remarkable constancy in the same kind
of fishes. The vestibule is outwards in contact with the osseous side
wall of the skull, inwards with the metencephalon and medulla
oblongata; it contains another firm concretion, and opens by five
foramina into the three semicircular canals. The terminations of the
acustic nerve are distributed over the vestibular concretion and the
ampulliform ends (Fig. 52 p) of the semicircular canals, without being
continued into the latter, which are filled with fluid. The semicircular
canals (Fig. 52 g), are sometimes lodged in the cranial bones,
sometimes partly free in the cranial cavity. Many Teleostei have
fontanelles in the roof of the skull, closed by skin or very thin bone
only at the place where the auditory organ approaches the surface,
by which means sonorous undulations must be conducted with
greater ease to the ear.

Fig. 51.—Otolith of Haddock (Gadus æglefinus). I. Outer, II. Inner aspect.
In many Teleostei a most remarkable relation obtains between
the organ of hearing and the air-bladder. In the most simple form this
connection is established in Percoids and the allied families, in which
the two anterior horns of the air-bladder are attached to fontanelles
of the occipital region of the skull, the vestibulum occupying the
opposite side of the membrane by which the fontanelle is closed.
The condition is similar, but more complicated in many Clupeoids.
The anterior narrow end of the air-bladder is produced into a canal at
the base of the skull, and divided into two very narrow branches,
which again bifurcate and terminate in a globular swelling. An
appendage of the vestibulum meets the anterior of these swellings,
and comes into close contact with it. Besides, the two vestibules
communicate with each other by a transverse canal, crossing the
cranial cavity below the brain.
Fig. 52.—Communication between auditory organ and air-bladder in the Carp.
(After E. H. Weber.)
a, Basisphenoid; b, Occipital; c, Supraoccipital; d, Exoccipital; e, Paroccipital; f,
Alisphenoid; g, Neural arch of first vertebra; h, i, k, second, third, and fourth
vertebra; h’, i’, Parapophyses of second and third vertebra; i", process of the
third vertebra for the attachment of the air-bladder; k, l, m, Chain of ossicles;
n, Air-bladder; o, vestibulum; p, p, Ampullæ; q, q, Canales semicirculares; r,
Sinus impar.
The connection is effected by means of a chain of ossicles in
Siluridæ, Characinidæ, Cyprinidæ and Gymnotidæ. A canal issues
from the communication between vestibule and its sac, and meeting
that from the other side forms with it a common sinus impar (Fig. 52,
r), lodged in the substance of the basi-occipital; this communicates
on each side by a small orifice with two subspherical atria, on the
body of the atlas, close to the foramen magnum. Each atrium is
supported externally by a small bone (m); a third larger bone (k)
completes the communication with the anterior part of the air-
bladder. From the sinus impar a bifid canal penetrates into the
alisphenoids, in which it terminates. In Cobitis and several Loach-like
Siluroids the small air-bladder consists of two globular portions
placed side by side, and wholly included within two bullæ, formed by
the modified parapophyses of the second and third vertebræ. The
three ossicles on each side are present, but concealed by the fore
part of the osseous bulla.

Organ of Taste.—Some fishes, especially vegetable feeders, or
those provided with broad molar-like teeth, masticate their food; and
it may be observed in Carps and other Cyprinoid fish, that this
process of mastication frequently takes some time. But the majority
of fish swallow their food rapidly, and without mastication, and
therefore we may conclude that the sense of taste cannot be acute.
The tongue is often entirely absent, and even when it exists in its
most distinct state, it consists merely of ligamentous or cellular
substance, and is never furnished with muscles capable of producing
the movements of extension or retraction as in most higher
Vertebrates. A peculiar organ on the roof of the palate of Cyprinoids,
is perhaps an organ adapted for perception of this sense; in these
fishes the palate between and below the upper pharyngeal bones is
cushioned with a thick, soft contractile substance, richly supplied
with nerves from the Nervi vagus and glossopharyngeus.
Organs of Touch.—The faculty of touch is more developed than
that of taste, and there are numerous fishes which possess special
organs of touch. Most fishes are very sensitive to external touch,
although their body may be protected by hard horny scales. They
perceive impressions even on those parts which are covered by
osseous scutes, in the same manner as a tortoise perceives the
slightest touch of its carapace. The seat of the greatest
sensitiveness, however, appears to be the snout and the labial folds
surrounding the mouth. Many species possess soft and delicate
appendages, called barbels, which are almost constantly in action,
and clearly used as organs of touch. Among the Triglidæ and allied
families, there are many species which have one or more rays of the
pectoral fin detached from the membrane, and supplied with strong
nerves. Such detached rays (also found in the Polynemidæ,
Bathypterois) are used partly for locomotion, partly for the purpose of
exploring the ground over which the fish moves.
Some fish appear to be much less sensitive than others, or at
least lose their sensitiveness under peculiar circumstances. It is well
known that a Pike, whose mouth has been lacerated and torn by the
hook, continues to yield to the temptation of a bait immediately
afterwards. The Greenland Shark when feeding on the carcass of a
whale allows itself to be repeatedly stabbed in the head without
abandoning its prey. A pair of Congers are so dead to external
impression at the time of copulation, and so automatically, as it were,
engaged, that they have been taken by the hand together out of the
water.
CHAPTER VIII.

THE ORGANS OF NUTRITION AND DIGESTION.

Fishes are either exclusively carnivorous or herbivorous, but not
a few feed on vegetable substances as well as animal, or on mud
containing alimentary substance in a living or decomposing state.
Generally they are very voracious, especially the carnivorous kinds,
and the rule of “eat or be eaten” applies to them with unusual force.
They are almost constantly engaged in the pursuit and capture of
their prey, the degree of their power in these respects depending on
the dimensions of the mouth and gullet and the strength of the teeth
and jaws. If the teeth are sharp and hooked, they are capable of
securing the most slender and agile animals; if this kind of teeth is
combined with a wide gullet and distensible stomach, they are able
to overpower and swallow other fish larger than themselves; if the
teeth are broad, strong molars, they are able to crush the hardest
aliments; if they are feeble, they are only serviceable in procuring
some small or inert and unresisting prey. Teeth may be wanting
altogether. Whatever the prey, in the majority of cases it is swallowed
whole; but some of the most voracious fishes, like some Sharks and
Characinidæ, are provided with cutting teeth, which enable them to
tear their prey to pieces if too large to be swallowed whole. Auxiliary
organs for the purpose of overpowering their prey, which afterwards
is seized or torn by the teeth, like the claws of some carnivorous
mammals and birds, are not found in this class; but in a few fishes
the jaws themselves are modified for that purpose. In the Sword-
fishes the bones of the upper jaw form a long dagger-shaped
weapon, with which they not only attack large animals, but also
frequently kill fishes on which they feed. The Saw-fishes are armed
with a similar but still more complicated weapon, the saw, which is
armed on each side with large teeth implanted in deep sockets,
specially adapted for killing and tearing the prey before it is seized
and masticated by the small teeth within the mouth. Fishes show but
little choice in the selection of their food, and some devour their own
offspring indiscriminately with other fishes. Their digestive powers
are strong and rapid, but subject in some degree to the temperature,
which, when sinking below a certain point, lowers the vital powers of
these cold-blooded animals. On the whole, marine fishes are more
voracious than those inhabiting fresh waters; and whilst the latter
may survive total abstinence from food for weeks or months, the
marine species succumb to hunger within a few days. The growth of
fishes depends greatly on the nature and supply of food, and
different individuals of the same species may exhibit a great disparity
in their respective dimensions. They grow less rapidly and to smaller
dimensions in small ponds or shallow streams than in large lakes
and deep rivers. The young of coast fishes, when driven out to sea,
where they find a much smaller supply of food, remain in an
undeveloped condition, assuming an hydropic appearance. The
growth itself seems to continue in most fishes for a great length of
time, and we can scarcely set bounds to—certainly we know not with
precision—the utmost range of the specific size of fishes. Even
among species in no way remarkable for their dimensions we
sometimes meet with old individuals, favourably situated, which
more or less exceed the ordinary weight and measurement of their
kind. However, there are certain evidently short-lived species of
fishes which attain a remarkably uniform size within a very short
time; for instance, the Stickleback, many species of Gobius and
Clupea.

The organs of nutrition, manducation, and deglutition, are lodged
in two large cavities—an anterior (the mouth or buccal cavity), and a
posterior (the abdominal cavity). In the former the alimentary organs
are associated with those fulfilling the respiratory functions, the
transmission of food to the stomach and of water to the gills being
performed by similar acts of deglutition. The abdominal cavity
commences immediately behind the head, so, however, that an
extremely short thoracic cavity for the heart is partitioned off in front.
Beside the alimentary organs it contains also those of the urogenital
system and the air-bladder. The abdominal cavity is generally
situated in the trunk only, but in numerous fishes it extends into the
tail, being continued for some distance along each side of the hæmal
apophyses.
In numerous fishes the abdominal cavity opens outwards by one
or two openings. A single porus abdominalis in front of the vent is
found in Lepidosiren and some Sturgeons; a paired one, one on
each side of the vent, in Ceratodus, some species of Sturgeon,
Lepidosteus, Polypterus, Amia, and all Chondropterygians. As in
these fishes semen and ova are discharged by proper ducts, the
abdominal openings may serve for the expulsion of semen, and
those ova only which, having lost their way to the abdominal
aperture of the oviduct, would be retained in the abdominal cavity. In
those Teleosteans which lack an oviduct a single porus genitalis
opens behind the vent.
The mouth of fishes shows extreme variation with regard to form,
extent, and position. Generally opening in front, it may be turned
upwards, or may lie at the lower side of the snout, as in most
Chondropterygians, Sturgeons, and some Teleosteans. Vogt regards
this position as a persistent fœtal condition. In most fishes the jaws
are covered by the skin, which, before passing over the jaws, is often
folded, forming more or less fleshy lips. In the Sharks the skin retains
its external character even within the teeth, but in other fishes it
changes into a mucous membrane. A tongue may exist as a more or
less free and short projection, formed by the glosso-hyal and a soft
covering, or may be entirely absent. Salivary glands and a velum
palati are absent in fishes.
With regard to the dentition, the class of Fishes offers an amount
of variation such as is not found in any of the other classes of
Vertebrates. As the teeth form one of the most important elements in
the classification of fishes, their special arrangement and form will be
referred to in the account of the various families and genera. Whilst
not a few fishes are entirely edentulous, in others most of the bones
of the buccal cavity, or some of them, may be toothed, as the bones
of the jaws, the palatines, pterygoids, vomers, basisphenoid,
glossohyal, branchial arches, upper and lower pharyngeals. In others
teeth may be found fixed in some portion of the buccal membrane
without being supported by underlying bone or cartilage; or the teeth