
Management of Information Security

6th Edition Michael E. Whitman


MANAGEMENT OF
INFORMATION SECURITY

Sixth Edition

Michael E. Whitman
Herbert J. Mattord

Australia • Brazil • Mexico • Singapore • United Kingdom • United States
This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content
may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the
overall learning experience. The publisher reserves the right to remove content from this title at any time if
subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to
current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author,
title, or keyword for materials in your areas of interest.

Important Notice: Media content referenced within the product description or the product text may not be
available in the eBook version.
Management of Information Security, Sixth Edition
Michael E. Whitman, Herbert J. Mattord

SVP, GM Skills: Jonathan Lau
Product Director: Lauren Murphy
Product Team Manager: Kristin McNary
Product Manager: Amy Savino
Product Assistant: Jake Toth
Executive Director, Content Design: Marah Bellegarde
Director, Learning Design: Leigh Hefferon
Learning Designer: Natalie Onderdonk
Sr. Marketing Director: Michele McTighe
Assoc. Marketing Manager: Cassie Cloutier
Director, Content Delivery: Patty Stephan
Sr. Content Manager: Brooke Greenhouse
Digital Delivery Lead: Jim Vaughey
Senior Designer: Diana H. Graham
Production Service/Composition: SPi Global
Cover image: iStockPhoto.com/ValeryBrozhinsky

© 2019, 2017, 2014, 2010 Cengage Learning, Inc.
Unless otherwise noted, all content is © Cengage.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced or distributed
in any form or by any means, except as permitted by U.S. copyright law, without the prior written permission
of the copyright owner.

SOURCE FOR ILLUSTRATIONS: Copyright © Cengage. Screenshots are © Microsoft Corporation unless otherwise noted.

For product information and technology assistance, contact us at Cengage Customer & Sales Support,
1-800-354-9706 or support.cengage.com.

For permission to use material from this text or product, submit all requests online at
www.cengage.com/permissions.

Library of Congress Control Number: 2018936035

ISBN: 978-1-337-40571-3

Cengage
20 Channel Center Street
Boston, MA 02210
USA

Cengage is a leading provider of customized learning solutions with employees residing in nearly 40 different
countries and sales in more than 125 countries around the world. Find your local representative at
www.cengage.com.

Cengage products are represented in Canada by Nelson Education, Ltd.

To learn more about Cengage platforms and services, visit www.cengage.com.

To register or access your online learning solution or purchase materials for your course, visit
www.cengagebrain.com.

Notice to the Reader

Publisher does not warrant or guarantee any of the products described herein or perform any independent analysis
in connection with any of the product information contained herein. Publisher does not assume, and expressly
disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer.
The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities
described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly
assumes all risks in connection with such instructions. The publisher makes no representations or warranties of any
kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any
such representations implied with respect to the material set forth herein, and the publisher takes no responsibility
with respect to such material. The publisher shall not be liable for any special, consequential, or exemplary damages
resulting, in whole or part, from the readers' use of, or reliance upon, this material.

Printed in the United States of America

Print Number: 01 Print Year: 2018
Brief Contents
PREFACE ....................................................................................................... xv

CHAPTER 1
Introduction to the Management of Information Security ..................... 1

CHAPTER 2
Compliance: Law and Ethics ...................................................................... 63

CHAPTER 3
Governance and Strategic Planning for Security .................................. 123

CHAPTER 4
Information Security Policy ..................................................................... 169

CHAPTER 5
Developing the Security Program ........................................................... 219

CHAPTER 6
Risk Management: Assessing Risk .......................................................... 303

CHAPTER 7
Risk Management: Treating Risk ............................................................ 365

CHAPTER 8
Security Management Models ................................................................ 411

CHAPTER 9
Security Management Practices ............................................................. 457

CHAPTER 10
Planning for Contingencies ...................................................................... 497

CHAPTER 11
Security Maintenance .............................................................................. 567

CHAPTER 12
Protection Mechanisms ........................................................................... 619

GLOSSARY .................................................................................................. 683

INDEX .......................................................................................................... 709

Table of Contents
PREFACE ....................................................................................................... xv

CHAPTER 1
Introduction to the Management
of Information Security........................................................... 1
Introduction to Security ......................................................................................2
CNSS Security Model ........................................................................................ 5
The Value of Information and the C.I.A. Triad ................................................. 7
Key Concepts of Information Security: Threats and Attacks ......................... 11
The 12 Categories of Threats ............................................................................ 13
Management and Leadership ............................................................................45
Behavioral Types of Leaders ........................................................................... 46
Management Characteristics .......................................................................... 47
Governance ..................................................................................................... 50
Solving Problems ............................................................................................ 50
Principles of Information Security Management ........................................... 52
Planning .......................................................................................................... 53
Policy ............................................................................................................... 54
Programs ......................................................................................................... 55
Protection ........................................................................................................ 55
People .............................................................................................................. 55
Projects ............................................................................................................ 55
Additional Reading ............................................................................................57
Chapter Summary.............................................................................................. 57
Review Questions .............................................................................................. 58
Exercises ............................................................................................................. 59
Closing Case........................................................................................................60
Discussion Questions ..................................................................................... 60
Ethical Decision Making ................................................................................. 60
Endnotes .............................................................................................................61

CHAPTER 2
Compliance: Law and Ethics ................................................. 63
Introduction to Law and Ethics ........................................................64
Ethics in InfoSec .................................................................................................66
Ethics and Education ...................................................................................... 70
Deterring Unethical and Illegal Behavior ....................................................... 72
Professional Organizations and Their Codes of Conduct ............................. 74
Association for Computing Machinery (ACM) ............................................... 74
International Information Systems Security Certification Consortium,
Inc. (ISC)² ..........................................................................................................75
SANS ................................................................................................................75
Information Systems Audit and Control Association (ISACA) ....................... 76
Information Systems Security Association (ISSA) ......................................... 77
Information Security and Law..........................................................................78
Types of Law ................................................................................................... 78
Relevant U.S. Laws .......................................................................................... 79
International Laws and Legal Bodies ............................................................. 95
State and Local Regulations ............................................................................ 97
Standards Versus Law .................................................................................... 101
Policy Versus Law ......................................................................................... 104
Organizational Liability and the Management of Digital Forensics ......... 104
Key Law Enforcement Agencies ....................................................................105
Managing Digital Forensics .......................................................................... 109
Additional Reading ......................................................................................... 117
Chapter Summary........................................................................................... 117
Review Questions ........................................................................................... 118
Exercises .......................................................................................................... 119
Closing Case ..................................................................................................... 120
Discussion Questions ....................................................................................120
Ethical Decision Making ................................................................................120
Endnotes .......................................................................................................... 120

CHAPTER 3
Governance and Strategic Planning for Security ............. 123
The Role of Planning....................................................................................... 125
Precursors to Planning................................................................................... 127
Strategic Planning ........................................................................................... 129
Creating a Strategic Plan .................................................................................131
Planning Levels .............................................................................................. 132
Planning and the CISO ................................................................................... 133
Information Security Governance ................................................................ 135
The ITGI Approach to Information Security Governance ............................. 136
NCSP Industry Framework for Information Security Governance ............... 138
CERT Governing for Enterprise Security Implementation ........................... 140
ISO/IEC 27014: 2013 Governance of Information Security .............................. 143
Security Convergence .................................................................................... 145
Planning for Information Security Implementation ................................... 147
Implementing the Security Program using the SecSDLC.............................. 154
Additional Reading ......................................................................................... 163
Chapter Summary........................................................................................... 164
Review Questions ........................................................................................... 165
Exercises .......................................................................................................... 165
Closing Case ..................................................................................................... 166
Discussion Questions .................................................................................... 167
Ethical Decision Making ................................................................................ 167
Endnotes .......................................................................................................... 167

CHAPTER 4
Information Security Policy ................................................ 169
Why Policy? ...................................................................................................... 170
Policy, Standards, and Practices .................................................................... 175
Enterprise Information Security Policy ........................................................ 177
Integrating an Organization's Mission and Objectives into the EISP ........... 178
EISP Elements ................................................................................................ 178
Example EISP Elements ................................................................................ 180
Issue-Specific Security Policy ......................................................................... 183
Elements of the ISSP ...................................................................................... 185
Implementing the ISSP .................................................................................. 188
System-Specific Security Policy ..................................................................... 190
Managerial Guidance SysSPs ......................................................................... 191
Technical Specification SysSPs ...................................................................... 192
Guidelines for Effective Policy Development and Implementation ............. 197
Developing Information Security Policy ....................................................... 197
Policy Distribution .........................................................................................198
Policy Reading ................................................................................................199
Policy Comprehension ...................................................................................199
Policy Compliance ........................................................................................ 200
Policy Enforcement ........................................................................................ 201
Policy Development and Implementation Using the SDLC .......................... 201
Software Support for Policy Administration ................................................ 206
Other Approaches to Information Security Policy Development ................ 207
SP 800-18, Rev. 1: Guide for Developing Security Plans
for Federal Information Systems .................................................................. 209
A Final Note on Policy..................................................................................... 212
Additional Reading ......................................................................................... 213
Chapter Summary........................................................................................... 214
Review Questions ........................................................................................... 215
Exercises .......................................................................................................... 216
Closing Case ..................................................................................................... 217
Discussion Questions .................................................................................... 217
Ethical Decision Making ................................................................................ 217
Endnotes .......................................................................................................... 218

CHAPTER 5
Developing the Security Program ...................................... 219
Organizing for Security .................................................................................. 220
Security in Large Organizations .................................................................... 225
Security in Medium-Sized Organizations ..................................................... 228
Security in Small Organizations .................................................................... 229
Placing Information Security Within an Organization ............................... 230
Components of the Security Program .......................................................... 241
Staffing the Security Function ...................................................................... 244
Information Security Professional Credentials ............................................. 254
Entering the Information Security Profession .............................................. 265
Implementing Security Education, Training, and Awareness
(SETA) Programs .............................................................................................. 267
Security Education ........................................................................................ 269
Security Training ........................................................................................... 271
Security Awareness ....................................................................................... 278
Project Management in Information Security ............................................ 286
Projects Versus Processes ............................................................................. 286
Organizational Support for Project Management ........................................ 288
PMBOK Knowledge Areas ............................................................................. 289
Project Management Tools ............................................................................ 292
Additional Reading ......................................................................................... 296
Chapter Summary........................................................................................... 297
Review Questions ........................................................................................... 298
Exercises .......................................................................................................... 299
Closing Case ..................................................................................................... 299
Discussion Questions ................................................................................... 299
Ethical Decision Making ............................................................................... 300
Endnotes .......................................................................................................... 300

CHAPTER 6
Risk Management: Assessing Risk ..................................... 303
Introduction to the Management of Risk
in Information Security .................................................................................. 304
Knowing Yourself and Knowing the Enemy ................................................ 305
The Information Security Risk Management Framework ........................... 305
Roles of Communities of Interest in Managing Risk ................................... 308
Executive Governance and Support ............................................................. 308
Framework Design ......................................................................................... 312
Framework Implementation ......................................................................... 315
Framework Monitoring and Review ............................................................. 315
Continuous Improvement ............................................................................. 316
The Risk Management Process ..................................................................... 316
RM Process Preparation-Establishing the Context ...................................... 317
Risk Assessment: Risk Identification ............................................................ 319
Risk Assessment: Risk Analysis .................................................................... 343
Risk Evaluation .............................................................................................. 355
Risk Treatment/Risk Control .........................................................................359
Process Communications, Monitoring, and Review .....................................359
Additional Reading ......................................................................................... 359
Chapter Summary........................................................................................... 360
Review Questions ........................................................................................... 361
Exercises .......................................................................................................... 361
Closing Case ..................................................................................................... 362
Discussion Questions .................................................................................... 362
Ethical Decision Making ................................................................................362
Endnotes .......................................................................................................... 363

CHAPTER 7
Risk Management: Treating Risk ....................................... 365
Introduction to Risk Treatment .................................................................... 366
Risk Treatment Strategies ............................................................................. 368
Managing Risk ................................................................................................. 374
Feasibility and Cost-Benefit Analysis ............................................................ 379
Other Methods of Establishing Feasibility ....................................................387
Alternatives to Feasibility Analysis .............................................................. 389
Recommended Alternative Risk Treatment Practices ...................................392
Alternative Risk Management Methodologies............................................ 393
The OCTAVE Methods ....................................................................................393
Microsoft Risk Management Approach ........................................................ 394
FAIR ................................................................................................................ 395
ISO Standards for InfoSec Risk Management ............................................... 397
NIST Risk Management Framework (RMF) .................................................. 399
Other Methods .............................................................................................. 403
Selecting the Best Risk Management Model ................................................ 404
Additional Reading ......................................................................................... 405
Chapter Summary........................................................................................... 405
Review Questions ........................................................................................... 406
Exercises .......................................................................................................... 407
Closing Case ..................................................................................................... 408
Discussion Questions ................................................................................... 409
Ethical Decision Making ............................................................................... 409
Endnotes .......................................................................................................... 409

CHAPTER 8
Security Management Models ............................................ 411
Introduction to Blueprints, Frameworks,
and Security Models ....................................................................................... 412
Security Management Models ...................................................................... 414
The ISO 27000 Series ..................................................................................... 414
NIST Security Publications ........................................................................... 420
Control Objectives for Information and Related Technology ...................... 428
Committee of Sponsoring Organizations ..................................................... 430
Information Technology Infrastructure Library ............................................ 431
Information Security Governance Framework ............................................. 431
Security Architecture Models ........................................................................ 434
TCSEC and the Trusted Computing Base ...................................................... 434
Information Technology System Evaluation Criteria ................................... 437
The Common Criteria .................................................................................... 437
Access Control Models ................................................................................... 438
Categories of Access Controls ....................................................................... 440
Other Forms of Access Control ..................................................................... 446
Academic Access Control Models ................................................................. 447
Bell-LaPadula Confidentiality Model ........................................................... 447
Biba Integrity Model ..................................................................................... 448
Clark-Wilson Integrity Model ....................................................................... 449
Graham-Denning Access Control Model ...................................................... 450
Harrison-Ruzzo-Ullman Model ................................................................... 450
Brewer-Nash Model (Chinese Wall) ............................................................. 450
Additional Reading ......................................................................................... 451
Chapter Summary........................................................................................... 451
Review Questions ........................................................................................... 452
Exercises .......................................................................................................... 453
Closing Case ..................................................................................................... 453
Discussion Questions .................................................................................... 453
Ethical Decision Making ............................................................................... 454
Endnotes .......................................................................................................... 454

CHAPTER 9
Security Management Practices ........................................ 457
Introduction to Security Practices ................................................................ 458
Security Employment Practices .................................................................... 459
H1nng ............................................................................................................ 459
Contracts and Employment .......................................................................... 462
Security Expectations in the Performance Evaluation ................................ 462
Termination Issues ....................................................................................... 463
Personnel Security Practices ......................................................................... 464
Security of Personnel and Personal Data ..................................................... 466
Security Considerations for Tem porary Employees,
Consultants, and Other Workers .................................................................. 466
Information Security Performance Measurement ..................................... 468
InfoSec Performance Management .............................................................. 469
Building the Performance Measurement Program ....................................... 471
Specifying InfoSec Measurements ................................................................ 473
Collecting lnfoSec Measurements ................................................................. 473
Implementing InfoSec Performance Measurement ..................................... 478
Reporting InfoSec Performance Measurements .......................................... 479
Benchmarking ................................................................................................. 481
Standards of Due Care/Due Diligence .......................................................... 482
Recommended Security Practices ................................................................ 483
Selecting Recommended Practices ............................................................... 484
Limitations to Benchmarking and Recommended Practices ....................... 485
Baselining ..................................................................................................... 486
Support for Benchmarks and Baselines ....................................................... 487
ISO Certification ............................................................................................ 489
Additional Reading ......................................................................................... 490
Chapter Summary........................................................................................... 491
Review Questions ........................................................................................... 492
xii Table of Contents
Exercises .......................................................................................................... 493
Closing Case ..................................................................................................... 493
Discussion Questions ................................................................................... 493
Ethical Decision Making ............................................................................... 493
Endnotes .......................................................................................................... 494

CHAPTER 10
Planning for Contingencies ................................................. 497
Introduction to Contingency Planning ......................................................... 498
Fundamentals of Contingency Planning ...................................................... 500
Components of Contingency Planning ........................................................ 504
Business Impact Analysis ............................................................................. 506
Contingency Planning Policies ...................................................................... 513
Incident Response .......................................................................................... 513
Getting Started ............................................................................................... 514
Incident Response Policy ............................................................................... 516
Incident Response Planning .......................................................................... 517
Detecting Incidents ........................................................................................ 522
Reacting to Incidents .................................................................................... 526
Recovering from Incidents ........................................................................... 530
Disaster Recovery ........................................................................................... 538
The Disaster Recovery Process ..................................................................... 540
Disaster Recovery Policy ................................................................................ 541
Disaster Classification.................................................................................... 542
Planning to Recover .......................................................................................545
Responding to the Disaster ........................................................................... 546
Simple Disaster Recovery Plan ..................................................................... 546
Business Continuity ........................................................................................ 549
Business Continuity Policy ........................................................................... 550
Continuity Strategies ..................................................................................... 552
Timing and Sequence of CP Elements .......................................................... 554
Crisis Management ......................................................................................... 556
Business Resumption ..................................................................................... 558
Testing Contingency Plans............................................................................. 558
Final Thoughts on CP.................................................................................... 560
Additional Reading ......................................................................................... 560
Chapter Summary........................................................................................... 561
Review Questions ........................................................................................... 562
Exercises .......................................................................................................... 563
Closing Case ..................................................................................................... 563
Discussion Questions ................................................................................... 564
Ethical Decision Making ............................................................................... 564
Endnotes .......................................................................................................... 564

CHAPTER 11
Security Maintenance ......................................................... 567
Introduction to Security Maintenance ......................................................... 568
Security Management Maintenance Models............................................... 569
NIST SP 800-100, Information Security Handbook:
A Guide for Managers ................................................................................... 569
The Security Maintenance Model ................................................................. 587
Additional Reading ......................................................................................... 614
Chapter Summary........................................................................................... 614
Review Questions ........................................................................................... 615
Exercises .......................................................................................................... 616
Closing Case ..................................................................................................... 616
Discussion Questions .................................................................................... 617
Ethical Decision Making ................................................................................ 617
Endnotes .......................................................................................................... 617

CHAPTER 12
Protection Mechanisms ...................................................... 619
Introduction to Protection Mechanisms...................................................... 620
Access Controls and Biometrics .................................................................... 622
Managing Network Security .......................................................................... 630
Firewalls ......................................................................................................... 631
Intrusion Detection and Prevention Systems .............................................. 643
Wireless Networking Protection ................................................................... 647
Scanning and Analysis Tools ......................................................................... 651
Managing Server-Based Systems with Logging ............................................ 655
Managing Security for Emerging Technologies ........................................... 660
Cryptography................................................................................................... 662
Encryption Operations ................................................................................. 664
Using Cryptographic Controls ....................................................................... 671
Managing Cryptographic Controls ............................................................... 674
Additional Reading ......................................................................................... 677
Chapter Summary........................................................................................... 677
Review Questions ........................................................................................... 679
Exercises .......................................................................................................... 679
Closing Case ..................................................................................................... 680
Discussion Questions .................................................................................... 681
Ethical Decision Making ................................................................................ 681
Endnotes .......................................................................................................... 681

GLOSSARY .................................................................................................. 683
INDEX .......................................................................................................... 709
Preface
As global use of the Internet continues to expand, the demand
for and reliance on Internet-based information creates an
increasing expectation of access. Global commerce is reliant
on the Internet, which creates an increasing threat of attacks
on information assets and a need for greater numbers of
professionals capable of protecting those assets. With billions
of Internet users capable of accessing and attacking online
information from anywhere at any time, the threat of an attack
from individuals, criminals, and government entities grows daily.
To secure commerce and information assets from ever-
increasing threats, organizations demand both breadth and depth
of expertise from the next generation of information security
practitioners. These professionals are expected to have an optimal
mix of skills and experiences to secure diverse information
environments. Students of technology must learn to recognize
the threats and vulnerabilities present in existing systems.
They must also learn how to manage the use of information
assets securely and support the goals and objectives of their
organizations through effective information security governance,
risk management, and regulatory compliance.

Why This Text Was Written


This textbook strives to fulfill the need for a quality academic
textbook in the discipline of information security management.
While there are dozens of quality publications on information
security and assurance for the practitioner, few textbooks
provide the student with an in-depth study of information
security management. Specifically, those in disciplines such as
information systems, information technology, computer science,
criminal justice, political science, and accounting information
systems must understand the foundations of the management
of information security and the development of managerial
strategy for information security. The underlying tenet of this
textbook is that information security in the modern organization
is a management problem and not one that technology alone
can answer; it is a problem that has important economic
consequences and one for which management is accountable.

Approach
This book provides a managerial approach to information security and a thorough
treatment of the secure administration of information assets. It can be used to support
information security coursework for a variety of technology students, as well as for
technology curricula aimed at business students.
Certified Information Systems Security Professional, Certified Information
Security Manager, and NIST Common Bodies of Knowledge - As the authors are
Certified Information Systems Security Professionals (CISSP) and Certified Information
Security Managers (CISM), these knowledge domains have had an influence on the
design of this textbook. With the influence of the extensive library of information
available from the Special Publications collection at the National Institute of Standards
and Technology (NIST, at csrc.nist.gov), the authors have also tapped into additional
government and industry standards for information security management. Although
this textbook is by no means a certification study guide, much of the Common Bodies
of Knowledge for the dominant industry certifications, especially in the area of
management of information security, have been integrated into the text.

Overview
Chapter 1 - Introduction to the Management of Information Security
The opening chapter establishes the foundation for understanding the field of
information security by explaining the importance of information technology and
identifying who is responsible for protecting an organization's information assets.
Students learn the definition and key characteristics of information security, as well as
the differences between information security management and general management.

Chapter 2 - Compliance: Law and Ethics
In this chapter, students learn about the legal and regulatory environment and its
relationship to information security. This chapter describes the major national and
international laws that affect the practice of information security, as well as the role of
culture in ethics as it applies to information security professionals. In this edition, the
discussion of digital forensics has been moved to Chapter 2 for better alignment with
the primary subjects being covered.

Chapter 3 - Governance and Strategic Planning for Security
This chapter explains the importance of planning and describes the principal
components of organizational planning and the role of information security
governance and planning within the organizational context.

Chapter 4 - Information Security Policy
This chapter defines information security policy and describes its central role in a
successful information security program. Industry and government best practices
promote three major types of information security policy; this chapter explains what
goes into each type, and demonstrates how to develop, implement, and maintain
various types of information security policies.

Chapter 5 - Developing the Security Program
Chapter 5 explores the various organizational approaches to information security and
explains the functional components of an information security program. Students
learn the complexities of planning and staffing for an organization's information
security department based on the size of the organization and other factors, as well
as how to evaluate the internal and external factors that influence the activities and
organization of an information security program. This chapter also identifies and
describes the typical job titles and functions performed in the information security
program, and concludes with an exploration of the creation and management of a
security education, training, and awareness program. This chapter also provides an
overview of project management, a necessary skill in any technology or business
professional's portfolio.

Chapter 6 - Risk Management: Assessing Risk
This chapter defines risk management and its role in the organization, and
demonstrates how to use risk management techniques to identify and prioritize risk
factors for information assets. The risk management model presented here assesses
risk based on the likelihood of adverse events and the effects on information assets
when events occur. This chapter concludes with a brief discussion of how to document
the results of the risk identification process.

Chapter 7 - Risk Management: Treating Risk
This chapter presents essential risk mitigation strategy options and opens the
discussion on controlling risk. Students learn how to identify risk control classification
categories, use existing conceptual frameworks to evaluate risk controls, and formulate
a cost-benefit analysis. They also learn how to maintain and perpetuate risk controls.

Chapter 8 - Security Management Models
This chapter describes the components of the dominant information security
management models, including U.S. government and internationally sanctioned
models, and discusses how to customize them for a specific organization's needs.
Students learn how to implement the fundamental elements of key information
security management practices. Models include NIST, ISO, and a host of specialized
information security research models that help students understand confidentiality
and integrity applications in modern systems.

Chapter 9 - Security Management Practices
This chapter describes the fundamentals and emerging trends in information security
management practices and explains how these practices help organizations meet U.S.
and international compliance standards. The chapter contains an expanded section
on security performance measurement and covers concepts of certification and
accreditation of IT systems.

Chapter 10 - Planning for Contingencies
This chapter describes and explores the major components of contingency planning
and the need for them in an organization. The chapter illustrates the planning and
development of contingency plans, beginning with the business impact analysis, and
continues through the implementation and testing of contingency plans.

Chapter 11 - Security Maintenance
This chapter describes the ongoing technical and administrative evaluation of the
information security program that an organization must perform to maintain the
security of its information systems. This chapter explores ongoing risk analysis,
risk evaluation, and measurement, all of which are part of risk management. It also
explores special considerations needed for the varieties of vulnerability analysis in
modern organizations, from Internet penetration testing to wireless network risk
assessment.

Chapter 12 - Protection Mechanisms
This chapter introduces students to the world of technical controls by exploring access
control approaches, including authentication, authorization, and biometric access
controls, as well as firewalls and the common approaches to firewall implementation.
It also covers the technical control approaches for dial-up access, intrusion detection
and prevention systems, and cryptography.

Features
Chapter Scenarios - Each chapter opens with a short vignette that follows the same
fictional company as it encounters various information security issues. The final part
of each chapter is a conclusion to the scenario that also offers questions to stimulate
in-class discussion. These questions give the student and the instructor an opportunity
to explore the issues that underlie the content.
View Points - An essay from an information security practitioner or academic is
included in each chapter. These sections provide a range of commentary that illustrate
interesting topics or share personal opinions, giving the student a wider, applied view
on the topics in the text.
Offline Boxes - These highlight interesting topics and detailed technical issues,
allowing the student to delve more deeply into certain topics.
Hands-On Learning - At the end of each chapter, students will find a Chapter
Summary and Review Questions as well as Exercises and Closing Case exercises,
which give them the opportunity to examine the information security arena from an
experiential perspective. Using the Exercises, students can research, analyze, and write
to reinforce learning objectives and deepen their understanding of the text. The Closing
Case exercises require that students use professional judgment, powers of observation,
and elementary research to create solutions for simple information security scenarios.
Additional Reading - Each chapter includes suggestions for reading outside resources
that might augment or extend understanding of one or more aspects of the chapter.

New to This Edition
This sixth edition of Management of Information Security tightens its focus on
the managerial aspects of information security, continues to expand the coverage
of governance and compliance issues, and continues to reduce the coverage of
foundational and technical components. While retaining enough foundational material
to allow reinforcement of key concepts, this edition has fewer technical examples. This
edition also contains updated in-depth discussions and Offline features, and additional
coverage in key managerial areas: risk management, information security governance,
access control models, and information security program assessment and metrics.
The material on personnel management has been consolidated and reorganized.
Personnel placement, staffing, and credentials are now covered in Chapter 5, and
employment practices are discussed in Chapter 9. Digital forensics is now covered
in Chapter 2.
In general, the entire text has been updated and re-organized to reflect changes
in the field, including revisions to sections on national and international laws and
standards, such as the ISO 27000 series, among others. Throughout the text, the
content has been updated, with newer and more relevant examples and discussions.
A complete coverage matrix of the topics in this edition is available to instructors to
enable mapping of the previous coverage to the new structure. Please contact your
sales representative for access to the matrix.

MindTap
MindTap for Management of Information Security is an online learning solution
designed to help students master the skills they need in today's workforce. Research
shows employers need critical thinkers, troubleshooters, and creative problem-solvers
to stay relevant in our fast-paced, technology-driven world. MindTap helps users
achieve this with assignments and activities that provide hands-on practice, real-life
relevance, and mastery of difficult concepts. Students are guided through assignments
that progress from basic knowledge and understanding to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on
exercises provide real-life application and practice. Readings and "Whiteboard Shorts"
support the lecture, while "In the News" assignments encourage students to stay current.
Pre- and post-course assessments allow you to measure how much students have
learned, using analytics and reporting that makes it easy to see where the class stands in
terms of progress, engagement, and completion rates. Use the content and learning path
as-is, or pick and choose how the material will wrap around your own. You control what
the students see and when they see it. Learn more at www.cengage.com/mindtap/.

Instructor Resources
Free to all instructors who adopt Management of Information Security, 6e, for their
courses is a complete package of instructor resources. These resources are available
from the Cengage Web site, www.cengagebrain.com. Go to the product page for this
book in the online catalog and choose "Instructor Downloads."
Resources include:
• Instructor's Manual: This manual includes course objectives and additional
information to help your instruction.
• Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text's test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an
instant; and deliver tests from your LMS, your classroom, or wherever you want.
• PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for
each chapter. These slides are meant to be used as a teaching aid for classroom
presentations, to be made available to students for chapter review, or to be printed
for classroom distribution. Instructors are also at liberty to add their own slides.
• Figure Files: Figure files allow instructors to create their own presentations using
figures taken from the text.
• Appendix: The appendix has been relocated from the bound textbook and
is available for instructor use. It describes methods for evaluating security,
including (1) NIST SP 800-26, Security Self-Assessment Guide for Information
Technology Systems, (2) ISO 17799:2005 Overview, (3) The OCTAVE Method of Risk
Management, and (4) the Microsoft Risk Management Approach.
• Lab Exercises: Each chapter includes hands-on exercises designed to reinforce
the theoretical concepts of the corresponding materials. Additional exercises and
labs are available in the MindTap enhanced edition of the textbook.

• Readings and Cases: Cengage Learning also produced two texts - Readings and
Cases in the Management of Information Security (ISBN-13: 9780619216276) and
Readings & Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576) -
by the authors, which make excellent companion texts. Contact your Cengage
Learning sales representative for more information.
• Curriculum Model for Programs of Study in Information Security: In addition
to the texts authored by this team, a curriculum model for programs of study
in Information Security and Assurance is available from the Kennesaw State
University Center for Information Security Education (http://infosec.kennesaw
.edu). This document provides details on designing and implementing security
coursework and curricula in academic institutions, as well as guidance and
lessons learned from the authors' perspective.

Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge
knowledge from the world of academic study with practical experience from the
business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in
the Information Systems Department, Coles College of Business at Kennesaw
State University, Kennesaw, Georgia, where he is also the Executive Director of
the Center for Information Security Education (infosec.kennesaw.edu). He and
Herbert Mattord are the authors of Principles of Information Security; Principles of
Incident Response and Disaster Recovery; Readings and Cases in the Management of
Information Security; Readings & Cases in Information Security: Law & Ethics; Guide
to Firewall and VPNs; Guide to Network Security; Roadmap to the Management of
Information Security; and Hands-On Information Security Lab Manual, all from
Cengage Learning. Dr. Whitman is an active researcher in Information Security
policy and planning and in Ethical Computing. He currently teaches graduate and
undergraduate courses in Information Security. He has published articles in the top
journals in his field, including Information Systems Research, the Communications
of the ACM, Information and Management, the Journal of International Business
Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing
Machinery, ISACA, (ISC)², and the Association for Information Systems. Through
his efforts and those of Dr. Mattord, his institution has been recognized by the
Department of Homeland Security and the National Security Agency as a National
Center of Academic Excellence in Information Assurance Education four times,
most recently in 2015. Dr. Whitman is also the Editor-in-Chief of the Journal
of Cybersecurity Education, Research and Practice, and he continually solicits
relevant and well-written articles of interest to faculty teaching and researching
cybersecurity topics for publication. Prior to his employment at Kennesaw State, he
taught at the University of Nevada, Las Vegas, and served over 13 years as an officer
and soldier in the U.S. Army.

Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as
an application developer, database administrator, project manager, and information
security practitioner in 2002. He is currently an Associate Professor of Information
Security in the Coles College of Business at Kennesaw State University. He and Michael
Whitman are the authors of Principles of Information Security; Principles of Incident
Response and Disaster Recovery; Readings and Cases in the Management of Information
Security; Guide to Network Security; and Hands-On Information Security Lab Manual,
all from Cengage Learning. During his career as an IT practitioner, Mattord has been an
adjunct professor at Kennesaw State University; Southern Polytechnic State University
in Marietta, Georgia; Austin Community College in Austin, Texas; and Texas State
University, San Marcos. He currently teaches undergraduate courses in Information
Security. He is the Assistant Chair of the Department of Information Systems and
is also an active member of the Information Systems Security Association and
Information Systems Audit and Control Association. He was formerly the Manager
of Corporate Information Technology Security at Georgia-Pacific Corporation, where
much of the practical knowledge found in this and his earlier textbooks was acquired.

Acknowledgments
The authors would like to thank their families for their support and understanding for
the many hours dedicated to this project - hours taken, in many cases, from family
activities.

Reviewers
We are indebted to the following individuals for their contributions of perceptive
feedback on the initial proposal, the project outline, and the chapter-by-chapter
reviews of the text:
• Paul D. Witman, Ph.D., Associate Professor, Information Technology
Management, California Lutheran University, School of Management, Thousand
Oaks, CA
• Michael Moorman, Ph.D., Professor of Computer Science, Department of
Computer Science and Information Systems, St. Leo University, St. Leo, FL

Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Onderdonk, Learning Designer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Product Manager
Brooke Greenhouse, Senior Content Manager

In addition, several professional and commercial organizations and individuals have
aided the development of this textbook by providing information and inspiration, and
the authors wish to acknowledge their contributions:
David Rowan
Charles Cresson Wood
Clearwater Compliance
The View Point authors:
• Henry Bonin
• Lee Imrey
• Robert Hayes and Kathleen Kotwicka
• David Lineman
• Paul D. Witman & Scott Mackelprang
• Alison Gunnels
• George V. Hulme
• Tim Callahan
• Mark Reardon
• Martin Lee
• Karen Scarfone
• Donald "Mac" McCarthy
• Todd E. Tucker

Our Commitment
The authors are committed to serving the needs of the adopters and readers. We
would be pleased and honored to receive feedback on the textbook and its supporting
materials. You can contact us at infosec@kennesaw.edu.

Foreword
By David Rowan, retired Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are
interested in a career in Information Security or have actually embarked on one. I am
thanking you because we - and by we I mean all of us - need your help.
You and I live in a world completely enabled, supported by, and allowed by
technology. In almost all practical respects, the things you and I take for granted are
created by our technology. There is technology we see and directly interact with, and
technology we don't see or are only peripherally aware of. For example, the temperature
of my home is monitored and maintained based on a smart thermostat's perception
of my daily habits and preferences. I could check it via the app or wait for an alert via
text message, but I don't - I just assume all is well, confident that I will be informed if
something goes amiss. Besides, I am more interested in reading my personal news feed ....

With respect to technology, we occupy two worlds, one of intent and realized
actions and another of services that simply seem to occur on their own. Both these
worlds are necessary, desirable, growing, and evolving. Also, both these worlds are
profoundly underpinned by one thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust
that our purchases are recorded accurately, we trust that our streaming services will
have enough bandwidth, we trust that our stock trades and bank transactions are
secure, we trust that our cars will run safely, and I trust that my home will be at the
right temperature when I walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact
that we can delegate tasks, share infrastructure, exchange ideas and information, and
buy goods and services almost seamlessly benefits us all. It is good ground worth
defending. However, the inevitable and unfortunate fact is that some among us prey
upon our trust; they will work tirelessly to disrupt, divert, or destroy our intents,
actions, comfort, well-being, information, and whatever else our technology and the
free flow of information offers.
The motives of these actors matter, but regardless of why they threaten what
technology gives us, the actions we take to safeguard it is up to us. That's why I am
glad you are reading this. We need guardians of the trust we place in technology and
the information flow it enables.
I have been in the financial industry for 35 years, and have spent the latter half of it
focused on information security and the related fields of fraud management, business
continuity, physical security, and legal and regulatory compliance. I have seen the
evolution of technology risk management from a necessary back-office function to a
board-level imperative with global implications. The bound interrelationships among
commerce, infrastructure, basic utilities, safety, and even culture exist to the extent
that providing security is now dominantly a matter of strategy and management, and
less a matter of the tools or technology de jure. There's an old saying that it's not the
tools that make a good cabinet, but the skill of the carpenter. Our tools will change and
evolve; it's how we use them that really matters.
This edition of Management of Information Security is a foundational source that
embodies the current best thinking on how to plan, govern, implement, and manage
an information security program. It is holistic and comprehensive, and provides a
path to consider all aspects of information security and to integrate security into the
fabric of the things we depend on and use. It provides specific guidance on strategy,
policy development, risk identification, personnel management, organization, and
legal matters, and places them in the context of a broader ecosystem. Strategy and
management are not merely aspects of information security; they are its essence, and
this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our
world of modern conveniences. I hope you will become a part of this community.
- Atlanta, Georgia, February 2018
CHAPTER 1
INTRODUCTION TO
THE MANAGEMENT OF
INFORMATION SECURITY
Management is, above all, a practice where art, science,
and craft meet.
-HENRY MINTZBERG

Upon completion of this material, you should be able to:
• List and discuss the key characteristics of information security
• List and describe the dominant categories of threats to information security
• Discuss the key characteristics of leadership and management
• Describe the importance of the manager's role in securing an organization's information assets
• Differentiate information security management from general business management

One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu left
her office early one afternoon to attend a meeting of the local chapter of the Information
Systems Security Association (ISSA). She had recently been promoted from her previous
assignment at RWW as manager of information risk to become the first chief information
security officer (CISO) to be named at RWW.
This occasion marked Iris's first ISSA meeting. With a mountain of pressing matters
on her cluttered desk, Iris wasn't exactly certain why she was making it a priority to
attend this meeting. She sighed. Since her early morning wake-up, she had spent many

hours in business meetings, followed by long hours at her desk working toward defining
her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from Sequential Label
and Supply (SLS), the company she used to work for. Charlie had been promoted to chief
information officer (CIO) of SLS almost a year ago.
"Hi, Charlie," she said.
"Hello, Iris," Charlie said, shaking her hand. "Congratulations on your promotion. How are
things going in your new position?"
"So far," she replied, "things are going well, I think."
Charlie noticed Iris's hesitancy. "You think?" he said. "Okay, tell me what's going on."
"Well, I'm struggling to get a consensus from the senior management team about
the problems we have," Iris explained. "I'm told that information security is a priority, but
everything is in disarray. Any ideas that I bring up are chopped to bits before they're even
taken up by senior management. There's no established policy covering our information
security needs, and it seems that we have little hope of getting one approved anytime soon.
The information security budget covers my salary plus a little bit of funding that goes toward
part of one position for a technician in the network department. The IT managers act like I'm
wasting their time, and they don't seem to take our security issues as seriously as I do. It's like
trying to drive a herd of cats!"
Charlie thought for a moment and then said, "I've got some ideas that may help. We
should talk more, but not now; the meeting is about to start. Here's my new number; call me
tomorrow and we'll get together for coffee."

Introduction to Security
Key Terms
asset An organizational resource that is being protected. An asset can be logical, such as
a Web site, software information, or data; or an asset can be physical, such as a person,
computer system, hardware, or other tangible object. Assets, particularly information assets,
are the focus of what security efforts are attempting to protect.
information asset The focus of information security; information that has value to the
organization, and the systems that store, process, and transmit the information.
information security (InfoSec) Protection of the confidentiality, integrity, and availability
of information assets, whether in storage, processing, or transmission, via the application of
policy, education, training and awareness, and technology.
security A state of being secure and free from danger or harm. In addition, the actions taken
to make someone or something secure.

In today's global markets, business operations are enabled by technology. From
the boardroom to the mailroom, businesses make deals, ship goods, track client
accounts, and inventory company assets, all through the implementation of systems
based upon information technology (IT). IT enables the storage and transportation
of information, often a company's most valuable resource, from one business unit
to another. But what happens if the vehicle breaks down, even for a little while?
Business deals fall through, shipments are lost, and company assets become more
vulnerable to threats from both inside and outside the firm. In the past, the business
manager's response to this possibility was to proclaim, "We have technology people
to handle technology problems." This statement might have been valid in the days
when technology was confined to the climate-controlled rooms of the data center
and when information processing was centralized. In the last 30 years, however,
technology has moved out from the data center to permeate every facet of the
business environment. The business place is no longer static; it moves whenever
employees travel from office to office, from city to city, or even from office to
home. As businesses have become more fluid, "computer security" has evolved
into "information security," or "InfoSec," which covers a broader range of issues,
from the protection of computer-based data to the protection of human knowledge.
Information security is no longer the sole responsibility of a small, dedicated group of
professionals in the company. It is now the responsibility of all employees, especially
managers.
Astute managers increasingly recognize the critical nature of information
security as the vehicle by which the organization's information assets are secured. In
response to this growing awareness, businesses are creating new positions to solve
the newly perceived problems. The emergence of executive-level information security
managers, like Iris in the opening scenario of this chapter, allows for the creation of
professionally managed information security teams that have a primary objective to
protect information assets, wherever and whatever they may be.
Organizations must realize that information security planning and funding
decisions involve more than managers of information, the members of the information
security team, or the managers of information systems. Altogether, they must involve
the entire organization, as represented by three distinct groups of managers and
professionals, or communities of interest:
• Those in the field of information security
• Those in the field of IT
• Those from the rest of the organization
These three groups should engage in a constructive effort to reach consensus on an
overall plan to protect the organization's information assets.
The communities of interest and the roles they fulfill include the following:
• The information security community protects the organization's information
assets from the many threats they face.
upon the enemy was complete.

"At 2 p. m. on this date, the 11th, the surrender of the city
was again demanded. The firing ceased and was not again
renewed. By this date the sickness in the army was increasing
very rapidly as a result of exposure in the trenches to the
intense heat of the sun and the heavy rains. Moreover, the
dews in Cuba are almost equal to rains. The weakness of the
troops was becoming so apparent I was anxious to bring the
siege to an end, but in common with most of the officers of
the army I did not think an assault would be justifiable,
especially as the enemy seemed to be acting in good faith in
their preliminary propositions to surrender. On July 11 I
wrote General Toral as follows: 'With the largely increased
forces which have come to me, and the fact that I have your
line of retreat securely in my hands, the time seems fitting
that I should again demand of your excellency the surrender of
Santiago and of your excellency's army. I am authorized to
state that should your excellency so desire the Government of
the United States will transport the entire command of your
excellency to Spain.' General Toral replied that he had
communicated my proposition to his general-in-chief, General
Blanco.

"July 12 I informed the Spanish commander that Major-General
Miles, commander-in-chief of the American Army, had just
arrived in my camp, and requested him to grant us a personal
interview on the following day. He replied he would be pleased
to meet us. The interview took place on the 13th, and I
informed him his surrender only could be considered, and that
as he was without hope of escape he had no right to continue
the fight. On the 14th another interview took place, during
which General Toral agreed to surrender, upon the basis of his
army, the Fourth Army Corps, being returned to Spain, the
capitulation embracing all of eastern Cuba east of a line
passing from Acerraderos on the south to Sagua de Tanamo on
the north, via Palma Soriano. It was agreed commissioners
should meet during the afternoon to definitely arrange the
terms. … The terms of surrender finally agreed upon included
about 12,000 Spanish troops in the city and as many more in
the surrendered district. It was arranged the formal surrender
should take place between the lines on the morning of July 17,
each army being represented by 100 armed men. At the time
appointed, I appeared at the place agreed upon with my general
officers, staff, and 100 troopers of the Second Cavalry under
Captain Brett. General Toral also arrived with a number of his
officers and 100 infantry. We met midway between the
representatives of our two armies, and the Spanish commander
formally consummated the surrender of the city and the 24,000
troops in Santiago and the surrendered district. After this
ceremony I entered the city with my staff and escort, and at
12 o'clock noon the American flag was raised over the
governor's palace with appropriate ceremonies."

Annual Reports of the War Department, 1898,
volume 2, pages 157-159.

UNITED STATES OF AMERICA: A. D. 1898 (July-August: Army administration).
Red-tape and politics.
Their working in the campaign.

"The Cuban campaign had been foreseen by intelligent officers
for more than a year, but the department which clothes the
army had taken no steps toward providing a suitable uniform
for campaigning in the tropics until war was declared. The
Fifth Army Corps, a comparatively small body of 17,000 men,
was concentrated at Tampa on the railroad within reach of all
the appliances for expediting business. Between April 26, when
war was declared, and June 6, when the corps embarked for
Cuba, sufficient time elapsed to have clothed 1,000,000 men if
the matter had been handled in the same manner a wholesale
clothing firm would handle similar business. Yet the corps
went to Cuba wearing the winter clothing it had brought on its
backs from Montana, Wyoming, and Michigan. It endured the heat
of the tropics clad in this, and was furnished with light
summer clothing by the department to wear for its return to
Montauk, where the breezes were so bracing that the teeth
chattered even when the men were clad in winter clothing. The
only reason for this absolute failure to properly clothe the
army was that the methods of the department are too slow and
antiquated for the proper performance of business. There was
no lack of money. It was a simple case of red-tape delays.
There can be no doubt that the intention was that the summer
clothing should be worn in Cuba and that there should be warm
clothing issued at Montauk. It was issued after the troops had
shivered for days in their light clothes. The delays
unavoidably connected with an obsolete method caused great
suffering that should not have been inflicted upon men
expected to do arduous duty. A sensible man would not put a
heavy blanket on a horse to do draught work on a hot day; but
the red tape of an antiquated way of doing business caused our
soldiers to wear heavy woolen clothes in torrid heat, when every
nerve was to be strained to the breaking point in athletic
exertion. This is not pointed out in a fault-finding spirit.
The men are proud to have been in the Fifth Corps and to have
endured these things for the country and the flag; but these
unnecessary sufferings impaired the fighting strength of the
army, caused much of the sickness that visited the Fifth
Corps, and might have caused the failure of the whole
expedition. …

"The difficulty here depicted was one which beset the
department at every turn in the whole campaign. It is a
typical case. Transports, tentage, transportation—it was the
same in everything. With the most heroic exertions the
department was able to meet emergencies only after they had
passed. This was caused partly by lack of ready material, but
mainly by an inelastic system of doing business which broke
down in emergencies. This, in turn, was caused mainly by the
illiberal treatment accorded to this, as well as to every
other department of the army by Congress. It uniformly cuts
mercilessly all estimates of this, as of every other
department, and leaves no margin of expenditure or chance of
improvement. It dabbles in matters which are purely technical
and require the handling of expert executive talent. …

"Plans for war should be prepared in advance. This was
especially true of the last war, which had been foreseen for
years and considered a probability for several months. All
details should have been previously worked out, all
contingencies foreseen before hostilities began. Such plans
would require some modifications, of course, but would form a
working basis.
Neither Santiago nor Manila Bay would have been foreseen; but
any plans for war would have involved the consideration and
solution of the following problems: How to raise, arm, equip,
organize, mobilize, clothe, feed, shelter, and transport large
bodies of soldiers. The point where the battle might occur
would be a mere tactical detail to be worked out at the proper
time. The above problems could all be solved in time of peace and
should have been solved. The general staff performs this
function in foreign armies, but we had no such body in our
service and nothing to imperfectly take its place. …

"The most urgently needed reform is the absolute divorcement
of the army in all of its departments from politics. … No
department of the army should be more exempt from political
influence than the staff. This points at once to the most
urgent reform, viz., make the commanding general the real
working head of the army, instead of the Secretary of War. No
good results have come to the service by the extension of the
Secretary's powers in Grant's first administration. Most of
the evils of the service can be traced to the fact that the
general commanding has since that time been practically
deprived of his proper functions, and the real head of the
army has been a politician."

Lieutenant J. H. Parker,
Our Army Supply Department and the need of a General Staff
(Review of Reviews, December, 1898).

UNITED STATES OF AMERICA: A. D. 1898 (July-August: Cuba).
The War with Spain.
Sickness in the American army at Santiago.
Its alarming state.
Hurried removal of troops to Montauk Point, Long Island.

"After the surrender of General Toral's army General Shafter
urged the War Department from time to time to hasten the
shipment of the Spanish prisoners to their homes, in order
that the American Army, whose condition was now deplorable,
might be transported to the United States. At this time about
half the command had been attacked by malarial fever, with a
few cases of yellow fever, dysentery, and typhoid fever. The
yellow-fever cases were mainly confined to the troops at
Siboney, and the few cases found among the troops at the front
were at once transferred to that place. … There was great
fear, and excellent grounds for it, that the yellow fever, now
sporadic throughout the command, would become epidemic. With
the command weakened by malarial fevers, and its general tone
and vitality much reduced by all the circumstances incident to
the campaign, the effects of such an epidemic would
practically mean its annihilation. The first step taken to
check the spread of disease was the removal of all the troops
to new camping grounds. … It was directed that the command be
moved in this way every few days, isolating the cases of
yellow fever as they arose, and it was expected that in a
short time the yellow fever would be stamped out. … But the
effect produced on the command by the work necessary to set up
the tents and in the removal of the camps increased the number
on the sick report to an alarming degree. Convalescents from
malarial fever were taken again with the fever, and yellow
fever, dysentery, and typhoid increased. It was useless now to
attempt to confine the yellow-fever cases to Siboney, and
isolation hospitals were established around Santiago. It was
apparent that to keep moving the command every few days simply
weakened the troops and increased the fever cases. Any exertion
in this heat caused a return of the fever, and it must be
remembered that the convalescents now included about 75 per
cent. of the command. The Commanding General was now directed
to move the entire command into the mountains to the end of
the San Luis railroad, where the troops would be above the
yellow fever limit; but this was a physical impossibility. …

"The situation was desperate; the yellow-fever cases were
increasing in number, and the month of August, the period in
which it is epidemic, was at hand. It was with these
conditions staring them in the face, that the officers
commanding divisions and brigades and the Chief Surgeon were
invited by General Shafter to discuss the situation. As a
result of this conference the General sent the following
telegram giving his views [and those of the General Officers
and Medical Officers]. … 'In reply to telegram of this date
[August 3], stating that it is deemed best that my command be
moved to end of railroad, where yellow fever is impossible, I
have to say that under the circumstances this move is
practically impossible. The railroad is not yet repaired,
although it will be in about a week. Its capacity is not to
exceed 1,000 men a day, at the best, and it will take until
the end of August to make this move, even if the sick-list
should not increase. An officer of my staff, Lieutenant Miley,
who has looked over the ground, says it is not a good camping
ground. … In my opinion there is but one course to take, and
that is to immediately transport the Fifth Corps and the
detached regiments that came with it, and were sent
immediately after it, with the least delay possible, to the
United States. If this is not done I believe the death-rate
will be appalling. I am sustained in this view by every
medical officer present. I called together to-day the General
Officers and the senior Medical Officers and telegraph you
their views.' …

"On August 4th instructions were received from the War
Department to begin the removal of the command to Montauk
Point, Long Island. Some of the immune regiments were on the
way to Santiago, and other regiments were at once ordered
there to garrison the district as General Shafter's command
was withdrawn. The first of the fleet of vessels to return the
Spanish troops arrived in time to be loaded and leave August
9th, and by the end of the month nearly all were transported.

"After the surrender the relations between the American and
Spanish troops were very cordial. There could be little or no
conversation between individuals, but in many ways the respect
each had for the other was shown, and there seemed to be no
hatred on either side. Most of the Spanish officers remained
in their quarters in town, and they shared in the feeling
displayed by their men. Salutations were generally exchanged
between the officers, and American ways and manners became
very popular among the Spaniards. …
"By the 25th of the month General Shafter's entire command,
with the exception of a few organizations just ready to
embark, had departed, and, turning over the command to General
Lawton, he sailed that day with his staff on the 'Mexico,' one
of the captured transports, and at noon September 1st went
ashore at Montauk Point, Long Island."

J. D. Miley, In Cuba with Shafter,
chapter 12 (New York: Charles Scribner's Sons).

UNITED STATES OF AMERICA: A. D. 1898 (July-August: Philippines).
Correspondence between the General commanding
United States forces at Cavite and Manila,
and Aguinaldo, the Filipino leader.
On the 4th of July, General Thomas M. Anderson, then
commanding the "United States Expeditionary Forces" at Cavite
Arsenal, addressed the following communication to "Señor Don
Emilio Aguinaldo y Famy, Commanding Philippine Forces":

"General: I have the honor to inform you that the United
States of America, whose land forces I have the honor to
command in this vicinity, being at war with the Kingdom of
Spain, has entire sympathy and most friendly sentiments for
the native people of the Philippine Islands. For these reasons
I desire to have the most amicable relations with you, and to
have you and your people co-operate with us in military
operations against the Spanish forces. In our operations it
has become necessary for us to occupy the town of Cavite as a
base of operations. In doing this I do not wish to interfere
with your residence here and the exercise by yourself and
other native citizens of all functions and privileges not
inconsistent with military rule. I would be pleased to be
informed at once of any misconduct of soldiers under my
command, as it is the intention of my Government to maintain
order and to treat all citizens with justice, courtesy, and
kindness. I have therefore the honor to ask your excellency to
instruct your officials not to interfere with my officers in
the performance of their duties and not to assume that they
can not visit Cavite without permission."

On the following day Aguinaldo replied:

"General: Interpreting the sentiments of the Philippine
people, I have the honor to express to your excellency my most
profound gratefulness for the sympathy and amicable sentiments
with which the natives of these islands inspire the great North
American nation and your excellency. I also thank most
profoundly your desire of having friendly relations with us,
and of treating us with justice, courtesy, and kindness, which
is also our constant wish to prove the same, and special
satisfaction whenever occasion represents. I have already
ordered my people not to interfere in the least with your
officers and men, orders which I shall reiterate to prevent
their being unfulfilled; hoping that you will inform me of
whatever misconduct that may be done by those in my command,
so as to reprimand them and correspond with your wishes." …

To this communication General Anderson returned the following
on the 6th: "General: I am encouraged by the friendly
sentiment expressed by your excellency in your welcome letter
received on the 5th instant to endeavor to come to a definite
understanding, which I hope will be advantageous to both. Very
soon we expect a large addition to our forces, and it must be
apparent to you as a military officer that we will require
much more room to camp our soldiers, and also storeroom for
our supplies. For this I would like to have your excellency's
advice and co-operation, as you are best acquainted with the
resources of this country. It must be apparent to you that we
do not intend to remain here inactive, but to move promptly
against our common enemy. But for a short time we must
organize and land supplies, and also retain a place for
storing them near our fleet and transports. I am solicitous to
avoid any conflict of authority which may result from having
two sets of military officers exercising command in the same
place. I am also anxious to avoid sickness by taking sanitary
precaution. Your own medical officers have been making
voluntary inspections with mine, and fear epidemic diseases if
the vicinity is not made clean. Would it not be well to have
prisoners work to this end under the advice of the surgeons?"

On the 9th of July General Anderson reported to the War
Department at Washington: "General Aguinaldo tells me he has
about 15,000 fighting men, but only 11,000 armed with guns,
which mostly were taken from the Spaniards. He claims to have
in all 4,000 prisoners. When we first landed he seemed very
suspicious, and not at all friendly, but I have now come to a
better understanding with him and he is much more friendly and
seems willing to co-operate. But he has declared himself
dictator and president, and is trying to take Manila without
our assistance. This is not probable, but if he can effect his
purpose he will, I apprehend, antagonize any attempt on our
part to establish a provisional government."

On the 17th the American commander caused another
communication to be addressed to "General Emilio Aguinaldo" as
follows: "Sir: General Anderson wishes me to say that, the
second expedition having arrived, he expects to encamp in the
vicinity of Paranaque from 5,000 to 7,000 men. To do this,
supply this army and shelter, will require certain assistance
from the Filipinos in this neighborhood. We will want horses,
buffaloes, carts, etc., for transportation, bamboo for
shelter, wood to cook with, etc. For all this we are willing
to pay a fair price, but no more. We find so far that the
native population are not willing to give us this assistance
as promptly as required. But we must have it, and if it
becomes necessary we will be compelled to send out parties to
seize what we may need. We would regret very much to do this,
as we are here to befriend the Filipinos. Our nation has spent
millions of money to send forces here to expel the Spaniards
and to give good government to the whole people, and the
return we are asking is comparatively slight. General Anderson
wishes you to inform your people that we are here for their
good, and that they must supply us with labor and material at
the current market prices. We are prepared to purchase 500
horses at a fair price, but can not undertake to bargain for
horses with each individual owner. I regret very much that I
am unable to see you personally, as it is of the utmost
importance that these arrangements should be made as soon as
possible."

To this communication there seems to have been no written
reply until the 24th; and, on the 20th, the Chief
Quartermaster reported to General Anderson "that it is
impossible to procure transportation except upon Señor
Aguinaldo's order, in this section, who has an inventory of
everything. The natives have removed their wheels and hid
them." On the 23d General Anderson repeated his request, as
follows:

"General: When I came here three weeks ago I requested your
excellency to give what assistance you could to procure means
of transportation for the American Army, as it was to fight
the cause of your people. So far we have received no response.
As you represent your people, I now have the honor to make
requisition on you for 500 horses and 50 oxen and ox carts. If
you can not secure these, I will have to pass you and make
requisition directly on the people. I beg leave to request an
answer at your earliest convenience."

The next day Aguinaldo replied: "I have the honor to manifest
to your excellency that I am surprised beyond measure at that
which you say to me in it, lamenting the nonreceipt of any
response relative to the needs (or aids) that you have asked
of me in the way of horses, buffaloes, and carts, because I
replied in a precise manner, through the bearer, that I was
disposed to give convenient orders whenever you advised me of
the number of these with due anticipation (notice). I have
circulated orders in the provinces in the proximity that in
the shortest time possible horses be brought for sale, but I
cannot assure your excellency that we have the number of 500
that is needed, because horses are not abundant in these
vicinities, owing to deaths caused by epizootic diseases in
January and March last. Whenever we have them united (or
collected), I shall have the pleasure to advise your
excellency. I have also ordered to be placed at my disposal 50
carts that I shall place at your disposition whenever
necessary, always (premising) that you afford me a previous
advice of four days in anticipation."

Meantime, General Anderson had written to the War Department,
on the 18th: "Since reading the President's instructions to
General Merritt, I think I should state to you that the
establishment of a provisional government on our part will
probably bring us in conflict with insurgents, now in active
hostility to Spain. The insurgent chief, Aguinaldo, has
declared himself dictator and self-appointed president. He has
declared martial law and promulgated a minute method of rule and
administration under it. We have observed all official
military courtesies, and he and his followers express great
admiration and gratitude to the great American Republic of the
north, yet in many ways they obstruct our purposes and are
using every effort to take Manila without us. I suspect also
that Aguinaldo is secretly negotiating with the Spanish
authorities, as his confidential aid is in Manila. The city is
strongly fortified and hard to approach in the rainy season.
If a bombardment fails we should have the best engineering
ability here." And, again on the 21st, he had written: "Since
I wrote last, Aguinaldo has put in operation an elaborate
system of military government, under his assumed authority as
dictator, and has prohibited any supplies being given us,
except by his order. As to this last I have written to him
that our requisitions on the country for horses, ox carts,
fuel and bamboo (to make scaling ladders) must be filled, and
that he must aid in having them filled. His assumption of
civil authority I have ignored, and let him know verbally that
I could, and would, not recognize it, while I did not
recognize him as a military leader. It may seem strange that I
have made no formal protest against his proclamation as
dictator, his declaration of martial law, and publication and
execution of a despotic form of government. I wrote such a
protest, but did not publish it, at Admiral Dewey's request,
and also for fear of wounding the susceptibilities of
Major-General Merritt, but I have let it be known in every
other way that we do not recognize the dictatorship. These
people only respect force and firmness. I submit, with all
deference, that we have heretofore underrated the natives.
They are not ignorant, savage tribes, but have a civilization
of their own; and although insignificant in appearance, are
fierce fighters, and for a tropical people they are
industrious. A small detail of natives will do more work in a
given time than a regiment of volunteers."

On the 24th General Anderson received from the Philippine
leader a very clear and definite statement of his attitude
towards the "Expeditionary Forces of the United States," and
the intentions with which he and the people whom he
represented were acting. "I came," he wrote, "from Hongkong to
prevent my countrymen from making common cause with the
Spanish against the North Americans, pledging before my word
to Admiral Dewey to not give place [to allow] to any internal
discord, because, [being] a judge of their desires, I had the
strong convictions that I would succeed in both objects,
establishing a government according to their desires. Thus it
is that in the beginning I proclaimed the dictatorship, and
afterwards, when some of the provinces had already liberated
themselves from Spanish domination, I established a
revolutionary government that to-day exists, giving it a
democratic and popular character as far as the abnormal
circumstances of war permitted, in order that they [the
provinces] might be justly represented, and administered to
their satisfaction. It is true that my government has not been
acknowledged by any of the foreign powers, but we expected
that the great North American nation, which struggled first
for its independence, and afterwards for the abolition of
slavery, and is now actually struggling for the independence
of Cuba, would look upon it with greater benevolence than any
other nation. Because of this we have always acknowledged the
right of preference to our gratitude.

"Debtor to the generosity of the North Americans, and to the
favors we have received through Admiral Dewey, and [being]
more desirous than any other person of preventing any conflict
which would have as a result foreign intervention, which must be
extremely prejudicial, not alone to my nation but also to that
of your excellency, I consider it my duty to advise you of the
undesirability of disembarking North American troops in the
places conquered by the Filipinos from the Spanish, without
previous notice to this government, because as no formal
agreement yet exists between the two nations the Philippine
people might consider the occupation of its territories by
North American troops as a violation of its rights.

"I comprehend that without the destruction of the Spanish
squadron the Philippine revolution would not have advanced so
rapidly. Because of this I take the liberty of indicating to
your excellency the necessity that, before disembarking, you
should communicate in writing to this government the places
that are to be occupied and also the object of the occupation,
that the people may be advised in due form and [thus] prevent
the commission of any transgression against friendship.
I can answer for my people, because they have given me evident
proofs of their absolute confidence in my government, but I
can not answer for that which another nation whose friendship
is not well guaranteed might inspire in it [the people]; and
it is certain that I do this not as a menace, but as a further
proof of the true and sincere friendship which I have always
professed for the North American people, in the complete
security that it will find itself completely identified with
our cause of liberty."

In the same strain, on the 1st of August, Aguinaldo wrote to
United States Consul Williams, as to a "distinguished friend:"

"I have said always, and I now repeat, that we recognize the
right of the North Americans to our gratitude, for we do not
forget for a moment the favors which we have received and are
now receiving; but however great those favors may be, it is
not possible for me to remove the distrust of my compatriots.
These say that if the object of the United States is to annex
these islands, why not recognize the government established in
them, in order in that manner to join with it the same as by
annexation? Why do not the American generals operate in
conjunction with the Filipino generals and, uniting the
forces, render the end more decisive? Is it intended, indeed,
to carry out annexation against the wish of these people,
distorting the legal sense of that word? If the revolutionary
government is the genuine representative by right and deed of
the Filipino people, as we have proved when necessary, why is
it wished to oppress instead of gaining their confidence and
friendship?

"It is useless for me to represent to my compatriots the
favors received through Admiral Dewey, for they assert that up
to the present the American forces have shown not an active,
only a passive, co-operation, from which they suppose that the
intentions of these forces are not for the best. They assert,
besides, that it is possible to suppose that I was brought
from Hongkong to assure those forces by my presence that the
Filipinos would not make common cause with the Spaniards, and
that they have delivered to the Filipinos the arms abandoned
by the former in the Cavite Arsenal, in order to save
themselves much labor, fatigue, blood, and treasure that a war
with Spain would cost. But I do not believe these unworthy
suspicions. I have full confidence in the generosity and
philanthropy which shine in characters of gold in the history
of the privileged people of the United States, and for that
reason, invoking the friendship which you profess for me and
the love which you have for my people, I pray you earnestly,
as also the distinguished generals who represent your country
in these islands, that you entreat the Government at
Washington to recognize the revolutionary government of the
Filipinos, and I, for my part, will labor with all my power
with my people that the United States shall not repent their
sentiments of humanity in coming to the aid of an oppressed
people.

"Say to the Government at Washington that the Filipino people
abominate savagery; that in the midst of their past
misfortunes they have learned to love liberty, order, justice,
and civil life, and that they are not able to lay aside their
own wishes when their future lot and history are under
discussion. Say also that I and my leaders know what we owe to
our unfortunate country; that we know how to admire and are
ready to imitate the disinterestedness, the abnegation, and
the patriotism of the grand men of America, among whom stands
pre-eminent the immortal General Washington."

United States, 56th Congress, 1st Session,
Senate Document Number 208.

In an article published in the "North American Review,"
February, 1900, General Anderson discussed his relations with
Aguinaldo very frankly, in part as follows: "On the 1st of
July, 1898, I called on Aguinaldo with Admiral Dewey. He asked
me at once whether 'the United States of the North' either had
recognized or would recognize his government—I am not quite
sure as to the form of his question, whether it was 'had' or
'would.' In either form it was embarrassing. My orders were,
in substance, to effect a landing, establish a base, not to go
beyond the zone of naval co-operation, to consult Admiral
Dewey and to wait for Merritt. Aguinaldo had proclaimed his
government only a few days before (June 28), and Admiral Dewey
had no instructions as to that assumption. The facts as to the
situation at that time I believe to be these: Consul Williams
states in one of his letters to the State Department that
several thousand Tagals were in open insurrection before our
declaration of war with Spain. I do not know as to the number,
yet I believe the statement has foundation in fact. Whether
Admiral Dewey and Consuls Pratt, Wildman and Williams did or
did not give Aguinaldo assurances that a Filipino government
would be recognized, the Filipinos certainly thought so,
probably inferring this from their acts rather than from their
statements. If an incipient rebellion was already in progress,
what could be inferred from the fact that Aguinaldo and
thirteen other banished Tagals were brought down on a naval
vessel and landed in Cavite? Admiral Dewey gave them arms and
ammunition, as I did subsequently, at his request. They were
permitted to gather up a lot of arms which the Spaniards had
thrown into the bay; and, with the four thousand rifles taken
from Spanish prisoners and two thousand purchased in Hong
Kong, they proceeded to organize three brigades and also to
arm a small steamer they had captured. I was the first to tell
Admiral Dewey that there was any disposition on the part of
the American people to hold the Philippines, if they were
captured. The current of opinion was setting that way when the
first expeditionary force left San Francisco, but this the
Admiral had had no reason to surmise.

"But to return to our interview with Aguinaldo. I told him I
was acting only in a military capacity; that I had no
authority to recognize his government; that we had come to
whip the Spaniards, and that, if we were successful, the
indirect effect would be to free them from Spanish tyranny. I
added that, as we were fighting a common enemy, I hoped we
would get along amicably together. He did not seem pleased
with this answer. The fact is, he hoped and expected to take
Manila with Admiral Dewey's assistance, and he was bitterly
disappointed when our soldiers landed at Cavite. … A few days
thereafter, he made an official call, coming with cabinet and
staff and a band of music. On that occasion he handed me an
elaborate schedule for an autonomous government which he had
received from some Filipinos in Manila, with a statement that
they had reason to believe that Spain would grant them such a
form of government.
With this was an open letter addressed to the Filipino people
from Pedro Alexandre Paterno, advising them to put their trust
in Spain rather than America. The day before, two German
officers had called on Aguinaldo and I believed they had
brought him these papers. I asked him if the scheme was
agreeable to him. He did not answer, but asked if we, the
North Americans, as he called us, intended to hold the
Philippines as dependencies. I said I could not answer that,
but that in one hundred and twenty years we had established no
colonies. He then made this remarkable statement: 'I have studied
attentively the Constitution of the United States, and I find
in it no authority for colonies and I have no fear.' It may
seem that my answer was somewhat evasive, but I was at the
time trying to contract with the Filipinos for horses, carts,
fuel and forage. …

"The origin of our controversies and conflicts with the
Filipinos can … be traced back to our refusal to recognize the
political authority of Aguinaldo. Our first serious break with
them arose from our refusal to let them co-operate with us.
About nine o'clock on the evening of August 12, I received
from General Merritt an order to notify Aguinaldo to forbid
the Filipino insurgents under his command from entering
Manila. This notification was delivered to him at twenty
minutes past ten that night. The Filipinos had made every
preparation to assail the Spanish lines in their front.
Certainly, they would not have given up part of their line to
us unless they thought they were to fight with us. They,
therefore, received General Merritt's interdict with anger and
indignation. They considered the war as their war, and Manila
as their capital, and Luzon as their country. … At seven
o'clock I received an order from General Merritt to remove the
Filipinos from the city. … I therefore took the responsibility
of telegraphing Aguinaldo, who was at Bacoor, ten miles below,
requesting him to withdraw his troops and intimating that
serious consequences would follow if he did not do so. I
received his answer at eleven, saying that a Commission would
come to me the next morning with full powers. Accordingly the
next day Señors Buencomeno, Lagarde, Araneto and Sandeco came
to Division Headquarters in Manila and stated that they were
authorized to order the withdrawal of their troops, if we
would promise to reinstate them in their present positions on
our making peace with Spain. Thereupon I took them over to
General Merritt. Upon their repeating their demands, he told
them he could not give such a pledge, but that they could rely
on the honor of the American people. The General then read to
them the proclamation he intended to issue to the Filipino
people. …

"There is a great diversity of opinion as to whether a
conflict with the Filipinos could not have been avoided if a
more conciliatory course had been followed in dealing with
them. I believe we came to a parting of the ways when we
refused their request to leave their military force in a good
strategic position on the contingency of our making peace with
Spain without a guarantee of their independence."

T. M. Anderson,
Our Rule in the Philippines
(North American Review, volume 170, page 275).

UNITED STATES OF AMERICA: A. D. 1898 (July-August: Porto Rico).

Occupation of Porto Rico.

"With the fall of Santiago the occupation of Porto Rico became
the next strategic necessity. General Miles had previously been
assigned to organize an expedition for that purpose.
Fortunately, he was already at Santiago, where he had arrived
on the 11th of July with reinforcements for General Shafter's
army. With these troops, consisting of 3,415 infantry and
artillery, 2 companies of engineers and 1 company of the
signal corps, General Miles left Guantanamo on July 21st,
having 9 transports, convoyed by the fleet, under Captain
Higginson, with the 'Massachusetts' (flagship), 'Dixie,'
'Gloucester,' 'Columbia' and 'Yale,' the two latter carrying
troops. The expedition landed at on July 25th, which port
was entered with little opposition. Here the fleet was joined
by the 'Annapolis' and the 'Wasp,' while the 'Puritan' and
'Amphitrite' went to San Juan and joined the 'New Orleans,'
which was engaged in blockading that port. The major general
commanding was subsequently reinforced by General Schwan's
brigade of the Third Army Corps, by General Wilson with a part
of his division and also by General Brooke with a part of his
corps, numbering in all 16,973 officers and men. On July 27th
he entered Ponce, one of the most important ports in the
island, from which he thereafter directed operations for the
capture of the island. With the exception of encounters with
the enemy at Guayama, Hormigueros [the Rio Prieto], Coamo, and
Yauco and an attack on a force landed at Cape San Juan, there
was no serious resistance. The campaign was prosecuted with
great vigor and by the 12th of August much of the island was
in our possession and the acquisition of the remainder was
only a matter of a short time. At most of the points in the
island our troops were enthusiastically welcomed.
Protestations of loyalty to the flag and gratitude for
delivery from Spanish rule met our commanders at every stage."

Message of the President of the United States
to Congress, December 5, 1898.

"During the nineteen days of active campaign on the island of
Puerto Rico a large portion of the island was captured by the
United States forces and brought under our control. Our forces
were in such a position as to make the positions of the
Spanish forces, outside of the garrison at San Juan, utterly
untenable. The Spaniards had been defeated or captured in the
six different engagements which took place, and in every
position they had occupied up to that time. The volunteers had
deserted their colors, and many of them had surrendered to our
forces and taken the oath of allegiance. This had a
demoralizing effect upon the regular Spanish troops. … The
loss of the enemy in killed, wounded and captured was nearly
ten times our own, which was only 3 killed and 40 wounded."