Principles of Information Security 7th Edition by Michael Whitman, ISBN-13: 978-0357506431

Description

  • Publisher: Cengage Learning; 7th edition (June 27, 2021)
  • Language: English
  • 752 pages
  • ISBN-10: 035750643X
  • ISBN-13: 978-0357506431

Discover the latest trends, developments and technology in information security with Whitman/Mattord’s market-leading PRINCIPLES OF INFORMATION SECURITY, 7th Edition. Designed specifically to meet the needs of information systems students like you, this edition’s balanced focus addresses all aspects of information security, rather than simply offering a technical control perspective. This overview explores important terms and examines what is needed to manage an effective information security program. A new module details incident response and detection strategies. In addition, current, relevant updates highlight the latest practices in security operations as well as legislative issues, information management toolsets, digital forensics and the most recent policies and guidelines that correspond to federal and international standards.

Table of Contents:

Cover Page
Title Page
Copyright Page
Dedication
Preface
Acknowledgments
Foreword
Module 1. Introduction to Information Security
Introduction to Information Security
The 1960s
The 1970s and ’80s
The 1990s
2000 to Present
What Is Security?
Key Information Security Concepts
Critical Characteristics of Information
CNSS Security Model
Components of an Information System
Software
Hardware
Data
People
Procedures
Networks
Security and the Organization
Balancing Information Security and Access
Approaches to Information Security Implementation
Security Professionals
Data Responsibilities
Communities of Interest
Information Security: Is It an Art or a Science?
Security as Art
Security as Science
Security as a Social Science
Module Summary
Review Questions
Exercises
Module 2. The Need for Information Security
Introduction to the Need for Information Security
Business Needs First
Information Security Threats and Attacks
4.8 Billion Potential Hackers
Other Studies of Threats
Common Attack Pattern Enumeration and Classification (CAPEC)
The 12 Categories of Threats
Compromises to Intellectual Property
Deviations in Quality of Service
Espionage or Trespass
Forces of Nature
Human Error or Failure
Information Extortion
Sabotage or Vandalism
Software Attacks
Technical Hardware Failures or Errors
Technical Software Failures or Errors
Technological Obsolescence
Theft
Module Summary
Review Questions
Exercises
Module 3. Information Security Management
Introduction to the Management of Information Security
Planning
Policy
Programs
Protection
People
Projects
Information Security Planning and Governance
Information Security Leadership
Information Security Governance Outcomes
Planning Levels
Planning and the CISO
Information Security Policy, Standards, and Practices
Policy as the Foundation for Planning
Enterprise Information Security Policy
Issue-Specific Security Policy
Systems-Specific Security Policy (SysSP)
Developing and Implementing Effective Security Policy
Policy Management
Security Education, Training, and Awareness Program
Security Education
Security Training
Security Awareness
Information Security Blueprint, Models, and Frameworks
The ISO 27000 Series
NIST Security Models
Other Sources of Security Frameworks
Design of the Security Architecture
Module Summary
Review Questions
Exercises
Module 4. Risk Management
Introduction to Risk Management
Sun Tzu and the Art of Risk Management
The Risk Management Framework
The Roles of the Communities of Interest
The RM Policy
Framework Design
Defining the Organization’s Risk Tolerance and Risk Appetite
Framework Implementation
Framework Monitoring and Review
The Risk Management Process
RM Process Preparation—Establishing the Context
Risk Assessment: Risk Identification
Risk Assessment: Risk Analysis
Risk Evaluation
Risk Treatment/Risk Response
Risk Mitigation
Risk Transference
Risk Acceptance
Risk Termination
Process Communications, Monitoring, and Review
Mitigation and Risk
Managing Risk
Feasibility and Cost-Benefit Analysis
Alternative Risk Management Methodologies
The OCTAVE Methods
FAIR
ISO Standards for InfoSec Risk Management
NIST Risk Management Framework (RMF)
Selecting the Best Risk Management Model
Module Summary
Review Questions
Exercises
Module 5. Incident Response and Contingency Planning
Introduction to Incident Response and Contingency Planning
Fundamentals of Contingency Planning
Components of Contingency Planning
Business Impact Analysis
Contingency Planning Policies
Incident Response
Getting Started
Incident Response Policy
Incident Response Planning
Detecting Incidents
Reacting to Incidents
Recovering from Incidents
Digital Forensics
The Digital Forensics Team
Affidavits and Search Warrants
Digital Forensics Methodology
Evidentiary Procedures
Disaster Recovery
The Disaster Recovery Process
Disaster Recovery Policy
Disaster Classification
Planning to Recover
Responding to the Disaster
Business Continuity
Business Continuity Policy
Business Resumption
Continuity Strategies
Timing and Sequence of CP Elements
Crisis Management
Testing Contingency Plans
Final Thoughts on CP
Module Summary
Review Questions
Exercises
Module 6. Legal, Ethical, and Professional Issues in Information Security
Introduction to Law and Ethics in Information Security
Organizational Liability and the Need for Counsel
Policy Versus Law
Types of Law
Relevant U.S. Laws
General Computer Crime Laws
Privacy
Identity Theft
Export and Espionage Laws
U.S. Copyright Law
Financial Reporting
Freedom of Information Act of 1966
Payment Card Industry Data Security Standards (PCI DSS)
State and Local Regulations
International Laws and Legal Bodies
U.K. Computer Security Laws
Australian Computer Security Laws
Council of Europe Convention on Cybercrime
World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights
Digital Millennium Copyright Act
Ethics and Information Security
Ethical Differences Across Cultures
Ethics and Education
Deterring Unethical and Illegal Behavior
Codes of Ethics of Professional Organizations
Major IT and InfoSec Professional Organizations
Key U.S. Federal Agencies
Department of Homeland Security
U.S. Secret Service
Federal Bureau of Investigation (FBI)
National Security Agency (NSA)
Module Summary
Review Questions
Exercises
Module 7. Security and Personnel
Introduction to Security and Personnel
Positioning the Security Function
Staffing the Information Security Function
Qualifications and Requirements
Entry into the Information Security Profession
Information Security Positions
Credentials for Information Security Professionals
(ISC)² Certifications
ISACA Certifications
SANS Certifications
EC-Council Certifications
CompTIA Certifications
Cloud Security Certifications
Certification Costs
Advice for Information Security Professionals
Employment Policies and Practices
Job Descriptions
Interviews
Background Checks
Employment Contracts
New Hire Orientation
On-the-Job Security Training
Evaluating Performance
Termination
Personnel Control Strategies
Privacy and the Security of Personnel Data
Security Considerations for Temporary Employees, Consultants, and Other Workers
Module Summary
Review Questions
Exercises
Module 8. Security Technology: Access Controls, Firewalls, and VPNs
Introduction to Access Controls
Access Control Mechanisms
Biometrics
Access Control Architecture Models
Firewall Technologies
Firewall Processing Modes
Firewall Architectures
Selecting the Right Firewall
Configuring and Managing Firewalls
Content Filters
Protecting Remote Connections
Remote Access
Virtual Private Networks (VPNs)
Final Thoughts on Remote Access and Access Controls
Deperimeterization
Remote Access in the Age of COVID-19
Module Summary
Review Questions
Exercises
Module 9. Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools
Introduction to Intrusion Detection and Prevention Systems
IDPS Terminology
Why Use an IDPS?
Types of IDPSs
IDPS Detection Methods
Log File Monitors
Security Information and Event Management (SIEM)
IDPS Response Behavior
Selecting IDPS Approaches and Products
Strengths and Limitations of IDPSs
Deployment and Implementation of an IDPS
Measuring the Effectiveness of IDPSs
Honeypots, Honeynets, and Padded Cell Systems
Trap-and-Trace Systems
Active Intrusion Prevention
Scanning and Analysis Tools
Port Scanners
Firewall Analysis Tools
Operating System Detection Tools
Vulnerability Scanners
Packet Sniffers
Wireless Security Tools
Module Summary
Review Questions
Exercises
Module 10. Cryptography
Introduction to Cryptography
The History of Cryptology
Key Cryptology Terms
Encryption Methods
Substitution Cipher
Transposition Cipher
Exclusive OR
Vernam Cipher
Book-Based Ciphers
Hash Functions
Cryptographic Algorithms
Symmetric Encryption
Asymmetric Encryption
Encryption Key Size
Cryptographic Tools
Public Key Infrastructure (PKI)
Digital Signatures
Digital Certificates
Hybrid Cryptography Systems
Steganography
Protocols for Secure Communications
Securing Internet Communication with HTTPS and SSL
Securing E-Mail with S/MIME, PEM, and PGP
Securing Web Transactions with SET, SSL, and HTTPS
Securing Wireless Networks with WPA and RSN
Securing TCP/IP with IPSec and PGP
Module Summary
Review Questions
Exercises
Module 11. Implementing Information Security
Introduction to Information Security Implementation
The Systems Development Life Cycle
Traditional Development Methods
Software Assurance
The NIST Approach to Securing the SDLC
Information Security Project Management
Developing the Project Plan
Project Planning Considerations
The Need for Project Management
Security Project Management Certifications
Technical Aspects of Implementation
Conversion Strategies
The Bull’s-Eye Model
To Outsource or Not
Technology Governance and Change Control
The Center for Internet Security’s Critical Security Controls
Nontechnical Aspects of Implementation
The Culture of Change Management
Considerations for Organizational Change
Module Summary
Review Questions
Exercises
Module 12. Information Security Maintenance
Introduction to Information Security Maintenance
Security Management Maintenance Models
NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
The Security Maintenance Model
Monitoring the External Environment
Monitoring the Internal Environment
Planning and Risk Assessment
Vulnerability Assessment and Remediation
Readiness and Review
Physical Security
Physical Access Controls
Physical Security Controls
Fire Security and Safety
Failure of Supporting Utilities and Structural Collapse
Heating, Ventilation, and Air Conditioning
Power Management and Conditioning
Interception of Data
Securing Mobile and Portable Systems
Special Considerations for Physical Security
Module Summary
Review Questions
Exercises

Michael E. Whitman, Ph.D., C.I.S.M., C.I.S.S.P., is the executive director of the Institute for Cybersecurity Workforce Development and a professor of information security at Kennesaw State University. In 2004, 2007, 2012 and 2015, under Dr. Whitman’s direction, the Center for Information Security Education spearheaded K.S.U.’s successful bid for the prestigious National Center of Academic Excellence recognitions (CAE/IAE and CAE/CDE), awarded jointly by the Department of Homeland Security and the National Security Agency. Dr. Whitman is also the editor-in-chief of the Journal of Cybersecurity Education, Research and Practice and director of the Southeast Collegiate Cyber Defense Competition. Dr. Whitman is an active researcher and author in information security policy, threats, curriculum development and ethical computing. He currently teaches graduate and undergraduate courses in information security. Dr. Whitman has several information security textbooks currently in print, including “Principles of Information Security,” “Principles of Incident Response and Disaster Recovery,” “Management of Information Security,” “Readings and Cases in the Management of Information Security, Volumes I and II,” “The Hands-On Information Security Lab Manual,” “The Guide to Network Security” and “The Guide to Firewalls and Network Security.” He has published articles in Information Systems Research, the Communications of the ACM, the Journal of International Business Studies, Information and Management and the Journal of Computer Information Systems. Dr. Whitman is a member of the Information Systems Security Association, ISACA and the Association for Information Systems. Previously, Dr. Whitman served the U.S. Army as an armored cavalry officer with additional duties as the automated data processing system security officer (ADPSSO).

Herbert Mattord, Ph.D., C.I.S.M., C.I.S.S.P., completed 24 years of IT industry experience as an application developer, database administrator, project manager and information security practitioner before joining the faculty at Kennesaw State University, where he serves as a professor of information security and assurance and cybersecurity. Dr. Mattord currently teaches graduate and undergraduate courses. He is also a senior editor of the Journal of Cybersecurity Education, Research and Practice. He and Dr. Michael Whitman have authored “Principles of Information Security,” “Principles of Incident Response and Disaster Recovery,” “Management of Information Security,” “Readings and Cases in the Management of Information Security,” “The Guide to Network Security” and “The Hands-On Information Security Lab Manual.” Dr. Mattord is an active researcher, author and consultant in information security management and related topics. He has published articles in the Information Resources Management Journal, Journal of Information Security Education, the Journal of Executive Education and the International Journal of Interdisciplinary Telecommunications and Networking. Dr. Mattord is a member of the Information Systems Security Association, ISACA and the Association for Information Systems. During his career as an IT practitioner, Dr. Mattord was an adjunct professor at Kennesaw State University, Southern Polytechnic State University, Austin Community College and Texas State University: San Marcos. He was formerly the manager of corporate information technology security at Georgia-Pacific Corporation, where he acquired much of the practical knowledge found in this and his other textbooks.
