Principles of Information Security, Fourth Edition. Michael E. Whitman and Herbert J. Mattord.
The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the entity's objectives. According to the COSO framework, internal control consists of five interrelated components.
These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to help them maximize the benefits derived from information technology and develop appropriate IT governance and control in a company; adopting its guidance offers a wide range of benefits.
Like the other control and governance models, the ISO information security management series provides a set of guidelines and best practices for information security management. ISO, the International Organization for Standardization, also develops standards for quality control, environmental protection, product usability, manufacturing, and other fields.
The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to management systems for quality assurance (the ISO quality management series) and environmental protection (the ISO environmental management series). The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or technical security issues. It is applicable to organizations of all shapes and sizes.
All organizations are encouraged to assess their information security risks, then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
The list of standards in the series for information security management continues to grow. Job rotation is an approach to management development in which an individual is moved through a schedule of assignments designed to give him or her a breadth of exposure to the entire operation.
Job rotation is also practiced to allow qualified employees to gain more insight into the processes of a company and to increase job satisfaction through job variation. Separation of duties (SoD) is the concept of requiring more than one person to complete a task. It is alternatively called segregation of duties or, in the political realm, separation of powers. Separation has a cost when a fault crosses section boundaries: each separated individual glances at the application used to manage their own section, sees no obvious error, assumes the unknown fault that is taking down the whole system or process is not in their section, and goes back to writing up the accomplishments that furthered the entity's stated goals for their next management review, because that is what HR told them to do.
That behavior is not faulty or wrong in any sense; it is exactly what the entity's incentives encourage, both for advancement and for keeping a job.
Without those few expert-level technicians who have, or can obtain, the administrative rights to view every aspect of a production process, it is nearly impossible to determine the underlying cause, which can lead to outrageous conclusions about what the problem must have been. For example, nobody realizes that the automation host is running out of RAM because every automated job is set to auto-start at exactly 6:
The principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that, in a particular abstraction layer of a computing environment, every module (a process, a user or a program, depending on the layer being considered) be able to access only the information and resources necessary to its legitimate purpose.
This principle is a useful security tool, but it has never been successful at enforcing high assurance security on a system. Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees, and often result in easy detection of abuse, fraud, or negligence. Many facets of personnel responsibility fall under management's umbrella, and several of them have a direct correlation to the overall security of the environment.
Depending on the position to be filled, human resources should perform a level of screening to ensure that the company hires the right individual for the right job. Management's directives pertaining to security are captured in the security policy, and standards, procedures, and guidelines are developed to support those directives.
However, these directives will not be effective if no one knows about them or how the company expects them to be implemented. A security-awareness program usually has at least three separate audiences. Security-awareness training is a type of control, and like any other control it should be monitored and evaluated for its effectiveness. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
A risk management team should have the ability to follow established best practices. Since no system or environment can be completely secure, there must be an acceptable level of risk. Once someone has console access, sitting at the actual hardware device, be it computer, server or router, there is no security that can keep a skilled person out of that system.
Not one. This is the "beginning of knowledge" of computer system security, and increasing knowledge increases sorrow. These two things you must accept, as they are the facts. If you can't handle these two absolute facts like an adult, maybe you should go do something else; try becoming an actor, or a poet, but do not go on believing you have any computer security knowledge if you can't get into this mindset. It's OK; not everyone can handle dealing with the truth. It's hard, uncomfortable, and it literally hurts; that feeling of pain is called cognitive indifference.
Risk analysis is a method of identifying vulnerabilities and threats and assessing the possible damage, in order to determine where to implement security safeguards.
There are many types of threat agents that can take advantage of several types of vulnerabilities, resulting in a variety of specific threats.
Several characteristics of a safeguard, including what it costs relative to the loss it prevents, should be weighed before committing to it.
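The "possible damage" and the cost of a safeguard are the two numbers a quantitative risk analysis actually compares. The following is an added example, not material from the page: it applies the standard quantitative formulas (single loss expectancy SLE = AV x EF, annualized loss expectancy ALE = SLE x ARO, and the net value of a safeguard = ALE before - ALE after - annual cost of the safeguard) to a constructed scenario. The asset, threat and safeguard figures are made up for the demo and are not from any real assessment.

```python
"""Quantitative risk analysis and safeguard cost/benefit (added example).

SLE = AV * EF, ALE = SLE * ARO, safeguard value = ALE(before) - ALE(after) - annual cost.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float          # AV: value of the asset at risk
    exposure_factor: float      # EF: fraction of AV lost per occurrence, 0..1
    rate_of_occurrence: float   # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # purchase, maintenance and operating cost per year
    exposure_factor: float      # EF once the safeguard is in place
    rate_of_occurrence: float   # ARO once the safeguard is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: expected loss from a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               rate_of_occurrence: float) -> float:
    """ALE: expected loss per year, i.e. the SLE weighted by how often it happens."""
    if rate_of_occurrence < 0.0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * rate_of_occurrence


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual value of a safeguard: the risk it removes minus what it costs.
    A negative result means the safeguard costs more than the risk it reduces."""
    before = annualized_loss_expectancy(threat.asset_value, threat.exposure_factor,
                                        threat.rate_of_occurrence)
    after = annualized_loss_expectancy(threat.asset_value, safeguard.exposure_factor,
                                       safeguard.rate_of_occurrence)
    return before - after - safeguard.annual_cost


def rank_safeguards(threat: Threat, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Candidates ordered by net annual value, best first."""
    scored = [(s.name, safeguard_value(threat, s)) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer database worth 500,000 exposed to a breach
# that would destroy 40% of its value and is expected about once every ten years.
DB_BREACH = Threat("customer database breach", asset_value=500_000.0,
                   exposure_factor=0.40, rate_of_occurrence=0.10)

CANDIDATES = [
    # Encryption at rest cuts the exposure factor sharply but not the rate.
    Safeguard("encryption at rest", annual_cost=5_000.0,
              exposure_factor=0.05, rate_of_occurrence=0.10),
    # Off-site backups limit the damage but leave the rate unchanged.
    Safeguard("off-site backups", annual_cost=4_000.0,
              exposure_factor=0.20, rate_of_occurrence=0.10),
    # Gold-plated option: removes the risk entirely but costs more than the risk is worth.
    Safeguard("air-gapped rebuild", annual_cost=30_000.0,
              exposure_factor=0.0, rate_of_occurrence=0.0),
]


if __name__ == "__main__":
    ale = annualized_loss_expectancy(DB_BREACH.asset_value, DB_BREACH.exposure_factor,
                                     DB_BREACH.rate_of_occurrence)
    print(f"ALE without safeguards: {ale:,.0f} per year")
    for name, value in rank_safeguards(DB_BREACH, CANDIDATES):
        verdict = "justified" if value > 0 else "not cost-justified"
        print(f"{name:20s} net value {value:>10,.0f}  ({verdict})")
```

The point the ranking makes is that the most protective control is not automatically the right one: the air-gapped rebuild eliminates the loss but has a negative net value, while encryption at rest, which leaves a residual risk, is worth 12,500 a year. Management's "acceptable level of risk" is exactly the residual ALE it is willing to carry after the justified safeguards are in place.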
The type of control implemented per classification depends upon the level of protection that management and the security team have determined is needed. Ethics are the standards, values, morals, principles, and the like, by which conduct is judged. Certified professionals, including those holding the CISSP, are held morally, and sometimes legally, to a higher standard of ethical behavior.
In promoting proper computing behavior within the industry and the confines of our corporate boundaries, professionals should incorporate ethics into their organizational policies and awareness programs.
Several organizations have addressed the issue of ethical behavior through ethics guidelines. One of them is the IAB, an independent committee of researchers and professionals with a technical interest in the health and evolution of the Internet. The IAB issues ethics-related statements concerning the use of the Internet. It considers the Internet to be a resource that depends upon availability and accessibility to be useful to a wide range of people.
It is mainly concerned with irresponsible acts on the Internet that could threaten its existence or negatively affect others. It sees the Internet as a great gift and works hard to protect it for all who depend upon it. The IAB regards the use of the Internet as a privilege, which should be treated as such and used with respect.
All information systems security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. CISSPs who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. As a "universal tool" that can, in principle, perform almost any task, computers obviously pose a threat to jobs. In this era of computer "viruses" and international spying by "hackers" who are thousands of miles away, it is clear that computer security is a topic of concern in the field of computer ethics.
The problem is not so much the physical security of the hardware, protecting it from theft, fire, flood, and the like. Malicious kinds of software, or "programmed threats", provide a significant challenge to computer security. Even more concerning, the chance of criminal charges actually being brought against the once "most trusted" but now criminal insider falls virtually to zero at the very top levels, because those criminals will settle before charges are filed, for a fraction of the amount stolen, with no damage to their reputation whatsoever, thus allowing them to retain that "most trusted" status.
Is there an all-inclusive systems risk more frightening than this? Some are of the opinion that every act of hacking is harmful, because any known successful penetration of a computer system requires the owner to thoroughly check for damaged or lost data and programs.
They claim that even if the hacker made no changes, the computer's owner must run through a costly and time-consuming investigation of the compromised system.
And if you are of the latter opinion, should you be held financially or criminally responsible, since you willingly prefer this option? In any incarnation, a security course based on this book is an ideal venue for individual or group projects. The annotated bibliography provides an excellent starting point to search for suitable projects.
In addition, many topics and problems lend themselves well to class discussions or in-class assignments (see, for example, Problem 13 in Chapter 10 or Problem 11 in Chapter ). A solutions manual is available to instructors (sorry, students) from the publisher. The Math Essentials of Appendix A-2 are required in various places.
Appendix A-2 covers elementary modular arithmetic, permutations, and elementary linear algebra; Appendix A-3 is only used as a reference for problems in Chapter 3. Just as any large and complex piece of software must have bugs, this book inevitably has errors. I will try to maintain a reasonably up-to-date errata on the textbook website.
Also, I would appreciate a copy of any software that you develop that is related to the topics in this book. Applets that illustrate algorithms and protocols would be especially nice. My work experience includes seven years at the National Security Agency followed by two years at a Silicon Valley startup company where I helped design and develop a digital rights management security product.
This real-world work was sandwiched between academic jobs.
While in academia, my research interests have included a wide variety of security topics. With my return to academia, I quickly realized that none of the available security textbooks had much connection with the real world. I can say that many of my former students who are now at leading Silicon Valley companies tell me that the information they learned in my course has proved useful in the real world.
I do have a life outside of information security. I also spend too much time watching cartoons. Another favorite activity of mine is complaining about the absurd price of housing in the San Francisco Bay Area. I want to thank my thesis advisor, Clyde F. Martin for introducing me to this fascinating subject. In my seven years at NSA, I learned more about security than I could have learned in a lifetime anywhere else.
Unfortunately, the people who taught me so much must remain anonymous. At my ill-fated startup company, MediaSnap, Inc. In spite of these pressures, we produced a high-quality digital rights management product that was far ahead of its time. I want to thank all at MediaSnap, and especially Joe Pasqua and Paul Clarke, for giving me the chance to work on such a fascinating and challenging project. Richard Low, a colleague here at SJSU, provided helpful feedback on an early version of the manuscript.
David Blockus deserves special mention for giving me detailed comments on each chapter at a particularly critical juncture in the writing of this book. I want to thank all of the people at Wiley who applied their vast expertise to make the book writing process as painless as possible.
Trudy is a generic bad guy who is trying to attack the system in some way. Some authors employ a team of bad guys where the name implies the particular nefarious activity. Trudy will be our all-purpose bad guy. Alice, Bob, Trudy and the rest of the gang need not be humans. For example, one possible scenario would be that Alice is a laptop, Bob a server, and Trudy a human.
Information has integrity if unauthorized writing is prohibited.
Denial of service, or DoS, attacks are a relatively recent concern. Such attacks try to reduce access to information. As a result of the rise in DoS attacks, data availability has become a fundamental issue in information security. If Bob cannot reach the service when he needs it, he might take his business elsewhere.
Although these two authentication problems look similar on the surface, underneath they are completely different. Authentication over a network is open to many kinds of attacks. The messages sent over a network can be viewed by Trudy. To make matters worse, Trudy can not only intercept messages; she can alter them and insert messages of her own making.
She can also replay old messages in an effort to, say, convince AOB that she is really Bob. Authentication in such a situation requires careful attention to the protocols that are used. Cryptography also has an important role to play in security protocols. Once a user is authenticated, there are restrictions on what that user is allowed to do; enforcing such restrictions is the domain of authorization.
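The three things Trudy can do with network messages (alter, insert, replay) are exactly what a message authentication code with a sequence number is designed to catch, and the same mechanism is how integrity in the sense used above, unauthorized writing, is detected rather than merely prohibited. The following is an added example, not code from the book. It assumes Bob and the server (AOB in the text) already share a secret key, which in practice comes from a key-establishment protocol; every message carries a 64-bit sequence number and an HMAC-SHA256 tag over the number and the body. The key and the messages are constructed for the demo.

```python
"""Message authentication with replay protection (added example, not from the book)."""
import hashlib
import hmac
import struct

SHARED_KEY = b"demo-key-shared-by-bob-and-aob"   # constructed; a real key comes from key establishment
HDR_LEN = 8        # 64-bit big-endian sequence number
TAG_LEN = 32       # HMAC-SHA256 output length


class Sender:
    """Bob's side: numbers and tags each outgoing message."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0

    def send(self, body: bytes) -> bytes:
        self.seq += 1                                  # never reuse a number under this key
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        return header + body + tag                     # what goes on the wire


class Receiver:
    """AOB's side: verifies the tag, then enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0

    def receive(self, wire: bytes) -> bytes:
        if len(wire) < HDR_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header, body, tag = wire[:HDR_LEN], wire[HDR_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Tag first, compared in constant time, so a forgery is rejected before any other processing.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: message altered or forged")
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            raise ValueError("replay: sequence number already seen")
        self.last_seq = seq
        return body


def deliver(receiver: Receiver, wire: bytes) -> str:
    """Return 'accepted' or the reason the receiver rejected the message."""
    try:
        receiver.receive(wire)
        return "accepted"
    except ValueError as err:
        return str(err)


def run_attacks() -> dict:
    """Constructed exchange: one genuine message from Bob, then Trudy's three attempts."""
    bob, aob = Sender(SHARED_KEY), Receiver(SHARED_KEY)
    genuine = bob.send(b"transfer 10 to carol")
    results = {"genuine": deliver(aob, genuine)}

    # Alteration: Trudy changes the amount in the body; header and tag are left as they were.
    altered = genuine.replace(b"transfer 10 ", b"transfer 99 ")
    results["altered"] = deliver(aob, altered)

    # Insertion: Trudy builds her own message and has to guess the tag, since she lacks the key.
    forged = struct.pack(">Q", 2) + b"transfer 500 to trudy" + bytes(TAG_LEN)
    results["forged"] = deliver(aob, forged)

    # Replay: Bob's genuine message verbatim; the tag is valid but the sequence number is stale.
    results["replayed"] = deliver(aob, genuine)

    # Bob's next real message still goes through.
    results["next_genuine"] = deliver(aob, bob.send(b"balance?"))
    return results


if __name__ == "__main__":
    for attempt, outcome in run_attacks().items():
        print(f"{attempt:13s} -> {outcome}")
```

Two design points matter in practice. The strictly increasing counter assumes in-order delivery; over a lossy transport the receiver keeps a sliding window of seen numbers instead. And the counter only stops replay within the lifetime of one key: a fresh key per session (or a session identifier under the tag) is what prevents Trudy from replaying a message from last week's session into today's. HMAC gives integrity and origin authentication only; the body is still readable by Trudy, so confidentiality needs encryption on top.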
Note that authorization places restrictions on the actions of authenticated users. Modern software systems tend to be large, complex, and rife with bugs. How can AOB be sure that its software is behaving correctly? On the other hand, some software is written with the intent of doing evil. Such malicious software, or malware, includes the all-too-familiar computer viruses and worms that plague the Internet today.
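Authorization, the principle of least privilege introduced earlier, and separation of duties all end up as the same kind of code: a check at every entry point that the authenticated principal holds exactly the permission the action needs, plus a rule that some actions need two different people. The following is an added example, not code from the book or from the CISSP material above. It assumes a small role-based model (roles, users and permission names are constructed for the demo) in which each role carries only what its job requires, a service account is read-only, and the principal who creates a payment may not be the one who approves it.

```python
"""Authorization with least privilege and separation of duties (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Role -> permissions. Each role carries only what its job requires (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller":     {"account:read", "payment:create"},
    "supervisor": {"account:read", "payment:approve"},
    "report-job": {"account:read"},              # service account: read only
}

# User -> roles, from a constructed directory. Carol is both teller and supervisor.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"teller"},
    "bob":   {"supervisor"},
    "carol": {"teller", "supervisor"},
    "nightly-report": {"report-job"},
}


class AuthzError(PermissionError):
    """An authenticated principal attempted an action it is not allowed."""


@dataclass
class Payment:
    payment_id: int
    amount: float
    created_by: str
    approved_by: Optional[str] = None


class Authorizer:
    def __init__(self, user_roles: Dict[str, Set[str]],
                 role_permissions: Dict[str, Set[str]]) -> None:
        self.user_roles = user_roles
        self.role_permissions = role_permissions

    def permissions(self, user: str) -> Set[str]:
        """Union of the permissions of every role the user holds; unknown users get none."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def require(self, user: str, permission: str) -> None:
        if permission not in self.permissions(user):
            raise AuthzError(f"{user} lacks {permission}")


class PaymentService:
    """Every entry point checks authorization before touching state."""

    def __init__(self, authz: Authorizer) -> None:
        self.authz = authz
        self.next_id = 1
        self.payments: Dict[int, Payment] = {}

    def create(self, user: str, amount: float) -> Payment:
        self.authz.require(user, "payment:create")
        payment = Payment(self.next_id, amount, created_by=user)
        self.payments[payment.payment_id] = payment
        self.next_id += 1
        return payment

    def approve(self, user: str, payment_id: int) -> Payment:
        self.authz.require(user, "payment:approve")
        payment = self.payments[payment_id]
        # Separation of duties: holding both roles is not enough to self-approve.
        if payment.created_by == user:
            raise AuthzError(f"{user} created payment {payment_id} and may not approve it")
        payment.approved_by = user
        return payment


def outcome(action: Callable[[], object]) -> str:
    """Run an action and report 'ok' or the authorization failure."""
    try:
        action()
        return "ok"
    except AuthzError as err:
        return f"denied: {err}"


def run_demo() -> Dict[str, str]:
    svc = PaymentService(Authorizer(USER_ROLES, ROLE_PERMISSIONS))
    results: Dict[str, str] = {}
    p1 = svc.create("alice", 250.0)
    results["bob approves alice's"] = outcome(lambda: svc.approve("bob", p1.payment_id))
    results["alice approves own"] = outcome(lambda: svc.approve("alice", p1.payment_id))
    p2 = svc.create("carol", 900.0)
    results["carol approves own"] = outcome(lambda: svc.approve("carol", p2.payment_id))
    results["bob approves carol's"] = outcome(lambda: svc.approve("bob", p2.payment_id))
    results["report job creates"] = outcome(lambda: svc.create("nightly-report", 1.0))
    results["unknown user reads"] = outcome(lambda: svc.authz.require("mallory", "account:read"))
    return results


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step:22s} {result}")
```

Carol's case is the one worth noticing: role accumulation (the usual result of job rotation without revocation) gives her both permissions, and only the explicit dual-control rule on the transaction itself stops her from creating and approving the same payment. The unknown user falls through to an empty permission set, so the default is deny.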
What can Trudy do to increase the nastiness of such pests? Bob also has many software concerns. For example, when Bob enters his password on his computer, how does he know that his password has not been captured and sent to Trudy?
If Bob conducts a transaction at www.
Operating systems are themselves large and complex pieces of software. OSs also enforce much of the security in any system, so some knowledge of OSs is necessary in order to more fully appreciate the challenges of information security. I believe this is appropriate, since the strengths, weaknesses, and inherent limitations of the mechanisms directly affect all of the other critical aspects of security.
In other words, without a reasonable understanding of the mechanisms, it is not possible to have an informed discussion of any of the other three issues.