1st Edition

Information Security Management
Concepts and Practice

ISBN 9781420078541
Published January 29, 2010 by CRC Press
868 Pages 222 B/W Illustrations

USD $115.00

Prices & shipping based on shipping country


Book Description

Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. And, although the international community has been aggressively engaged in developing security standards for network and information security worldwide, there are few textbooks available that provide clear guidance on how to properly apply the new standards in conducting security audits and creating risk-driven information security programs.

An authoritative and practical classroom resource, Information Security Management: Concepts and Practice provides a general overview of security auditing before examining the various elements of the information security life cycle. It explains the ISO 17799 standard and walks readers through the steps of conducting a nominal security audit that conforms to the standard. The text also provides detailed guidance for conducting an in-depth technical security audit leading to certification against the 27001 standard. Topics addressed include cyber security, security risk assessments, privacy rights, HIPAA, SOX, intrusion detection systems, security testing activities, cyber terrorism, and vulnerability assessments.

This self-contained text is filled with review questions, workshops, and real-world examples that illustrate effective implementation and security auditing methodologies. It also includes a detailed security auditing methodology students can use to devise and implement effective risk-driven security programs that touch all phases of a computing environment—including the sequential stages needed to maintain virtually air-tight IS management systems that conform to the latest ISO standards.

Table of Contents


Introduction to Information Security Management
Why Information Security Matters
Information Sensitivity Classification
Information Security Governance
The Computing Environment
Security of Various Components in the Computing
Security Interdependence
CIA Triad
Security Goals versus Business Goals
The Security Star
Parker’s View of Information Security
What Is Information Security Management?
Defense-In-Depth Security
Security Controls
The NSA Triad for Security Assessment

Introduction to Management Concepts
Brief History of Management
Traditional Management Skills and Security Literacy
Managerial Skills
Redefining Mintzberg’s Managerial Roles
Strategic Management Concepts
IS Security Management Activities
Do We Really Need an Independent Information Security Functional Unit?
The Information Security Management Cycle
IS Security Management versus Functional Management

The Information Security Life Cycle
Security Planning in the SLC
Security Analysis
Security Design
Security Implementation
Security Review
Continual Security


Security Plan
SP Development Guidelines
SP Methodology

Security Policy
Security Policy, Standards, and Guidelines
Security Policy Methodologies

Business Continuity Planning
Business Disruptions
Business Continuity
Disaster Recovery
Responding to Business Disruptions
Developing a BCP


Security Risk Management
The Risk Management Life Cycle
The Preparation Effort for Risk Management
A Sustainable Security Culture
Information Needed to Manage Risks
Factors Affecting Security Risk
The ALE Risk Methodology
Operational, Functional, and Strategic Risks
Operational Risk Management: Case of the Naval Safety Center
The ABLE Methodology

Continual Security: Integrated Fault-Event Analysis and Response Framework (IFEAR)
IFEAR Methodology
Fault Tree Analysis
Event Tree Analysis
FTA-ETA Integration
Risk Management
|Simulation and Sensitivity Analysis

Active Security Assessment
Standards for Active Security Assessment
Limits of Active Security Assessment
Can You Hack Your Own System?
Ethical Hacking of a Computing Environment
Ethics in Ethical Hacking
ASA through Penetration Testing
Strategies for Active Security Assessment
Guidelines and Terms between Testers and the Organization
The Active Security Assessment Project

System Availability
Computer Clustering
Review of Cluster Concepts
Types of Clusters
Web Site Availability
Application Centers No Longer the Only Sound Implementation
Computation of Availability in High-Availability Cluster
Related Availability Definitions
How to Obtain Higher Availability: The Cisco Process Nines’ Availability
Common Configurations for Clusters
Self-Healing and Availability


Nominal Security Enhancement Design Based on ISO/IEC 27002
History of the ISO/IEC 27002
ISO/IEC 27002
How to Use the ISO/IEC 27002 to Enhance Security
Measurement and Implementations
Strategies to Enhance the ISO/IEC 27002-Based Security Posture
Comparing the ISO/IEC 27002-Based Security Posture Enhancement Strategies

Technical Security Enhancement Based on ISO/IEC 27001
How Organizations Interact with the Standards
General ISMS Framework
The ISMS Model
The Process Approach Ensures the Continual Improvement of the ISMS
Development of the Information Security Management System
Design of the ISMS
Security Inventory Needs
The Integration of ISMS Subsystems
Self-Assessment for Compliance
Revisiting ISMS Scoping


Security Solutions
Security Solutions
The NIST Security Solution Taxonomy
The ISO Security Solution Taxonomy

The Common Criteria
The Birth of the Common Criteria
Common Uses of the CC
The CC Document
The CC Security Approach
Information Resource Evaluation Methodology
CC Security Evaluation Programs
The American Model of CC Evaluation Programs
A National Model
Some Other CC Evaluation Requirements


Security Review through Security Audit
Security Audit Means Different Things to Different People
Some Security Audit Activities
Our Definition of Security Audit
Main Features in Security Audit
Application Audit
How Does Security Audit Relate to the Corporate Security Policy?
Structure of a Security Audit
Security Audit versus IT Auditing
Applicable Security-Related Standards
Security Audit Grades

Privacy Rights, Information Technology, and HIPAA
The Problem of Privacy
The Meaning of Privacy
Regulatory Standards: The Privacy Rule
The HIPAA Security Rule
Administrative Safeguards
Conducting Effective Risk Analysis


The Sarbanes–Oxley Act and IT Compliance
Methods of Doing Business
Background of the SarbanesOxley Act
SarbanesOxley Act of 2002
Major Provisions of SO
Management Assessment of Internal Controls and IT
IT Compliance
International Responses
Advantages to SOX Compliance
Foreign Whistleblowers and SOX
Reconciling SOX and European Conflicting Standards
EU Corporate Governance Initiatives
E.U.’s Eighth Directive
Planning IT Management for SOX: Delayed SOX Impact

Cyberterrorism and Homeland Security
Security Economic Intelligence
Homeland Security
Cyberterrorism in the Literature
Cyberterrorism in the Real World: The FBI Perspective
U.S. Legislative Enactments and Proposed Programs
U.S. Criminal Statutes Affecting the Internet
Statutes and Executive Orders Concerned with Cyberterrorism
International Initiatives
Individual European State Approaches to Security and Counterterrorism
Other International Efforts


Each chapter begins with an Introduction and concludes with a Summary, Review Questions, Workshops, and References

View More


… a comprehensive overview of security topics related to the management and development of secure systems. This rich collection of literature reviews matches every stage of security management, implementation, and deployment. … The extensive breakdown of risk analysis and threat assessment will be of particular interest to practitioners with background in this area… one of the most comprehensive works to date on the topic, and includes lengthy examples of how to determine and manage the risks associated with a new development project. The book describes most, if not all, security paradigms that are in practice today in terms of analyzing the goals of a project and establishing priorities. … a valuable resource for anyone conducting research in the field of information security as well as for experienced managers seeking to concentrate on security in future endeavors. Summing Up: Highly recommended.
— T.D. Richardson, South University, in CHOICE, November 2010, Vol. 48 No. 03