Information Security Management: Concepts and Practice, 1st Edition (Hardback) book cover

Information Security Management

Concepts and Practice, 1st Edition

By Bel G. Raggad

CRC Press

868 pages | 222 B/W Illus.

Purchasing Options:$ = USD
Hardback: 9781420078541
pub: 2010-01-29
SAVE ~$16.50
eBook (VitalSource) : 9780429111457
pub: 2010-01-29
from $28.98

FREE Standard Shipping!


Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. And, although the international community has been aggressively engaged in developing security standards for network and information security worldwide, there are few textbooks available that provide clear guidance on how to properly apply the new standards in conducting security audits and creating risk-driven information security programs.

An authoritative and practical classroom resource, Information Security Management: Concepts and Practice provides a general overview of security auditing before examining the various elements of the information security life cycle. It explains the ISO 17799 standard and walks readers through the steps of conducting a nominal security audit that conforms to the standard. The text also provides detailed guidance for conducting an in-depth technical security audit leading to certification against the 27001 standard. Topics addressed include cyber security, security risk assessments, privacy rights, HIPAA, SOX, intrusion detection systems, security testing activities, cyber terrorism, and vulnerability assessments.

This self-contained text is filled with review questions, workshops, and real-world examples that illustrate effective implementation and security auditing methodologies. It also includes a detailed security auditing methodology students can use to devise and implement effective risk-driven security programs that touch all phases of a computing environment—including the sequential stages needed to maintain virtually air-tight IS management systems that conform to the latest ISO standards.


… a comprehensive overview of security topics related to the management and development of secure systems. This rich collection of literature reviews matches every stage of security management, implementation, and deployment. … The extensive breakdown of risk analysis and threat assessment will be of particular interest to practitioners with background in this area… one of the most comprehensive works to date on the topic, and includes lengthy examples of how to determine and manage the risks associated with a new development project. The book describes most, if not all, security paradigms that are in practice today in terms of analyzing the goals of a project and establishing priorities. … a valuable resource for anyone conducting research in the field of information security as well as for experienced managers seeking to concentrate on security in future endeavors. Summing Up: Highly recommended.

— T.D. Richardson, South University, in CHOICE, November 2010, Vol. 48 No. 03

Table of Contents


Introduction to Information Security Management

Why Information Security Matters

Information Sensitivity Classification

Information Security Governance

The Computing Environment

Security of Various Components in the Computing


Security Interdependence

CIA Triad

Security Goals versus Business Goals

The Security Star

Parker’s View of Information Security

What Is Information Security Management?

Defense-In-Depth Security

Security Controls

The NSA Triad for Security Assessment

Introduction to Management Concepts

Brief History of Management

Traditional Management Skills and Security Literacy

Managerial Skills

Redefining Mintzberg’s Managerial Roles

Strategic Management Concepts

IS Security Management Activities

Do We Really Need an Independent Information Security Functional Unit?

The Information Security Management Cycle

IS Security Management versus Functional Management

The Information Security Life Cycle

Security Planning in the SLC

Security Analysis

Security Design

Security Implementation

Security Review

Continual Security


Security Plan

SP Development Guidelines

SP Methodology

Security Policy

Security Policy, Standards, and Guidelines

Security Policy Methodologies

Business Continuity Planning

Business Disruptions

Business Continuity

Disaster Recovery

Responding to Business Disruptions

Developing a BCP


Security Risk Management

The Risk Management Life Cycle

The Preparation Effort for Risk Management

A Sustainable Security Culture

Information Needed to Manage Risks

Factors Affecting Security Risk

The ALE Risk Methodology

Operational, Functional, and Strategic Risks

Operational Risk Management: Case of the Naval Safety Center

The ABLE Methodology

Continual Security: Integrated Fault-Event Analysis and Response Framework (IFEAR)

IFEAR Methodology

Fault Tree Analysis

Event Tree Analysis

FTA-ETA Integration

Risk Management

|Simulation and Sensitivity Analysis

Active Security Assessment

Standards for Active Security Assessment

Limits of Active Security Assessment

Can You Hack Your Own System?

Ethical Hacking of a Computing Environment

Ethics in Ethical Hacking

ASA through Penetration Testing

Strategies for Active Security Assessment

Guidelines and Terms between Testers and the Organization

The Active Security Assessment Project

System Availability

Computer Clustering

Review of Cluster Concepts

Types of Clusters

Web Site Availability

Application Centers No Longer the Only Sound Implementation

Computation of Availability in High-Availability Cluster

Related Availability Definitions

How to Obtain Higher Availability: The Cisco Process Nines’ Availability

Common Configurations for Clusters

Self-Healing and Availability


Nominal Security Enhancement Design Based on ISO/IEC 27002

History of the ISO/IEC 27002

ISO/IEC 27002

How to Use the ISO/IEC 27002 to Enhance Security

Measurement and Implementations

Strategies to Enhance the ISO/IEC 27002-Based Security Posture

Comparing the ISO/IEC 27002-Based Security Posture Enhancement Strategies

Technical Security Enhancement Based on ISO/IEC 27001

How Organizations Interact with the Standards

General ISMS Framework

The ISMS Model

The Process Approach Ensures the Continual Improvement of the ISMS

Development of the Information Security Management System

Design of the ISMS

Security Inventory Needs

The Integration of ISMS Subsystems

Self-Assessment for Compliance

Revisiting ISMS Scoping


Security Solutions

Security Solutions

The NIST Security Solution Taxonomy

The ISO Security Solution Taxonomy

The Common Criteria

The Birth of the Common Criteria

Common Uses of the CC

The CC Document

The CC Security Approach

Information Resource Evaluation Methodology

CC Security Evaluation Programs

The American Model of CC Evaluation Programs

A National Model

Some Other CC Evaluation Requirements



Security Review through Security Audit

Security Audit Means Different Things to Different People

Some Security Audit Activities

Our Definition of Security Audit

Main Features in Security Audit

Application Audit

How Does Security Audit Relate to the Corporate Security Policy?

Structure of a Security Audit

Security Audit versus IT Auditing

Applicable Security-Related Standards

Security Audit Grades

Privacy Rights, Information Technology, and HIPAA

The Problem of Privacy

The Meaning of Privacy


Regulatory Standards: The Privacy Rule

The HIPAA Security Rule

Administrative Safeguards


Conducting Effective Risk Analysis


The Sarbanes–Oxley Act and IT Compliance

Methods of Doing Business

Background of the SarbanesOxley Act

SarbanesOxley Act of 2002

Major Provisions of SO

Management Assessment of Internal Controls and IT


IT Compliance

International Responses

Advantages to SOX Compliance

Foreign Whistleblowers and SOX

Reconciling SOX and European Conflicting Standards

EU Corporate Governance Initiatives

E.U.’s Eighth Directive

Planning IT Management for SOX: Delayed SOX Impact

Cyberterrorism and Homeland Security

Security Economic Intelligence

Homeland Security

Cyberterrorism in the Literature

Cyberterrorism in the Real World: The FBI Perspective

U.S. Legislative Enactments and Proposed Programs

U.S. Criminal Statutes Affecting the Internet

Statutes and Executive Orders Concerned with Cyberterrorism

International Initiatives

Individual European State Approaches to Security and Counterterrorism

Other International Efforts


Each chapter begins with an Introduction and concludes with a Summary, Review Questions, Workshops, and References

Subject Categories

BISAC Subject Codes/Headings:
BUSINESS & ECONOMICS / Information Management
COMPUTERS / Information Technology
COMPUTERS / Security / General