1st Edition

The Executive MBA in Information Security

ISBN 9781439810071
Published October 9, 2009 by CRC Press
352 Pages 25 B/W Illustrations



Book Description

According to the Brookings Institute, an organization’s information and other intangible assets account for over 80 percent of its market value. As the primary sponsors and implementers of information security programs, those in key leadership positions must possess a solid understanding of the constantly evolving fundamental concepts of information security management. Developing this knowledge and keeping it current, however, requires time and energy that busy executives like you simply don’t have.

Supplying a complete overview of key concepts, The Executive MBA in Information Security provides the tools needed to ensure your organization has an effective and up-to-date information security management program in place. This one-stop resource provides a ready-to-use security framework for developing workable programs and includes proven tips for avoiding common pitfalls—so you can get it right the first time.

Allowing for quick and easy reference, this time-saving manual provides those in key leadership positions with a lucid understanding of:

  • The difference between information security and IT security
  • Corporate governance and how it relates to information security
  • Steps and processes involved in hiring the right information security staff
  • The different functional areas related to information security
  • Roles and responsibilities of the chief information security officer (CISO)

Presenting difficult concepts in a straightforward manner, this concise guide allows you to get up to speed, quickly and easily, on what it takes to develop a rock-solid information security management program that is as flexible as it is secure.


Table of Contents

The Author
Information Security Overview
Information Security Management
What Is Information Security?
Ideal Traits of an Information Security Professional
Certification Requirements
Reference Checks
Trust and Loyalty
Why Is Information Security Important?
Information Security Concepts
Laws of Security
Information Security Requirements
Interrelationship of Regulations, Policies, Standards, Procedures, and Guidelines
Sarbanes–Oxley Act
Gramm–Leach–Bliley Act
Health Insurance Portability and Accountability Act
Federal Financial Institutions Examination Council
Payment Card Industry (PCI) Data Security Standard
Common Elements of Compliance
Security Controls
Industry Best Practice Guidelines
Measurement Techniques
Control Objectives for Information and Related Technology
ISO 27002 Overview
Capability Maturity Model (CMM)
Generally Accepted Information Security Principles (GAISP)
Common Pitfalls of an Effective Information Security Program
Defense in Depth
Managing Risks
Risk Management
System Characterization
Threat Identification
Vulnerability Identification and
Control Analysis
Likelihood Rating
Impact Rating (Premitigation)
Risk Determination
Technical Evaluation Plan (TEP)
Methodology Overview
Role of Common Vulnerabilities and Exposures (CVE)
Executive Summary
Conflict Resolution
Test Plans
Physical Security
Access Control Systems and Methods
Discretionary Access Controls (DACs)
Mandatory Access Controls (MACs)
Nondiscretionary Access Controls
Administrative Access Controls
Physical Access Controls
Technical Access Controls
Logical Access Controls
Common Access Control Practices
Physical Security
Social Engineering
Passive Information Gathering
Active Information Gathering
Covert Testing
Clean Desk Policy
Dumpster Diving
Business Continuity Plans and Disaster Recovery
Business Continuity
Phase 1—Project Management and Initiation
Phase 2—Business Impact Analysis
Phase 3—Recovery Strategies
Phase 4—Plan, Design, and Develop
Phase 5—Testing, Maintenance, and Awareness Training
Complications to Consider in BCP
Disaster Recovery
Facilities and Supplies
Event Stages
Disaster Recovery Testing
Business Continuity Planning and Disaster Recovery Training
Administrative Controls
Change Management
Request Phase
Process Phase
Release Phase
Change Management Steps
Computer Forensics
Computer Investigation Model
Incident Management
Reporting Information
Incident Details
Incident Handler
Actions to Date
Recommended Actions
Laws, Investigations, and Ethics
Operations Security
OPSEC Controls
Separation of Duties
Job Rotation
Least Privileges
Records Retention
Federal Rules of Civil Procedure
Security Awareness Training
A Cracker’s Story
Security Management Practices
Security Countermeasures
Service Providers, Service-Level Agreements, and Vendor
Vendor Relationship Policy
Service-Level Agreements
Vendor Reviews
Managing Security Risks in Vendor Relationships
Due Diligence: The First Tool
Key Contractual Protections: The Second Tool
Information Security Requirements Exhibit: The Third
Technical Controls
Host Security
System Hardening Checklist
Host Services
Other Host Security Controls
Malware Protection
Viruses, Worms, and Backdoors
DAT Signatures
Multimedia Devices
Network Security
Seven Layers of the OSI Model
Other Layers
Protocol Data Units
TCP/IP Model
Decimal, Binary, and Hexadecimal Compared
Network Addressing
Network Security Controls
Patch or Vulnerability Management
Application Controls
Application and System Development
Private Key Encryption (Symmetric Key Encryption)
Choosing a Symmetric Key Cryptography Method
Public Key Encryption (Asymmetric Key
Choosing an Asymmetric Key Cryptography Method
Digital Signature
One-Way Encryption
e-Mail Encryption
Choosing e-Mail Encryption
Internet Encryption
Choosing an Internet Security Method
Encrypting Hard Drives
Encryption Attacks
Multifactor Authentication
Perimeter Controls
Security Architecture
Internal Controls
External Controls
Telecommunications Security
Voice over IP Security
Virtual Private Network
Wireless Security
Web Filtering
Audit and Compliance
Audit and Compliance
Information Security Governance Metrics
Testing—Vulnerability Assessment
Appendix A: Information Security Policy
Appendix B: Technology Resource Policy
Appendix C: Log-on Warning Banner
Appendix D: Penetration Test Waiver
Appendix E: Tools
Appendix F: How to Report Internet Crime
Web References