Management of Information Security 5Th Edition Michael E Whitman Online Ebook Texxtbook Full Chapter PDF

Management of Information Security
5th Edition Michael E. Whitman

Visit to download the full and correct content document:
https://ebookmeta.com/product/management-of-information-security-5th-edition-mich
ael-e-whitman/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Principles of Information Security 7th Edition Michael

E. Whitman
https://ebookmeta.com/product/principles-of-information-
security-7th-edition-michael-e-whitman/
Information Security Management 2nd Edition Workman
https://ebookmeta.com/product/information-security-
management-2nd-edition-workman/
Of the People 5th Edition Michael E. Mcgerr
https://ebookmeta.com/product/of-the-people-5th-edition-michael-
e-mcgerr/
Principles of Incident Response & Disaster Recovery

(MindTap Course List) 3rd Edition Michael E. Whitman &
Herbert J. Mattord
https://ebookmeta.com/product/principles-of-incident-response-
disaster-recovery-mindtap-course-list-3rd-edition-michael-e-
whitman-herbert-j-mattord/
Foundations of Library and Information Science 5th
Edition Richard E. Rubin
https://ebookmeta.com/product/foundations-of-library-and-
information-science-5th-edition-richard-e-rubin/
Fundamentals of Information Systems Security 4th

Edition David Kim & Michael G. Solomon
https://ebookmeta.com/product/fundamentals-of-information-
systems-security-4th-edition-david-kim-michael-g-solomon/
ISO/IEC 27001:2022: Information security, cybersecurity

and privacy protection — Information security
management systems — Requirements 3rd Edition Iso
https://ebookmeta.com/product/iso-iec-270012022-information-
security-cybersecurity-and-privacy-protection-information-
security-management-systems-requirements-3rd-edition-iso/
International security politics policy prospects 2nd

Edition Michael E. Smith
https://ebookmeta.com/product/international-security-politics-
policy-prospects-2nd-edition-michael-e-smith/
Access Control and Identity Management Information

Systems Security Assurance 3rd Edition Mike Chapple
https://ebookmeta.com/product/access-control-and-identity-
management-information-systems-security-assurance-3rd-edition-
mike-chapple/
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
This is an electronic version of the print textbook. Due to electronic rights restrictions,
some third party content may be suppressed. Editorial review has deemed that any suppressed
content does not materially affect the overall learning experience. The publisher reserves the right
to remove content from this title at any time if subsequent rights restrictions require it. For
valuable information on pricing, previous editions, changes to current editions, and alternate
formats, please visit www.cengage.com/highered to search by ISBN, author, title, or keyword for
materials in your areas of interest.
Important notice: Media content referenced within the product description or the product
text may not be available in the eBook version.
Management of Information Security
Fifth Edition
Michael Whitman, Ph.D., CISM, CISSP

Herbert Mattord, Ph.D., CISM, CISSP
Kennesaw State University
Australia • Brazil • Mexico • Singapore • United Kingdom • United States
Management of Information Security, © 2017, 2014, 2010 Cengage Learning
Fifth Edition
ALL RIGHTS RESERVED. No part of this work covered by the copyright
Michael E. Whitman and Herbert J. Mattord herein may be reproduced or distributed in any form or by any means,
SVP, GM Skills & Global Product Management: except as permitted by U.S. copyright law, without the prior written
permission of the copyright owner.
Dawn Gerrain
Product Director: Kathleen McMahon SOURCE FOR ILLUSTRATIONS: Copyright © Cengage Learning.
Product Team Manager: Kristin McNary All screenshots, unless otherwise noted, are used with permission from
Associate Product Manager: Amy Savino Microsoft Corporation. Microsoft® is a registered trademark of the
Microsoft Corporation.
Senior Director, Development: Marah
Bellegarde
For product information and technology assistance, contact us at
Product Development Manager: Leigh
Cengage Learning Customer & Sales Support, 1-800-354-9706
Hefferon
For permission to use material from this text or product,
Managing Content Developer: Emma Newsom submit all requests online at www.cengage.com/permissions.
Senior Content Developer: Natalie Pashoukos Further permissions questions can be e-mailed to
Product Assistant: Abigail Pufpaff permissionrequest@cengage.com.
Vice President, Marketing Services: Jennifer

Ann Baker Library of Congress Control Number: 2016932028
Marketing Coordinator: Cassie Cloutier ISBN: 978-1-305-50125-6
Senior Production Director: Wendy Troeger
Production Director: Patty Stephan Cengage Learning
20 Channel Center Street
Senior Content Project Manager: Brooke
Boston, MA 02210
Greenhouse
USA
Managing Art Director: Jack Pendleton
Software Development Manager: Pavan Cengage Learning is a leading provider of customized learning solutions
Ethakota with employees residing in nearly 40 different countries and sales in more
than 125 countries around the world. Find your local representative at
Cover Image(s): iStockPhoto.com/4X-image
www.cengage.com.
Cengage Learning products are represented in Canada by

Nelson Education, Ltd.
To learn more about Cengage Learning, visit www.cengage.com.
Purchase any of our products at your local college store or at our preferred
online store www.cengagebrain.com.
Notice to the Reader

Publisher does not warrant or guarantee any of the products described herein or perform any
independent analysis in connection with any of the product information contained herein. Pub-
lisher does not assume, and expressly disclaims, any obligation to obtain and include information
other than that provided to it by the manufacturer. The reader is expressly warned to consider and
adopt all safety precautions that might be indicated by the activities described herein and to avoid
all potential hazards. By following the instructions contained herein, the reader willingly assumes
all risks in connection with such instructions. The publisher makes no representations or warranties
of any kind, including but not limited to, the warranties of fitness for particular purpose or mer-
chantability, nor are any such representations implied with respect to the material set forth herein,
and the publisher takes no responsibility with respect to such material. The publisher shall not be
liable for any special, consequential, or exemplary damages resulting, in whole or part, from the
readers’ use of, or reliance upon, this material.
Printed in the United States of America

Print Number: 01 Print Year: 2016
Brief Contents
PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
CHAPTER 1
Introduction to the Management of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
CHAPTER 2
Compliance: Law and Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
CHAPTER 3
Governance and Strategic Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
CHAPTER 4
Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
CHAPTER 5
Developing the Security Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
CHAPTER 6
Risk Management: Identifying and Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
CHAPTER 7
Risk Management: Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
CHAPTER 8
Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
CHAPTER 9
Security Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
CHAPTER 10
Planning for Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
CHAPTER 11
Personnel and Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
CHAPTER 12
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
APPENDIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
iii
Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
CHAPTER 1
Introduction to the Management of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
CNSS Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
The Value of Information and the C.I.A. Triad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Key Concepts of Information Security: Threats and Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The 12 Categories of Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
What Is Management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Behavioral Types of Leaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Management Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Solving Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Principles of Information Security Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
CHAPTER 2
Compliance: Law and Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
InfoSec and the Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Types of Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Relevant U.S. Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
International Laws and Legal Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
State and Local Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Policy Versus Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Ethics in InfoSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Ethics and Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Deterring Unethical and Illegal Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Professional Organizations and Their Codes of Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Association for Computing Machinery (ACM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
International Information Systems Security Certification Consortium, Inc. (ISC)2 . . . . . . . . . . . . . . . . . 83
SANS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Information Systems Audit and Control Association (ISACA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Information Systems Security Association (ISSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
v
vi Table of Contents
Organizational Liability and the Need for Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Key Law Enforcement Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
CHAPTER 3
Governance and Strategic Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
The Role of Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Precursors to Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating a Strategic Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning and the CISO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
The ITGI Approach to Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
NCSP Industry Framework for Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
CERT Governing for Enterprise Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
ISO/IEC 27014:2013 Governance of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Security Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Planning for Information Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Introduction to the Security Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
CHAPTER 4
Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Why Policy?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Policy, Standards, and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Integrating an Organization’s Mission and Objectives into the EISP . . . . . . . . . . . . . . . . . . . . . . . . . 146
EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Example EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Elements of the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Implementing the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
System-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Managerial Guidance SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Technical Specification SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Table of Contents vii
Guidelines for Effective Policy Development and Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Developing Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Comprehension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Policy Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Policy Development and Implementation Using the SecSDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Automated Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Other Approaches to Information Security Policy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems . . . . . . . . . . . . 173
A Final Note on Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
CHAPTER 5
Developing the Security Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Organizing for Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Security in Large Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Security in Medium-Sized Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Security in Small Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Placing Information Security Within an Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Components of the Security Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Information Security Roles and Titles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Chief Information Security Officer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Convergence and the Rise of the True CSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Security Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Security Administrators and Analysts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Technicians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Staffers and Watchstanders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Officers and Investigators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Help Desk Personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Implementing Security Education, Training, and Awareness Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Security Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Security Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Training Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Security Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Project Management in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Projects Versus Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
PMBOK Knowledge Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Project Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
viii Table of Contents
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
CHAPTER 6
Risk Management: Identifying and Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Introduction to Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Knowing Yourself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Knowing the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Accountability for Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Identification and Prioritization of Information Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Threat Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
The TVA Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Risk Assessment and Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Likelihood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Assessing Potential Impact on Asset Value (Consequences) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Percentage of Risk Mitigated by Current Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Risk Determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Likelihood and Consequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Documenting the Results of Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
CHAPTER 7
Risk Management: Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Introduction to Risk Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Risk Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Transference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Managing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Feasibility and Cost–Benefit Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Other Methods of Establishing Feasibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Alternatives to Feasibility Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Recommended Risk Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Qualitative and Hybrid Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Delphi Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The OCTAVE Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Table of Contents ix
Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

FAIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
ISO 27005 Standard for InfoSec Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
NIST Risk Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Other Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Selecting the Best Risk Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
CHAPTER 8
Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Introduction to Blueprints, Frameworks, and Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Categories of Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Other Forms of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Security Architecture Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Trusted Computing Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Information Technology System Evaluation Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
The Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Academic Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Bell-LaPadula Confidentiality Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Biba Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Clark-Wilson Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Graham-Denning Access Control Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Harrison-Ruzzo-Ullman Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Brewer-Nash Model (Chinese Wall) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Other Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
The ISO 27000 Series. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
NIST Security Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Control Objectives for Information and Related Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Committee of Sponsoring Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Information Technology Infrastructure Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Information Security Governance Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
CHAPTER 9
Security Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Introduction to Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Benchmarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
x Table of Contents
Standards of Due Care/Due Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Selecting Recommended Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Limitations to Benchmarking and Recommended Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Baselining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Support for Benchmarks and Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Performance Measurement in InfoSec Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
InfoSec Performance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Building the Performance Measurement Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Specifying InfoSec Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Collecting InfoSec Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Implementing InfoSec Performance Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Reporting InfoSec Performance Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Trends in Certification and Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
NIST SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework
to Federal Information Systems: A Security Life Cycle Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
CHAPTER 10
Planning for Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Introduction to Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Fundamentals of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Components of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Contingency Planning Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Reacting to Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Recovering from Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
The Disaster Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Disaster Recovery Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Disaster Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Planning to Recover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Responding to the Disaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Simple Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Business Continuity Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Continuity Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Timing and Sequence of CP Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Business Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Table of Contents xi
Testing Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Final Thoughts on CP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Managing Investigations in the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Affidavits and Search Warrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Evidentiary Policy and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
CHAPTER 11
Personnel and Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Introduction to Personnel and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Staffing the Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Information Security Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Information Security Professional Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
(ISC)2 Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
ISACA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
GIAC Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
EC-Council Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
CompTIA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
ISFCE Certifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Certification Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Entering the Information Security Profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Employment Policies and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Hiring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Contracts and Employment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Security as Part of Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Termination Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Personnel Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Security of Personnel and Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Security Considerations for Temporary Employees, Consultants, and Other Workers . . . . . . . . . . . . . . 507
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
CHAPTER 12
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Introduction to Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Access Controls and Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
xii Table of Contents
Managing Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Remote Access Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Wireless Networking Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Scanning and Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Managing Server-Based Systems with Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Encryption Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Using Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Managing Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
APPENDIX
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems . . . . . . . . . . . . . . . 583
ISO 17799: 2005 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
The OCTAVE Method of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Preface
As global use of the Internet continues to expand, the demand for and reliance on
Internet-based information creates an increasing expectation of access. Modern businesses
take advantage of this and have dramatically increased their Internet presence over the past
decade. This creates an increasing threat of attacks on information assets and a need for
greater numbers of professionals capable of protecting those assets.
To secure these information assets from ever-increasing threats, organizations demand
both breadth and depth of expertise from the next generation of information security prac-
titioners. These professionals are expected to have an optimal mix of skills and experiences
to secure diverse information environments. Students of technology must learn to recog-
nize the threats and vulnerabilities present in existing systems. They must also learn how
to manage the use of information assets securely and support the goals and objectives of
their organizations through effective information security governance, risk management,
and regulatory compliance.
Why This Text Was Written

The purpose of this textbook is to fulfill the need for a quality academic textbook in the dis-
cipline of information security management. While there are dozens of quality publications
on information security and assurance for the practitioner, there are fewer textbooks that
xiii
xiv Preface
provide the student with an in-depth study of information security management. Specifically,
those in disciplines such as information systems, information technology, computer science,
criminal justice, political science, and accounting information systems must understand the
foundations of the management of information security and the development of managerial
strategy for information security. The underlying tenet of this textbook is that information
security in the modern organization is a management problem and not one that technology
alone can answer; it is a problem that has important economic consequences and one for
which management is accountable.
Approach
This book provides a managerial approach to information security and a thorough treatment
of the secure administration of information assets. It can be used to support information
security coursework for a variety of technology students, as well as for technology curricula
aimed at business students.
Certified Information Systems Security Professional, Certified Information Security Manager,
and NIST Common Bodies of Knowledge—As the authors are Certified Information Systems
Security Professionals (CISSP) and Certified Information Security Managers (CISM), these
knowledge domains have had an influence on the design of this textbook. With the influence
of the extensive library of information available from the Special Publications collection at
the National Institute of Standards and Technology (NIST, at csrc.nist.gov), the authors
have also tapped into additional government and industry standards for information security
management. Although this textbook is by no means a certification study guide, much of the
Common Bodies of Knowledge for the dominant industry certifications, especially in the area
of management of information security, have been integrated into the text.
Overview
Chapter 1—Introduction to the Management
of Information Security
The opening chapter establishes the foundation for understanding the field of information
security by explaining the importance of information technology and identifying who is
responsible for protecting an organization’s information assets. Students learn the definition
and key characteristics of information security, as well as the differences between information
security management and general management.
Chapter 2—Compliance: Law and Ethics

In this chapter, students learn about the legal and regulatory environment and its relationship
to information security. This chapter describes the major national and international laws that
affect the practice of information security, as well as the role of culture in ethics as it applies
to information security professionals.
Preface xv
Chapter 3—Governance and Strategic Planning for Security

This chapter explains the importance of planning and describes the principal components of
organizational planning and the role of information security governance and planning within
the organizational context.
Chapter 4—Information Security Policy

This chapter defines information security policy and describes its central role in a successful
information security program. Industry and government best practices promote three major
types of information security policy; this chapter explains what goes into each type, and
demonstrates how to develop, implement, and maintain various types of information security
policies.
Chapter 5—Developing the Security Program

Chapter 5 explores the various organizational approaches to information security and
explains the functional components of an information security program. Students learn the
complexities of planning and staffing for an organization’s information security department
based on the size of the organization and other factors, as well as how to evaluate the inter-
nal and external factors that influence the activities and organization of an information secu-
rity program. This chapter also identifies and describes the typical job titles and functions
performed in the information security program, and concludes with an exploration of the
creation and management of a security education, training, and awareness program. This
chapter also provides an overview of project management, a necessary skill in any technology
or business professional’s portfolio.
Chapter 6—Risk Management: Identifying and Assessing Risk

This chapter defines risk management and its role in the organization, and demonstrates
how to use risk management techniques to identify and prioritize risk factors for informa-
tion assets. The risk management model presented here assesses risk based on the likeli-
hood of adverse events and the effects on information assets when events occur. This
chapter concludes with a brief discussion of how to document the results of the risk iden-
tification process.
Chapter 7—Risk Management: Controlling Risk

This chapter presents essential risk mitigation strategy options and opens the discussion on
controlling risk. Students learn how to identify risk control classification categories, use exist-
ing conceptual frameworks to evaluate risk controls, and formulate a cost benefit analysis.
They also learn how to maintain and perpetuate risk controls.
Chapter 8—Security Management Models

This chapter describes the components of the dominant information security management
models, including U.S. government and internationally sanctioned models, and discusses
how to customize them for a specific organization’s needs. Students learn how to implement
the fundamental elements of key information security management practices. Models include
NIST, ISO, and a host of specialized information security research models that help students
understand confidentiality and integrity applications in modern systems.
xvi Preface
Chapter 9—Security Management Practices

This chapter describes the fundamentals and emerging trends in information security man-
agement practices and explains how these practices help organizations meet U.S. and
international compliance standards. The chapter contains an expanded section on security
performance measurement and covers concepts of certification and accreditation of IT
systems.
Chapter 10—Planning for Contingencies

This chapter describes and explores the major components of contingency planning and the
need for them in an organization. The chapter illustrates the planning and development of
contingency plans, beginning with the business impact analysis, and continues through the
implementation and testing of contingency plans.
Chapter 11—Personnel and Security

This chapter expands upon the discussion of the skills and requirements for information
security positions introduced in Chapter 5. It explores the various information security pro-
fessional certifications and identifies which skills are encompassed by each. The second half
of the chapter explores the integration of information security issues associated with person-
nel management to regulate employee behavior and prevent misuse of information, as part of
an organization’s human resources function.
Chapter 12—Protection Mechanisms

This chapter introduces students to the world of technical controls by exploring access con-
trol approaches, including authentication, authorization, and biometric access controls, as
well as firewalls and the common approaches to firewall implementation. It also covers the
technical control approaches for dial-up access, intrusion detection and prevention systems,
and cryptography.
Appendix
The appendix reproduces an essential security management self-assessment model from the
NIST library. It also includes a questionnaire from the ISO 27002 body that could be used
for organizational assessment. The appendix provides additional detail on various risk man-
agement models, including OCTAVE and the OCTAVE variants, the Microsoft Risk Manage-
ment Model, Factor Analysis of Information Risk (FAIR), ISO 27007, and NIST SP 800-30.
Features
Chapter Scenarios—Each chapter opens with a short vignette that follows the same fictional
company as it encounters various information security issues. The final part of each chapter
is a conclusion to the scenario that also offers questions to stimulate in-class discussion.
These questions give the student and the instructor an opportunity to explore the issues that
underlie the content.
View Points—An essay from an information security practitioner or academic is included in
each chapter. These sections provide a range of commentary that illustrate interesting topics
or share personal opinions, giving the student a wider, applied view on the topics in the text.
Preface xvii
Offline Boxes—These highlight interesting topics and detailed technical issues, allowing the
student to delve more deeply into certain topics.
Hands-On Learning—At the end of each chapter, students will find a Chapter Summary and
Review Questions as well as Exercises and Closing Case exercises, which give them the
opportunity to examine the information security arena from an experiential perspective.
Using the Exercises, students can research, analyze, and write to reinforce learning objectives
and deepen their understanding of the text. The Closing Case exercises require that students
use professional judgment, powers of observation, and elementary research to create solu-
tions for simple information security scenarios.
New to This Edition

This fifth edition of Management of Information Security tightens its focus on the managerial
aspects of information security, continues to expand the coverage of governance and compli-
ance issues, and continues to reduce the coverage of foundational and technical components.
While retaining enough foundational material to allow reinforcement of key concepts, this
edition has fewer technical examples. This edition also contains updated in-depth discussions
and Offline features, and additional coverage in key managerial areas: risk management,
information security governance, access control models, and information security program
assessment and metrics. Chapter 1 consolidates all the introductory and general IT manage-
rial material.
Each chapter now has key terms clearly delineated and defined in the preface of each
major section. This approach provides clear, concise definitions for use in instruction and
assessment.
In general, the entire text has been updated and re-organized to reflect changes in the field,
including revisions to sections on national and international laws and standards, such as the
ISO 27000 series, among others. Throughout the text, the content has been updated, with
newer and more relevant examples and discussions. A complete coverage matrix of the topics
in this edition is available to instructors to enable mapping of the previous coverage to the
new structure. Please contact your sales representative for access to the matrix.
MindTap
MindTap for Management of Information Security is an online learning solution designed to
help students master the skills they need in today’s workforce. Research shows employers
need critical thinkers, troubleshooters, and creative problem-solvers to stay relevant in our
fast-paced, technology-driven world. MindTap helps users achieve this with assignments and
activities that provide hands-on practice, real-life relevance, and mastery of difficult concepts.
Students are guided through assignments that progress from basic knowledge and under-
standing to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on exer-
cises provide real-life application and practice. Readings and “Whiteboard Shorts” support
the lecture, while “In the News” assignments encourage students to stay current. Pre- and
post-course assessments allow you to measure how much students have learned using analyt-
ics and reporting that makes it easy to see where the class stands in terms of progress,
engagement, and completion rates. Use the content and learning path as-is, or pick and
xviii Preface
choose how the material will wrap around your own. You control what the students see and
when they see it. Learn more at www.cengage.com/mindtap/.
Instructor Resources
Free to all instructors who adopt Management of Information Security, 5e for their courses is
a complete package of instructor resources. These resources are available from the Cengage
Learning Web site, www.cengagebrain.com. Go to the product page for this book in the
online catalog and choose “Instructor Downloads.”
Resources include:
● Instructor’s Manual: This manual includes course objectives and additional informa-
tion to help your instruction.
● Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text’s test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an instant;
and deliver tests from your LMS, your classroom, or wherever you want.
● PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for each
chapter. These slides are meant to be used as a teaching aid for classroom presentations,
to be made available to students for chapter review, or to be printed for classroom dis-
tribution. Instructors are also at liberty to add their own slides.
● Figure Files: Figure files allow instructors to create their own presentations using figures
taken from the text.
● Lab Manual: Cengage Learning has produced a lab manual (Hands-On Information
Security Lab Manual, Fourth Edition) written by the authors that can be used to
provide technical experiential exercises in conjunction with this book. Contact your
Cengage Learning sales representative for more information.
● Readings and Cases: Cengage Learning also produced two texts—Readings and Cases
in the Management of Information Security (ISBN-13: 9780619216276) and Readings
& Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576)—by the
authors, which make excellent companion texts. Contact your Cengage Learning sales
representative for more information.
● Curriculum Model for Programs of Study in Information Security: In addition to the
texts authored by this team, a curriculum model for programs of study in Information
Security and Assurance is available from the Kennesaw State University Center for
Information Security Education (http://infosec.kennesaw.edu). This document provides
details on designing and implementing security coursework and curricula in academic
institutions, as well as guidance and lessons learned from the authors’ perspective.
Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge knowl-
edge from the world of academic study with practical experience from the business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in the Informa-
tion Systems Department, Coles College of Business at Kennesaw State University, Kennesaw,
Preface xix
Georgia, where he is also the Executive Director of the Center for Information Security Educa-
tion (infosec.kennesaw.edu), Coles College of Business. He and Herbert Mattord are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Readings &
Cases in Information Security: Law & Ethics; Guide to Firewall and VPNs; Guide to
Network Security; Roadmap to the Management of Information Security; and Hands-On
Information Security Lab Manual, all from Cengage Learning. Dr. Whitman is an active
researcher in Information Security, Fair and Responsible Use Policies, and Ethical Computing.
He currently teaches graduate and undergraduate courses in Information Security. He has
published articles in the top journals in his field, including Information Systems Research, the
Communications of the ACM, Information and Management, the Journal of International
Business Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing Machinery,
ISACA, (ISC)2, and the Association for Information Systems. Through his efforts and those
of Dr. Mattord, his institution has been recognized by the Department of Homeland Security
and the National Security Agency as a National Center of Academic Excellence in Information
Assurance Education four times, most recently in 2015. Dr. Whitman is also the Editor-in-
Chief of the Information Security Education Journal, a DLINE publication, and he continually
solicits relevant and well-written articles on InfoSec pedagogical topics for publication. Prior
to his employment at Kennesaw State, he taught at the University of Nevada Las Vegas, and
served over 13 years as an officer in the U.S. Army.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an
application developer, database administrator, project manager, and information security
practitioner in 2002. He is currently an Associate Professor of Information Security in the
Coles College of Business at Kennesaw State University. He and Michael Whitman are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Guide to
Network Security; and Hands-On Information Security Lab Manual, all from Cengage
Learning. During his career as an IT practitioner, Mattord has been an adjunct professor
at Kennesaw State University; Southern Polytechnic State University in Marietta, Georgia;
Austin Community College in Austin, Texas; and Texas State University: San Marcos. He
currently teaches undergraduate courses in Information Security. He is the Assistant Chair
of the Department of Information Systems and is also an active member of the Information
Systems Security Association and Information Systems Audit and Control Association. He
was formerly the Manager of Corporate Information Technology Security at Georgia-
Pacific Corporation, where much of the practical knowledge found in this and his earlier
textbooks was acquired.
Acknowledgments
The authors would like to thank their families for their support and understanding for the
many hours dedicated to this project—hours taken, in many cases, from family activities.
Special thanks to Carola Mattord, Ph.D., Professor of English at Kennesaw State University.
Her reviews of early drafts and suggestions for keeping the writing focused on the students
resulted in a more readable manuscript.
xx Preface
Reviewers
We are indebted to the following individuals for their contributions of perceptive feedback on
the initial proposal, the project outline, and the chapter-by-chapter reviews of the text:
● Wasim A. AlHamdani, Ph.D., IACR, IEEE, ACM, CSAB (ABET Eva.), Professor of
Cryptography and InfoSec, College of Business and Computer Sciences, Kentucky State
University, Frankfort, KY
● James W. Rust, MSIS, MCSE: Security, MCSA: Security, MCDBA, MCP, CompTIA,
CTT+, Project+, Security+, Network+, A+, Implementation Engineer, Buford, GA
● Paul D. Witman, Ph.D., Associate Professor, Information Technology Management,
California Lutheran University, School of Management, Thousand Oaks, CA
Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage Learning. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Pashoukos, Senior Content Developer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Associate Product Manager
Brooke Baker, Senior Content Project Manager
In addition, several professional and commercial organizations and individuals have aided
the development of this textbook by providing information and inspiration, and the authors
wish to acknowledge their contributions:
Charles Cresson Wood
NetIQ Corporation
The View Point authors:
● Henry Bonin
● Lee Imrey
● Robert Hayes and Kathleen Kotwicka
● David Lineman
● Paul D. Witman & Scott Mackelprang
● George V. Hulme
● Tim Callahan
● Mark Reardon
● Martin Lee
● Karen Scarfone
● Alison Gunnels
● Todd E. Tucker
Preface xxi
Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be
pleased and honored to receive feedback on the textbook and its supporting materials. You
can contact us through Cengage Learning at infosec@kennesaw.edu.
Foreword
By David Rowan, Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are inter-
ested in a career in Information Security or have actually embarked on one. I am thanking
you because we—and by we I mean all of us—need your help.
You and I live in a world completely enabled, supported by, and allowed by technology.
In almost all practical respects, the things you and I take for granted are created by our
technology. There is technology we see and directly interact with, and technology we
don’t see or are only peripherally aware of. For example, the temperature of my home is
monitored and maintained based on a smart thermostat’s perception of my daily habits
and preferences. I could check it via the app or wait for an alert via text message, but I
don’t—I just assume all is well, confident that I will be informed if something goes amiss.
Besides, I am more interested in reading my personal news feed….
With respect to technology, we occupy two worlds, one of intent and realized actions and
another of services that simply seem to occur on their own. Both these worlds are necessary,
desirable, growing, and evolving. Also, both these worlds are profoundly underpinned by one
thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust that our
purchases are recorded accurately, we trust that our streaming services will have enough
bandwidth, we trust that our stock trades and bank transactions are secure, we trust that
our cars will run safely, and I trust that my home will be at the right temperature when I
walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact that we
can delegate tasks, share infrastructure, exchange ideas and information, and buy goods
and services almost seamlessly benefits us all. It is good ground worth defending. How-
ever, the inevitable and unfortunate fact is that some among us prey upon our trust; they
will work tirelessly to disrupt, divert, or destroy our intents, actions, comfort, well-being,
information, and whatever else our technology and the free flow of information offers.
The motives of these actors matter, but regardless of why they threaten what technology
gives us, the actions we take to safeguard it is up to us. That’s why I am glad you are
reading this. We need guardians of the trust we place in technology and the information
flow it enables.
xxii Preface
I have been in the financial industry for 35 years, and have spent the latter half of it focused
on information security and the related fields of fraud management, business continuity,
physical security, and legal and regulatory compliance. I have seen the evolution of technol-
ogy risk management from a necessary back-office function to a board-level imperative with
global implications. The bound interrelationships among commerce, infrastructure, basic util-
ities, safety, and even culture exist to the extent that providing security is now dominantly a
matter of strategy and management, and less a matter of the tools or technology de jure.
There’s an old saying that it’s not the tools that make a good cabinet, but the skill of the car-
penter. Our tools will change and evolve; it’s how we use them that really matter.
This fifth edition of Management of Information Security is a foundational source that embo-
dies the current best thinking on how to plan, govern, implement, and manage an informa-
tion security program. It is holistic and comprehensive, and provides a path to consider all
aspects of information security and to integrate security into the fabric of the things we
depend on and use. It provides specific guidance on strategy, policy development, risk identi-
fication, personal management, organization, and legal matters, and places them in the con-
text of a broader ecosystem. Strategy and management are not merely aspects of information
security; they are its essence—and this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our world of
modern conveniences. I hope you will become a part of this community.
—Atlanta, Georgia, February 2016
chapter 1
Introduction to the Management

of Information Security
Management is, above all, a practice where art, science, and craft meet.
—HENRY MINTZBERG
One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu
left her office early one afternoon to attend a meeting of the local chapter of the Information
Systems Security Association (ISSA). She had recently been promoted from her previous
assignment at RWW as an information security risk manager to become the first chief infor-
mation security officer (CISO) to be named at RWW.
This occasion marked Iris’s first ISSA meeting. With a mountain of pressing matters on her clut-
tered desk, Iris wasn’t exactly certain why she was making it a priority to attend this meeting. She
sighed. Since her early morning wake-up, she had spent many hours in business meetings, fol-
lowed by long hours at her desk working toward defining her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from the company she used to
work for, Sequential Label and Supply (SLS). Charlie had been promoted to chief information
officer (CIO) of SLS almost a year ago.
“Hi, Charlie,” she said.
“Hello, Iris,” Charlie said, shaking her hand. “Congratulations on your promotion. How are
things going in your new position?”
“So far,” she replied, “things are going well—I think.”
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 1
2 Chapter 1
Charlie noticed Iris’s hesitancy. “You think?” he said. “Okay, tell me what’s going on.”
“Well, I’m struggling to get a consensus from the rest of the management team about the pro-
blems we have,” Iris explained. “I’m told that information security is a priority, but every-
thing is in disarray. Any ideas that are brought up, especially my ideas, are chopped to bits
before they’re even taken up by senior management. There’s no established policy covering
our information security needs, and it seems that we have little hope of getting one approved.
The information security budget covers my salary plus a little bit of funding that goes toward
part of one position for a technician in the network department. The IT managers act like I’m
a waste of their time, and they don’t seem to take security issues as seriously as I do. It’s like
trying to drive a herd of cats!”
Charlie thought for a moment and then said, “I’ve got some ideas that may help. We should
talk more, but not now; the meeting is about to start. Here’s my new number—call me tomor-
row and we’ll arrange to get together for coffee.”
LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
• Describe the importance of the manager’s role in securing an organization’s

information assets
• List and discuss the key characteristics of information security
• List and describe the dominant categories of threats to information security
• Discuss the key characteristics of leadership and management
• Differentiate information security management from general business
management
Introduction to Security
Key Terms
information security (InfoSec): Protection of the confidentiality, integrity, and availability of
information assets, whether in storage, processing, or transmission, via the application of policy,
education, training and awareness, and technology.
security: A state of being secure and free from danger or harm. Also, the actions taken to make
someone or something secure.
In today’s global markets, business operations are enabled by technology. From the board-
room to the mailroom, businesses make deals, ship goods, track client accounts, and inventory
company assets, all through the implementation of systems based upon information technol-
ogy (IT). IT enables the storage and transportation of information—often a company’s most
valuable resource—from one business unit to another. But what happens if the vehicle breaks
Introduction to the Management of Information Security 3
down, even for a little while? Business deals fall through, shipments are lost, and company
assets become more vulnerable to threats from both inside and outside the firm. In the past, 1
the business manager’s response to this possibility was to proclaim, “We have technology peo-
ple to handle technology problems.” This statement might have been valid in the days when
technology was confined to the climate-controlled rooms of the data center and when infor-
mation processing was centralized. In the last 30 years, however, technology has moved out
from the data center to permeate every facet of the business environment. The business place
is no longer static; it moves whenever employees travel from office to office, from city to city,
or even from office to home. As businesses have become more fluid, “computer security” has
evolved into “information security,” or “InfoSec,” which covers a broader range of issues,
from the protection of computer-based data to the protection of human knowledge. Informa-
tion security is no longer the sole responsibility of a small, dedicated group of professionals in
the company. It is now the responsibility of all employees, especially managers.
Astute managers increasingly recognize the critical nature of information security as the vehi-
cle by which the organization’s information assets are secured. In response to this growing
awareness, businesses are creating new positions to solve the newly perceived problems. The
emergence of executive-level information security managers—like Iris in the opening scenario
of this chapter—allows for the creation of professionally managed information security teams
that have a primary objective to protect information assets, wherever they may be.
Organizations must realize that information security planning and funding decisions involve
more than managers of information, the members of the information security team, or the
managers of information systems. Altogether, they should involve the entire organization, as
represented by three distinct groups of managers and professionals, or communities of interest:
• Those in the field of information security
• Those in the field of IT
• Those from the rest of the organization
These three groups should engage in a constructive effort to reach consensus on an overall
plan to protect the organization’s information assets.
The communities of interest and the roles they fulfill include the following:
• The information security community protects the organization’s information assets
from the many threats they face.
• The IT community supports the business objectives of the organization by supplying
and supporting IT that is appropriate to the organization’s needs.
• The general business community articulates and communicates organizational policy
and objectives and allocates resources to the other groups.
Working together, these communities of interest make decisions about how to secure an orga-
nization’s information assets most effectively. As the discussion between Iris and Charlie in
this chapter’s opening scenario suggests, managing a successful information security program
takes time, resources, and a lot of effort by all three communities within the organization.
Each community of interest must understand that information security is about identifying,
measuring, and mitigating (or at least understanding and documenting) the risk associated
with operating information assets in a modern business environment. It is up to the leadership
4 Chapter 1
of the various communities of interest to identify and support initiatives for controlling the
risks faced by the organization’s information assets. But to make sound business decisions
concerning the security of information assets, managers must understand the concept of infor-
mation security, the roles professionals play within that field, and the issues organizations face
in a fluid, global business environment.
In order to understand the varied aspects of information security, you must know the defini-
tions of certain key InfoSec terms and concepts. This knowledge enables you to communicate
effectively with the IT and information security communities.
In general, security means being free from danger. To be secure is to be protected from the
risk of loss, damage, unwanted modification, or other hazards. National security, for example,
is a system of multilayered processes that protects the sovereignty of a state—its assets,
resources, and people. Achieving an appropriate level of security for an organization also
depends on the implementation of a multilayered system.
Security is often achieved by means of several strategies undertaken simultaneously or used in
combination with one another. Many of those strategies will focus on specific areas of secu-
rity, but they also have many elements in common. It is the role of management to ensure
that each strategy is properly planned, organized, staffed, directed, and controlled.
Specialized areas of security include:
• Physical security—The protection of physical items, objects, or areas from unautho-
rized access and misuse.
• Operations security—The protection of the details of an organization’s operations and
activities.
• Communications security—The protection of all communications media, technology,
and content.
• Cyber (or computer) security—The protection of computerized information processing
systems and the data they contain and process. The term cybersecurity is relatively
new, so its use might be slightly ambiguous in coming years as the definition gets
sorted out.
• Network security—A subset of communications security and cybersecurity; the protec-
tion of voice and data networking components, connections, and content.
The efforts in each of these areas contribute to the information security program as a whole.
This textbook derives its definition of information security from the standards published
by the Committee on National Security Systems (CNSS), formerly known as the National
Security Telecommunications and Information Systems Security Committee (NSTISSC),
chaired by the U.S. Secretary of Defense.
Information security (InfoSec) focuses on the protection of information and the characteristics
that give it value, such as confidentiality, integrity, and availability, and includes the technol-
ogy that houses and transfers that information through a variety of protection mechanisms
such as policy, training and awareness programs, and technology. Figure 1-1 shows that Info-
Sec includes the broad areas of InfoSec management (the topic of this book): computer secu-
rity, data security, and network security. The figure also shows that policy is the space where
these components overlap.
TY
IO
N
SE
CU
RI GO
VE
RN
AN
1
AT Management of CE
RM
FO Information Security
IN
POLICY
Computer Security
Network Security
Data Security
Confidentiality Integrity Availability
Figure 1-1 Components of information security
CNSS Security Model

The CNSS document NSTISSI No. 4011, “National Training Standard for Information Sys-
tems Security (InfoSec) Professionals,” presents a comprehensive model of InfoSec known as
the McCumber Cube, which is named after its developer, John McCumber. Shown in
Figure 1-2, which is an adaptation of the NSTISSI model, the McCumber Cube serves as the
standard for understanding many aspects of InfoSec, shows the three dimensions that are
central to the discussion of InfoSec: information characteristics, information location, and
security control categories. If you extend the relationship among the three dimensions that
are represented by the axes in the figure, you end up with a 3 × 3 × 3 cube with 27 cells.
Each cell represents an area of intersection among these three dimensions, which must be
addressed to secure information. When using this model to design or review any InfoSec pro-
gram, you must make sure that each of the 27 cells is properly addressed by each of the three
communities of interest. For example, the cell representing the intersection of the technology,
y
nolog
n| Tech
| Educatio
Policy
Confidentiality Confidentiality
y
log
no
ch
Te
n|
tio
Integrity Integrity
ca
du
y |E
lic
Po
Availability Availability
Storage | Processing | Transmission Storage | Processing | Transmission
Figure 1-2 CNSS security model1
6 Chapter 1
integrity, and storage criteria could include controls or safeguards addressing the use of tech-
nology to protect the integrity of information while in storage. Such a control might consist
of a host intrusion detection and prevention system (HIDPS), for example, which would
alert the security administrators when a critical file was modified or deleted.
While the CNSS model covers the three dimensions of InfoSec, it omits any discussion of
guidelines and policies that direct the implementation of controls, which are essential to an
effective InfoSec program. Instead, the main purpose of the model is to identify gaps in the
coverage of an InfoSec program.
Another weakness of this model emerges when it is viewed from a single perspective. For
example, the HIDPS control described earlier addresses only the needs and concerns of the
InfoSec community, leaving out the needs and concerns of the broader IT and general busi-
ness communities. In practice, thorough risk reduction requires the creation and dissemina-
tion of controls of all three types (policy, education, and technical) by all three communities.
These controls can be implemented only through a process that includes consensus building
and constructive conflict to reflect the balancing act that each organization faces as it designs
and executes an InfoSec program. The rest of this book will elaborate on these issues.
For more information on the CNSS and its training standards (known as issuances), visit the
Committee on National Security Systems Web site at www.cnss.gov, and select Directives from
the Library tab.
The Value of Information and the C.I.A. Triad
Key Terms
accountability: The access control mechanism that ensures all actions on a system—authorized
or unauthorized—can be attributed to an authenticated identity. Also known as auditability.
authentication: The access control mechanism that requires the validation and verification of an
unauthenticated entity’s purported identity.
authorization: The access control mechanism that represents the matching of an authenticated
entity to a list of information assets and corresponding access levels.
availability: An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
C.I.A. triad: The industry standard for computer security since the development of the
mainframe. The standard is based on three characteristics that describe the utility of information:
confidentiality, integrity, and availability.
confidentiality: An attribute of information that describes how data is protected from
disclosure or exposure to unauthorized individuals or systems.
disclosure: In InfoSec, the intentional or unintentional exposure of an information asset to
unauthorized parties.
identification: The access control mechanism whereby unverified entities who seek access to a
resource provide a label by which they are known to the system.
information aggregation: Pieces of non-private data that, when combined, may create
information that violates privacy. Not to be confused with aggregate information.
integrity: An attribute of information that describes how data is whole, complete, and
uncorrupted.
privacy: In the context of information security, the right of individuals or groups to protect
themselves and their information from unauthorized access, providing confidentiality.
To better understand the management of InfoSec, you must become familiar with the key
characteristics of information that make it valuable to an organization, as expressed in the 1
C.I.A. triad characteristics of confidentiality, integrity and availability (see Figure 1-3). How-
ever, present-day needs have rendered these characteristics inadequate on their own to con-
ceptualize InfoSec because they are limited in scope and cannot encompass today’s
constantly changing IT environment, which calls for a more robust model. The C.I.A. triad,
therefore, has been expanded into a more comprehensive list of critical characteristics and
processes, including privacy, identification, authentication, authorization, and accountability.
These characteristics are explained in more detail in the sections that follow.
Confidentiality Confidentiality means limiting access to information only to those who

need it, and preventing access by those who don’t. When unauthorized individuals or sys-
tems can view information, confidentiality is breached. To protect the confidentiality of
information, a number of measures are used, including:
• Information classification
• Secure document (and data) storage
• Application of general security policies
• Education of information custodians and end users
• Cryptography (encryption)
Confidentiality is closely related to privacy, another key characteristic of information that is
discussed later in this chapter. The complex relationship between these two characteristics is
examined in detail in later chapters. In an organization, confidentiality of information is espe-
cially important for personal information about employees, customers, or patients. People
expect organizations to closely guard such information. Whether the organization is a govern-
ment agency, a commercial enterprise, or a nonprofit charity, problems arise when organiza-
tions disclose confidential information. Disclosure can occur either deliberately or by mistake.
For example, confidential information could be mistakenly e-mailed to someone outside the
organization rather than the intended person inside the organization. Or perhaps an employee
discards, rather than destroys, a document containing critical information. Or maybe a hacker
successfully breaks into a Web-based organization’s internal database and steals sensitive
information about clients, such as names, addresses, or credit card information.
ity
ial
nt
In
te
de
Data
gr
nfi
ity
&
Co
Services
Availability
Figure 1-3 The C.I.A. triad
8 Chapter 1
In the new world of Internet-connected systems, even organizations we would expect to be

diligent and to take suitable precautions can find themselves holding the bag after a massive
data spill. While U.S. federal agencies have had lapses that resulted in unwanted data disclo-
sures, an event in July 2015 eclipsed all previous similar lapses. The loss of 21.5 million fed-
eral background-check files rocked the Office of Personnel Management (OPM), which had
to reveal that names, addresses, financial records, health data, and other sensitive private
information had fallen into the hands of what were believed to be Chinese hackers.2 This
event followed the widely reported Sony data spill in 2014, illustrating again that the impact
from massive data breaches spans every sector of modern society.
Integrity The integrity or completeness of information is threatened when it is exposed to

corruption, damage, destruction, or other disruption of its authentic state. Corruption can
occur while information is being entered, stored, or transmitted.
Many computer viruses and worms, for example, are designed to corrupt data. For this rea-
son, the key method for detecting whether a virus or worm has caused an integrity failure to
a file system is to look for changes in the file’s state, as indicated by the file’s size or, in a
more advanced operating system, its hash value or checksum (discussed in Chapter 12).
File corruption is not always the result of deliberate attacks. Faulty programming or even
noise in the transmission channel or medium can cause data to lose its integrity. For exam-
ple, a low-voltage state in a signal carrying a digital bit (a 1 or 0) can cause the receiving
system to record the data incorrectly.
To compensate for internal and external threats to the integrity of information, systems
employ a variety of error-control techniques, including the use of redundancy bits and
check bits. During each transmission, algorithms, hash values, and error-correcting codes
ensure the integrity of the information. Data that has not been verified in this manner is
retransmitted or otherwise recovered. Because information is of little or no value or use if
its integrity cannot be verified, information integrity is a cornerstone of InfoSec.
Availability Availability of information means that users, either people or other systems,
have access to it in a usable format. Availability does not imply that the information is
accessible to any user; rather, it means it can be accessed when needed by authorized users.
To understand this concept more fully, consider the contents of a library—in particular,
research libraries that require identification for access to the library as a whole or to certain
collections. Library patrons must present the required identification before accessing the col-
lection. Once they are granted access, patrons expect to be able to locate and access
resources in the appropriate languages and formats.
Privacy Information that is collected, used, and stored by an organization should be used
only for the purposes stated by the data owner at the time it was collected. In this context,
privacy does not mean freedom from observation (the meaning usually associated with the
word); it means that the information will be used only in ways approved by the person
who provided it. Many organizations collect, swap, and sell personal information as a com-
modity. Today, it is possible to collect and combine personal information from several dif-
ferent sources, (known as information aggregation), which has resulted in databases that
could be used in ways the original data owner hasn’t agreed to or even knows about.
Many people have become aware of these practices and are looking to the government to
protect their information’s privacy. 1
Identification An information system possesses the characteristic of identification when
it is able to recognize individual users. Identification is the first step in gaining access to
secured material, and it serves as the foundation for subsequent authentication and authori-
zation. Identification and authentication are essential to establishing the level of access or
authorization that an individual is granted. Identification is typically performed by means
of a user name or other ID.
Authentication Authentication is the process by which a control establishes whether a

user (or system) is the entity it claims to be. Examples include the use of cryptographic certi-
ficates to establish Secure Sockets Layer (SSL) connections as well as the use of crypto-
graphic hardware devices—for example, hardware tokens such as RSA’s SecurID.
Individual users may disclose a personal identification number (PIN), a password, or a pass-
phrase to authenticate their identities to a computer system.
Authorization After the identity of a user is authenticated, a process called authoriza-

tion defines what the user (whether a person or a computer) has been specifically and explic-
itly authorized by the proper authority to do, such as access, modify, or delete the contents
of an information asset. An example of authorization is the activation and use of access con-
trol lists and authorization groups in a networking environment. Another example is a data-
base authorization scheme to verify that the user of an application is authorized for specific
functions, such as reading, writing, creating, and deleting.
Accountability Accountability of information occurs when a control provides assurance

that every activity undertaken can be attributed to a named person or automated process.
For example, audit logs that track user activity on an information system provide
accountability.
Key Concepts of Information Security: Threats and Attacks

Key Terms
attack: An ongoing act against an asset that could result in a loss of its value.
exploit: A vulnerability that can be used to cause a loss to an asset.
loss: The unauthorized and/or unexpected theft, damage, destruction or disclosure of an
information asset.
threat: A potential risk to an asset, specifically a potential loss in value.
threat agent: A person or other entity that may cause a loss in an asset’s value.
vulnerability: A potential weakness in an asset or its defensive control system(s).
Around 500 B.C., the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise
that emphasizes the importance of knowing yourself as well as the threats you face.
10 Chapter 1
Therefore I say: One who knows the enemy and knows himself will not be in
danger in a hundred battles.
One who does not know the enemy but knows himself will sometimes win,
sometimes lose. One who does not know the enemy and does not know himself
will be in danger in every battle.3
To protect your organization’s information, you must: (1) know yourself; that is, be familiar
with the information assets to be protected and the systems, mechanisms, and methods used
to store, transport, process, and protect them; and (2) know the threats you face. To make
sound decisions about information security, management must be informed about the various
threats to an organization’s people, applications, data, and information systems. As illustrated
in Figure 1-4, a threat represents a potential risk to an information asset, whereas an attack
represents an ongoing act against the asset that could result in a loss. Threat agents damage
or steal an organization’s information or physical assets by using exploits to take advantage
of a vulnerability where controls are not present or no longer effective. Unlike threats, which
are always present, attacks exist only when a specific act may cause a loss. For example, the
threat of damage from a thunderstorm is present throughout the summer in many places, but
Vulnerability: Buffer
overflow in online
database Web interface
Threat: Theft
Threat agent: Ima Hacker
Exploit: Script from MadHackz

Web site
Attack: Ima Hacker downloads an exploit from MadHackz

Web site and then accesses Buybay’s Web site. Ima then applies
the script, which runs and compromises Buybay's security controls
and steals customer data. These actions cause Buybay to
experience a loss.
Information
Asset: Buybay’s
customer database
Figure 1-4 Key concepts in information security

Sources (top left to bottom right): © iStockphoto.com/tadija, Internet Explorer, © iStockphoto.com/darrenwise, Internet Explorer, Microsoft Excel.
an attack and its associated risk of loss exist only for the duration of an actual thunderstorm.
The following sections discuss each of the major types of threats and corresponding attacks 1
facing modern information assets.
To investigate the wide range of threats that pervade the interconnected world, many
researchers have collected information on threats and attacks from practicing information
security personnel and their organizations. While the categorizations may vary, threats are rel-
atively well researched and fairly well understood.
There is wide agreement that the threat from external sources increases when an organization
connects to the Internet. The number of Internet users continues to grow; about 45.0 percent
of the world’s 7.26 billion people (as of mid-2015) have some form of Internet access.4 There-
fore, a typical organization with an online connection to its systems and information faces
more than 3 billion potential hackers.
For more information on world Internet use, visit the Internet World Stats: Usage and Population
Statistics site at www.internetworldstats.com/stats.htm.
The 12 Categories of Threats

Table 1-1 shows the 12 general categories of threats that represent a clear and present danger
to an organization’s people, information, and systems. Each organization must prioritize the
threats it faces based on the particular security situation in which it operates, its organiza-
tional strategy regarding risk, and the exposure levels of its assets. You may notice that
many of the attack examples in the table could be listed in more than one category. For
example, theft performed by a hacker falls into the category of “theft,” but it can also be pre-
ceded by “espionage or trespass” as the hacker illegally accesses the information. The theft
may also be accompanied by defacement actions to delay discovery, qualifying it for the cate-
gory of “sabotage or vandalism.”
Category of Threat Attack Examples
Compromises to intellectual property Piracy, copyright infringement

Deviations in quality of service Internet service provider (ISP), power, or WAN service problems
Espionage or trespass Unauthorized access and/or data collection
Forces of nature Fire, floods, earthquakes, lightning
Human error or failure Accidents, employee mistakes
Information extortion Blackmail, information disclosure
Sabotage or vandalism Destruction of systems or information
Software attacks Viruses, worms, macros, denial of service
Technical hardware failures or errors Equipment failure
Technical software failures or errors Bugs, code problems, unknown loopholes
Technological obsolescence Antiquated or outdated technologies
Theft Illegal confiscation of equipment or information
Table 1-1 The 12 categories of threats to information security5
12 Chapter 1
Key Terms
intellectual property (IP): The creation, ownership, and control of original ideas as well as the
representation of those ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted
computer software, which is a violation of intellectual property.
Compromises to Intellectual Property Many organizations create or support the

development of intellectual property (IP) as part of their business operations. Intellectual
property can be trade secrets, copyrights, trademarks, and patents. IP is protected by copy-
right and other laws, carries the expectation of proper attribution or credit to its source,
and potentially requires the acquisition of permission for its use, as specified in those laws.
For example, the use of a song in a movie or a photo in a publication may require a specific
payment or royalty. The unauthorized appropriation of IP constitutes a threat to informa-
tion security. Employees may have access privileges to the various types of IP, including pur-
chased and developed software and organizational information. Many employees typically
need to use IP to conduct day-to-day business. This category includes two primary areas:
• Software Piracy—Organizations often purchase or lease the IP of other organizations,
and must abide by a purchase or licensing agreement for its fair and responsible use.
The most common IP breach is the unlawful use or duplication of software-based
intellectual property, more commonly known as software piracy. Many individuals and
organizations do not purchase software as mandated by the owner’s license agree-
ments. Because most software is licensed to a particular purchaser, its use is restricted
to a single user or to a designated user in an organization. If the user copies the pro-
gram to another computer without securing another license or transferring the license,
the user has violated the copyright. Software licenses are strictly enforced by regulatory
and private organizations, and software publishers use several control mechanisms to
prevent copyright infringement.
• Copyright Protection and User Registration—A number of technical mechanisms—
digital watermarks, embedded code, copyright codes, and even the intentional place-
ment of bad sectors on software media—have been used to enforce copyright laws. The
most common tool is a unique software registration code in combination with an end-
user license agreement (EULA) that usually pops up during the installation of new
software, requiring users to indicate that they have read and agree to conditions of the
software’s use.
Another effort to combat piracy is online registration. Users who install software are often
asked or even required to register their software to complete the installation, obtain techni-
cal support, or gain the use of all features. Some users believe that this process compromises
personal privacy because they never know exactly what information is obtained from their
computers and sent to the software manufacturer.
Intellectual property losses may result from the successful exploitation of vulnerabilities in
asset protection controls. Many of the threats against these controls are described in this
chapter.
For more information on software piracy and intellectual property protection, visit the Software &
Information Industry Association (SIIA) Web site at www.siia.net and the Business Software 1
Alliance (BSA) Web site at www.bsa.org. SIIA is the organization formerly known as the Software
Publishers Association.
Key Terms
availability disruption: An interruption in service, usually from a service provider, which causes
an adverse event within an organization.
blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term reduction in the quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
noise: The presence of additional and disruptive signals in network communications or electrical
power delivery.
sag: A short-term decrease in electrical power availability.
service level agreement (SLA): A document or part of a document that specifies the expected
level of service from a service provider. An SLA usually contains provisions for minimum
acceptable availability and penalties or remediation procedures for downtime.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.
Deviations in Quality of Service An organization’s information system depends on

the successful operation of many interdependent support systems, including power grids,
data and telecommunications networks, parts suppliers, service vendors, and even janitorial
staff and garbage haulers. Any of these support systems can be interrupted by severe
weather, employee illnesses, or other unforeseen events. Deviations in quality of service can
result from such accidents as a backhoe taking out an ISP’s fiber-optic link. The backup pro-
vider may be online and in service, but may be able to supply only a fraction of the band-
width the organization needs for full service. This degradation of service is a form of
availability disruption. Irregularities in Internet service, communications, and power supplies
can dramatically affect the availability of information and systems. Subcategories of this
threat include the following:
• Internet Service Issues—In organizations that rely heavily on the Internet and the Web
to support continued operations, ISP failures can considerably undermine the availabil-
ity of information. Many organizations have sales staff and telecommuters working at
remote locations. When these offsite employees cannot contact the host systems, they
must use manual procedures to continue operations. When an organization places its
Web servers in the care of a Web hosting provider, that provider assumes responsibility
for all Internet services and for the hardware and operating system software used to
operate the Web site. These Web hosting services are usually arranged with a service
level agreement (SLA). When a service provider fails to meet the terms of the SLA, the
provider may accrue fines to cover losses incurred by the client, but these payments
seldom cover the losses generated by the outage.
• Communications and Other Service Provider Issues—Other utility services can affect
organizations as well. Among these are telephone, water, wastewater, trash pickup,
14 Chapter 1
cable television, natural or propane gas, and custodial services. The loss of these ser-
vices can impair the ability of an organization to function. For instance, most facilities
require water service to operate an air-conditioning system. Even in Minnesota in Feb-
ruary, air-conditioning systems help keep a modern facility operating. If a wastewater
system fails, an organization might be prevented from allowing employees into the
building. While several online utilities allow an organization to compare pricing
options from various service providers, only a few show a comparative analysis of
availability or downtime.
• Power Irregularities—Irregularities from power utilities are common and can lead to
fluctuations such as power excesses, power shortages, and power losses. These fluctua-
tions can pose problems for organizations that provide inadequately conditioned power
for their information systems equipment. In the United States, residential users are sup-
plied 120-volt, 60-cycle power, usually through 15- and 20-amp circuits. Commercial
buildings often have 240-volt service and may also have specialized power distribution
infrastructure. When power voltage levels vary from normal, expected levels, such as
during a blackout, brownout, fault, noise, spike, surge, or sag, an organization’s sensi-
tive electronic equipment—especially networking equipment, computers, and computer-
based systems, which are vulnerable to fluctuations—can be easily damaged or
destroyed. Most good uninterruptible power supplies (UPS) can protect against spikes,
surges and sags, and even brownouts and blackouts of limited duration.
Key Terms
advanced persistent threat (APT): A collection of processes, usually directed by a human
agent, that targets a specific organization or individual.
brute force password attack: An attempt to guess a password by attempting every possible
combination of characters and numbers in it.
competitive intelligence: The collection and analysis of information about an organization’s
business competitors through legal and ethical means to gain business intelligence and
competitive advantage.
cracker: A hacker who intentionally removes or bypasses software copyright protection designed
to prevent unauthorized duplication or use.
cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control
protection, such as the copyright protection on software. See also cracker.
dictionary password attack: A variation of the brute force attack that narrows the field by
using a dictionary of common passwords and includes information related to the target user.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer
hardware and software to gain unauthorized access to systems and information. Also known as
elite hackers, expert hackers often create automated exploits, scripts, and tools used by other
hackers.
hacker: A person who accesses systems and information without authorization and often
illegally.
industrial espionage: The collection and analysis of information about an organization’s
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage. Also known as corporate spying, which is distinguished from espionage for national
security reasons.
jailbreaking: Escalating privileges to gain administrator-level control over a smartphone
operating system (typically associated with Apple iOS smartphones). See also rooting.
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform
attacks. Also known as a neophyte, n00b, or newbie. This category of hackers includes script 1
kiddies and packet monkeys.
packet monkey: A script kiddie who uses automated exploits to engage in denial-of-service
attacks.
penetration tester: An information security professional with authorization to attempt to gain
system access in an effort to identify and recommend resolutions for vulnerabilities in those
systems.
phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt
services.
privilege escalation: The unauthorized modification of an authorized or unauthorized system
user account to gain advanced access and control over system resources.
professional hacker: A hacker who conducts attacks for personal financial benefit or for a
crime organization or foreign government. Not to be confused with a penetration tester.
rainbow table: A table of hash values and their corresponding plaintext values that can be used
to look up password values if an attacker is able to steal a system’s encrypted password file.
rooting: Escalating privileges to gain administrator-level control over a computer system
(including smartphones). Typically associated with Android OS smartphones. See also jailbreaking.
script kiddie: A hacker of limited skill who uses expertly written software to attack a system.
Also known as skids, skiddies, or script bunnies.
shoulder surfing: The direct, covert observation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.
Espionage or Trespass Espionage or trespass is a well-known and broad category of

electronic and human activities that can breach the confidentiality of information. When an
unauthorized person gains access to information an organization is trying to protect, the act
is categorized as espionage or trespass. Attackers can use many different methods to access
the information stored in an information system. Some information-gathering techniques are
legal—for example, using a Web browser to perform market research. These legal techni-
ques are collectively called competitive intelligence. When information gatherers employ
techniques that cross a legal or ethical threshold, they are conducting industrial espionage.
Many countries that are considered allies of the United States engage in industrial espionage
against American organizations. When foreign governments are involved, these activities are
considered a threat to national security.
Some forms of espionage are relatively low tech. One example, called shoulder surfing, is used
in public or semipublic settings when people gather information they are not authorized to
have. Instances of shoulder surfing occur at computer terminals, desks, and ATMs; on a bus,
airplane, or subway, where people use smartphones and tablet PCs; and in other places where
employees may access confidential information. Shoulder surfing flies in the face of the
unwritten etiquette among professionals who address information security in the workplace:
If you can see another person entering personal or private information into a system, look
away as the information is entered. Failure to do so constitutes not only a breach of etiquette,
but an affront to privacy and a threat to the security of confidential information.
Hackers Acts of trespass can lead to unauthorized real or virtual actions that enable infor-
mation gatherers to enter premises or systems without permission. Controls sometimes mark
the boundaries of an organization’s virtual territory. These boundaries give notice to
16 Chapter 1
trespassers that they are encroaching on the organization’s cyberspace. Sound principles of
authentication and authorization can help organizations protect valuable information and
systems. These control methods and technologies employ multiple layers or factors to pro-
tect against unauthorized access and trespass.
The classic perpetrator of espionage or trespass is the hacker, who is frequently glamorized
in fictional accounts as a person who stealthily manipulates a maze of computer networks,
systems, and data to find information that solves the mystery and heroically saves the day.
However, the true life of the hacker is far more mundane. In the real world, a hacker fre-
quently spends long hours examining the types and structures of targeted systems and uses
skill, guile, and/or fraud to attempt to bypass controls placed on information owned by
someone else.
Hackers possess a wide range of skill levels, as with most technology users. However, most
hackers are grouped into two general categories—the expert hacker and the novice hacker:
• The expert hacker is usually a master of several programming languages, networking
protocols, and operating systems, and exhibits a mastery of the technical environment
of the chosen targeted system. Once an expert hacker chooses a target system, the like-
lihood is high that he or she will successfully enter the system. Fortunately for the
many poorly protected organizations in the world, there are substantially fewer expert
hackers than novice hackers.
A new category of expert hacker has emerged over the last few years. The professional
hacker seeks to conduct attacks for personal benefit or the benefit of an employer,
which is typically a crime organization or illegal government operation (see the section
on cyberterrorism). The professional hacker should not be confused with the penetra-
tion tester, who has authorization from an organization to test its information systems
and network defense, and is expected to provide detailed reports of the findings. The
primary differences between professional hackers and penetration testers are the autho-
rization provided and the ethical professionalism displayed.
The recent emergence of a method of precisely targeted attacks against organizations is
known as an advanced persistent threat or APT. These attacks are usually a combina-
tion of social engineering, spear phishing, and customized malware generated by
nation-state sponsored organizations or sophisticated criminal operations. In many
cases these attacks seek to infiltrate high-value information for economic espionage or
attacks against national security.
The most notorious hacker in recent times is Kevin Mitnick, who was considered an
expert hacker by most, yet he often used social engineering rather than technical skills
to collect information for his attacks.
• Novice hackers have little or no real expertise of their own, but rely upon the expertise
of expert hackers, who often become dissatisfied with attacking systems directly and
turn their attention to writing software. These programs are automated exploits that
allow novice hackers to act as script kiddies or packet monkeys. The good news is that
if an expert hacker can post a script tool where a script kiddie or packet monkey can
find it, then systems and security administrators can find it, too. The developers of
protection software and hardware and the service providers who keep defensive sys-
tems up to date also stay informed about the latest in exploit scripts. As a result of
preparation and continued vigilance, attacks conducted by scripts are usually predict-
able and can be adequately defended against. 1
Once an attacker gains access to a system, the next step is to increase his or her privileges
(privilege escalation). While most accounts associated with a system have only rudimentary
“use” permissions and capabilities, the attacker needs administrative or “root” privileges.
These privileges allow attackers to access information, modify the system itself to view all
information in it, and hide their activities by modifying system logs. The escalation of privi-
leges is a skill set in and of itself. However, just as novice hackers can use tools to gain
access, they can use tools to escalate privileges.
A common example of privilege escalation is called jailbreaking or rooting. Owners of cer-
tain smartphones can download and use particular tools to gain control over system func-
tions, often against the original intentions of the designers. The term jailbreaking is more
commonly associated with Apple’s iOS devices, while the term rooting is more common
with Android-based devices.
Other terms for system rule breakers may be less familiar. The term cracker is now com-
monly associated with software copyright bypassing and password decryption. With the
removal of the copyright protection, software can be easily distributed and installed. With
the decryption of user passwords from stolen system files, user accounts can be illegally
accessed. In current usage, the terms hacker and cracker both denote criminal intent.
Phreakers grew in fame in the 1970s when they developed devices called blue boxes that
enabled them to make free calls from pay phones. Later, red boxes were developed to simu-
late the tones of coins falling in a pay phone, and finally black boxes emulated the line volt-
age. With the advent of digital communications, these boxes became practically obsolete.
Even with the loss of the colored box technologies, however, phreakers continue to cause
problems for all telephone systems.
Password Attacks Password attacks fall under the category of espionage or trespass just
as lock-picking falls under breaking and entering. Attempting to guess or reverse-calculate a
password is often called cracking. There are a number of alternative approaches to pass-
word cracking:
• Brute Force—The application of computing and network resources to try every possi-
ble password combination is called a brute force password attack. If attackers can nar-
row the field of target accounts, they can devote more time and resources to these
accounts. This is one reason to always change the default administrator password
assigned by the manufacturer.
Brute force password attacks are rarely successful against systems that have adopted
the manufacturer’s recommended security practices. Controls that limit the number of
unsuccessful access attempts within a certain time are very effective against brute force
attacks. The strength of a password is a combination of its length and complexity,
which help determine its ability to withstand a brute force attack. Using best-practice
policies for passwords can greatly enhance their strength; use passwords of at least 10
characters and at least one uppercase and lowercase letter, one number and one special
character, and systems that allow case-sensitive passwords.
• Dictionary Attacks—The dictionary password attack, or simply dictionary attack, is a
variation of the brute force attack that narrows the field by using a dictionary of
18 Chapter 1
common passwords and includes information related to the target user, such as names
of relatives or pets, and familiar numbers such as phone numbers, addresses, and even
Social Security numbers. Organizations can use similar dictionaries to disallow pass-
words during the reset process and thus guard against passwords that are easy to
guess. In addition, rules requiring numbers and special characters in passwords make
the dictionary attack less effective.
• Rainbow Tables—A far more sophisticated and potentially much faster password
attack is possible if the attacker can gain access to an encrypted password file, such as
the Security Account Manager (SAM) data file. While these password files contain
hashed representations of users’ passwords—not the actual passwords, and thus cannot
be used by themselves—the hash values for a wide variety of passwords can be looked
up in a database known as a rainbow table. These plain text files can be quickly
searched, and a hash value and its corresponding plaintext value can be easily located.
• —While social engineering is discussed in detail
—
Social Engineering Password Attacks—While
later in the section called “Human Error or Failure,” it is worth mentioning here as a
mechanism to gain password information. Attackers posing as an organization’s IT
professionals may attempt to gain access to systems information by contacting low-
level employees and offering to help with their computer issues. After all, what
employee doesn’t have issues with computers? By posing as a friendly and helpful
helpdesk or repair technician, the attacker asks employees for their usernames and
passwords, then uses the information to gain access to organizational systems. Some
even go so far as to actually resolve the user’s issues. Social engineering password
attacks are much easier than hacking servers for password files.
Forces of Nature Forces of nature, sometimes called acts of God, can present some of
the most dangerous threats because they usually occur with little warning and are beyond
the control of people. These threats, which include events such as fires, floods, earthquakes,
and lightning as well as volcanic eruptions and insect infestations, can disrupt not only peo-
ple’s lives but the storage, transmission, and use of information. Because it is not possible to
avoid threats from forces of nature, organizations must implement controls to limit damage
and prepare contingency plans for continued operations, such as disaster recovery plans,
business continuity plans, and incident response plans, as discussed in Chapter 10.
Another term you may encounter, force majeure, is roughly translated as “superior force,”
which includes forces of nature as well as civil disorder and acts of war. Most forces of
nature can only be mitigated through casualty or business interruption insurance, although
careful facilities design and placement can reduce the likelihood of damage to an organiza-
tion’s systems, buildings, or local infrastructure. Some typical force of nature attacks include
the following:
• Fire—The ignition of combustible material; damage can also be caused by smoke from
fires or by water from sprinkler systems or firefighters.
• Flood Water overflowing into an area that is normally dry, causing direct damage,
Flood—
and subsequent indirect damage from high humidity and moisture.
• Earthquake—A sudden movement of the earth’s crust caused by volcanic activity or
the release of stress accumulated along geologic faults.
• Lightning An abrupt, discontinuous natural electric discharge in the atmosphere,

Lightning—
which can cause direct damage through an electrical surge or indirect damage from 1
fires. Damage from lightning can usually be prevented with specialized lightning rods
and by installing special electrical circuit protectors.
• Landslide or Mudslide—The downward slide of a mass of earth and rock. Landslides
or mudslides also disrupt operations by interfering with access to buildings.
• Tornados or Severe Windstorms—Violent wind effects in which air moves at destruc-
tively high speeds, causing direct damage and indirect damage from thrown debris. A
tornado is a rotating column of whirling air that can be more than a mile wide. Wind
shear is a much smaller and linear wind effect, but it can have similar devastating
consequences.
• Hurricanes, Typhoons, and Tropical Depressions—Severe tropical storms that commonly
originate at sea and move to land, bringing excessive rainfall, flooding, and high winds.
• Tsunami A very large ocean wave caused by an underwater earthquake or volcanic
Tsunami—
eruption; it can reach miles inland as it crashes into land masses.
• Electrostatic Discharge (ESD)—Also known as static electricity, and usually little more
than a nuisance. However, an employee walking across a carpet on a cool, dry day can
generate up to 12,000 volts of electricity, and sensitive electronics can suffer damage
from as little as 10 volts.6
• Dust Contamination—Can dramatically reduce the effectiveness of cooling mechanisms
and potentially cause components to overheat. Specialized optical technology, such as
CD or DVD drives, can suffer failures due to excessive dust contamination inside
systems.
Key Terms
advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which
an organization or some third party indicates that the recipient is due an exorbitant amount of
money and needs only a small advance fee or personal banking information to facilitate the
transfer.
phishing: A form of social engineering in which the attacker provides what appears to be a
legitimate communication (usually e-mail), but it contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract personal or confidential
information.
pretexting: A form of social engineering in which the attacker pretends to be an authority
figure who needs information to confirm the target’s identity, but the real object is to trick the
target into revealing confidential information. Pretexting is commonly performed by telephone.
social engineering: The process of using social skills to convince people to reveal access
credentials or other valuable information to an attacker.
spear phishing: Any highly targeted phishing attack.
Human Error or Failure This category includes acts performed without intent or mali-
cious purpose or in ignorance by an authorized user. When people use information systems,
mistakes happen. Similar errors happen when people fail to follow established policy.
20 Chapter 1
Inexperience, improper training, and incorrect assumptions are just a few things that can cause
human error or failure. Regardless of the cause, even innocuous mistakes can produce exten-
sive damage.
One of the greatest threats to an organization’s information security is its own employees, as
they are the threat agents closest to the information. Because employees use data and infor-
mation in everyday activities to conduct the organization’s business, their mistakes represent
a serious threat to the confidentiality, integrity, and availability of data—even relative to
threats from outsiders. Employee mistakes can easily lead to revelation of classified data,
entry of erroneous data, accidental deletion or modification of data, storage of data in
unprotected areas, and failure to protect information. Leaving classified information in
unprotected areas, such as on a desktop, on a Web site, or even in the trash can, is as
much a threat as a person who seeks to exploit the information, because the carelessness
can create a vulnerability and thus an opportunity for an attacker. However, if someone
damages or destroys data on purpose, the act belongs to a different threat category.
Human error or failure often can be prevented with training, ongoing awareness activities,
and controls. These controls range from simple activities, such as requiring the user to type
a critical command twice, to more complex procedures, such as verifying commands by a
second party. An example of the latter is the performance of key recovery actions in PKI
(public key infrastructure) systems. Many military applications have robust, dual-approval
controls built in. Some systems that have a high potential for data loss or system outages
use expert systems to monitor human actions and request confirmation of critical inputs.
Some common types of human error include the following:
• Engineering—In the context of information security, social engineering is used
Social Engineering
by attackers to gain system access or information that may lead to system access. There
are several social engineering techniques, which usually involve a perpetrator posing as
a person who is higher in the organizational hierarchy than the victim.
• Fraud—Another social engineering attack called the advance-fee fraud
Advance-fee Fraud
(AFF), internationally known as the 4-1-9 fraud, is named after a section of the Niger-
ian penal code. The perpetrators of 4-1-9 schemes often use the names of legitimate
companies, such as the Nigerian National Petroleum Company. Alternatively, they may
invent other entities, such as a bank, government agency, long-lost relative, lottery, or
other nongovernmental organization.
• Phishing Some attacks are sent by e-mail and may consist of a notice that one’s
Phishing—
e-mail storage allotment has been exceeded. The user is asked to log in, to run a test
program attached to the e-mail, or even to log into their “bank” account (spoofed by
the attacker) to verify their balance. While these attacks may seem crude to experienced
users, the fact is that many e-mail users have fallen for them. These tricks and similar
variants are called phishing attacks.
Phishing attacks use two primary techniques, often in combination with one another: URL
manipulation and Web site forgery. In URL manipulation, attackers send an HTML
embedded e-mail message or a hyperlink whose HTML code opens a forged Web site. In
Web forgery, the attacker copies the HTML code from a legitimate Web site and then
modifies key elements. When victims type their banking ID and password, the attacker
records that information and displays a message that the Web site is now offline. 1
Spear Phishing
Phishing—While normal phishing attacks target as many recipients as possi-
ble, spear phishing involves an attacker sending a targeted message that appears
to be from an employer, a colleague, or other legitimate correspondent to a small
group or even one person.
Pretexting Pretexting, sometimes referred to as phone phishing, is a purely social
Pretexting—
engineering attack in which the attacker calls a potential victim on the telephone
and pretends to be an authority figure in order to gain access to private or confi-
dential information, such as health, employment, or financial records.
For more information on the preceding attacks and other fraudulent cyberattacks, visit the FBI’s
high-tech (cyber) crimes Web site at www.fbi.gov/about-us/investigate/cyber.
Key Terms
information extortion: The act of an attacker or trusted insider who steals information from a
computer system and demands compensation for its return or for an agreement not to disclose
the information. Also known as cyberextortion.
ransomware: A specialized form of information extortion where the victim’s data is encrypted
by malware and the victim is offered the return of their data only if they pay the attacker.
Information Extortion Information extortion, also known as cyberextortion, is com-

mon in the theft of credit card numbers. In 2010, Anthony Digati allegedly threatened to con-
duct a spam attack on the insurance company New York Life. He reportedly sent dozens of e-
mails to company executives threatening to conduct a negative image campaign by sending
over 6 million e-mails to people throughout the country. He then demanded approximately
$200,000 to stop the attack, and next threatened to increase the demand to more than $3 mil-
lion if the company ignored him. His arrest thwarted the spam attack.
In 2012, a programmer from Walachi Innovation Technologies allegedly broke into the
organization’s systems and changed the access passwords and codes, locking legitimate
users out of the system. He then reportedly demanded $300,000 in exchange for the new
codes. A court order eventually forced him to surrender the information to the organiza-
tion. In Russia, a talented hacker created malware that installed inappropriate materials
on an unsuspecting user’s system, along with a banner threatening to notify the authorities
if a bribe was not paid. At 500 rubles (about $17), victims in Russia and other countries
were more willing to pay the bribe than risk prosecution by less considerate law
enforcement.7
Recent information extortion attacks have involved specialized forms of malware known as
ransomware that encrypt the user’s data and offer to unlock it if the user pays the attacker.
Loss events to victims of the Cryptowall ransomware are from ransom payments ranging
from $200 to $10,000 per incident as well as costs for lost productivity, legal fees, and
other recovery expenses.8
Another random document with
no related content on Scribd:
Neger-Engelsch. Nederlandsche vertaling.
6. Te brafoe fájà, joe de téki 6. Als de soep heet is,
spoen de driéngi hem, ma gebruikt men een lepel,
te a kóuroe, han sa wakka maar als zij koud is, steekt
na ini. men er de hand in. De zin
is: Den zachtzinnige durft
men aan, den driftige
ontziet men.[380]
7. Joe sa kìbri óuwroe 7. Ge zult een oude bes
mamá, ma joe no sa kìbri (vrouw) verbergen, maar
hém froekóutoe. haren hoest kunt ge niet
verbergen; d.i. de aap
komt altijd uit de mouw.
8. Grabóe njanjám, ma no 8. Grabbel naar spijs, maar
grabóe taki. niet naar praatjes.
9. Tángi foe boen da kódja. 9. Stank voor dank.
10. Tóngo tjári hem mássra na 10. De tong voert haren
boen, atjári hem mássra meester tot geluk, maar
na ógri toe. brengt hem ook dikwerf in
het ongeluk.
11. Tódo táki, iffi joe de táki 11. De kikvorsch zegt: zoo er
foe gogó, mi no kan piki, van billen gesproken
mára iffi joe de taki foe wordt, kan ik niet
hai, mi kon piki. meespreken, maar als ge
over oogen handelt, zal ik
U te woord staan.
12. Sáni móro keeskési, a 12. Als de aap in de
brasà makà. benauwdheid zit, omvat hij
den doornstruik.
Neger-Engelsch. Nederlandsche vertaling.
13. Joe ha’ prasénsi, joe sa si 13. Als ge geduld hebt, kunt
míra bére. ge de ingewanden van
een mier zien. De zin is:
geduld overwint alles.
14. Bósi swíti, ma a tjári 14. Kussen is zoet, maar baart
sábiso. wel eens berouw.
15. Hattí-bron no de méki wan 15. Gramschap brengt geen
boen pikíen. goed kroost voort.[381]
16. Nanái de háli tetéi, tetéi de 16. De naald trekt de draad en
háli nanái. de draad trekt de naald.
De zin is: Wij hebben
elkander onderling noodig.
17. Móni kabà, kómpe kabà. 17. Als het geld op is, is ’t met
de vrienden gedaan.
18. Te joe tráppoe na míra 18. Wanneer ge in een
hóso, joe sabi ho disi béti mierennest trapt, weet ge
joe. dan, welke mier u gebeten
heeft?
19. Bégi móro bétre léki 19. Bedelen is beter dan
foefóeroe, ma wróko da stelen, maar werken is de
bási. baas!
20. Joe lóbi okró*, joe moe 20. Houdt ge van de okra*,
lóbi hem síri toe. dan moet ge ook van de
pitten houden. De zin is:
Zoo ge van mij houdt,
houdt ge ook van mijn
kinderen.
B. West-Afrika.
a. De Ewe-taal sprekende Negerstammen van de Goudkust.
1. Hij, die geen zitbankje vindt, moet op den grond zitten.
2. Als een mensch geen kleine mat tot zijn beschikking heeft, moet
hij staande slapen.
NB. Beide spreekwoorden worden gebruikt, om uit te drukken, dat

men zich naar de omstandigheden behoort te voegen. [382]
3. Hoewel men twee oogen heeft, ziet men toch geen twee dingen
tegelijk.
4. Men kan niet op twee vogels tegelijk jacht maken.
NB. Deze beide spreekwoorden behooren tot een groep, die moet
leeren, dat men nooit twee dingen tegelijk kan doen.
5. Rijken kunnen slaven koopen, doch niet hun leven.
6. Wanneer een jongen beweert, dat hij water met een touw wil
ophalen, vraag hem dan, of hij het water
NB. Dit spreekwoord wil zooveel zeggen als: Antwoord een dwaas
in overeenstemming met zijn dwaasheden.
7. De vogel in het hok is onbekend met den dag van zijn dood.
8. Geen menschenkind weet, wanneer hij sterven zal.
NB. Beide spreekwoorden werden eertijds gebruikt, om het volk er

aan te herinneren, dat zij er ieder oogenblik aan blootstonden, als
slaven verkocht te worden.
9. Kauris* maken den mensch.
10. De zoon van den vreemdeling maakt het volk toornig.
NB. Dit spreekwoord heeft betrekking op vreemdelingen, die

lachen om de gebruiken van den inboorling. De zoon doelt op de
ervaring, dat jongeren hiertoe eerder geneigd zijn dan menschen
van meer ondervinding.
11. Door babbelpraatjes in de woning blinkt de mensch niet uit.
NB. De zin is: Daden, geen woorden.
12. Hij, die voor zich zelf werkt, kan doen wat hem bevalt.
13. De mond zegt een menigte dingen, die het hart niet uitbrengen
kan. [383]
14. Steenen zijn zwaar, doch de steenen stamper is nog zwaarder.
NB. Daar de steen, waarmede het koren wordt gestampt, in

verhouding tot zijn grootte zeer zwaar is, beduidt dit spreekwoord:
Oordeel niet naar den schijn.
b. De Yoruba-taal sprekende stammen der slavenkust.
1. Hij die vergeeft, maakt een einde aan den twist.
2. Een scherp woord is even taai als een boogpees.
NB. De zin is: Een scherp woord kan niet geheeld worden, een
wond wel.
3. Begin niets, wat ge niet tot een goed einde kunt brengen.
4. Hij die een schoonheid huwt, trouwt verdriet en ellende. 1

5. Met fortuin kan men geboren worden, doch wijsheid komt eerst
later.
6. Waar de mensch ook heen trekt, altijd neemt hij zijn karakter meê.
7. Goud moest alleen verkocht kunnen worden aan hem, die de

waarde er van kent.
8. Wanneer ge niemand naar de markt zendt, zal de markt niemand

naar U zenden.
9. Datgene, waarvan een kind houdt, zal zijn maag geen kwaad
doen.
10. Wanneer ge te gauw een vrouw lief hebt, zult ge haar spoedig
niet meer beminnen. [384]
[Inhoud]
II. AVOND OP HET WATER
in Sierra Leone
naar
Florence M. Cronise en Henry W. Ward.
Sobah was een geboren handelsman en als zoodanig het type van
zijn stamgenooten, wier meest op den voorgrond tredende
eigenschappen koopmansgeest was.
Dikwijls had hij ver het land in tochten gemaakt, om waren te
verhandelen en hij had ook nu en dan een bootlading met produkten
naar de markt van Freetown 2 gebracht. Heden kwam de
handelsman weêr bij hem te voorschijn. Nadat hij zich van een
zestal mannen voor den boottocht had verzekerd, besteedde hij den
dag om zijn waren bijeen te brengen en in de boot te laden.
De lading bestond uit manden met rijst, palmolie, peper, kolanoten*,

kleedingstukken van het land, rubber en ivoor. Een witte vogel werd
voor in de boot geplaatst, in de vaste overtuiging, dat diens
tegenwoordigheid een voorspoedige reis zou kunnen verzekeren.
Laat in den namiddag, kort voordat de vloed voor eb plaats maakte

en de stroom meê werd, stak de boot van wal en namen de zes
sterke bootslieden de riemen op, om, den ganschen nacht
doorroeiende, de riviermonding te bereiken. Spoedig bewogen zij
hunne riemen in regelmatigen slag en door de eentonige melodie
van het roeilied schenen de boot, de stroom, de voor- en
achterwaartsche bewegingen der lichamen, en de slag der riemen
tot een onafscheidelijke harmonie van geluid en beweging samen te
smelten.
Wanneer deze eenvoudige zielen evenzoo op de schoone [385]en

verheven natuurtafereelen konden reageeren 3, als zij het doen op de
rythmische bewegingen en de melodieën van het bootgezang,
zouden zij zeker door het panorama zijn aangegrepen, dat bij een
plotselinge rivierbocht in het gezicht kwam.
Groote mangrove-boomen*, die aan beide oevers naar de rivierzijde

heenbogen, strengelden hunne stammen, gedragen door hunne op
stelten gelijkende luchtwortels, hier en daar tot een hoog gewelf
boven den stroom. Laag kreupelhout vulde overal de
tusschenruimten op. Op touwen gelijkende lianen kropen door alles
heen, boomen en struiken in rijken overdaad verstrikkend of in
sierlijke guirlandes uit het groen van de takken der boomen omlaag
hangend.
Waterlelies vormden langs den oever een dichte massa, landwaarts

in een verrukkelijke varen-vegetatie overgaande. Uit de
donkergroene massa op de zandbanken in de rivier verhief zich het
schitterende karmozijnrood van het jonge gebladerte, dat op
bloemen geleek, die de takuiteinden kroonden. Elders ontplooide
zich een wereld van bladeren, eindeloos verschillend in vorm en tint,
die soms aan bloemen deden denken.
Vogels, met de schitterendste kleuren getooid, zweefden hier en

daar tusschen de boomen; apen snapten en kijfden, terwijl hunne
slanke lichamen zich op hooge rietstengels in evenwicht hielden of
uitgestrekt lagen op een bed van mos. Krokodillen koesterden zich
vadzig in de avondzon.
Van de kromming de rivier benedenwaarts beschouwende, geleek

de stroom wel een onafgebroken laan van groen, waartusschen zich
hier en daar slechts een tikje kleur vertoonde. Wanneer de
onheilspellende gedachte aan de [386]tegenwoordigheid van slangen
en krokodillen niet onaangenaam had gestemd, zou deze plek een
stukje tooverland kunnen geweest zijn, zóó stil en zóó eenzaam,
alsof geen menschelijk wezen ooit deze heiligheid had betreden. Het
was voor den ontwikkelden sterveling een plek, om in stille vereering
te blijven wijlen bij den Geest der Oneindigheid.
Maar onze zwarte roeiers in hunne primitieve kleeding hadden nu

geen oog voor al de schoonheid, die zich hier ten toon spreidde,
geen ziel om in trilling te geraken tegenover dit geheiligde
natuurtafereel. Hun gemoed was te veel vervuld van vrees en
bijgeloovigen angst. Voor hun verduisterden geest scheen het een
plek te zijn, waar onzichtbare, booze geesten bij voorkeur ronddolen.
Een krokodil schoot met een zachten plons in het water, en
verdween uit het gezicht. De zon daalde in het Westen neêr en wierp
onheilspellende schaduwen in het dichte gebladerte. De bootslieden
werden van een naamlooze vrees vervuld; hun gezang 4, zoo lang
volgehouden, stierf eindelijk geheel weg, en terwijl zij een zilverstuk
in het water wierpen, om den Geest van de rivier gunstig te
stemmen 5, lichtten zij de riemen uit het water, opdat het geluid, dat
deze maakten, den Geest van deze plek niet zou verontrusten.
Daarop lieten zij zich te midden eener ademlooze stilte door den
stroom meêvoeren, totdat de boot verderop breeder water had
bereikt. Toen weêr vrijer ademend, gingen zij met roeien voort, eerst
langzaam, doch daarna met steeds toenemende kracht, totdat het
geluid der riemen met de echo van het bootgezang volkomen
harmonieerde. [387]
Terwijl bij de eerste teekenen van den aanbrekenden dag de

zandbanken aan de riviermonding bereikt waren, maakte een sterke
zeebries het onmogelijk vooruit te komen, zoodat het gezelschap
zich genoodzaakt zag, voor onbepaalden tijd te stoppen.
Vermoeid van het roeien, den langen nacht door, bereidden zij zich
twee aan twee in minder gemakkelijke houding tot den slaap voor,
waaruit zij eerst na vele uren ontwaakten. Op de met steenen
bedekte plaats vóór in de boot werd nu een vuur aangelegd, en
daarop een overvloedige hoeveelheid rijst en visch gereed gemaakt.
Nadat zij zich nu allen om den grooten rijstpot hadden neêrgezet,
begonnen zij het eten in zulke groote hoeveelheden naar binnen te
werken, als slechts een negermaag kan bevatten.
Gedurende het geheele verdere deel van den dag bleef de zeebries
met slechts een kleine vermindering voortduren, zoodat het hun
duidelijk werd, dat ook de nacht rustend zou moeten worden
doorgebracht, alvorens de reis kon worden hervat. Het avondeten
was een herhaling van den morgen, de hoeveelheid niet
uitgezonderd, en toen zij daarmede gereed waren, hielden zij zich op
hunne eigene bijzondere wijze bezig.
De volle maag bracht een beminnelijke gemoedsstemming te weeg,

en de toenemende schaduwen van den avond wekten bij het volk
een gevoel van saamhoorigheid en gezelligheid op, die de tongen
losmaakt. Het uur was nu gunstig voor vertellingen: het lichaam was
in rust, men verzuimde niets en de nachtelijke duisternis dreef den
geest daar vanzelf heen.
In zulke omstandigheden waren vertellingen onvermijdelijk, en er

was slechts een ingeving voor noodig, om er meê te beginnen.
De buitengewone ruimte, die Dogbah tot zijn beschikking had, om

zooveel rijst te kunnen bergen, waarvan [388]hij kort tevoren bij het
avondeten blijk had gegeven, was een ongezochte aanleiding, om
een korte grap te maken, waarover allen, het slachtoffer inbegrepen,
hartelijk moesten lachen.
Onwillekeurig bracht dit Sobah den ontzettenden eetlust van Heer

Spin in de gedachte, de personificatie van de deugden van den
Neger, maar ook van zijn ondeugden. Met een guitige flikkering in
zijn oog en met een veelzeggende schokschoudering nam Sobah
een meer bevelende houding aan, om zich voor zijn vertelling voor te
bereiden.
De mannen, gewoon, om de helft hunner gesprekken door meer of

minder geheime teekens te voeren, begrepen dadelijk, wat er komen
ging, en zetten zich in luisterende houdingen neêr.
De vertelling was vol leven en beweging, en bracht spoedig zoowel

den verteller als de luisteraars in de stemming, die de vertelavonden,
nog beter vertelnachten bij de negers kenmerkten.
Nadat Sobah een tweetal vertellingen had gedaan, waarnaar de
mannen met aandacht geluisterd hadden, en die hen herhaaldelijk in
onbedaarlijke lachbuien hadden doen uitbarsten, begon hij in zijn
geheugen naar een of anderen daad van vriend Spin te zoeken,
waardoor de weinig eervolle rol, die deze kleine held in de beide
vertellingen had gespeeld, eenigzins zou kunnen worden
goedgemaakt.
Met een „Wel! Spin, sterke kerel!” beantwoordde hij eenigzins vinnig
een minachtende opmerking van Dogbah, en als protest tegen diens
uitdagende bewering, begon hij het wonderbaarlijke heldenfeit van
Heer Spin te vertellen bij een wedstrijd in sterkte tusschen Olifant en
Hippopotamus 6: [389]
Spin, Olifant en Hippopotamus.
„In Afrika heerschte er hongersnood. Ook de dieren konden geen

voedsel vinden, want tengevolge van langdurige droogte was het
gras verschroeid, waren de planten verdord.
In die troostelooze wereld ontmoette Spin op zekeren dag Olifant.

„Wel! Hoe gaat het?” vroeg Spin. „Niet best”, antwoordde Olifant.
„Maar, wat ik zeggen wil, hoe kom jij aan den kost? Ik heb al in
dagen niets gegeten”.
Spin, die niets bezat en van den honger rammelde, wilde dit echter
niet laten blijken en zei dus: „Het is waar, alles ziet er dor en dood
uit, maar ik zal spoedig wel een gelegenheid vinden, om mij en mijn
gezin rijkelijk van voedsel te voorzien”. „Als je dus een plaats vind”—
liet Olifant er op volgen, „verzuim dan niet, mij dadelijk te roepen”.
Spin beloofde dit op zijn woord van waarachtig. „Het gaat mij aan het
hart, je zoo mager te zien” zei Spin, „je wordt met den dag kleiner.
Vroeger was je zoo reusachtig groot en dik en nu ben je haast van
mijn postuur. Je ziet er uit, of je te veel drinkt. Ik geloof stellig, dat ik
in staat ben, je van den wal in de rivier te trekken”.
Olifant begreep niet, dat Spin hem een poets wilde bakken en het op
zijn leven gemunt had; de goede slungel ging daarom gaarne op de
uitdaging van Spin in en riep uit: „Ik zal je toonen, wie sterker is; kom
maar op!”
„Goed”, zei Spin, „we zullen touwtrekken en ik zal voor een mooi, dik
touw zorgen”.
Hij ging nu naar het bosch op zoek naar een liaan*, een boschtouw,
en vond er al spoedig een, zoo dik als een krokodillenkop. Hij sneed
dit af en bracht het naar den rivieroever. Daar keek hij uit naar vriend
Hippopotamus*, en toen hij dezen zwemmende ontdekte, riep hij
hem toe: „Wedden, dat ik sterker ben dan jij en je uit het water trek?”
[390]
Hippopotamus begon te lachen en antwoordde: „Wat een bluffer ben

je toch; je bent immers veel te klein voor zoo iets. Met mijn kleinen
teen 7 trek ik jou met gemak van den kant in de rivier”.
„Best”, zei Spin. „We zullen zien. Wanneer zullen we de proef

nemen?”
„Morgen ochtend”, riep Hippopotamus terug.
„Afgesproken”, riep Spin, „ik zal het trektouw wel meêbrengen”.
Spin liep daarop het bosch in naar Olifant en maakte met hem
dezelfde afspraak voor den volgenden morgen.
De beide groote dieren hadden in het minst geen vermoeden, dat zij
tegen elkaar zouden moeten trekken.
Spin stond op de afgesproken plaats en was met het boschtouw

gereed, bond het eene einde daarvan om Olifant, het andere om
Hippopotamus, en zorgde dat zij elkander niet konden zien. Toen hij
nu zoover gereed was, riep hij de dieren, die met de koppen van
elkander afgewend stonden, toe: „houd je gereed; ik begin nu te
trekken!”
Spin plaatste zich nu in het midden van het touw, deed er een ruk
aan en kroop toen achter een boom weg.
De twee reusachtig sterke dieren begonnen nu met alle macht te

trekken. Zij trokken en rukten, tot zij bijna niet meer konden. Spin
vuurde hen voortdurend aan met zijn geschreeuw. Geen van beiden
wilde het opgeven en zij trokken zóó lang, tot zij buiten adem waren.
Hun ijdelheid belette hen te erkennen, dat Spin de sterkere was.
Maar de ijdelheid werd hen noodlottig, want na lang worstelen,

vielen zij beiden dood neêr”.— — — — — — — — — — — — — —
————————
Woorden alleen kunnen geen juisten indruk geven van [391]de

werkelijkheid. Sobah wist dezen ook niet bij zijn schildering van den
wonderlijken strijd teweeg te brengen, want, geheel medelevend met
de toenemende spanning van het verhaal, was hij overeind gaan
staan, en ging hij nu zóó geheel op in den strijd, dien hij schilderde,
dat hij door toon, blik en gebaar op ieder moment van den
verschrikkelijken strijd reageerde, totdat hij bij het van vermoeienis
dood neêrvallen der beide strijders eveneens op zijn zitbank uitgeput
neêrzonk.
Het was een zeldzaam stukje ongeoefende welsprekendheid. De
lange pauze, die de verteller op den dood der beide groote dieren
liet volgen, was noodig om de gespannen aandacht weder te
vestigen op het slot van het verhaal. Daarna ging hij tot een zachter
stemming over, toen hij aldus vervolgde:
„Spin was in zijn nopjes, toen hij de dieren zag bezwijken, en hij riep uit:
„Jullie heeten sterker dan ik, maar dat is mis hoor! Ik ben sterker, omdat ik
meer verstand heb”. 8 Toen nam hij de dieren op en bracht ze een voor
een naar een veilige plaats”.
Dit was een wonderbaarlijk heldenfeit, zelfs voor Heer Spin zelf, en
Sobah wierp een blik uit een zijner ooghoeken, om te zien, hoe dit
feit door zijn toehoorders ontvangen was geworden. Op hun gelaat
stond duidelijk te lezen: „hoe kan dat? Zoo’n kleine spin kan toch
geen olifant dragen!” De verteller had echter zijn antwoord dadelijk
gereed en zei:
„Toch is het zoo! Spin is te lui om te werken; de [392]lichtste taak valt hem
zwaar, maar geroofd voedsel kan hij altijd tillen. Spin droeg dus de dieren
naar een plaats, waar hij ze kon villen en in stukken hakken. Hij liet nu
dieren aanrukken, om hem bij te staan en het vleesch naar huis te
brengen. Zijn helpers beloonde hij op keurige wijze met afval van Olifant
en Spin en zijn gezin leefden nu rijkelijk van het door list verkregen
voedsel, totdat de hongersnood langzamerhand uit het land verdwenen
was”.
„Vóór dien tijd”, moeten jelui weten, „leefden er nog geen visschen in het
water. Toen Spin zijn gedoode dieren had afgehakt en het vleesch had
weggedragen, wierp hij de rest van den afval in de rivier en ziet, toen
kwamen er visschen te voorschijn. Zoo is dus Spin eigenlijk de schepper
der visschen geworden, en zoo heeft alles wat visch eet, veel aan hem te
danken”. 9
Deze geheel nieuwe verklaring van den oorsprong der in het water
zoo overvloedig voorkomende dieren, scheen voor het kinderlijke
brein der zwarte bootslieden niet zoo heel ongeloofelijk. Het water
rondom hun boot wemelde op dat oogenblik van visschen, 10 en als
Spin ze niet had voortgebracht, wie had het dan gedaan?
Hobahky, voor wiens neus de geur van een dampenden vischpot

een heerlijkheid was, uitte dadelijk zijn gevoelens met: „Spin, goed
man is; hij gemaakt heeft visch, en wij kan eet die!”
Oleemah was geneigd, geloof te schenken aan het verhaal van Spin,
en vereerde in stilte zijn Held, die door zijn behendigheid en list voor
zich en zijn familie gedurende den hongersnood aan eten had weten
te komen. [393]
In dien tusschentijd was de wind verminderd, en naar een gunstiger

kant gedraaid. De wolken, die de maan in den vroegen avond
verduisterd hadden, waren opgetrokken. De volle maan verspreidde
zijn zilveren glans over het water en Sobah, die met zijn geoefend
oog den toestand van weêr en water had geïnspecteerd, besliste,
dat het oogenblik nu gunstig was, om de reis voort te zetten.
De kleine mast werd nu omhoog gezet, het zeil geheschen en

onmiddellijk daarop joegen de mannen voort in de richting van
Freetown, hunne gedachten aan Spin voor minder inspannende uren
bewarende.
[Inhoud]
III. DIEREN-FABEL 11,
verteld door een Bantoe-neger van den Mpongwe-stam in Libreville,

hoofdplaats aan de Gaboon-rivier, naar den Engelschen tekst van
Robert H. Nassau (N.).
Wie zijn Krokodil’s verwanten?
Personen:
Ngando (Krokodil).
Sinyani (Vogels).
Sinyama (Beesten). 12
Krokodil was oud. Ten slotte stierf hij. Snel verspreidde zich het
nieuws van zijn dood onder de Beesten. Zijn verwanten en vrienden
begaven zich naar de Droefheid. Nadat een daartoe vastgesteld
aantal dagen was verstreken, werd de vraag omtrent de verdeeling
van zijn eigendommen besproken. Dadelijk reeds ontstond er
oneenigheid over de vraag, wie zijn naaste verwanten waren. [394]
De stam der Vogels zei: „Hij behoort tot den onzen en wij zijn dus de
eenigen, die op de eigendommen aanspraak maken”.
Hun eisch werd besproken, waarna de anderen vroegen:
„Waarop gronden jullie de verwantschap? Jullie dragen veêren, en

geen beschermende platen, zooals hij”.
De vogels antwoordden: „Het is waar, hij droeg onze veêren niet,

maar jullie moeten niet kijken naar wat hij bij zijn leven droeg.
Oordeel naar wat hij was, toen zijn leven begon. Kijk! Hij begon
immers net als wij. Wij gelooven in eieren. Zijn moeder bracht hem
als ei ter wereld. Hij is onze naaste verwante, en wij zijn dus zijne
erfgenamen”.
Maar de Beesten zeiden: „Niet waar! Wij zijn zijn verwanten, en zijn
eigendommen moeten onder ons verdeeld worden”.
Toen kwam de groote Dierenraad bijeen, en deze vroeg aan de

Beesten, op welken grond zij dan hunne verwantschap wilden
aantoonen en welk antwoord zij konden geven op het argument der
vogels met betrekking tot den oorsprong van den Krokodil uit een ei.
De Beesten zeiden: „Wij verklaren, dat het stamkenteeken in het

begin moet gezocht worden, niet in een ei. Want alle wezens vangen
als eieren aan. Leven is het oorspronkelijke begin. Kijk? Wanneer
het leven werkelijk in het ei begint, dan is het stamkenteeken
duidelijk. Toen Ngando’s leven begon, had hij vier pooten, evenals
wij. Wij oordeelen naar pooten, niet naar eieren. Alzoo is hij onze
verwante. En wij zullen zijne eigendommen nemen”.
Maar de Vogels antwoordden: „Jullie beweren, dat wij zijn verwanten

niet zijn, omdat wij veêren hebben en geen Ngando-platen. Maar,
jullie, kijk naar je zelf! Oordeel naar je eigen woorden. Ook jullie
dragen geen Ngando-platen, jullie met jelui haar en dik vel! Jelui
woorden zijn [395]niet juist. Het begin van zijn leven was niet, zooals
jelui zeggen, het oogenblik, toen de ledematen van de kleine
Ngando ontsproten. Reeds daarvóór was er al leven in het ei. En zijn
ei was geheel als ons ei, niet wat jullie eieren gelieven te noemen.
Jullie zijn dus zijn verwanten niet. Hij behoort bij ons”.
Maar de Beesten bleven redetwisten; het gekrakeel bleef heen en

weêr gaan en kwam nooit tot een einde 13. [396]
1 Dit spreekwoord komt merkwaardig overeen met het Fransche: Les belles
femmes, il faut les aimer, les épouser jamais. ↑
2 Hoofdstad van Sierra Leone. ↑
3 Dat hiermede niet bedoeld kan zijn de ongevoeligheid van den Neger voor de
schoonheden der natuur in algemeenen zin, weet hij wel beter, die met negers
dagen achtereen te midden eener weelderige tropische natuur verkeerd heeft. (C.
b. en f). ↑
4 Opgemerkt mag worden, dat de zang der Afrikaansche Negers, evenals die der
Surinaamsche Boschnegers (C.a.) van meer primitieven aard is dan die der
Negers van Jamaica, waarin de invloed van Engelsche melodieën vaak duidelijk te
herkennen is. (J.e. blz. 278–288). ↑
5 Zie blz. 29 en No. 19 en 31 van de Surinaamsche Stadsneger-vertellingen en
No. 18 der Indiaansche serie. ↑
6 Vergelijk No. 17 der Stadsneger-vertellingen. ↑
7 De vier van hoeven voorziene teenen zijn allen even groot, zoodat bij hem van
een kleinen teen geen sprake is. ↑
8 Hier brengt de Neger weder zijn overtuiging tot uiting, dat de mensch door zijn
verstand over de sterkste dieren het overwicht heeft verkregen (zie blz. 205). ↑
9 Met dergelijke eenvoudige verklaringen voor het ontstaan van het geschapene
is de kinderlijke neger volkomen tevreden. Dat het op andere wijze ontstaan
kan zijn, komt in zijn brein niet op. ↑
10 Dit doet denken aan den enormen vischrijkdom van de Surinaamsche rivieren
(C. b., blz. 43, 48, 90 en 93). ↑
11 In deze fabel wordt de vraag behandeld: Hoe is het leven begonnen? ↑
12 Opmerking verdient het, dat, evenals bij de Indianen (zie blz. 17), hier de vogels
tegenover de overige dieren worden geplaatst. ↑
13 De Afrikaansche inboorling is zeer gevoelig in kwesties van gelijkheid of
verschil in rang en leeftijd. ↑
[Inhoud]
VERKLAREND REGISTER 1.
N.B. In dit register zijn de volgende afkortingen gebruikt:
A = Arowakken of Arowaksch. N = Negers.

B = Boschnegers. N.E. = Neger-Engelsch.
C = Caraïben of Caraïbisch. S = Suriname en Surinaamsch.
G = Guyana. Z = Zie.
I = Indianen of Indiaansch. a = aldaar.
De tusschen haakjes geplaatste letters hebben ook hier betrekking op

de geschriften, in het litteratuuroverzicht genoemd.
[Inhoud]
A.
Aardeten of geophagie is een ziekteverschijnsel, dat zich uit in het

eten van aarde, stukken griffels, krijt enz. In S. komt het veel voor bij
lijders aan mijnwormziekte (Anchylostomiasis). In den slaventijd
kregen de „grondvreters” maskers voor den mond. Dit grondeten is
vermoedelijk een verschijnsel der bedoelde mijnwormziekte,
veroorzaakt door een parasitischen rondworm (Anchylostoma
duodenalis). De lijders aan deze ziekte, die ook veel bij immigranten
voorkomt, en waaraan kinderen veelal sterven, worden bleek en
voelen zich zeer vermoeid. De hartwerking is verhoogd en de eetlust
gestoord.
Aars. Uitmonding van het darmkanaal, waardoor de faeces verwijderd
worden.
Aboma. N.E. naam voor Anaconda (Z. a.).
Abonjera. N.E. naam voor een plant (Sesamum indicum L.) uit de
fam. der Pedaliaceën, waarvan het zaad, in koekjes gebakken,
gegeten wordt. Ook olie wordt uit het zaad geperst (Sesam-olie).
Acouri, ook wel Agoeti (in het N.E. Koni-Koni) genoemd, is een
knaagdier (Dasyprocta agoeti), dat in holle boomen huist en van
wortels en vruchten leeft. Het vleesch is smakelijk.
Agoeti. Zie Acouri.
Alligator. In G. komen drie soorten van dit Krokodillengeslacht voor.

De soorten van dit geslacht, ook Kaaiman (Kaikoetji der A.) genoemd,
worden 1.20 M. tot 2.60 M. lang en zijn voor den mensch niet
gevaarlijk.
Amalivaca. Mythische Held, die door de C., meer in het bijzonder door
de Tamanaca’s, een oorspronkelijken stam der C., vereerd wordt.
Anaconda. De grootste slang van G., ook wel Waterboa genoemd. De

A. (Eunectes murinus) wordt 6–8 M., soms 10 M. lang en leeft in de
nabijheid van het water. Zie Aboma en Camoedi.
Ananas. Schijnvrucht van Ananas sativus, bevat geen zetmeel, doch

veel suiker. De I. Ananas heeft wit vleesch, is ronder en minder geurig.
Animisme is de bij primitieve volken heerschende voorstelling, dat alle

[397]natuurverschijnselen uitingen zijn van persoonlijke, denkende,
willende wezens. Alle bewerktuigde en onbewerktuigde wezens
hebben volgens hen een eigen ziel (anima) of geest. De zielen of
geesten hebben volgens dit geloof het vermogen, het dier, de plant of
het voorwerp, waarin zij huizen, te verlaten en vrij rond te dolen.

Management of Information Security 5Th Edition Michael E Whitman Online Ebook Texxtbook Full Chapter PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Management of Information Security 5Th Edition Michael E Whitman Online Ebook Texxtbook Full Chapter PDF

Uploaded by

Copyright:

Available Formats

Management of Information Security

5th Edition Michael E. Whitman

Principles of Information Security 7th Edition Michael

Information Security Management 2nd Edition Workman

Of the People 5th Edition Michael E. Mcgerr

Principles of Incident Response & Disaster Recovery

Fundamentals of Information Systems Security 4th

ISO/IEC 27001:2022: Information security, cybersecurity

International security politics policy prospects 2nd

Access Control and Identity Management Information

Michael Whitman, Ph.D., CISM, CISSP

Australia • Brazil • Mexico • Singapore • United Kingdom • United States

Vice President, Marketing Services: Jennifer

Cengage Learning products are represented in Canada by

To learn more about Cengage Learning, visit www.cengage.com.

Notice to the Reader

Printed in the United States of America

Organizational Liability and the Need for Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Guidelines for Effective Policy Development and Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Standards of Due Care/Due Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Testing Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Managing Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Why This Text Was Written

Chapter 2—Compliance: Law and Ethics

Chapter 3—Governance and Strategic Planning for Security

Chapter 4—Information Security Policy

Chapter 5—Developing the Security Program

Chapter 6—Risk Management: Identifying and Assessing Risk

Chapter 7—Risk Management: Controlling Risk

Chapter 8—Security Management Models

Chapter 9—Security Management Practices

Chapter 10—Planning for Contingencies

Chapter 11—Personnel and Security

Chapter 12—Protection Mechanisms

New to This Edition

Introduction to the Management

• Describe the importance of the manager’s role in securing an organization’s

Confidentiality Integrity Availability

Figure 1-1 Components of information security

CNSS Security Model

Storage | Processing | Transmission Storage | Processing | Transmission

Figure 1-2 CNSS security model1

The Value of Information and the C.I.A. Triad

Confidentiality Confidentiality means limiting access to information only to those who

Figure 1-3 The C.I.A. triad

In the new world of Internet-connected systems, even organizations we would expect to be

Integrity The integrity or completeness of information is threatened when it is exposed to

Authentication Authentication is the process by which a control establishes whether a

Authorization After the identity of a user is authenticated, a process called authoriza-

Accountability Accountability of information occurs when a control provides assurance

Key Concepts of Information Security: Threats and Attacks

Exploit: Script from MadHackz

Attack: Ima Hacker downloads an exploit from MadHackz

Figure 1-4 Key concepts in information security

The 12 Categories of Threats

Category of Threat Attack Examples

Compromises to intellectual property Piracy, copyright infringement

Table 1-1 The 12 categories of threats to information security5

Compromises to Intellectual Property Many organizations create or support the

Deviations in Quality of Service An organization’s information system depends on

Espionage or Trespass Espionage or trespass is a well-known and broad category of

• Lightning An abrupt, discontinuous natural electric discharge in the atmosphere,