Professional Documents
Culture Documents
Management of Information Security 5Th Edition Michael E Whitman Online Ebook Texxtbook Full Chapter PDF
Management of Information Security 5Th Edition Michael E Whitman Online Ebook Texxtbook Full Chapter PDF
https://ebookmeta.com/product/principles-of-information-
security-7th-edition-michael-e-whitman/
https://ebookmeta.com/product/information-security-
management-2nd-edition-workman/
https://ebookmeta.com/product/of-the-people-5th-edition-michael-
e-mcgerr/
https://ebookmeta.com/product/principles-of-incident-response-
disaster-recovery-mindtap-course-list-3rd-edition-michael-e-
whitman-herbert-j-mattord/
Foundations of Library and Information Science 5th
Edition Richard E. Rubin
https://ebookmeta.com/product/foundations-of-library-and-
information-science-5th-edition-richard-e-rubin/
https://ebookmeta.com/product/fundamentals-of-information-
systems-security-4th-edition-david-kim-michael-g-solomon/
https://ebookmeta.com/product/iso-iec-270012022-information-
security-cybersecurity-and-privacy-protection-information-
security-management-systems-requirements-3rd-edition-iso/
https://ebookmeta.com/product/international-security-politics-
policy-prospects-2nd-edition-michael-e-smith/
https://ebookmeta.com/product/access-control-and-identity-
management-information-systems-security-assurance-3rd-edition-
mike-chapple/
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
This is an electronic version of the print textbook. Due to electronic rights restrictions,
some third party content may be suppressed. Editorial review has deemed that any suppressed
content does not materially affect the overall learning experience. The publisher reserves the right
to remove content from this title at any time if subsequent rights restrictions require it. For
valuable information on pricing, previous editions, changes to current editions, and alternate
formats, please visit www.cengage.com/highered to search by ISBN, author, title, or keyword for
materials in your areas of interest.
Important notice: Media content referenced within the product description or the product
text may not be available in the eBook version.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Management of Information Security
Fifth Edition
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Management of Information Security, © 2017, 2014, 2010 Cengage Learning
Fifth Edition
ALL RIGHTS RESERVED. No part of this work covered by the copyright
Michael E. Whitman and Herbert J. Mattord herein may be reproduced or distributed in any form or by any means,
SVP, GM Skills & Global Product Management: except as permitted by U.S. copyright law, without the prior written
permission of the copyright owner.
Dawn Gerrain
Product Director: Kathleen McMahon SOURCE FOR ILLUSTRATIONS: Copyright © Cengage Learning.
Product Team Manager: Kristin McNary All screenshots, unless otherwise noted, are used with permission from
Associate Product Manager: Amy Savino Microsoft Corporation. Microsoft® is a registered trademark of the
Microsoft Corporation.
Senior Director, Development: Marah
Bellegarde
For product information and technology assistance, contact us at
Product Development Manager: Leigh
Cengage Learning Customer & Sales Support, 1-800-354-9706
Hefferon
For permission to use material from this text or product,
Managing Content Developer: Emma Newsom submit all requests online at www.cengage.com/permissions.
Senior Content Developer: Natalie Pashoukos Further permissions questions can be e-mailed to
Product Assistant: Abigail Pufpaff permissionrequest@cengage.com.
Purchase any of our products at your local college store or at our preferred
online store www.cengagebrain.com.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Brief Contents
PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
CHAPTER 1
Introduction to the Management of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
CHAPTER 2
Compliance: Law and Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
CHAPTER 3
Governance and Strategic Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
CHAPTER 4
Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
CHAPTER 5
Developing the Security Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
CHAPTER 6
Risk Management: Identifying and Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
CHAPTER 7
Risk Management: Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
CHAPTER 8
Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
CHAPTER 9
Security Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
CHAPTER 10
Planning for Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
CHAPTER 11
Personnel and Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
CHAPTER 12
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
APPENDIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
iii
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
CHAPTER 1
Introduction to the Management of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
CNSS Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
The Value of Information and the C.I.A. Triad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Key Concepts of Information Security: Threats and Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The 12 Categories of Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
What Is Management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Behavioral Types of Leaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Management Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Solving Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Principles of Information Security Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
CHAPTER 2
Compliance: Law and Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
InfoSec and the Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Types of Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Relevant U.S. Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
International Laws and Legal Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
State and Local Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Policy Versus Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Ethics in InfoSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Ethics and Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Deterring Unethical and Illegal Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Professional Organizations and Their Codes of Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Association for Computing Machinery (ACM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
International Information Systems Security Certification Consortium, Inc. (ISC)2 . . . . . . . . . . . . . . . . . 83
SANS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Information Systems Audit and Control Association (ISACA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Information Systems Security Association (ISSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
v
vi Table of Contents
CHAPTER 3
Governance and Strategic Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
The Role of Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Precursors to Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating a Strategic Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning and the CISO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
The ITGI Approach to Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
NCSP Industry Framework for Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
CERT Governing for Enterprise Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
ISO/IEC 27014:2013 Governance of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Security Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Planning for Information Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Introduction to the Security Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
CHAPTER 4
Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Why Policy?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Policy, Standards, and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Integrating an Organization’s Mission and Objectives into the EISP . . . . . . . . . . . . . . . . . . . . . . . . . 146
EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Example EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Elements of the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Implementing the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
System-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Managerial Guidance SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Technical Specification SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Table of Contents vii
CHAPTER 5
Developing the Security Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Organizing for Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Security in Large Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Security in Medium-Sized Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Security in Small Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Placing Information Security Within an Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Components of the Security Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Information Security Roles and Titles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Chief Information Security Officer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Convergence and the Rise of the True CSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Security Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Security Administrators and Analysts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Technicians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Staffers and Watchstanders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Officers and Investigators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Help Desk Personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Implementing Security Education, Training, and Awareness Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Security Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Security Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Training Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Security Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Project Management in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Projects Versus Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
PMBOK Knowledge Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Project Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
viii Table of Contents
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
CHAPTER 6
Risk Management: Identifying and Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Introduction to Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Knowing Yourself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Knowing the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Accountability for Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Identification and Prioritization of Information Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Threat Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
The TVA Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Risk Assessment and Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Likelihood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Assessing Potential Impact on Asset Value (Consequences) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Percentage of Risk Mitigated by Current Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Risk Determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Likelihood and Consequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Documenting the Results of Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
CHAPTER 7
Risk Management: Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Introduction to Risk Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Risk Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Transference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Managing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Feasibility and Cost–Benefit Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Other Methods of Establishing Feasibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Alternatives to Feasibility Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Recommended Risk Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Qualitative and Hybrid Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Delphi Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The OCTAVE Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Table of Contents ix
CHAPTER 8
Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Introduction to Blueprints, Frameworks, and Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Categories of Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Other Forms of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Security Architecture Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Trusted Computing Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Information Technology System Evaluation Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
The Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Academic Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Bell-LaPadula Confidentiality Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Biba Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Clark-Wilson Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Graham-Denning Access Control Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Harrison-Ruzzo-Ullman Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Brewer-Nash Model (Chinese Wall) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Other Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
The ISO 27000 Series. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
NIST Security Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Control Objectives for Information and Related Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Committee of Sponsoring Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Information Technology Infrastructure Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Information Security Governance Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
CHAPTER 9
Security Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Introduction to Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Benchmarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
x Table of Contents
CHAPTER 10
Planning for Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Introduction to Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Fundamentals of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Components of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Contingency Planning Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Reacting to Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Recovering from Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
The Disaster Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Disaster Recovery Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Disaster Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Planning to Recover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Responding to the Disaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Simple Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Business Continuity Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Continuity Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Timing and Sequence of CP Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Business Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Table of Contents xi
CHAPTER 11
Personnel and Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Introduction to Personnel and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Staffing the Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Information Security Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Information Security Professional Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
(ISC)2 Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
ISACA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
GIAC Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
EC-Council Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
CompTIA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
ISFCE Certifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Certification Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Entering the Information Security Profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Employment Policies and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Hiring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Contracts and Employment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Security as Part of Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Termination Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Personnel Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Security of Personnel and Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Security Considerations for Temporary Employees, Consultants, and Other Workers . . . . . . . . . . . . . . 507
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
CHAPTER 12
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Introduction to Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Access Controls and Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xii Table of Contents
APPENDIX
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems . . . . . . . . . . . . . . . 583
ISO 17799: 2005 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
The OCTAVE Method of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Preface
As global use of the Internet continues to expand, the demand for and reliance on
Internet-based information creates an increasing expectation of access. Modern businesses
take advantage of this and have dramatically increased their Internet presence over the past
decade. This creates an increasing threat of attacks on information assets and a need for
greater numbers of professionals capable of protecting those assets.
To secure these information assets from ever-increasing threats, organizations demand
both breadth and depth of expertise from the next generation of information security prac-
titioners. These professionals are expected to have an optimal mix of skills and experiences
to secure diverse information environments. Students of technology must learn to recog-
nize the threats and vulnerabilities present in existing systems. They must also learn how
to manage the use of information assets securely and support the goals and objectives of
their organizations through effective information security governance, risk management,
and regulatory compliance.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xiii
xiv Preface
provide the student with an in-depth study of information security management. Specifically,
those in disciplines such as information systems, information technology, computer science,
criminal justice, political science, and accounting information systems must understand the
foundations of the management of information security and the development of managerial
strategy for information security. The underlying tenet of this textbook is that information
security in the modern organization is a management problem and not one that technology
alone can answer; it is a problem that has important economic consequences and one for
which management is accountable.
Approach
This book provides a managerial approach to information security and a thorough treatment
of the secure administration of information assets. It can be used to support information
security coursework for a variety of technology students, as well as for technology curricula
aimed at business students.
Certified Information Systems Security Professional, Certified Information Security Manager,
and NIST Common Bodies of Knowledge—As the authors are Certified Information Systems
Security Professionals (CISSP) and Certified Information Security Managers (CISM), these
knowledge domains have had an influence on the design of this textbook. With the influence
of the extensive library of information available from the Special Publications collection at
the National Institute of Standards and Technology (NIST, at csrc.nist.gov), the authors
have also tapped into additional government and industry standards for information security
management. Although this textbook is by no means a certification study guide, much of the
Common Bodies of Knowledge for the dominant industry certifications, especially in the area
of management of information security, have been integrated into the text.
Overview
Chapter 1—Introduction to the Management
of Information Security
The opening chapter establishes the foundation for understanding the field of information
security by explaining the importance of information technology and identifying who is
responsible for protecting an organization’s information assets. Students learn the definition
and key characteristics of information security, as well as the differences between information
security management and general management.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Preface xv
Appendix
The appendix reproduces an essential security management self-assessment model from the
NIST library. It also includes a questionnaire from the ISO 27002 body that could be used
for organizational assessment. The appendix provides additional detail on various risk man-
agement models, including OCTAVE and the OCTAVE variants, the Microsoft Risk Manage-
ment Model, Factor Analysis of Information Risk (FAIR), ISO 27007, and NIST SP 800-30.
Features
Chapter Scenarios—Each chapter opens with a short vignette that follows the same fictional
company as it encounters various information security issues. The final part of each chapter
is a conclusion to the scenario that also offers questions to stimulate in-class discussion.
These questions give the student and the instructor an opportunity to explore the issues that
underlie the content.
View Points—An essay from an information security practitioner or academic is included in
each chapter. These sections provide a range of commentary that illustrate interesting topics
or share personal opinions, giving the student a wider, applied view on the topics in the text.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Preface xvii
Offline Boxes—These highlight interesting topics and detailed technical issues, allowing the
student to delve more deeply into certain topics.
Hands-On Learning—At the end of each chapter, students will find a Chapter Summary and
Review Questions as well as Exercises and Closing Case exercises, which give them the
opportunity to examine the information security arena from an experiential perspective.
Using the Exercises, students can research, analyze, and write to reinforce learning objectives
and deepen their understanding of the text. The Closing Case exercises require that students
use professional judgment, powers of observation, and elementary research to create solu-
tions for simple information security scenarios.
MindTap
MindTap for Management of Information Security is an online learning solution designed to
help students master the skills they need in today’s workforce. Research shows employers
need critical thinkers, troubleshooters, and creative problem-solvers to stay relevant in our
fast-paced, technology-driven world. MindTap helps users achieve this with assignments and
activities that provide hands-on practice, real-life relevance, and mastery of difficult concepts.
Students are guided through assignments that progress from basic knowledge and under-
standing to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on exer-
cises provide real-life application and practice. Readings and “Whiteboard Shorts” support
the lecture, while “In the News” assignments encourage students to stay current. Pre- and
post-course assessments allow you to measure how much students have learned using analyt-
ics and reporting that makes it easy to see where the class stands in terms of progress,
engagement, and completion rates. Use the content and learning path as-is, or pick and
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xviii Preface
choose how the material will wrap around your own. You control what the students see and
when they see it. Learn more at www.cengage.com/mindtap/.
Instructor Resources
Free to all instructors who adopt Management of Information Security, 5e for their courses is
a complete package of instructor resources. These resources are available from the Cengage
Learning Web site, www.cengagebrain.com. Go to the product page for this book in the
online catalog and choose “Instructor Downloads.”
Resources include:
● Instructor’s Manual: This manual includes course objectives and additional informa-
tion to help your instruction.
● Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text’s test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an instant;
and deliver tests from your LMS, your classroom, or wherever you want.
● PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for each
chapter. These slides are meant to be used as a teaching aid for classroom presentations,
to be made available to students for chapter review, or to be printed for classroom dis-
tribution. Instructors are also at liberty to add their own slides.
● Figure Files: Figure files allow instructors to create their own presentations using figures
taken from the text.
● Lab Manual: Cengage Learning has produced a lab manual (Hands-On Information
Security Lab Manual, Fourth Edition) written by the authors that can be used to
provide technical experiential exercises in conjunction with this book. Contact your
Cengage Learning sales representative for more information.
● Readings and Cases: Cengage Learning also produced two texts—Readings and Cases
in the Management of Information Security (ISBN-13: 9780619216276) and Readings
& Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576)—by the
authors, which make excellent companion texts. Contact your Cengage Learning sales
representative for more information.
● Curriculum Model for Programs of Study in Information Security: In addition to the
texts authored by this team, a curriculum model for programs of study in Information
Security and Assurance is available from the Kennesaw State University Center for
Information Security Education (http://infosec.kennesaw.edu). This document provides
details on designing and implementing security coursework and curricula in academic
institutions, as well as guidance and lessons learned from the authors’ perspective.
Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge knowl-
edge from the world of academic study with practical experience from the business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in the Informa-
tion Systems Department, Coles College of Business at Kennesaw State University, Kennesaw,
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Preface xix
Georgia, where he is also the Executive Director of the Center for Information Security Educa-
tion (infosec.kennesaw.edu), Coles College of Business. He and Herbert Mattord are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Readings &
Cases in Information Security: Law & Ethics; Guide to Firewall and VPNs; Guide to
Network Security; Roadmap to the Management of Information Security; and Hands-On
Information Security Lab Manual, all from Cengage Learning. Dr. Whitman is an active
researcher in Information Security, Fair and Responsible Use Policies, and Ethical Computing.
He currently teaches graduate and undergraduate courses in Information Security. He has
published articles in the top journals in his field, including Information Systems Research, the
Communications of the ACM, Information and Management, the Journal of International
Business Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing Machinery,
ISACA, (ISC)2, and the Association for Information Systems. Through his efforts and those
of Dr. Mattord, his institution has been recognized by the Department of Homeland Security
and the National Security Agency as a National Center of Academic Excellence in Information
Assurance Education four times, most recently in 2015. Dr. Whitman is also the Editor-in-
Chief of the Information Security Education Journal, a DLINE publication, and he continually
solicits relevant and well-written articles on InfoSec pedagogical topics for publication. Prior
to his employment at Kennesaw State, he taught at the University of Nevada Las Vegas, and
served over 13 years as an officer in the U.S. Army.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an
application developer, database administrator, project manager, and information security
practitioner in 2002. He is currently an Associate Professor of Information Security in the
Coles College of Business at Kennesaw State University. He and Michael Whitman are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Guide to
Network Security; and Hands-On Information Security Lab Manual, all from Cengage
Learning. During his career as an IT practitioner, Mattord has been an adjunct professor
at Kennesaw State University; Southern Polytechnic State University in Marietta, Georgia;
Austin Community College in Austin, Texas; and Texas State University: San Marcos. He
currently teaches undergraduate courses in Information Security. He is the Assistant Chair
of the Department of Information Systems and is also an active member of the Information
Systems Security Association and Information Systems Audit and Control Association. He
was formerly the Manager of Corporate Information Technology Security at Georgia-
Pacific Corporation, where much of the practical knowledge found in this and his earlier
textbooks was acquired.
Acknowledgments
The authors would like to thank their families for their support and understanding for the
many hours dedicated to this project—hours taken, in many cases, from family activities.
Special thanks to Carola Mattord, Ph.D., Professor of English at Kennesaw State University.
Her reviews of early drafts and suggestions for keeping the writing focused on the students
resulted in a more readable manuscript.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xx Preface
Reviewers
We are indebted to the following individuals for their contributions of perceptive feedback on
the initial proposal, the project outline, and the chapter-by-chapter reviews of the text:
● Wasim A. AlHamdani, Ph.D., IACR, IEEE, ACM, CSAB (ABET Eva.), Professor of
Cryptography and InfoSec, College of Business and Computer Sciences, Kentucky State
University, Frankfort, KY
● James W. Rust, MSIS, MCSE: Security, MCSA: Security, MCDBA, MCP, CompTIA,
CTT+, Project+, Security+, Network+, A+, Implementation Engineer, Buford, GA
● Paul D. Witman, Ph.D., Associate Professor, Information Technology Management,
California Lutheran University, School of Management, Thousand Oaks, CA
Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage Learning. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Pashoukos, Senior Content Developer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Associate Product Manager
Brooke Baker, Senior Content Project Manager
In addition, several professional and commercial organizations and individuals have aided
the development of this textbook by providing information and inspiration, and the authors
wish to acknowledge their contributions:
Charles Cresson Wood
NetIQ Corporation
The View Point authors:
● Henry Bonin
● Lee Imrey
● Robert Hayes and Kathleen Kotwicka
● David Lineman
● Paul D. Witman & Scott Mackelprang
● George V. Hulme
● Tim Callahan
● Mark Reardon
● Martin Lee
● Karen Scarfone
● Alison Gunnels
● Todd E. Tucker
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Preface xxi
Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be
pleased and honored to receive feedback on the textbook and its supporting materials. You
can contact us through Cengage Learning at infosec@kennesaw.edu.
Foreword
By David Rowan, Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are inter-
ested in a career in Information Security or have actually embarked on one. I am thanking
you because we—and by we I mean all of us—need your help.
You and I live in a world completely enabled, supported by, and allowed by technology.
In almost all practical respects, the things you and I take for granted are created by our
technology. There is technology we see and directly interact with, and technology we
don’t see or are only peripherally aware of. For example, the temperature of my home is
monitored and maintained based on a smart thermostat’s perception of my daily habits
and preferences. I could check it via the app or wait for an alert via text message, but I
don’t—I just assume all is well, confident that I will be informed if something goes amiss.
Besides, I am more interested in reading my personal news feed….
With respect to technology, we occupy two worlds, one of intent and realized actions and
another of services that simply seem to occur on their own. Both these worlds are necessary,
desirable, growing, and evolving. Also, both these worlds are profoundly underpinned by one
thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust that our
purchases are recorded accurately, we trust that our streaming services will have enough
bandwidth, we trust that our stock trades and bank transactions are secure, we trust that
our cars will run safely, and I trust that my home will be at the right temperature when I
walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact that we
can delegate tasks, share infrastructure, exchange ideas and information, and buy goods
and services almost seamlessly benefits us all. It is good ground worth defending. How-
ever, the inevitable and unfortunate fact is that some among us prey upon our trust; they
will work tirelessly to disrupt, divert, or destroy our intents, actions, comfort, well-being,
information, and whatever else our technology and the free flow of information offers.
The motives of these actors matter, but regardless of why they threaten what technology
gives us, the actions we take to safeguard it is up to us. That’s why I am glad you are
reading this. We need guardians of the trust we place in technology and the information
flow it enables.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xxii Preface
I have been in the financial industry for 35 years, and have spent the latter half of it focused
on information security and the related fields of fraud management, business continuity,
physical security, and legal and regulatory compliance. I have seen the evolution of technol-
ogy risk management from a necessary back-office function to a board-level imperative with
global implications. The bound interrelationships among commerce, infrastructure, basic util-
ities, safety, and even culture exist to the extent that providing security is now dominantly a
matter of strategy and management, and less a matter of the tools or technology de jure.
There’s an old saying that it’s not the tools that make a good cabinet, but the skill of the car-
penter. Our tools will change and evolve; it’s how we use them that really matter.
This fifth edition of Management of Information Security is a foundational source that embo-
dies the current best thinking on how to plan, govern, implement, and manage an informa-
tion security program. It is holistic and comprehensive, and provides a path to consider all
aspects of information security and to integrate security into the fabric of the things we
depend on and use. It provides specific guidance on strategy, policy development, risk identi-
fication, personal management, organization, and legal matters, and places them in the con-
text of a broader ecosystem. Strategy and management are not merely aspects of information
security; they are its essence—and this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our world of
modern conveniences. I hope you will become a part of this community.
—Atlanta, Georgia, February 2016
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
chapter 1
Management is, above all, a practice where art, science, and craft meet.
—HENRY MINTZBERG
One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu
left her office early one afternoon to attend a meeting of the local chapter of the Information
Systems Security Association (ISSA). She had recently been promoted from her previous
assignment at RWW as an information security risk manager to become the first chief infor-
mation security officer (CISO) to be named at RWW.
This occasion marked Iris’s first ISSA meeting. With a mountain of pressing matters on her clut-
tered desk, Iris wasn’t exactly certain why she was making it a priority to attend this meeting. She
sighed. Since her early morning wake-up, she had spent many hours in business meetings, fol-
lowed by long hours at her desk working toward defining her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from the company she used to
work for, Sequential Label and Supply (SLS). Charlie had been promoted to chief information
officer (CIO) of SLS almost a year ago.
“Hi, Charlie,” she said.
“Hello, Iris,” Charlie said, shaking her hand. “Congratulations on your promotion. How are
things going in your new position?”
“So far,” she replied, “things are going well—I think.”
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 1
2 Chapter 1
Charlie noticed Iris’s hesitancy. “You think?” he said. “Okay, tell me what’s going on.”
“Well, I’m struggling to get a consensus from the rest of the management team about the pro-
blems we have,” Iris explained. “I’m told that information security is a priority, but every-
thing is in disarray. Any ideas that are brought up, especially my ideas, are chopped to bits
before they’re even taken up by senior management. There’s no established policy covering
our information security needs, and it seems that we have little hope of getting one approved.
The information security budget covers my salary plus a little bit of funding that goes toward
part of one position for a technician in the network department. The IT managers act like I’m
a waste of their time, and they don’t seem to take security issues as seriously as I do. It’s like
trying to drive a herd of cats!”
Charlie thought for a moment and then said, “I’ve got some ideas that may help. We should
talk more, but not now; the meeting is about to start. Here’s my new number—call me tomor-
row and we’ll arrange to get together for coffee.”
LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
Introduction to Security
Key Terms
information security (InfoSec): Protection of the confidentiality, integrity, and availability of
information assets, whether in storage, processing, or transmission, via the application of policy,
education, training and awareness, and technology.
security: A state of being secure and free from danger or harm. Also, the actions taken to make
someone or something secure.
In today’s global markets, business operations are enabled by technology. From the board-
room to the mailroom, businesses make deals, ship goods, track client accounts, and inventory
company assets, all through the implementation of systems based upon information technol-
ogy (IT). IT enables the storage and transportation of information—often a company’s most
valuable resource—from one business unit to another. But what happens if the vehicle breaks
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 3
down, even for a little while? Business deals fall through, shipments are lost, and company
assets become more vulnerable to threats from both inside and outside the firm. In the past, 1
the business manager’s response to this possibility was to proclaim, “We have technology peo-
ple to handle technology problems.” This statement might have been valid in the days when
technology was confined to the climate-controlled rooms of the data center and when infor-
mation processing was centralized. In the last 30 years, however, technology has moved out
from the data center to permeate every facet of the business environment. The business place
is no longer static; it moves whenever employees travel from office to office, from city to city,
or even from office to home. As businesses have become more fluid, “computer security” has
evolved into “information security,” or “InfoSec,” which covers a broader range of issues,
from the protection of computer-based data to the protection of human knowledge. Informa-
tion security is no longer the sole responsibility of a small, dedicated group of professionals in
the company. It is now the responsibility of all employees, especially managers.
Astute managers increasingly recognize the critical nature of information security as the vehi-
cle by which the organization’s information assets are secured. In response to this growing
awareness, businesses are creating new positions to solve the newly perceived problems. The
emergence of executive-level information security managers—like Iris in the opening scenario
of this chapter—allows for the creation of professionally managed information security teams
that have a primary objective to protect information assets, wherever they may be.
Organizations must realize that information security planning and funding decisions involve
more than managers of information, the members of the information security team, or the
managers of information systems. Altogether, they should involve the entire organization, as
represented by three distinct groups of managers and professionals, or communities of interest:
• Those in the field of information security
• Those in the field of IT
• Those from the rest of the organization
These three groups should engage in a constructive effort to reach consensus on an overall
plan to protect the organization’s information assets.
The communities of interest and the roles they fulfill include the following:
• The information security community protects the organization’s information assets
from the many threats they face.
• The IT community supports the business objectives of the organization by supplying
and supporting IT that is appropriate to the organization’s needs.
• The general business community articulates and communicates organizational policy
and objectives and allocates resources to the other groups.
Working together, these communities of interest make decisions about how to secure an orga-
nization’s information assets most effectively. As the discussion between Iris and Charlie in
this chapter’s opening scenario suggests, managing a successful information security program
takes time, resources, and a lot of effort by all three communities within the organization.
Each community of interest must understand that information security is about identifying,
measuring, and mitigating (or at least understanding and documenting) the risk associated
with operating information assets in a modern business environment. It is up to the leadership
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
4 Chapter 1
of the various communities of interest to identify and support initiatives for controlling the
risks faced by the organization’s information assets. But to make sound business decisions
concerning the security of information assets, managers must understand the concept of infor-
mation security, the roles professionals play within that field, and the issues organizations face
in a fluid, global business environment.
In order to understand the varied aspects of information security, you must know the defini-
tions of certain key InfoSec terms and concepts. This knowledge enables you to communicate
effectively with the IT and information security communities.
In general, security means being free from danger. To be secure is to be protected from the
risk of loss, damage, unwanted modification, or other hazards. National security, for example,
is a system of multilayered processes that protects the sovereignty of a state—its assets,
resources, and people. Achieving an appropriate level of security for an organization also
depends on the implementation of a multilayered system.
Security is often achieved by means of several strategies undertaken simultaneously or used in
combination with one another. Many of those strategies will focus on specific areas of secu-
rity, but they also have many elements in common. It is the role of management to ensure
that each strategy is properly planned, organized, staffed, directed, and controlled.
Specialized areas of security include:
• Physical security—The protection of physical items, objects, or areas from unautho-
rized access and misuse.
• Operations security—The protection of the details of an organization’s operations and
activities.
• Communications security—The protection of all communications media, technology,
and content.
• Cyber (or computer) security—The protection of computerized information processing
systems and the data they contain and process. The term cybersecurity is relatively
new, so its use might be slightly ambiguous in coming years as the definition gets
sorted out.
• Network security—A subset of communications security and cybersecurity; the protec-
tion of voice and data networking components, connections, and content.
The efforts in each of these areas contribute to the information security program as a whole.
This textbook derives its definition of information security from the standards published
by the Committee on National Security Systems (CNSS), formerly known as the National
Security Telecommunications and Information Systems Security Committee (NSTISSC),
chaired by the U.S. Secretary of Defense.
Information security (InfoSec) focuses on the protection of information and the characteristics
that give it value, such as confidentiality, integrity, and availability, and includes the technol-
ogy that houses and transfers that information through a variety of protection mechanisms
such as policy, training and awareness programs, and technology. Figure 1-1 shows that Info-
Sec includes the broad areas of InfoSec management (the topic of this book): computer secu-
rity, data security, and network security. The figure also shows that policy is the space where
these components overlap.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 5
TY
IO
N
SE
CU
RI GO
VE
RN
AN
1
AT Management of CE
RM
FO Information Security
IN
POLICY
Computer Security
Network Security
Data Security
y
nolog
n| Tech
| Educatio
Policy
Confidentiality Confidentiality
y
log
no
ch
Te
n|
tio
Integrity Integrity
ca
du
y |E
lic
Po
Availability Availability
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
6 Chapter 1
integrity, and storage criteria could include controls or safeguards addressing the use of tech-
nology to protect the integrity of information while in storage. Such a control might consist
of a host intrusion detection and prevention system (HIDPS), for example, which would
alert the security administrators when a critical file was modified or deleted.
While the CNSS model covers the three dimensions of InfoSec, it omits any discussion of
guidelines and policies that direct the implementation of controls, which are essential to an
effective InfoSec program. Instead, the main purpose of the model is to identify gaps in the
coverage of an InfoSec program.
Another weakness of this model emerges when it is viewed from a single perspective. For
example, the HIDPS control described earlier addresses only the needs and concerns of the
InfoSec community, leaving out the needs and concerns of the broader IT and general busi-
ness communities. In practice, thorough risk reduction requires the creation and dissemina-
tion of controls of all three types (policy, education, and technical) by all three communities.
These controls can be implemented only through a process that includes consensus building
and constructive conflict to reflect the balancing act that each organization faces as it designs
and executes an InfoSec program. The rest of this book will elaborate on these issues.
For more information on the CNSS and its training standards (known as issuances), visit the
Committee on National Security Systems Web site at www.cnss.gov, and select Directives from
the Library tab.
Key Terms
accountability: The access control mechanism that ensures all actions on a system—authorized
or unauthorized—can be attributed to an authenticated identity. Also known as auditability.
authentication: The access control mechanism that requires the validation and verification of an
unauthenticated entity’s purported identity.
authorization: The access control mechanism that represents the matching of an authenticated
entity to a list of information assets and corresponding access levels.
availability: An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
C.I.A. triad: The industry standard for computer security since the development of the
mainframe. The standard is based on three characteristics that describe the utility of information:
confidentiality, integrity, and availability.
confidentiality: An attribute of information that describes how data is protected from
disclosure or exposure to unauthorized individuals or systems.
disclosure: In InfoSec, the intentional or unintentional exposure of an information asset to
unauthorized parties.
identification: The access control mechanism whereby unverified entities who seek access to a
resource provide a label by which they are known to the system.
information aggregation: Pieces of non-private data that, when combined, may create
information that violates privacy. Not to be confused with aggregate information.
integrity: An attribute of information that describes how data is whole, complete, and
uncorrupted.
privacy: In the context of information security, the right of individuals or groups to protect
themselves and their information from unauthorized access, providing confidentiality.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 7
To better understand the management of InfoSec, you must become familiar with the key
characteristics of information that make it valuable to an organization, as expressed in the 1
C.I.A. triad characteristics of confidentiality, integrity and availability (see Figure 1-3). How-
ever, present-day needs have rendered these characteristics inadequate on their own to con-
ceptualize InfoSec because they are limited in scope and cannot encompass today’s
constantly changing IT environment, which calls for a more robust model. The C.I.A. triad,
therefore, has been expanded into a more comprehensive list of critical characteristics and
processes, including privacy, identification, authentication, authorization, and accountability.
These characteristics are explained in more detail in the sections that follow.
In
te
de
Data
gr
nfi
ity
&
Co
Services
Availability
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
8 Chapter 1
Availability Availability of information means that users, either people or other systems,
have access to it in a usable format. Availability does not imply that the information is
accessible to any user; rather, it means it can be accessed when needed by authorized users.
To understand this concept more fully, consider the contents of a library—in particular,
research libraries that require identification for access to the library as a whole or to certain
collections. Library patrons must present the required identification before accessing the col-
lection. Once they are granted access, patrons expect to be able to locate and access
resources in the appropriate languages and formats.
Privacy Information that is collected, used, and stored by an organization should be used
only for the purposes stated by the data owner at the time it was collected. In this context,
privacy does not mean freedom from observation (the meaning usually associated with the
word); it means that the information will be used only in ways approved by the person
who provided it. Many organizations collect, swap, and sell personal information as a com-
modity. Today, it is possible to collect and combine personal information from several dif-
ferent sources, (known as information aggregation), which has resulted in databases that
could be used in ways the original data owner hasn’t agreed to or even knows about.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 9
Many people have become aware of these practices and are looking to the government to
protect their information’s privacy. 1
Identification An information system possesses the characteristic of identification when
it is able to recognize individual users. Identification is the first step in gaining access to
secured material, and it serves as the foundation for subsequent authentication and authori-
zation. Identification and authentication are essential to establishing the level of access or
authorization that an individual is granted. Identification is typically performed by means
of a user name or other ID.
Around 500 B.C., the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise
that emphasizes the importance of knowing yourself as well as the threats you face.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
10 Chapter 1
Therefore I say: One who knows the enemy and knows himself will not be in
danger in a hundred battles.
One who does not know the enemy but knows himself will sometimes win,
sometimes lose. One who does not know the enemy and does not know himself
will be in danger in every battle.3
To protect your organization’s information, you must: (1) know yourself; that is, be familiar
with the information assets to be protected and the systems, mechanisms, and methods used
to store, transport, process, and protect them; and (2) know the threats you face. To make
sound decisions about information security, management must be informed about the various
threats to an organization’s people, applications, data, and information systems. As illustrated
in Figure 1-4, a threat represents a potential risk to an information asset, whereas an attack
represents an ongoing act against the asset that could result in a loss. Threat agents damage
or steal an organization’s information or physical assets by using exploits to take advantage
of a vulnerability where controls are not present or no longer effective. Unlike threats, which
are always present, attacks exist only when a specific act may cause a loss. For example, the
threat of damage from a thunderstorm is present throughout the summer in many places, but
Vulnerability: Buffer
overflow in online
database Web interface
Threat: Theft
Threat agent: Ima Hacker
Information
Asset: Buybay’s
customer database
an attack and its associated risk of loss exist only for the duration of an actual thunderstorm.
The following sections discuss each of the major types of threats and corresponding attacks 1
facing modern information assets.
To investigate the wide range of threats that pervade the interconnected world, many
researchers have collected information on threats and attacks from practicing information
security personnel and their organizations. While the categorizations may vary, threats are rel-
atively well researched and fairly well understood.
There is wide agreement that the threat from external sources increases when an organization
connects to the Internet. The number of Internet users continues to grow; about 45.0 percent
of the world’s 7.26 billion people (as of mid-2015) have some form of Internet access.4 There-
fore, a typical organization with an online connection to its systems and information faces
more than 3 billion potential hackers.
For more information on world Internet use, visit the Internet World Stats: Usage and Population
Statistics site at www.internetworldstats.com/stats.htm.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
12 Chapter 1
Key Terms
intellectual property (IP): The creation, ownership, and control of original ideas as well as the
representation of those ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted
computer software, which is a violation of intellectual property.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 13
For more information on software piracy and intellectual property protection, visit the Software &
Information Industry Association (SIIA) Web site at www.siia.net and the Business Software 1
Alliance (BSA) Web site at www.bsa.org. SIIA is the organization formerly known as the Software
Publishers Association.
Key Terms
availability disruption: An interruption in service, usually from a service provider, which causes
an adverse event within an organization.
blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term reduction in the quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
noise: The presence of additional and disruptive signals in network communications or electrical
power delivery.
sag: A short-term decrease in electrical power availability.
service level agreement (SLA): A document or part of a document that specifies the expected
level of service from a service provider. An SLA usually contains provisions for minimum
acceptable availability and penalties or remediation procedures for downtime.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
14 Chapter 1
cable television, natural or propane gas, and custodial services. The loss of these ser-
vices can impair the ability of an organization to function. For instance, most facilities
require water service to operate an air-conditioning system. Even in Minnesota in Feb-
ruary, air-conditioning systems help keep a modern facility operating. If a wastewater
system fails, an organization might be prevented from allowing employees into the
building. While several online utilities allow an organization to compare pricing
options from various service providers, only a few show a comparative analysis of
availability or downtime.
• Power Irregularities—Irregularities from power utilities are common and can lead to
fluctuations such as power excesses, power shortages, and power losses. These fluctua-
tions can pose problems for organizations that provide inadequately conditioned power
for their information systems equipment. In the United States, residential users are sup-
plied 120-volt, 60-cycle power, usually through 15- and 20-amp circuits. Commercial
buildings often have 240-volt service and may also have specialized power distribution
infrastructure. When power voltage levels vary from normal, expected levels, such as
during a blackout, brownout, fault, noise, spike, surge, or sag, an organization’s sensi-
tive electronic equipment—especially networking equipment, computers, and computer-
based systems, which are vulnerable to fluctuations—can be easily damaged or
destroyed. Most good uninterruptible power supplies (UPS) can protect against spikes,
surges and sags, and even brownouts and blackouts of limited duration.
Key Terms
advanced persistent threat (APT): A collection of processes, usually directed by a human
agent, that targets a specific organization or individual.
brute force password attack: An attempt to guess a password by attempting every possible
combination of characters and numbers in it.
competitive intelligence: The collection and analysis of information about an organization’s
business competitors through legal and ethical means to gain business intelligence and
competitive advantage.
cracker: A hacker who intentionally removes or bypasses software copyright protection designed
to prevent unauthorized duplication or use.
cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control
protection, such as the copyright protection on software. See also cracker.
dictionary password attack: A variation of the brute force attack that narrows the field by
using a dictionary of common passwords and includes information related to the target user.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer
hardware and software to gain unauthorized access to systems and information. Also known as
elite hackers, expert hackers often create automated exploits, scripts, and tools used by other
hackers.
hacker: A person who accesses systems and information without authorization and often
illegally.
industrial espionage: The collection and analysis of information about an organization’s
business competitors, often through illegal or unethical means, to gain an unfair competitive
advantage. Also known as corporate spying, which is distinguished from espionage for national
security reasons.
jailbreaking: Escalating privileges to gain administrator-level control over a smartphone
operating system (typically associated with Apple iOS smartphones). See also rooting.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 15
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform
attacks. Also known as a neophyte, n00b, or newbie. This category of hackers includes script 1
kiddies and packet monkeys.
packet monkey: A script kiddie who uses automated exploits to engage in denial-of-service
attacks.
penetration tester: An information security professional with authorization to attempt to gain
system access in an effort to identify and recommend resolutions for vulnerabilities in those
systems.
phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt
services.
privilege escalation: The unauthorized modification of an authorized or unauthorized system
user account to gain advanced access and control over system resources.
professional hacker: A hacker who conducts attacks for personal financial benefit or for a
crime organization or foreign government. Not to be confused with a penetration tester.
rainbow table: A table of hash values and their corresponding plaintext values that can be used
to look up password values if an attacker is able to steal a system’s encrypted password file.
rooting: Escalating privileges to gain administrator-level control over a computer system
(including smartphones). Typically associated with Android OS smartphones. See also jailbreaking.
script kiddie: A hacker of limited skill who uses expertly written software to attack a system.
Also known as skids, skiddies, or script bunnies.
shoulder surfing: The direct, covert observation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
16 Chapter 1
trespassers that they are encroaching on the organization’s cyberspace. Sound principles of
authentication and authorization can help organizations protect valuable information and
systems. These control methods and technologies employ multiple layers or factors to pro-
tect against unauthorized access and trespass.
The classic perpetrator of espionage or trespass is the hacker, who is frequently glamorized
in fictional accounts as a person who stealthily manipulates a maze of computer networks,
systems, and data to find information that solves the mystery and heroically saves the day.
However, the true life of the hacker is far more mundane. In the real world, a hacker fre-
quently spends long hours examining the types and structures of targeted systems and uses
skill, guile, and/or fraud to attempt to bypass controls placed on information owned by
someone else.
Hackers possess a wide range of skill levels, as with most technology users. However, most
hackers are grouped into two general categories—the expert hacker and the novice hacker:
• The expert hacker is usually a master of several programming languages, networking
protocols, and operating systems, and exhibits a mastery of the technical environment
of the chosen targeted system. Once an expert hacker chooses a target system, the like-
lihood is high that he or she will successfully enter the system. Fortunately for the
many poorly protected organizations in the world, there are substantially fewer expert
hackers than novice hackers.
A new category of expert hacker has emerged over the last few years. The professional
hacker seeks to conduct attacks for personal benefit or the benefit of an employer,
which is typically a crime organization or illegal government operation (see the section
on cyberterrorism). The professional hacker should not be confused with the penetra-
tion tester, who has authorization from an organization to test its information systems
and network defense, and is expected to provide detailed reports of the findings. The
primary differences between professional hackers and penetration testers are the autho-
rization provided and the ethical professionalism displayed.
The recent emergence of a method of precisely targeted attacks against organizations is
known as an advanced persistent threat or APT. These attacks are usually a combina-
tion of social engineering, spear phishing, and customized malware generated by
nation-state sponsored organizations or sophisticated criminal operations. In many
cases these attacks seek to infiltrate high-value information for economic espionage or
attacks against national security.
The most notorious hacker in recent times is Kevin Mitnick, who was considered an
expert hacker by most, yet he often used social engineering rather than technical skills
to collect information for his attacks.
• Novice hackers have little or no real expertise of their own, but rely upon the expertise
of expert hackers, who often become dissatisfied with attacking systems directly and
turn their attention to writing software. These programs are automated exploits that
allow novice hackers to act as script kiddies or packet monkeys. The good news is that
if an expert hacker can post a script tool where a script kiddie or packet monkey can
find it, then systems and security administrators can find it, too. The developers of
protection software and hardware and the service providers who keep defensive sys-
tems up to date also stay informed about the latest in exploit scripts. As a result of
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 17
preparation and continued vigilance, attacks conducted by scripts are usually predict-
able and can be adequately defended against. 1
Once an attacker gains access to a system, the next step is to increase his or her privileges
(privilege escalation). While most accounts associated with a system have only rudimentary
“use” permissions and capabilities, the attacker needs administrative or “root” privileges.
These privileges allow attackers to access information, modify the system itself to view all
information in it, and hide their activities by modifying system logs. The escalation of privi-
leges is a skill set in and of itself. However, just as novice hackers can use tools to gain
access, they can use tools to escalate privileges.
A common example of privilege escalation is called jailbreaking or rooting. Owners of cer-
tain smartphones can download and use particular tools to gain control over system func-
tions, often against the original intentions of the designers. The term jailbreaking is more
commonly associated with Apple’s iOS devices, while the term rooting is more common
with Android-based devices.
Other terms for system rule breakers may be less familiar. The term cracker is now com-
monly associated with software copyright bypassing and password decryption. With the
removal of the copyright protection, software can be easily distributed and installed. With
the decryption of user passwords from stolen system files, user accounts can be illegally
accessed. In current usage, the terms hacker and cracker both denote criminal intent.
Phreakers grew in fame in the 1970s when they developed devices called blue boxes that
enabled them to make free calls from pay phones. Later, red boxes were developed to simu-
late the tones of coins falling in a pay phone, and finally black boxes emulated the line volt-
age. With the advent of digital communications, these boxes became practically obsolete.
Even with the loss of the colored box technologies, however, phreakers continue to cause
problems for all telephone systems.
Password Attacks Password attacks fall under the category of espionage or trespass just
as lock-picking falls under breaking and entering. Attempting to guess or reverse-calculate a
password is often called cracking. There are a number of alternative approaches to pass-
word cracking:
• Brute Force—The application of computing and network resources to try every possi-
ble password combination is called a brute force password attack. If attackers can nar-
row the field of target accounts, they can devote more time and resources to these
accounts. This is one reason to always change the default administrator password
assigned by the manufacturer.
Brute force password attacks are rarely successful against systems that have adopted
the manufacturer’s recommended security practices. Controls that limit the number of
unsuccessful access attempts within a certain time are very effective against brute force
attacks. The strength of a password is a combination of its length and complexity,
which help determine its ability to withstand a brute force attack. Using best-practice
policies for passwords can greatly enhance their strength; use passwords of at least 10
characters and at least one uppercase and lowercase letter, one number and one special
character, and systems that allow case-sensitive passwords.
• Dictionary Attacks—The dictionary password attack, or simply dictionary attack, is a
variation of the brute force attack that narrows the field by using a dictionary of
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
18 Chapter 1
common passwords and includes information related to the target user, such as names
of relatives or pets, and familiar numbers such as phone numbers, addresses, and even
Social Security numbers. Organizations can use similar dictionaries to disallow pass-
words during the reset process and thus guard against passwords that are easy to
guess. In addition, rules requiring numbers and special characters in passwords make
the dictionary attack less effective.
• Rainbow Tables—A far more sophisticated and potentially much faster password
attack is possible if the attacker can gain access to an encrypted password file, such as
the Security Account Manager (SAM) data file. While these password files contain
hashed representations of users’ passwords—not the actual passwords, and thus cannot
be used by themselves—the hash values for a wide variety of passwords can be looked
up in a database known as a rainbow table. These plain text files can be quickly
searched, and a hash value and its corresponding plaintext value can be easily located.
• —While social engineering is discussed in detail
—
Social Engineering Password Attacks—While
later in the section called “Human Error or Failure,” it is worth mentioning here as a
mechanism to gain password information. Attackers posing as an organization’s IT
professionals may attempt to gain access to systems information by contacting low-
level employees and offering to help with their computer issues. After all, what
employee doesn’t have issues with computers? By posing as a friendly and helpful
helpdesk or repair technician, the attacker asks employees for their usernames and
passwords, then uses the information to gain access to organizational systems. Some
even go so far as to actually resolve the user’s issues. Social engineering password
attacks are much easier than hacking servers for password files.
Forces of Nature Forces of nature, sometimes called acts of God, can present some of
the most dangerous threats because they usually occur with little warning and are beyond
the control of people. These threats, which include events such as fires, floods, earthquakes,
and lightning as well as volcanic eruptions and insect infestations, can disrupt not only peo-
ple’s lives but the storage, transmission, and use of information. Because it is not possible to
avoid threats from forces of nature, organizations must implement controls to limit damage
and prepare contingency plans for continued operations, such as disaster recovery plans,
business continuity plans, and incident response plans, as discussed in Chapter 10.
Another term you may encounter, force majeure, is roughly translated as “superior force,”
which includes forces of nature as well as civil disorder and acts of war. Most forces of
nature can only be mitigated through casualty or business interruption insurance, although
careful facilities design and placement can reduce the likelihood of damage to an organiza-
tion’s systems, buildings, or local infrastructure. Some typical force of nature attacks include
the following:
• Fire—The ignition of combustible material; damage can also be caused by smoke from
fires or by water from sprinkler systems or firefighters.
• Flood Water overflowing into an area that is normally dry, causing direct damage,
Flood—
and subsequent indirect damage from high humidity and moisture.
• Earthquake—A sudden movement of the earth’s crust caused by volcanic activity or
the release of stress accumulated along geologic faults.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 19
Key Terms
advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which
an organization or some third party indicates that the recipient is due an exorbitant amount of
money and needs only a small advance fee or personal banking information to facilitate the
transfer.
phishing: A form of social engineering in which the attacker provides what appears to be a
legitimate communication (usually e-mail), but it contains hidden or embedded code that
redirects the reply to a third-party site in an effort to extract personal or confidential
information.
pretexting: A form of social engineering in which the attacker pretends to be an authority
figure who needs information to confirm the target’s identity, but the real object is to trick the
target into revealing confidential information. Pretexting is commonly performed by telephone.
social engineering: The process of using social skills to convince people to reveal access
credentials or other valuable information to an attacker.
spear phishing: Any highly targeted phishing attack.
Human Error or Failure This category includes acts performed without intent or mali-
cious purpose or in ignorance by an authorized user. When people use information systems,
mistakes happen. Similar errors happen when people fail to follow established policy.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
20 Chapter 1
Inexperience, improper training, and incorrect assumptions are just a few things that can cause
human error or failure. Regardless of the cause, even innocuous mistakes can produce exten-
sive damage.
One of the greatest threats to an organization’s information security is its own employees, as
they are the threat agents closest to the information. Because employees use data and infor-
mation in everyday activities to conduct the organization’s business, their mistakes represent
a serious threat to the confidentiality, integrity, and availability of data—even relative to
threats from outsiders. Employee mistakes can easily lead to revelation of classified data,
entry of erroneous data, accidental deletion or modification of data, storage of data in
unprotected areas, and failure to protect information. Leaving classified information in
unprotected areas, such as on a desktop, on a Web site, or even in the trash can, is as
much a threat as a person who seeks to exploit the information, because the carelessness
can create a vulnerability and thus an opportunity for an attacker. However, if someone
damages or destroys data on purpose, the act belongs to a different threat category.
Human error or failure often can be prevented with training, ongoing awareness activities,
and controls. These controls range from simple activities, such as requiring the user to type
a critical command twice, to more complex procedures, such as verifying commands by a
second party. An example of the latter is the performance of key recovery actions in PKI
(public key infrastructure) systems. Many military applications have robust, dual-approval
controls built in. Some systems that have a high potential for data loss or system outages
use expert systems to monitor human actions and request confirmation of critical inputs.
Some common types of human error include the following:
• Engineering—In the context of information security, social engineering is used
Social Engineering
by attackers to gain system access or information that may lead to system access. There
are several social engineering techniques, which usually involve a perpetrator posing as
a person who is higher in the organizational hierarchy than the victim.
• Fraud—Another social engineering attack called the advance-fee fraud
Advance-fee Fraud
(AFF), internationally known as the 4-1-9 fraud, is named after a section of the Niger-
ian penal code. The perpetrators of 4-1-9 schemes often use the names of legitimate
companies, such as the Nigerian National Petroleum Company. Alternatively, they may
invent other entities, such as a bank, government agency, long-lost relative, lottery, or
other nongovernmental organization.
• Phishing Some attacks are sent by e-mail and may consist of a notice that one’s
Phishing—
e-mail storage allotment has been exceeded. The user is asked to log in, to run a test
program attached to the e-mail, or even to log into their “bank” account (spoofed by
the attacker) to verify their balance. While these attacks may seem crude to experienced
users, the fact is that many e-mail users have fallen for them. These tricks and similar
variants are called phishing attacks.
Phishing attacks use two primary techniques, often in combination with one another: URL
manipulation and Web site forgery. In URL manipulation, attackers send an HTML
embedded e-mail message or a hyperlink whose HTML code opens a forged Web site. In
Web forgery, the attacker copies the HTML code from a legitimate Web site and then
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Introduction to the Management of Information Security 21
modifies key elements. When victims type their banking ID and password, the attacker
records that information and displays a message that the Web site is now offline. 1
Spear Phishing
Phishing—While normal phishing attacks target as many recipients as possi-
ble, spear phishing involves an attacker sending a targeted message that appears
to be from an employer, a colleague, or other legitimate correspondent to a small
group or even one person.
Pretexting Pretexting, sometimes referred to as phone phishing, is a purely social
Pretexting—
engineering attack in which the attacker calls a potential victim on the telephone
and pretends to be an authority figure in order to gain access to private or confi-
dential information, such as health, employment, or financial records.
For more information on the preceding attacks and other fraudulent cyberattacks, visit the FBI’s
high-tech (cyber) crimes Web site at www.fbi.gov/about-us/investigate/cyber.
Key Terms
information extortion: The act of an attacker or trusted insider who steals information from a
computer system and demands compensation for its return or for an agreement not to disclose
the information. Also known as cyberextortion.
ransomware: A specialized form of information extortion where the victim’s data is encrypted
by malware and the victim is offered the return of their data only if they pay the attacker.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Another random document with
no related content on Scribd:
Neger-Engelsch. Nederlandsche vertaling.
6. Te brafoe fájà, joe de téki 6. Als de soep heet is,
spoen de driéngi hem, ma gebruikt men een lepel,
te a kóuroe, han sa wakka maar als zij koud is, steekt
na ini. men er de hand in. De zin
is: Den zachtzinnige durft
men aan, den driftige
ontziet men.[380]
7. Joe sa kìbri óuwroe 7. Ge zult een oude bes
mamá, ma joe no sa kìbri (vrouw) verbergen, maar
hém froekóutoe. haren hoest kunt ge niet
verbergen; d.i. de aap
komt altijd uit de mouw.
8. Grabóe njanjám, ma no 8. Grabbel naar spijs, maar
grabóe taki. niet naar praatjes.
9. Tángi foe boen da kódja. 9. Stank voor dank.
10. Tóngo tjári hem mássra na 10. De tong voert haren
boen, atjári hem mássra meester tot geluk, maar
na ógri toe. brengt hem ook dikwerf in
het ongeluk.
11. Tódo táki, iffi joe de táki 11. De kikvorsch zegt: zoo er
foe gogó, mi no kan piki, van billen gesproken
mára iffi joe de taki foe wordt, kan ik niet
hai, mi kon piki. meespreken, maar als ge
over oogen handelt, zal ik
U te woord staan.
12. Sáni móro keeskési, a 12. Als de aap in de
brasà makà. benauwdheid zit, omvat hij
den doornstruik.
Neger-Engelsch. Nederlandsche vertaling.
13. Joe ha’ prasénsi, joe sa si 13. Als ge geduld hebt, kunt
míra bére. ge de ingewanden van
een mier zien. De zin is:
geduld overwint alles.
14. Bósi swíti, ma a tjári 14. Kussen is zoet, maar baart
sábiso. wel eens berouw.
15. Hattí-bron no de méki wan 15. Gramschap brengt geen
boen pikíen. goed kroost voort.[381]
16. Nanái de háli tetéi, tetéi de 16. De naald trekt de draad en
háli nanái. de draad trekt de naald.
De zin is: Wij hebben
elkander onderling noodig.
17. Móni kabà, kómpe kabà. 17. Als het geld op is, is ’t met
de vrienden gedaan.
18. Te joe tráppoe na míra 18. Wanneer ge in een
hóso, joe sabi ho disi béti mierennest trapt, weet ge
joe. dan, welke mier u gebeten
heeft?
19. Bégi móro bétre léki 19. Bedelen is beter dan
foefóeroe, ma wróko da stelen, maar werken is de
bási. baas!
20. Joe lóbi okró*, joe moe 20. Houdt ge van de okra*,
lóbi hem síri toe. dan moet ge ook van de
pitten houden. De zin is:
Zoo ge van mij houdt,
houdt ge ook van mijn
kinderen.
B. West-Afrika.
2. Als een mensch geen kleine mat tot zijn beschikking heeft, moet
hij staande slapen.
3. Hoewel men twee oogen heeft, ziet men toch geen twee dingen
tegelijk.
NB. Deze beide spreekwoorden behooren tot een groep, die moet
leeren, dat men nooit twee dingen tegelijk kan doen.
6. Wanneer een jongen beweert, dat hij water met een touw wil
ophalen, vraag hem dan, of hij het water
NB. Dit spreekwoord wil zooveel zeggen als: Antwoord een dwaas
in overeenstemming met zijn dwaasheden.
7. De vogel in het hok is onbekend met den dag van zijn dood.
12. Hij, die voor zich zelf werkt, kan doen wat hem bevalt.
13. De mond zegt een menigte dingen, die het hart niet uitbrengen
kan. [383]
NB. De zin is: Een scherp woord kan niet geheeld worden, een
wond wel.
3. Begin niets, wat ge niet tot een goed einde kunt brengen.
6. Waar de mensch ook heen trekt, altijd neemt hij zijn karakter meê.
9. Datgene, waarvan een kind houdt, zal zijn maag geen kwaad
doen.
10. Wanneer ge te gauw een vrouw lief hebt, zult ge haar spoedig
niet meer beminnen. [384]
[Inhoud]
in Sierra Leone
naar
Sobah was een geboren handelsman en als zoodanig het type van
zijn stamgenooten, wier meest op den voorgrond tredende
eigenschappen koopmansgeest was.
Dikwijls had hij ver het land in tochten gemaakt, om waren te
verhandelen en hij had ook nu en dan een bootlading met produkten
naar de markt van Freetown 2 gebracht. Heden kwam de
handelsman weêr bij hem te voorschijn. Nadat hij zich van een
zestal mannen voor den boottocht had verzekerd, besteedde hij den
dag om zijn waren bijeen te brengen en in de boot te laden.
Vermoeid van het roeien, den langen nacht door, bereidden zij zich
twee aan twee in minder gemakkelijke houding tot den slaap voor,
waaruit zij eerst na vele uren ontwaakten. Op de met steenen
bedekte plaats vóór in de boot werd nu een vuur aangelegd, en
daarop een overvloedige hoeveelheid rijst en visch gereed gemaakt.
Nadat zij zich nu allen om den grooten rijstpot hadden neêrgezet,
begonnen zij het eten in zulke groote hoeveelheden naar binnen te
werken, als slechts een negermaag kan bevatten.
Gedurende het geheele verdere deel van den dag bleef de zeebries
met slechts een kleine vermindering voortduren, zoodat het hun
duidelijk werd, dat ook de nacht rustend zou moeten worden
doorgebracht, alvorens de reis kon worden hervat. Het avondeten
was een herhaling van den morgen, de hoeveelheid niet
uitgezonderd, en toen zij daarmede gereed waren, hielden zij zich op
hunne eigene bijzondere wijze bezig.
Met een „Wel! Spin, sterke kerel!” beantwoordde hij eenigzins vinnig
een minachtende opmerking van Dogbah, en als protest tegen diens
uitdagende bewering, begon hij het wonderbaarlijke heldenfeit van
Heer Spin te vertellen bij een wedstrijd in sterkte tusschen Olifant en
Hippopotamus 6: [389]
Spin, die niets bezat en van den honger rammelde, wilde dit echter
niet laten blijken en zei dus: „Het is waar, alles ziet er dor en dood
uit, maar ik zal spoedig wel een gelegenheid vinden, om mij en mijn
gezin rijkelijk van voedsel te voorzien”. „Als je dus een plaats vind”—
liet Olifant er op volgen, „verzuim dan niet, mij dadelijk te roepen”.
Spin beloofde dit op zijn woord van waarachtig. „Het gaat mij aan het
hart, je zoo mager te zien” zei Spin, „je wordt met den dag kleiner.
Vroeger was je zoo reusachtig groot en dik en nu ben je haast van
mijn postuur. Je ziet er uit, of je te veel drinkt. Ik geloof stellig, dat ik
in staat ben, je van den wal in de rivier te trekken”.
Olifant begreep niet, dat Spin hem een poets wilde bakken en het op
zijn leven gemunt had; de goede slungel ging daarom gaarne op de
uitdaging van Spin in en riep uit: „Ik zal je toonen, wie sterker is; kom
maar op!”
„Goed”, zei Spin, „we zullen touwtrekken en ik zal voor een mooi, dik
touw zorgen”.
Hij ging nu naar het bosch op zoek naar een liaan*, een boschtouw,
en vond er al spoedig een, zoo dik als een krokodillenkop. Hij sneed
dit af en bracht het naar den rivieroever. Daar keek hij uit naar vriend
Hippopotamus*, en toen hij dezen zwemmende ontdekte, riep hij
hem toe: „Wedden, dat ik sterker ben dan jij en je uit het water trek?”
[390]
Spin liep daarop het bosch in naar Olifant en maakte met hem
dezelfde afspraak voor den volgenden morgen.
De beide groote dieren hadden in het minst geen vermoeden, dat zij
tegen elkaar zouden moeten trekken.
Spin plaatste zich nu in het midden van het touw, deed er een ruk
aan en kroop toen achter een boom weg.
„Spin was in zijn nopjes, toen hij de dieren zag bezwijken, en hij riep uit:
„Jullie heeten sterker dan ik, maar dat is mis hoor! Ik ben sterker, omdat ik
meer verstand heb”. 8 Toen nam hij de dieren op en bracht ze een voor
een naar een veilige plaats”.
Dit was een wonderbaarlijk heldenfeit, zelfs voor Heer Spin zelf, en
Sobah wierp een blik uit een zijner ooghoeken, om te zien, hoe dit
feit door zijn toehoorders ontvangen was geworden. Op hun gelaat
stond duidelijk te lezen: „hoe kan dat? Zoo’n kleine spin kan toch
geen olifant dragen!” De verteller had echter zijn antwoord dadelijk
gereed en zei:
„Toch is het zoo! Spin is te lui om te werken; de [392]lichtste taak valt hem
zwaar, maar geroofd voedsel kan hij altijd tillen. Spin droeg dus de dieren
naar een plaats, waar hij ze kon villen en in stukken hakken. Hij liet nu
dieren aanrukken, om hem bij te staan en het vleesch naar huis te
brengen. Zijn helpers beloonde hij op keurige wijze met afval van Olifant
en Spin en zijn gezin leefden nu rijkelijk van het door list verkregen
voedsel, totdat de hongersnood langzamerhand uit het land verdwenen
was”.
„Vóór dien tijd”, moeten jelui weten, „leefden er nog geen visschen in het
water. Toen Spin zijn gedoode dieren had afgehakt en het vleesch had
weggedragen, wierp hij de rest van den afval in de rivier en ziet, toen
kwamen er visschen te voorschijn. Zoo is dus Spin eigenlijk de schepper
der visschen geworden, en zoo heeft alles wat visch eet, veel aan hem te
danken”. 9
Deze geheel nieuwe verklaring van den oorsprong der in het water
zoo overvloedig voorkomende dieren, scheen voor het kinderlijke
brein der zwarte bootslieden niet zoo heel ongeloofelijk. Het water
rondom hun boot wemelde op dat oogenblik van visschen, 10 en als
Spin ze niet had voortgebracht, wie had het dan gedaan?
Oleemah was geneigd, geloof te schenken aan het verhaal van Spin,
en vereerde in stilte zijn Held, die door zijn behendigheid en list voor
zich en zijn familie gedurende den hongersnood aan eten had weten
te komen. [393]
[Inhoud]
Personen:
Ngando (Krokodil).
Sinyani (Vogels).
Sinyama (Beesten). 12
Krokodil was oud. Ten slotte stierf hij. Snel verspreidde zich het
nieuws van zijn dood onder de Beesten. Zijn verwanten en vrienden
begaven zich naar de Droefheid. Nadat een daartoe vastgesteld
aantal dagen was verstreken, werd de vraag omtrent de verdeeling
van zijn eigendommen besproken. Dadelijk reeds ontstond er
oneenigheid over de vraag, wie zijn naaste verwanten waren. [394]
De stam der Vogels zei: „Hij behoort tot den onzen en wij zijn dus de
eenigen, die op de eigendommen aanspraak maken”.
1 Dit spreekwoord komt merkwaardig overeen met het Fransche: Les belles
femmes, il faut les aimer, les épouser jamais. ↑
2 Hoofdstad van Sierra Leone. ↑
3 Dat hiermede niet bedoeld kan zijn de ongevoeligheid van den Neger voor de
schoonheden der natuur in algemeenen zin, weet hij wel beter, die met negers
dagen achtereen te midden eener weelderige tropische natuur verkeerd heeft. (C.
b. en f). ↑
4 Opgemerkt mag worden, dat de zang der Afrikaansche Negers, evenals die der
Surinaamsche Boschnegers (C.a.) van meer primitieven aard is dan die der
Negers van Jamaica, waarin de invloed van Engelsche melodieën vaak duidelijk te
herkennen is. (J.e. blz. 278–288). ↑
5 Zie blz. 29 en No. 19 en 31 van de Surinaamsche Stadsneger-vertellingen en
No. 18 der Indiaansche serie. ↑
6 Vergelijk No. 17 der Stadsneger-vertellingen. ↑
7 De vier van hoeven voorziene teenen zijn allen even groot, zoodat bij hem van
een kleinen teen geen sprake is. ↑
8 Hier brengt de Neger weder zijn overtuiging tot uiting, dat de mensch door zijn
verstand over de sterkste dieren het overwicht heeft verkregen (zie blz. 205). ↑
9 Met dergelijke eenvoudige verklaringen voor het ontstaan van het geschapene
is de kinderlijke neger volkomen tevreden. Dat het op andere wijze ontstaan
kan zijn, komt in zijn brein niet op. ↑
10 Dit doet denken aan den enormen vischrijkdom van de Surinaamsche rivieren
(C. b., blz. 43, 48, 90 en 93). ↑
11 In deze fabel wordt de vraag behandeld: Hoe is het leven begonnen? ↑
12 Opmerking verdient het, dat, evenals bij de Indianen (zie blz. 17), hier de vogels
tegenover de overige dieren worden geplaatst. ↑
13 De Afrikaansche inboorling is zeer gevoelig in kwesties van gelijkheid of
verschil in rang en leeftijd. ↑
[Inhoud]
VERKLAREND REGISTER 1.
[Inhoud]
A.
Abonjera. N.E. naam voor een plant (Sesamum indicum L.) uit de
fam. der Pedaliaceën, waarvan het zaad, in koekjes gebakken,
gegeten wordt. Ook olie wordt uit het zaad geperst (Sesam-olie).
Acouri, ook wel Agoeti (in het N.E. Koni-Koni) genoemd, is een
knaagdier (Dasyprocta agoeti), dat in holle boomen huist en van
wortels en vruchten leeft. Het vleesch is smakelijk.
Amalivaca. Mythische Held, die door de C., meer in het bijzonder door
de Tamanaca’s, een oorspronkelijken stam der C., vereerd wordt.