Principles of Information Security examines the field of information security to prepare individuals for their future roles as business decision makers. This book presents both the managerial and the technical aspects of this exciting discipline and addresses knowledge areas of the CISSP (Certified Information Systems Security Professional) certification throughout.
Chapter 1 Introduction to Information Security

Introduction
The History of Information Security
The 1960s
The 1970s and 80s
The 1990s
The Present
What Is Security?
What Is Information Security?
Critical Characteristics of Information
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
NSTISSC Security Model
Components of an Information System
Software
Hardware
Data
People
Procedures
Securing the Components
Balancing Security and Access
Top-Down Approach to Security Implementation
The Systems Development Life Cycle
Methodology
Phases
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance and Change
The Security Systems Development Life Cycle
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance and Change
Key Terms
Security Professionals and the Organization
Senior Management
Security Project Team
Data Ownership
Communities of Interest
Information Security Management and Professionals
Information Technology Management and Professionals
Organizational Management and Professionals
Information Security: Is It an Art or a Science?
Security as Art
Security as Science
Security as a Social Science
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 2 The Need for Security

Introduction
Business Needs First, Technology Needs Last
Protecting the Ability of the Organization to Function
Enabling the Safe Operation of Applications
Protecting Data that Organizations Collect and Use
Safeguarding Technology Assets in Organizations
Threats
Threat Group 1: Inadvertent Acts
Threat Group 2: Deliberate Acts
Threat Group 3: Acts of God
Threat Group 4: Technical Failures
Threat Group 5: Management Failures
Attacks
Malicious Code
Hoaxes
Back Doors
Password Crack
Brute Force
Dictionary
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
Spoofing
Man-in-the-Middle
Spam
Mail Bombing
Sniffers
Social Engineering
Buffer Overflow
Timing Attack
Chapter Summary
Review Questions
Case Exercises

Chapter 3 Legal, Ethical and Professional Issues in Information Security

Introduction
Law and Ethics in Information Security
Types of Law
Relevant U.S. Laws
General Computer Crime Laws
Privacy
Export and Espionage Laws
U.S. Copyright Law
International Laws and Legal Bodies
European Council Cyber-Crime Convention
Digital Millennium Copyright Act (DMCA)
United Nations Charter
Policy Versus Law
Ethical Concepts in Information Security
Cultural Differences in Ethical Concepts
Software License Infringement
Illicit Use
Misuse of Corporate Resources
Ethics and Education
Deterrence to Unethical and Illegal Behavior
Codes of Ethics, Certifications, and Professional Organizations
Other Security Organizations
Key U.S. Federal Agencies
Organizational Liability and the Need for Counsel
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 4 Risk Management: Identifying and Assessing Risk

Introduction
Chapter Organization
Risk Management
Know Yourself
Know the Enemy
All Communities of Interest Are Accountable
Integrating Risk Management into the SecSDLC
Risk Identification
Asset Identification and Valuation
Automated Risk Management Tools
Information Asset Classification
Information Asset Valuation
Listing Assets in Order of Importance
Data Classification and Management
Security Clearances
Management of Classified Data
Threat Identification
Identify and Prioritize Threats and Threat Agents
Vulnerability Identification
Risk Assessment
Introduction to Risk Assessment
Likelihood
Valuation of Information Assets
Percentage of Risk Mitigated by Current Controls
Risk Determination
Identify Possible Controls
Access Controls
Documenting Results of Risk Assessment
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 5 Risk Management: Assessing and Controlling Risk

Introduction
Risk Control Strategies
Avoidance
Transference
Mitigation
Acceptance
Risk Mitigation Strategy Selection
Evaluation, Assessment, and Maintenance of Risk Controls
Categories of Controls
Control Function
Architectural Layer
Strategy Layer
Information Security Principles
Feasibility Studies
Cost Benefit Analysis (CBA)
Other Feasibility Studies
Risk Management Discussion Points
Risk Appetite
Residual Risk
Documenting Results
Recommended Practices in Controlling Risk
Qualitative Measures
Delphi Technique
Risk Management and the SecSDLC
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 6 Blueprint for Security

Introduction
Information Security Policy, Standards, and Practices
Definitions
Security Program Policy (SPP)
Issue-Specific Security Policy (ISSP)
Systems-Specific Policy (SysSP)
Policy Management
Information Classification
Systems Design
Information Security Blueprints
ISO 17799/BS 7799
NIST Security Models
NIST Special Publication SP 800-12
NIST Special Publication 800-14
IETF Security Architecture
VISA International Security Model
Baselining and Best Business Practices
Hybrid Framework for a Blueprint of an Information Security System
Security Education, Training, and Awareness Program
Security Education
Security Training
Security Awareness
Design of Security Architecture
Defense in Depth
Security Perimeter
Key Technology Components
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 7 Planning for Continuity

Introduction
Continuity Strategy
Business Impact Analysis
Threat Attack Identification and Prioritization
Business Unit Analysis
Attack Success Scenario Development
Potential Damage Assessment
Subordinate Plan Classification
Incident Response Planning
Incident Planning
Incident Detection
When Does an Incident Become a Disaster?
Incident Reaction
Notification of Key Personnel
Documenting an Incident
Incident Containment Strategies
Incident Recovery
Prioritization of Efforts
Damage Assessment
Recovery
Backup Media
Automated Response
Disaster Recovery Planning
The Disaster Recovery Plan
Crisis Management
Recovery Operations
Business Continuity Planning
Developing Continuity Programs (BCPs)
Continuity Strategies
Model for a Consolidated Contingency Plan
The Planning Document
Law Enforcement Involvement
Local, State, or Federal Authorities
Benefits and Drawbacks of Law Enforcement Involvement
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 8 Security Technology

Introduction
Physical Design of the SecSDLC
Firewalls
Development of Firewalls
Firewall Architectures
Configuring and Managing Firewalls
Dial-up Protection
RADIUS and TACACS
Intrusion Detection Systems (IDS)
Host-based IDS
Network-based IDS
Signature-based IDS
Statistical Anomaly-based IDS
Scanning and Analysis Tools
Port Scanners
Vulnerability Scanners
Packet Sniffers
Content Filters
Trap and Trace
Cryptography and Encryption-based Solutions
Encryption Definitions
Encryption Operations
Vernam Cipher
Book or Running Key Cipher
Symmetric Encryption
Asymmetric Encryption
Digital Signatures
RSA
PKI
What Are Digital Certificates and Certificate Authorities?
Hybrid Systems
Securing E-mail
Securing the Web
Securing Authentication
Sesame
Access Control Devices
Authentication
Effectiveness of Biometrics
Acceptability of Biometrics
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 9 Physical Security

Introduction
Access Controls
Controls for Protecting the Secure Facility
Fire Safety
Fire Detection and Response
Failure of Supporting Utilities and Structural Collapse
Heating, Ventilation, and Air Conditioning
Power Management and Conditioning
Testing Facility Systems
Interception of Data
Mobile and Portable Systems
Remote Computing Security
Special Considerations for Physical Security Threats
Inventory Management
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 10 Implementing Security

Introduction
Project Management in the Implementation Phase
Developing the Project Plan
Project Planning Considerations
The Need for Project Management
Supervising Implementation
Executing the Plan
Wrap-up
Technical Topics of Implementation
Conversion Strategies
The Bull's-eye Model for Information Security Project Planning
To Outsource or Not
Technology Governance and Change Control
Nontechnical Aspects of Implementation
The Culture of Change Management
Considerations for Organizational Change
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 11 Security and Personnel

Introduction
The Security Function Within an Organization's Structure
Staffing the Security Function
Qualifications and Requirements
Entry into the Security Profession
Information Security Positions
Credentials of Information Security Professionals
Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP)
Security Certified Professional
TruSecure ICSA Certified Security Associate (T.I.C.S.A.) and TruSecure ICSA Certified Security Expert (T.I.C.S.E.)
Security+
Certified Information Systems Auditor (CISA)
Certified Information Systems Forensics Investigator
Related Certifications
Cost of Being Certified
Advice for Information Security Professionals
Employment Policies and Practices
Hiring and Termination Issues
Performance Evaluation
Termination
Security Considerations for Nonemployees
Temporary Employees
Contract Employees
Consultants
Business Partners
Separation of Duties and Collusion
Privacy and the Security of Personnel Data
Chapter Summary
Review Questions
Exercises
Case Exercises

Chapter 12 Information Security Maintenance

Introduction
Managing for Change
Security Management Models
The ISO Network Management Model
The Maintenance Model
Monitoring the External Environment
Monitoring the Internal Environment
Planning and Risk Assessment
Vulnerability Assessment and Remediation
Readiness and Review
Chapter Summary
Review Questions
Exercises
Case Exercises

Appendix A Cryptography

Introduction
Definitions
Types of Ciphers
Polyalphabetic Substitution Ciphers
Transposition Ciphers
Cryptographic Algorithms
Asymmetric Cryptography or Public Key Cryptography
Hybrid Cryptosystems
Popular Cryptographic Algorithms
Data Encryption Standard (DES)
Data Encryption Core Process
Public Key Infrastructure (PKI)
Digital Signatures
Digital Certificates
Pretty Good Privacy (PGP)
PGP Suite of Security Solutions
Protocols for Secure Communications
S-HTTP and SSL
Secure/Multipurpose Internet Mail Extension (S/MIME)
Internet Protocol Security (IPSec)
Attacks on Cryptosystems
Man-in-the-Middle Attack
Correlation Attacks
Dictionary Attacks
Timing Attacks

Glossary