Information Security Management: Concepts and Practice
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Building an Effective Information Security Policy Architecture
Sandy Bacik
ISBN 978-1-4200-5905-2

Business Resumption Planning, Second Edition
Leo A. Wrobel
ISBN 978-0-8493-1459-9

CISO Leadership: Essential Principles for Success
Todd Fitzgerald and Micki Krause
ISBN 978-0-8493-7943-7

CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Ron Collette, Michael Gentile, and Skye Gentile
ISBN 978-1-4200-8910-3

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition
Albert Marcella, Jr. and Doug Menendez
ISBN 978-0-8493-8328-1

Cyber Fraud: Tactics, Techniques and Procedures
Rick Howard
ISBN 978-1-4200-9127-4

Data Protection: Governance, Risk Management, and Compliance
David G. Hill
ISBN 978-1-4398-0692-0

Digital Privacy: Theory, Technologies, and Practices
Alessandro Acquisti, Stefanos Gritzalis, Costas Lambrinoudakis, and Sabrina di Vimercati
ISBN 978-1-4200-5217-6

The Executive MBA in Information Security
John J. Trinckes, Jr.
ISBN 978-1-4398-1007-1

How to Complete a Risk Assessment in 5 Days or Less
Thomas R. Peltier
ISBN 978-1-4200-6275-5

HOWTO Secure and Audit Oracle 10g and 11g
Ron Ben-Natan
ISBN 978-1-4200-8412-2

Information Assurance Architecture
Keith D. Willett
ISBN 978-0-8493-8067-9

Information Security Management Handbook, Sixth Edition, Volume 3
Harold F. Tipton and Micki Krause
ISBN 978-1-4200-9092-5

Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement
W. Krag Brotby
ISBN 978-1-4200-5285-5

Information Technology Control and Audit, Third Edition
Sandra Senft and Frederick Gallegos
ISBN 978-1-4200-6550-3

Intelligent Video Surveillance: Systems and Technology
Yunqian Ma
ISBN 978-1-4398-1328-7

Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet
Ken Dunham and Jim Melnick
ISBN 978-1-4200-6903-7

Managing Security Overseas: Protecting Employees and Assets in Volatile Regions
Scott Alan Ast
ISBN 978-1-4398-0467-4

Profiling Hackers: The Science of Criminal Profiling as Applied to the World of Hacking
Raoul Chiesa, Stefania Ducci, and Silvio Ciappi
ISBN 978-1-4200-8693-5

Security in an IPv6 Environment
Daniel Minoli and Jake Kouns
ISBN 978-1-4200-9229-5

Security of Mobile Communications
Noureddine Boudriga
ISBN 978-0-8493-7941-3

Understanding and Applying Cryptography and Data Security
Adam J. Elbirt
ISBN 978-1-4200-6160-4
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: orders@crcpress.com
Information Security Management: Concepts and Practice
Bel G. Raggad
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2010 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20110725
International Standard Book Number-13: 978-1-4398-8263-4 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
I am pleased and very proud to dedicate this book to
Zine El Abidine Ben Ali
You are a hero to me.
You are a savior for Tunisia.
You are a model for other world leaders and you are a friend to the States.
Our world is experiencing economic challenges. Tunisia’s homeland is surrounded
by unstable neighbors and continents filled with civil wars and conflicts.
Even with Tunisia’s limited resources, you defeated terrorism, succeeded in
creating a peaceful and friendly people, established a secure nation, maintained
your cultural identity, and brought peace to all of us wherever we are.
Your contributions to global security are unmatched.
God bless you.
Belgacem Raggad
Contents
Preface ........................................................................................................xxix
About the Author ......................................................................................xxxv
Section I Introduction
1 Introduction to Information Security Management ..............................3
1.1 Introduction ......................................................................................4
1.2 Why Information Security Matters ...................................................5
1.3 Information Sensitivity Classification ................................................6
1.3.1 Top Secret .............................................................................7
1.3.2 Highly Confidential .............................................................7
1.3.3 Proprietary ............................................................................8
1.3.4 Internal Use Only .................................................................8
1.3.5 Public Information ...............................................................8
1.4 Information Security Governance .....................................................8
1.5 The Computing Environment .........................................................10
1.5.1 People .................................................................................12
1.5.2 System Activities .................................................................13
1.5.3 Data Resources ...................................................................14
1.5.3.1 Noise Facts .........................................................14
1.5.3.2 Data Facts...........................................................14
1.5.3.3 Information ........................................................15
1.5.3.4 Knowledge Facts .................................................15
1.5.4 Technology .........................................................................15
1.5.5 Network .............................................................................16
1.6 Security of Various Components in the Computing Environment ...................................................................................16
1.6.1 Personnel Security ..............................................................16
1.6.2 Activity Security .................................................................17
1.6.3 Information Security ..........................................................17
1.6.4 Technology Security ...........................................................18
vii
1.6.5 Network Security ...............................................................19
1.7 Security Interdependence.................................................................19
1.8 CIA Triad ........................................................................................20
1.8.1 Confidentiality ...................................................................20
1.8.2 Integrity ..............................................................................20
1.8.3 Availability .........................................................................20
1.9 Security Goals versus Business Goals ...............................................20
1.10 The Security Star .............................................................................22
1.10.1 Authentication ....................................................................22
1.10.2 Non-Repudiation ................................................................23
1.10.3 Risk Management ..............................................................23
1.11 Parker’s View of Information Security .............................................24
1.11.1 Authenticity ........................................................................24
1.11.2 Possession Envelope ............................................................24
1.11.3 Utility .................................................................................25
1.12 What Is Information Security Management? ...................................25
1.13 Defense-In-Depth Security ..............................................................25
1.14 Security Controls .............................................................................25
1.15 The NSA Triad for Security Assessment ..........................................28
1.15.1 Assessment ..........................................................................28
1.15.2 Evaluation ..........................................................................28
1.15.3 Penetration Testing .............................................................29
1.16 Summary .........................................................................................30
1.17 Review Questions ............................................................................30
1.18 Workshops .......................................................................................31
Workshop 1 .....................................................................................31
Workshop 2 .....................................................................................31
References ..................................................................................................32
2 Introduction to Management Concepts ...............................................33
2.1 Introduction ...................................................................................34
2.2 Brief History of Management .........................................................34
2.3 Traditional Management Skills and Security Literacy .....................36
2.3.1 Computer Literacy ..............................................................36
2.3.2 Information Literacy ...........................................................37
2.3.3 Security Literacy .................................................................38
2.4 Managerial Skills .............................................................................39
2.5 Redefining Mintzberg’s Managerial Roles .......................................39
2.5.1 Redefining Interpersonal Roles ..........................................40
2.5.2 Redefining Informational Roles ..........................................41
2.5.3 Redefining Decisional Roles ...............................................41
2.6 Strategic Management Concepts ....................................................42
2.7 IS Security Management Activities .................................................46
2.7.1 Prerequisites for Information Security Management ...........47
2.7.2 Core Phases of Information Security Management .............47
2.7.2.1 Security Planning ...............................................47
2.7.2.2 Development and Revision of Security Policy ..................................................................47
2.7.2.3 Security Risk Analysis ........................................48
2.7.2.4 Security Assessment (Passive or Active) ...............48
2.7.2.5 Security Auditing ...............................................48
2.7.2.6 Security Certification and Accreditation .............48
2.7.2.7 Development of ISMS ........................................48
2.7.2.8 Intrusion Detection ............................................49
2.7.3 Recursive Continual Improvement for Security Management .......................................................................49
2.8 Do We Really Need an Independent Information Security Functional Unit? ..............................................................................49
2.9 The Information Security Management Cycle .................................51
2.9.1 Information Security Management Cycle and Management Concepts .......................................................51
2.9.2 Information Security Controls ............................................54
2.9.3 Information Security Requirements ....................................54
2.10 IS Security Management versus Functional Management ...............55
2.10.1 Strategic and Functional Levels: Security Managers ...........55
2.10.2 Operational Management Level: Security Administrators ....................................................................56
2.10.3 Roles, Responsibilities, and Qualifications for an IS Security Manager ...............................................................56
2.10.4 ISO Personality Traits for Effective IS Security Management .......................................................................58
2.10.5 The Information Security Management Team ....................59
2.10.6 ISO Self-Assessment to Deliver Effective IS Security Management .......................................................................61
2.11 Summary .........................................................................................63
2.12 Review Questions ...........................................................................64
2.13 Workshops ......................................................................................64
Workshop 1 ....................................................................................64
Workshop 2 .....................................................................................65
References ..................................................................................................65
3 The Information Security Life Cycle ....................................................67
3.1 Introduction ....................................................................................67
3.2 Security Planning in the SLC ..........................................................69
3.2.1 Asset Definition ..................................................................69