Readings and Cases in Information Security: Law and Ethics
Michael E. Whitman, Herbert J. Mattord

This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. The publisher reserves the right to remove content from this title at any time if subsequent rights restrictions require it. For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for materials in your areas of interest.

Copyright 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Readings and Cases in Information Security: Law and Ethics
Michael E. Whitman, Herbert J. Mattord

Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer Ann Baker
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Associate Marketing Manager: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Senior Content Project Manager: Andrea Majot
Art Director: Jack Pendleton

© 2011 Course Technology, Cengage Learning

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706

For permission to use material from this text or product, submit all requests online at cengage.com/permissions
Further permissions questions can be e-mailed to [email protected]

Microsoft® is a registered trademark of the Microsoft Corporation.

Library of Congress Control Number: 2010927206
ISBN-13: 978-1-4354-4157-6
ISBN-10: 1-4354-4157-5

Course Technology
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region.

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit course.cengage.com
Visit our corporate website at cengage.com.
Notice to the Reader

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers. Course Technology and the Course Technology logo are registered trademarks used under license. The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

Printed in the United States of America
1 2 3 4 5 6 7 14 13 12 11 10

To Rhonda, Rachel, Alex and Meghan, thank you for your loving support
MEW

To Carola, your example continues to inspire me
HJM

Table of Contents

PART 1 PREFACE & ACKNOWLEDGMENTS ..... vii

PART 2 RUNNING CASE: STRATIFIED CUSTOM MANUFACTURING ..... 1

PART 3 PERSONNEL AND PRIVACY ..... 7
READING 3A Data Privacy: Is It Possible? ..... 9
    Dr. John H. Nugent, University of Dallas
CASE 3B Coordination between an Information Technology Department and a Human Resources Department: A Case Study and Analysis ..... 23
    Jeffrey M. Stanton, Syracuse University
CASE 3C IT Ethics and Security in an Information Security Certification Exam ..... 31
    Jeffrey P. Landry and J. Harold Pardue, University of South Alabama
READING 3D An Etymological View of Ethical Hacking ..... 57
    Michael E. Whitman, Kennesaw State University
RUNNING CASE 3E Running Case: Stratified Custom Manufacturing ..... 69

PART 4 RISK MANAGEMENT ..... 73
READING 4A Cyber Insurance and the Management of Information Security Risk ..... 75
    Tridib Bandyopadhyay, Kennesaw State University
READING 4B Rethinking Risk-based Information Security ..... 85
    Herbert J. Mattord, Kennesaw State University
CASE 4C Video Maze ..... 97
    Patricia Morrison, Cape Breton University
RUNNING CASE 4D Running Case: Stratified Custom Manufacturing ..... 111

PART 5 MANAGEMENT OF SECURITY TECHNOLOGY ..... 113
READING 5A Cryptography Algorithms Standards: Guidelines for Management ..... 115
    Wasim A. Al-Hamdani, Kentucky State University
READING 5B Cyber Terrorism: Impacts, Vulnerabilities, and U.S. Policy ..... 157
    Tridib Bandyopadhyay, Kennesaw State University
CASE 5C Advanced Topologies, Inc. ..... 175
    Michael E. Whitman and Herbert Mattord
READING 5D Web Applications: Vulnerabilities and Remediation ..... 191
    Shankar Babu Chebrolu and Vinay Bansal, Cisco Systems
READING 5E Managing Secure Database Systems ..... 203
    Li Yang, University of Tennessee at Chattanooga
RUNNING CASE 5F Running Case: Stratified Custom Manufacturing ..... 213

PART 6 INFORMATION SECURITY PROGRAM MANAGEMENT ..... 215
CASE 6A Information Security Metrics: Legal and Ethical Issues ..... 217
    Jennifer L. Bayuk, Stevens Institute of Technology
READING 6B Impact of Incomplete or Missing Information in a Security Policy ..... 231
    Wasim A. Al-Hamdani and Wendy D. Dixie, Kentucky State University
CASE 6C A Review of Information Security Management Requirements as Reflected in U.S. Federal Law ..... 245
    Jeffrey P. Landry, University of South Alabama
CASE 6D The Law in Information Security Management ..... 263
    Katherine H. Winters, University of Tennessee at Chattanooga
RUNNING CASE 6E Running Case: Stratified Custom Manufacturing ..... 275

PART 7 INFORMATION SECURITY GOVERNANCE AND REGULATORY COMPLIANCE ..... 277
READING 7A Security Compliance Auditing: Review and Research Directions ..... 279
    Guillermo A. Francia, III and Jeffrey S. Zanzig, Jacksonville State University
READING 7B Global Information Security Regulations, Case Studies, and Cultural Issues ..... 305
    Guillermo A. Francia, III, Jacksonville State University
    Andrew P. Ciganek, University of Wisconsin at Whitewater
CASE 7C Collaboration and Compliance in Health Care: A Threat Modeling Case Study ..... 327
    Divakaran Liginlal, Carnegie Mellon University at Qatar
    Lara Z. Khansa, Virginia Polytechnic Institute and State University
    Jeffrey P. Landry, University of South Alabama
RUNNING CASE 7D Running Case: Stratified Custom Manufacturing ..... 353

INDEX ..... 355

Preface

The need for information security education is self-evident. Education is one of the recognized needs to combat the threats facing information security. These readings provide students with a depth of content and analytical perspective not found in other textbooks.
The fundamental tenet of Readings & Cases in Information Security is that information security in the modern organization is a problem for management and not a problem of technology: a problem that has important economic consequences and for which management will be held accountable. It is a further observation that the subject of information security is not presently widely included in the body of knowledge presented to most students enrolled in schools of business. This is true even within areas of concentration such as technology management and IT management.

This textbook is suitable for course offerings that complement programs adopting any one of the existing Course Technology textbooks. Readings and Cases in Information Security can be used to support Principles of Information Security or Management of Information Security, providing further educational support for those texts.

Purpose and Intended Audience

This readings text provides instructors and lecturers with materials that give additional detail and depth on the management overview of information security, with emphasis on the legal and ethical issues surrounding these areas. These readings and cases can support a senior undergraduate or graduate information security class, or an information technology class that requires additional depth in the area of information security. The cases can be used to enable individual or team projects, or to support classroom discussion or writing assignments. This readings text can be used to support course delivery both for information security-driven programs targeted at information technology students and for IT management and technology management curricula aimed at business or technical management students.

Scope

Note that the title denotes support for the management of an information security program or organization. Current information security literature acknowledges the dominant need to protect information, including the protection of the systems that transport, store, and process it, whether those systems are technology or human based. The scope of the Readings and Cases text covers fundamental areas of the management of information security and the legal and ethical issues associated with these areas. The authors and many of the contributors are Certified Information Systems Security Professionals and/or Certified Information Security Managers.

Features

● Designed for use with other information security textbook offerings, this text adds current research, informed opinion, and fictional scenarios to your classroom.
● Prepare students for situations in the information security industry with articles, best practices, and cases relating to today's security issues.
● Create an interactive classroom by using the readings as discussion starters and by using the scripted questions provided in several of the cases.
● Some readings and cases have teaching guides to facilitate in-class discussion and learning from the material.

Overview of the Text

In addition to being an introduction to the text, we expect this section will also serve as a guidepost, directing teachers and students to relevant chapters and cases.