World Headquarters
Jones & Bartlett Learning
25 Mall Road, 6th Floor
Burlington, MA 01803
978-443-5000
www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to .
Copyright 2023 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Information Security Management, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious but are used for instructional purposes only.
23637-8
Production Credits
VP, Product Development: Christine Emerton
Product Manager: Ned Hinman
Content Strategist: Melissa Duffy
Content Coordinator: Mark Restuccia
Technical Editor: Chris Kinnaird
Project Manager: Jessica deMartin
Senior Project Specialist: Jennifer Risden
Digital Project Specialist: Rachel DiMaggio
Marketing Manager: Suzy Balk
Product Fulfillment Manager: Wendy Kilborn
Composition: Straive
Project Management: Straive
Cover Design: Briana Yates
Media Development Editor: Faith Brosnan
Rights Specialist: James Fortney
Cover Image (Title Page, Part Opener, Chapter Opener): Antishock/Shutterstock
Printing and Binding: McNaughton & Gunn
Library of Congress Cataloging-in-Publication Data
Names: Workman, Michael D., 1957- author.
Title: Information security management / Michael Workman.
Other titles: Information security for managers
Description: Second edition. | Burlington, Massachusetts : Jones & Bartlett
Learning, [2023] | Revised edition of: Information security for
managers. | Includes bibliographical references and index.
Identifiers: LCCN 2021006401 | ISBN 9781284211658 (paperback)
Subjects: LCSH: Business enterprises--Computer networks--Security measures.
| Computer security--Management. | Computer networks--Security measures.
| Data protection.
Classification: LCC HF5548.37 .W67 2023 | DDC 658.4/78--dc23
LC record available at https://lccn.loc.gov/2021006401
6048
Printed in the United States of America
25 24 23 22 21   10 9 8 7 6 5 4 3 2 1
To my late wife, Cathy.
Cathy taught me that love is much more than a word we said to each other and to our children. She was like the ocean she loved so much, sometimes a mystery about what lay behind those azure-green eyes of hers. She enjoyed how that riddle occupied so many of my thoughts.
And to my Dad, Harley, who was a safety-net for a tightrope walker
I walked the tightrope without a tether. I knew he would catch me if ever I fell very far. Yet perhaps the best gift he ever gave to me was that he taught me to miss him while he was still alive, knowing that eventually there would be no more safety-net for me, once he was gone.
Preface
We tend to think of our geographical locale when it comes to information and cybersecurity, but we are a mobile society. For example, I have an old unlocked phone I use when I travel abroad. I stepped off an airplane in Jamaica while on a vacation with my family, and as soon as I turned my phone on in the airport, I began receiving tourism messages one after another that carried associated fees. Before I could shut it down, I received over a dozen text messages. If the government of Jamaica can bury my phone in expensive messages, what else can be done to it? Some apps and malware have even had the ability to automatically turn mobile devices on, or prevent them from turning off. Do you have a story like this to tell?
This text will provide you with an overview of information and cybersecurity and offer a summary of security topics that are addressed in more detail in the Jones & Bartlett Learning New Information Systems Security & Assurance series. Cybersecurity is an aspect of information security. Cybersecurity deals with the electronic elements of protecting assets such as information. Information security encompasses broader threats, including theft of physical documents, perhaps left unattended on an employee's desk. In this text, we will use the term cybersecurity when we are referring to the electronic aspects and information security when discussing these other elements. We begin with some foundational materials that cover the broad spectrum of information technology management, including what the main departments such as software engineering, operations, and compliance do, and what their roles and responsibilities are. We then focus on specific aspects of information security design, development, control, and governance. Finally, we delve into advanced research and development topics such as emerging threats and what we are doing in the R&D field to try to address them. Our coverage of these topics in this edition is based on our experience with, and survey of, technology management programs, the gaps that exist, and important overlooked topics such as adaptive systems and techniques to deal with advanced and persistent threats.
Audience
This text is for those of you who have some background knowledge in networking and computer systems. We will be referring to concepts with the assumption that readers will know, for example, the basics of TCP/IP networking, what routers are, what operating systems do, and how systems interoperate. At the same time, this is an introductory book on information and cybersecurity for technology management.