Management of Information Security by M. E. Whitman and H. J. Mattord

Chapter 1


Introduction to the Management of Information Security

Chapter Overview

The opening chapter establishes the foundation for understanding the field of information security. This is accomplished by explaining the importance of information technology and defining who is responsible for protecting an organization’s information assets. In this chapter the student will come to know and understand the definition and key characteristics of information security, and will come to recognize the characteristics that differentiate information security management from general management.

Chapter 1 Notes


Chapter 2

Planning for Security

Chapter Overview

In this chapter, the reader will come to recognize the importance of planning, learn the principal components of organizational planning, and gain an understanding of the principal components of information security system implementation planning as it functions within the organizational planning scheme.

Chapter 2 Notes


Chapter 3

Planning for Contingencies

Chapter Overview

The third chapter of the book will articulate the need for contingency planning and explore the major components of contingency planning. In this chapter, the reader will learn how to create a simple set of contingency plans using business impact analysis and prepare and execute a test of contingency plans.

Chapter 3 Notes


Chapter 4

Security Policy

Chapter Overview

In this chapter, readers will learn to define information security policy and understand its central role in a successful information security program. Research has shown that there are three major types of information security policy; the chapter explains what goes into each type as the reader learns how to develop, implement, and maintain the various types of information security policy.

Chapter 4 Notes


Chapter 5

Developing Security Programs

Chapter Overview

Chapter 5 explores the various organizational approaches to information security and explains the functional components of the information security program. Readers will learn how to plan and staff an organization’s information security program based on its size and other factors, and how to evaluate the internal and external factors that influence the activities and organization of an information security program. As the topic of organizing the information security function is expanded upon, the reader will learn how to identify and describe the typical job titles and functions performed in the information security program. The chapter concludes with an exploration of the components of a security education, training, and awareness (SETA) program and describes how organizations create and manage these programs.

Chapter 5 Notes


Chapter 6

Security Management Models and Practices

Chapter Overview

In this chapter, readers will learn the components of the dominant information security management models, including U.S. government-sanctioned models, and how to customize them for a specific organization’s needs. This knowledge is extended as readers learn how to implement the fundamental elements of key information security management practices and gain an understanding of emerging trends in the certification and accreditation of U.S. federal IT systems.

Chapter 6 Notes


Chapter 7

Risk Management: Identifying and Assessing Risk

Chapter Overview

Chapter 7 defines risk management and its role in the organization and allows the reader to begin using risk management techniques to identify and prioritize risk factors for information assets. The risk management model presented here assesses risk based on the likelihood of adverse events and their effects on information assets when those events occur. The chapter concludes with a brief discussion of how to document the results of risk identification.

Chapter 7 Notes


Chapter 8

Risk Management: Assessing and Controlling Risk

Chapter Overview

The eighth chapter of the text presents the essential risk mitigation strategy options and opens the discussion of how to control risk. This includes identifying risk control classification categories, using existing conceptual frameworks to evaluate risk controls, and formulating a cost-benefit analysis. Readers will learn how to maintain and perpetuate risk controls. As a method to contrast with the approach presented in the earlier parts of the chapter, the OCTAVE approach to managing risk is introduced.

Chapter 8 Notes


Chapter 11

Law and Ethics

Chapter Overview

Chapter 11 covers the topics of law and ethics. In this chapter readers will learn to identify the major national and international laws that relate to the practice of information security, and will come to understand the role of culture as it applies to ethics in information security.

Chapter 11 Notes
