Visit https://ebookluna.

com to download the full version and

explore more ebooks

(eBook PDF) Management of Information Security 5th

Edition

_____ Click the link below to download _____

https://ebookluna.com/product/ebook-pdf-management-of-
information-security-5th-edition/

Explore and download more ebooks at ebookluna.com

Here are some recommended products that might interest you.
You can download now and explore!

(eBook PDF) Management of Information Security 6th Edition

https://ebookluna.com/product/ebook-pdf-management-of-information-
security-6th-edition/

ebookluna.com

(eBook PDF) Principles of Information Security 5th Edition

https://ebookluna.com/product/ebook-pdf-principles-of-information-
security-5th-edition/

ebookluna.com

Management of Information Security 6th Edition Michael E.

Whitman - eBook PDF

https://ebookluna.com/download/management-of-information-security-
ebook-pdf/

ebookluna.com

Principles of Information Security 6th Edition Whitman -

eBook PDF

https://ebookluna.com/download/principles-of-information-security-
ebook-pdf/

ebookluna.com
Elementary Information Security, 3rd Edition (eBook PDF)

https://ebookluna.com/product/elementary-information-security-3rd-
edition-ebook-pdf/

ebookluna.com

(eBook PDF) Health Information: Management of a Strategic

Resource 5th Edition

https://ebookluna.com/product/ebook-pdf-health-information-management-
of-a-strategic-resource-5th-edition/

ebookluna.com

Principles of Information Security 7th Edition Michael E.

Whitman - eBook PDF

https://ebookluna.com/download/principles-of-information-security-
ebook-pdf-2/

ebookluna.com

Computer and Information Security Handbook - eBook PDF

https://ebookluna.com/download/computer-and-information-security-
handbook-ebook-pdf/

ebookluna.com

(Original PDF) Principles of Information Security 6th by

Michael E. Whitman

https://ebookluna.com/product/original-pdf-principles-of-information-
security-6th-by-michael-e-whitman/

ebookluna.com
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
vi Table of Contents

Organizational Liability and the Need for Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Key Law Enforcement Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

CHAPTER 3
Governance and Strategic Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
The Role of Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Precursors to Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating a Strategic Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning and the CISO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
The ITGI Approach to Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
NCSP Industry Framework for Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
CERT Governing for Enterprise Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
ISO/IEC 27014:2013 Governance of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Security Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Planning for Information Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Introduction to the Security Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

CHAPTER 4
Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Why Policy?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Policy, Standards, and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Integrating an Organization’s Mission and Objectives into the EISP . . . . . . . . . . . . . . . . . . . . . . . . . 146
EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Example EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Elements of the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Implementing the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
System-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Managerial Guidance SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Technical Specification SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 Table of Contents vii

Guidelines for Effective Policy Development and Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Developing Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Comprehension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Policy Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Policy Development and Implementation Using the SecSDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Automated Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Other Approaches to Information Security Policy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems . . . . . . . . . . . . 173
A Final Note on Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

CHAPTER 5
Developing the Security Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Organizing for Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Security in Large Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Security in Medium-Sized Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Security in Small Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Placing Information Security Within an Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Components of the Security Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Information Security Roles and Titles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Chief Information Security Officer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Convergence and the Rise of the True CSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Security Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Security Administrators and Analysts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Technicians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Staffers and Watchstanders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Officers and Investigators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Help Desk Personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Implementing Security Education, Training, and Awareness Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Security Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Security Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Training Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Security Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Project Management in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Projects Versus Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
PMBOK Knowledge Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Project Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
viii Table of Contents

Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

CHAPTER 6
Risk Management: Identifying and Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Introduction to Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Knowing Yourself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Knowing the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Accountability for Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Identification and Prioritization of Information Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Threat Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
The TVA Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Risk Assessment and Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Likelihood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Assessing Potential Impact on Asset Value (Consequences) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Percentage of Risk Mitigated by Current Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Risk Determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Likelihood and Consequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Documenting the Results of Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

CHAPTER 7
Risk Management: Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Introduction to Risk Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Risk Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Transference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Managing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Feasibility and Cost–Benefit Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Other Methods of Establishing Feasibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Alternatives to Feasibility Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Recommended Risk Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Qualitative and Hybrid Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Delphi Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The OCTAVE Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 Table of Contents ix

Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

FAIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
ISO 27005 Standard for InfoSec Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
NIST Risk Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Other Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Selecting the Best Risk Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

CHAPTER 8
Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Introduction to Blueprints, Frameworks, and Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Categories of Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Other Forms of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Security Architecture Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Trusted Computing Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Information Technology System Evaluation Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
The Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Academic Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Bell-LaPadula Confidentiality Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Biba Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Clark-Wilson Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Graham-Denning Access Control Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Harrison-Ruzzo-Ullman Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Brewer-Nash Model (Chinese Wall) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Other Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
The ISO 27000 Series. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
NIST Security Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Control Objectives for Information and Related Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Committee of Sponsoring Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Information Technology Infrastructure Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Information Security Governance Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

CHAPTER 9
Security Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Introduction to Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Benchmarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
x Table of Contents

Standards of Due Care/Due Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Selecting Recommended Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Limitations to Benchmarking and Recommended Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Baselining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Support for Benchmarks and Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Performance Measurement in InfoSec Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
InfoSec Performance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Building the Performance Measurement Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Specifying InfoSec Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Collecting InfoSec Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Implementing InfoSec Performance Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Reporting InfoSec Performance Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Trends in Certification and Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
NIST SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework
to Federal Information Systems: A Security Life Cycle Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

CHAPTER 10
Planning for Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Introduction to Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Fundamentals of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Components of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Contingency Planning Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Reacting to Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Recovering from Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
The Disaster Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Disaster Recovery Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Disaster Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Planning to Recover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Responding to the Disaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Simple Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Business Continuity Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Continuity Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Timing and Sequence of CP Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Business Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 Table of Contents xi

Testing Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

Final Thoughts on CP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Managing Investigations in the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Affidavits and Search Warrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Evidentiary Policy and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

CHAPTER 11
Personnel and Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Introduction to Personnel and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Staffing the Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Information Security Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Information Security Professional Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
(ISC)2 Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
ISACA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
GIAC Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
EC-Council Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
CompTIA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
ISFCE Certifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Certification Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Entering the Information Security Profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Employment Policies and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Hiring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Contracts and Employment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Security as Part of Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Termination Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Personnel Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Security of Personnel and Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Security Considerations for Temporary Employees, Consultants, and Other Workers . . . . . . . . . . . . . . 507
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

CHAPTER 12
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Introduction to Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Access Controls and Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xii Table of Contents

Managing Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Remote Access Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Wireless Networking Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Scanning and Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Managing Server-Based Systems with Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Encryption Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Using Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Managing Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

APPENDIX
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems . . . . . . . . . . . . . . . 583
ISO 17799: 2005 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
The OCTAVE Method of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Preface

As global use of the Internet continues to expand, the demand for and reliance on
Internet-based information creates an increasing expectation of access. Modern businesses
take advantage of this and have dramatically increased their Internet presence over the past
decade. This creates an increasing threat of attacks on information assets and a need for
greater numbers of professionals capable of protecting those assets.
To secure these information assets from ever-increasing threats, organizations demand
both breadth and depth of expertise from the next generation of information security prac-
titioners. These professionals are expected to have an optimal mix of skills and experiences
to secure diverse information environments. Students of technology must learn to recog-
nize the threats and vulnerabilities present in existing systems. They must also learn how
to manage the use of information assets securely and support the goals and objectives of
their organizations through effective information security governance, risk management,
and regulatory compliance.

Why This Text Was Written

The purpose of this textbook is to fulfill the need for a quality academic textbook in the dis-
cipline of information security management. While there are dozens of quality publications
on information security and assurance for the practitioner, there are fewer textbooks that

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xiii
xiv Preface

provide the student with an in-depth study of information security management. Specifically,
those in disciplines such as information systems, information technology, computer science,
criminal justice, political science, and accounting information systems must understand the
foundations of the management of information security and the development of managerial
strategy for information security. The underlying tenet of this textbook is that information
security in the modern organization is a management problem and not one that technology
alone can answer; it is a problem that has important economic consequences and one for
which management is accountable.

Approach
This book provides a managerial approach to information security and a thorough treatment
of the secure administration of information assets. It can be used to support information
security coursework for a variety of technology students, as well as for technology curricula
aimed at business students.
Certified Information Systems Security Professional, Certified Information Security Manager,
and NIST Common Bodies of Knowledge—As the authors are Certified Information Systems
Security Professionals (CISSP) and Certified Information Security Managers (CISM), these
knowledge domains have had an influence on the design of this textbook. With the influence
of the extensive library of information available from the Special Publications collection at
the National Institute of Standards and Technology (NIST, at csrc.nist.gov), the authors
have also tapped into additional government and industry standards for information security
management. Although this textbook is by no means a certification study guide, much of the
Common Bodies of Knowledge for the dominant industry certifications, especially in the area
of management of information security, have been integrated into the text.

Overview
Chapter 1—Introduction to the Management
of Information Security
The opening chapter establishes the foundation for understanding the field of information
security by explaining the importance of information technology and identifying who is
responsible for protecting an organization’s information assets. Students learn the definition
and key characteristics of information security, as well as the differences between information
security management and general management.

Chapter 2—Compliance: Law and Ethics

In this chapter, students learn about the legal and regulatory environment and its relationship
to information security. This chapter describes the major national and international laws that
affect the practice of information security, as well as the role of culture in ethics as it applies
to information security professionals.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 Visit https://ebookluna.com
now to explore a diverse
collection of ebooks available
in formats like PDF, EPUB, and
MOBI, compatible with all
devices. Don’t miss the chance
to enjoy exciting offers and
quickly download high-quality
materials in just a few simple
steps!
 Preface xv

Chapter 3—Governance and Strategic Planning for Security

This chapter explains the importance of planning and describes the principal components of
organizational planning and the role of information security governance and planning within
the organizational context.

Chapter 4—Information Security Policy

This chapter defines information security policy and describes its central role in a successful
information security program. Industry and government best practices promote three major
types of information security policy; this chapter explains what goes into each type, and
demonstrates how to develop, implement, and maintain various types of information security
policies.

Chapter 5—Developing the Security Program

Chapter 5 explores the various organizational approaches to information security and
explains the functional components of an information security program. Students learn the
complexities of planning and staffing for an organization’s information security department
based on the size of the organization and other factors, as well as how to evaluate the inter-
nal and external factors that influence the activities and organization of an information secu-
rity program. This chapter also identifies and describes the typical job titles and functions
performed in the information security program, and concludes with an exploration of the
creation and management of a security education, training, and awareness program. This
chapter also provides an overview of project management, a necessary skill in any technology
or business professional’s portfolio.

Chapter 6—Risk Management: Identifying and Assessing Risk

This chapter defines risk management and its role in the organization, and demonstrates
how to use risk management techniques to identify and prioritize risk factors for informa-
tion assets. The risk management model presented here assesses risk based on the likeli-
hood of adverse events and the effects on information assets when events occur. This
chapter concludes with a brief discussion of how to document the results of the risk iden-
tification process.

Chapter 7—Risk Management: Controlling Risk

This chapter presents essential risk mitigation strategy options and opens the discussion on
controlling risk. Students learn how to identify risk control classification categories, use exist-
ing conceptual frameworks to evaluate risk controls, and formulate a cost benefit analysis.
They also learn how to maintain and perpetuate risk controls.

Chapter 8—Security Management Models

This chapter describes the components of the dominant information security management
models, including U.S. government and internationally sanctioned models, and discusses
how to customize them for a specific organization’s needs. Students learn how to implement
the fundamental elements of key information security management practices. Models include
NIST, ISO, and a host of specialized information security research models that help students
understand confidentiality and integrity applications in modern systems.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xvi Preface

Chapter 9—Security Management Practices

This chapter describes the fundamentals and emerging trends in information security man-
agement practices and explains how these practices help organizations meet U.S. and
international compliance standards. The chapter contains an expanded section on security
performance measurement and covers concepts of certification and accreditation of IT
systems.

Chapter 10—Planning for Contingencies

This chapter describes and explores the major components of contingency planning and the
need for them in an organization. The chapter illustrates the planning and development of
contingency plans, beginning with the business impact analysis, and continues through the
implementation and testing of contingency plans.

Chapter 11—Personnel and Security

This chapter expands upon the discussion of the skills and requirements for information
security positions introduced in Chapter 5. It explores the various information security pro-
fessional certifications and identifies which skills are encompassed by each. The second half
of the chapter explores the integration of information security issues associated with person-
nel management to regulate employee behavior and prevent misuse of information, as part of
an organization’s human resources function.

Chapter 12—Protection Mechanisms

This chapter introduces students to the world of technical controls by exploring access con-
trol approaches, including authentication, authorization, and biometric access controls, as
well as firewalls and the common approaches to firewall implementation. It also covers the
technical control approaches for dial-up access, intrusion detection and prevention systems,
and cryptography.

Appendix
The appendix reproduces an essential security management self-assessment model from the
NIST library. It also includes a questionnaire from the ISO 27002 body that could be used
for organizational assessment. The appendix provides additional detail on various risk man-
agement models, including OCTAVE and the OCTAVE variants, the Microsoft Risk Manage-
ment Model, Factor Analysis of Information Risk (FAIR), ISO 27007, and NIST SP 800-30.

Features
Chapter Scenarios—Each chapter opens with a short vignette that follows the same fictional
company as it encounters various information security issues. The final part of each chapter
is a conclusion to the scenario that also offers questions to stimulate in-class discussion.
These questions give the student and the instructor an opportunity to explore the issues that
underlie the content.
View Points—An essay from an information security practitioner or academic is included in
each chapter. These sections provide a range of commentary that illustrate interesting topics
or share personal opinions, giving the student a wider, applied view on the topics in the text.
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 Preface xvii

Offline Boxes—These highlight interesting topics and detailed technical issues, allowing the
student to delve more deeply into certain topics.
Hands-On Learning—At the end of each chapter, students will find a Chapter Summary and
Review Questions as well as Exercises and Closing Case exercises, which give them the
opportunity to examine the information security arena from an experiential perspective.
Using the Exercises, students can research, analyze, and write to reinforce learning objectives
and deepen their understanding of the text. The Closing Case exercises require that students
use professional judgment, powers of observation, and elementary research to create solu-
tions for simple information security scenarios.

New to This Edition

This fifth edition of Management of Information Security tightens its focus on the managerial
aspects of information security, continues to expand the coverage of governance and compli-
ance issues, and continues to reduce the coverage of foundational and technical components.
While retaining enough foundational material to allow reinforcement of key concepts, this
edition has fewer technical examples. This edition also contains updated in-depth discussions
and Offline features, and additional coverage in key managerial areas: risk management,
information security governance, access control models, and information security program
assessment and metrics. Chapter 1 consolidates all the introductory and general IT manage-
rial material.
Each chapter now has key terms clearly delineated and defined in the preface of each
major section. This approach provides clear, concise definitions for use in instruction and
assessment.
In general, the entire text has been updated and re-organized to reflect changes in the field,
including revisions to sections on national and international laws and standards, such as the
ISO 27000 series, among others. Throughout the text, the content has been updated, with
newer and more relevant examples and discussions. A complete coverage matrix of the topics
in this edition is available to instructors to enable mapping of the previous coverage to the
new structure. Please contact your sales representative for access to the matrix.

MindTap
MindTap for Management of Information Security is an online learning solution designed to
help students master the skills they need in today’s workforce. Research shows employers
need critical thinkers, troubleshooters, and creative problem-solvers to stay relevant in our
fast-paced, technology-driven world. MindTap helps users achieve this with assignments and
activities that provide hands-on practice, real-life relevance, and mastery of difficult concepts.
Students are guided through assignments that progress from basic knowledge and under-
standing to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on exer-
cises provide real-life application and practice. Readings and “Whiteboard Shorts” support
the lecture, while “In the News” assignments encourage students to stay current. Pre- and
post-course assessments allow you to measure how much students have learned using analyt-
ics and reporting that makes it easy to see where the class stands in terms of progress,
engagement, and completion rates. Use the content and learning path as-is, or pick and

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xviii Preface

choose how the material will wrap around your own. You control what the students see and
when they see it. Learn more at www.cengage.com/mindtap/.

Instructor Resources
Free to all instructors who adopt Management of Information Security, 5e for their courses is
a complete package of instructor resources. These resources are available from the Cengage
Learning Web site, www.cengagebrain.com. Go to the product page for this book in the
online catalog and choose “Instructor Downloads.”
Resources include:
● Instructor’s Manual: This manual includes course objectives and additional informa-
tion to help your instruction.
● Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text’s test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an instant;
and deliver tests from your LMS, your classroom, or wherever you want.
● PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for each
chapter. These slides are meant to be used as a teaching aid for classroom presentations,
to be made available to students for chapter review, or to be printed for classroom dis-
tribution. Instructors are also at liberty to add their own slides.
● Figure Files: Figure files allow instructors to create their own presentations using figures
taken from the text.
● Lab Manual: Cengage Learning has produced a lab manual (Hands-On Information
Security Lab Manual, Fourth Edition) written by the authors that can be used to
provide technical experiential exercises in conjunction with this book. Contact your
Cengage Learning sales representative for more information.
● Readings and Cases: Cengage Learning also produced two texts—Readings and Cases
in the Management of Information Security (ISBN-13: 9780619216276) and Readings
& Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576)—by the
authors, which make excellent companion texts. Contact your Cengage Learning sales
representative for more information.
● Curriculum Model for Programs of Study in Information Security: In addition to the
texts authored by this team, a curriculum model for programs of study in Information
Security and Assurance is available from the Kennesaw State University Center for
Information Security Education (http://infosec.kennesaw.edu). This document provides
details on designing and implementing security coursework and curricula in academic
institutions, as well as guidance and lessons learned from the authors’ perspective.

Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge knowl-
edge from the world of academic study with practical experience from the business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in the Informa-
tion Systems Department, Coles College of Business at Kennesaw State University, Kennesaw,
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 Preface xix

Georgia, where he is also the Executive Director of the Center for Information Security Educa-
tion (infosec.kennesaw.edu), Coles College of Business. He and Herbert Mattord are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Readings &
Cases in Information Security: Law & Ethics; Guide to Firewall and VPNs; Guide to
Network Security; Roadmap to the Management of Information Security; and Hands-On
Information Security Lab Manual, all from Cengage Learning. Dr. Whitman is an active
researcher in Information Security, Fair and Responsible Use Policies, and Ethical Computing.
He currently teaches graduate and undergraduate courses in Information Security. He has
published articles in the top journals in his field, including Information Systems Research, the
Communications of the ACM, Information and Management, the Journal of International
Business Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing Machinery,
ISACA, (ISC)2, and the Association for Information Systems. Through his efforts and those
of Dr. Mattord, his institution has been recognized by the Department of Homeland Security
and the National Security Agency as a National Center of Academic Excellence in Information
Assurance Education four times, most recently in 2015. Dr. Whitman is also the Editor-in-
Chief of the Information Security Education Journal, a DLINE publication, and he continually
solicits relevant and well-written articles on InfoSec pedagogical topics for publication. Prior
to his employment at Kennesaw State, he taught at the University of Nevada Las Vegas, and
served over 13 years as an officer in the U.S. Army.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an
application developer, database administrator, project manager, and information security
practitioner in 2002. He is currently an Associate Professor of Information Security in the
Coles College of Business at Kennesaw State University. He and Michael Whitman are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Guide to
Network Security; and Hands-On Information Security Lab Manual, all from Cengage
Learning. During his career as an IT practitioner, Mattord has been an adjunct professor
at Kennesaw State University; Southern Polytechnic State University in Marietta, Georgia;
Austin Community College in Austin, Texas; and Texas State University: San Marcos. He
currently teaches undergraduate courses in Information Security. He is the Assistant Chair
of the Department of Information Systems and is also an active member of the Information
Systems Security Association and Information Systems Audit and Control Association. He
was formerly the Manager of Corporate Information Technology Security at Georgia-
Pacific Corporation, where much of the practical knowledge found in this and his earlier
textbooks was acquired.

Acknowledgments
The authors would like to thank their families for their support and understanding for the
many hours dedicated to this project—hours taken, in many cases, from family activities.
Special thanks to Carola Mattord, Ph.D., Professor of English at Kennesaw State University.
Her reviews of early drafts and suggestions for keeping the writing focused on the students
resulted in a more readable manuscript.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xx Preface

Reviewers
We are indebted to the following individuals for their contributions of perceptive feedback on
the initial proposal, the project outline, and the chapter-by-chapter reviews of the text:
● Wasim A. AlHamdani, Ph.D., IACR, IEEE, ACM, CSAB (ABET Eva.), Professor of
Cryptography and InfoSec, College of Business and Computer Sciences, Kentucky State
University, Frankfort, KY
● James W. Rust, MSIS, MCSE: Security, MCSA: Security, MCDBA, MCP, CompTIA,
CTT+, Project+, Security+, Network+, A+, Implementation Engineer, Buford, GA
● Paul D. Witman, Ph.D., Associate Professor, Information Technology Management,
California Lutheran University, School of Management, Thousand Oaks, CA

Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage Learning. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Pashoukos, Senior Content Developer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Associate Product Manager
Brooke Baker, Senior Content Project Manager
In addition, several professional and commercial organizations and individuals have aided
the development of this textbook by providing information and inspiration, and the authors
wish to acknowledge their contributions:
Charles Cresson Wood
NetIQ Corporation
The View Point authors:
● Henry Bonin
● Lee Imrey
● Robert Hayes and Kathleen Kotwicka
● David Lineman
● Paul D. Witman & Scott Mackelprang
● George V. Hulme
● Tim Callahan
● Mark Reardon
● Martin Lee
● Karen Scarfone
● Alison Gunnels
● Todd E. Tucker
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 Preface xxi

Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be
pleased and honored to receive feedback on the textbook and its supporting materials. You
can contact us through Cengage Learning at [email protected].

Foreword
By David Rowan, Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are inter-
ested in a career in Information Security or have actually embarked on one. I am thanking
you because we—and by we I mean all of us—need your help.
You and I live in a world completely enabled, supported by, and allowed by technology.
In almost all practical respects, the things you and I take for granted are created by our
technology. There is technology we see and directly interact with, and technology we
don’t see or are only peripherally aware of. For example, the temperature of my home is
monitored and maintained based on a smart thermostat’s perception of my daily habits
and preferences. I could check it via the app or wait for an alert via text message, but I
don’t—I just assume all is well, confident that I will be informed if something goes amiss.
Besides, I am more interested in reading my personal news feed….
With respect to technology, we occupy two worlds, one of intent and realized actions and
another of services that simply seem to occur on their own. Both these worlds are necessary,
desirable, growing, and evolving. Also, both these worlds are profoundly underpinned by one
thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust that our
purchases are recorded accurately, we trust that our streaming services will have enough
bandwidth, we trust that our stock trades and bank transactions are secure, we trust that
our cars will run safely, and I trust that my home will be at the right temperature when I
walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact that we
can delegate tasks, share infrastructure, exchange ideas and information, and buy goods
and services almost seamlessly benefits us all. It is good ground worth defending. How-
ever, the inevitable and unfortunate fact is that some among us prey upon our trust; they
will work tirelessly to disrupt, divert, or destroy our intents, actions, comfort, well-being,
information, and whatever else our technology and the free flow of information offers.
The motives of these actors matter, but regardless of why they threaten what technology
gives us, the actions we take to safeguard it is up to us. That’s why I am glad you are
reading this. We need guardians of the trust we place in technology and the information
flow it enables.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
xxii Preface

I have been in the financial industry for 35 years, and have spent the latter half of it focused
on information security and the related fields of fraud management, business continuity,
physical security, and legal and regulatory compliance. I have seen the evolution of technol-
ogy risk management from a necessary back-office function to a board-level imperative with
global implications. The bound interrelationships among commerce, infrastructure, basic util-
ities, safety, and even culture exist to the extent that providing security is now dominantly a
matter of strategy and management, and less a matter of the tools or technology de jure.
There’s an old saying that it’s not the tools that make a good cabinet, but the skill of the car-
penter. Our tools will change and evolve; it’s how we use them that really matter.
This fifth edition of Management of Information Security is a foundational source that embo-
dies the current best thinking on how to plan, govern, implement, and manage an informa-
tion security program. It is holistic and comprehensive, and provides a path to consider all
aspects of information security and to integrate security into the fabric of the things we
depend on and use. It provides specific guidance on strategy, policy development, risk identi-
fication, personal management, organization, and legal matters, and places them in the con-
text of a broader ecosystem. Strategy and management are not merely aspects of information
security; they are its essence—and this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our world of
modern conveniences. I hope you will become a part of this community.
—Atlanta, Georgia, February 2016

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
 chapter 1

Introduction to the Management

of Information Security

Management is, above all, a practice where art, science, and craft meet.
—HENRY MINTZBERG
One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu
left her office early one afternoon to attend a meeting of the local chapter of the Information
Systems Security Association (ISSA). She had recently been promoted from her previous
assignment at RWW as an information security risk manager to become the first chief infor-
mation security officer (CISO) to be named at RWW.
This occasion marked Iris’s first ISSA meeting. With a mountain of pressing matters on her clut-
tered desk, Iris wasn’t exactly certain why she was making it a priority to attend this meeting. She
sighed. Since her early morning wake-up, she had spent many hours in business meetings, fol-
lowed by long hours at her desk working toward defining her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from the company she used to
work for, Sequential Label and Supply (SLS). Charlie had been promoted to chief information
officer (CIO) of SLS almost a year ago.
“Hi, Charlie,” she said.
“Hello, Iris,” Charlie said, shaking her hand. “Congratulations on your promotion. How are
things going in your new position?”
“So far,” she replied, “things are going well—I think.”

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203 1
Other documents randomly have
different content
 "Well, Mary, is Master Fred in?" his face grew suddenly glad, and,
sitting up on the sofa, he turned his head eagerly towards the door.

Mary's reply was inaudible to him, as she said,—

"Oh, Miss Carter, I'm so glad you've come. Master Fred's all alone out
in the back parlor, and he's sad enough, poor boy!"

Then he heard Bess speak again: "Please take my cloak, Mary, it is so

wet; and ask him if I may go right in there."

"Oh, do come quick, Miss Bessie!" he called out. "I'm so glad you have
come." And as he heard the door open, and the light, quick steps advancing
towards him, he stood up and put out both hands to greet his guest, with no
trace of his old fretful look.

With a hasty glance Bess noted the helplessness that prevented his
meeting her at the door, but she only said, as she kissed him,—

"Well, Fred, I am so glad to have you back within reach once more."

"You have missed me, then?" asked the child anxiously, as she drew him
to the sofa and seated herself by his side.

"Missed you, you silly boy! What a question! Of course I have. 'We
boys,' as Rob says, have been longing for you to be back again. I have felt
quite lost without you."

"How is Rob,—and all the other boys?" inquired Fred, relieved that
Bess seemed so unconscious of his condition.

"Well, all of them. Rob is coming down as soon as you feel like seeing
him. I see more of him than I do of any of the others. Phil runs in once in a
while, but he is so busy all the time. Teddy was at the house one day last
week, the same dear, slangy boy as ever. But tell me, am I not crazy to
come down such a day?"

"It's a kind of crazy I like," said Fred. "You were awfully good to come,
and I've been alone here ever so long."
 "So much the better," said Bess, mentally abusing the mother who could
leave her boy under such circumstances; "we can have a real good, old-
fashioned visit, and when you get tired of me, you may send me off."

Fred's hand moved about in search of hers, as he asked,—

"How did you know I'd come?"

"Rob told me last night."

"Did he tell you"—

Fred could go no farther. Bess pulled the appealing little face over
against her shoulder, and gently smoothed his hair, as she answered, using
all her self-control to speak quietly,—

"Yes, dear, he did. I can't tell you how sorry we all felt for our boy. That
doesn't make it any easier to bear, I know; but perhaps in time we can help
you a little."

For the first time since his learning the sad truth, the boy broke down.
He had listened to the words of the oculist without a tear, too much stunned
even to speak, and he had met his father and mother with perfect quiet. But
the few gentle, loving words had broken his firm resolve not to be a baby;
and the tears gathered fast and fell, as he sat with his head on Bessie's
shoulder, her arm about his quivering little body.

"Oh, don't tell the boys!" he sobbed at last. "Don't tell them I cried. I
didn't mean to; but it's all so dreadful, here in the dark."

The tears stood in the girl's eyes as she answered,—

"My dear little boy, we all know how terrible it must be; but I won't tell
the boys if you say so. Just cry it all out; you have tried to be too brave. Rob
almost cried for you last night."

The sobs came less often, but the look of sadness on the boyish face
made Bessie's heart ache for the child, but she said cheerfully,—
 "Now, my son, I am going to take my old place as nurse to-day. You
aren't very strong yet, and I want you to lie down again here on the sofa,
and if you can spare a little of this lunch—I don't approve of candy between
meals, you know—I'll move the table away, pull up this low chair, and tell
you all the news."

Suiting the action to the word, Bess tucked the afghan round Fred's feet,
drew a willow chair up to the place of the despised table, and sat down
close to the child, who once more reached out for her hand.

For an hour she sat there chatting to the boy, telling him of the scrapes
his friends had been in, of the pranks they had played, until she began to see
traces of the old merry Fred, as the look of sorrow gave place to a smile,
and then to a hearty laugh, while she described Rob's recent attempts to
climb a picket fence too hastily, and his being caught by his shoe and hung
head downward, from which position he was ignominiously rescued by a
passing Irishman.

In the mean time, Bess was glad that her little friend could not see her
expression, as she sat looking at the worn, sad face, and the great vacant
eyes, that used to have such bright mischief dancing in them. But she forced
herself to talk on, as easily as she could, more than rewarded by the
pleasure in Fred's face, and his tight grip of her hand.

At length a step was heard on the stairs, and Mrs. Allen, daintily dressed
and looking provokingly fresh and unruffled, Bess thought, came into the
room.

"Why, Bessie, when did you come? How stupid of Mary not to tell me
you were here!"

"I told her I came to see Fred, and not to disturb you," said Bess, as Mrs.
Allen swept to the sofa and bent over her son.

"I am quite jealous of Fred, for you have hardly been here all the time
he was away," she said. "But he needs you now badly enough, poor boy!"
putting a delicately embroidered handkerchief to her eyes. "Isn't it hard to
see him in this condition?"
 Again the burning flush rolled up to Fred's hair, and the hand that was
tightly clasping Bessie's grew suddenly cold. Bess gently kissed him before
she answered,—

"You ought to know of my sympathy for Fred, Mrs. Allen. No words

can express it. But I am glad to have him here again. We were having such a
good talk, just like old times."

With an air of relief, Mrs. Allen took the hint, and left them alone again.
When she was gone, the boy settled back on his pillow, saying gratefully,—

"It is awfully nice to have you here. Tell some more about the fellows."

So Bess talked on, racking her brains for any bright, funny bit of gossip
that could rouse the lad from his depression, and give him something to
think of during the many sad, lonely hours that she saw were in store for
him. But the dreamy chime of the cathedral clock on the mantel, as it struck
four, reminded her of her promise to see Rob after school, and she rose to
go, saying brightly,—

"Now, my boy, I have worn you all out with such a long visit, for a first
one. I must go now, for Rob is coming up after school, and I must be at
home in time to see him. I hope I sha'n't drown on the way," she added, as a
fresh gust of wind brought a flurry of rain against the windows.

"I wish you needn't go," said the child. "It has been so jolly to see you
again. You haven't been here but a few minutes."

"An hour and a half, exactly," answered Bess, "but I'm coming again
real soon."

In the early twilight of the stormy day, the room was growing dark. As
Bess stooped to say good-by to the boy, she was surprised to feel the hot
tears on his cheeks. Sitting down on the edge of the sofa, she drew his head
over into her lap, and stroked his face in silence, for she felt no words could
comfort the little lad.
 "If you only needn't go," he said. "It all seems so much easier when you
are here. Miss Bessie, I can't stand it! What shall I do?"

"Fred, I know it is hard, so very hard. I wish I could stay with you
always, if you want me. But I will truly come again in a day or two. We are
all so sorry for you, and long to help you." Then she asked, "May Rob come
some day to see you? He is such a good little nurse."

Fred shook his head.

"Not yet," said he. "I'd rather not have the boys round just yet. But I
mustn't keep you. Good-by." And, getting up, he moved a few steps towards
the door.

"Don't be in too much of a hurry, my dear," said Bess. "I must ring for
Mary to bring my cloak. Don't try to come to the door, you will only tire
yourself for nothing." And, putting him back on the sofa with a gentle force,
she kissed him and was gone.

Later, when Bess, her parents, and Rob, who had been prevailed upon to
stay, sat at their dinner-table, the young lady, after silently pondering some
question in her own mind, suddenly announced with considerable energy,—

"I think Mrs. Allen is the most selfish woman I ever saw!"

Mrs. Carter, in her surprise at the outburst, dropped the biscuit that she
was feeding to Fuzz, under cover of the tablecloth; for it was the rule of the
family, agreed to by each, and broken by all, that Fuzz should not be fed at
meal-times. The biscuit was at once appropriated by the dog, who trotted
off to a corner with it in his mouth, and there proceeded to devour it, with
sundry growls at the shaggy collie who gazed with longing eyes on the
tempting morsel.

"Bess, my daughter," began Mrs. Carter, "don't be too severe. She may
not be very strong."

"Strong, mother! How much strength does it take to entertain one's son
who is ill? She'd better give up a few dinners and theatres. The idea of her
leaving Fred alone all the afternoon. Rob, the next time you come up here,
when you are tired and cross and headache-y, I am going to take a nap, so
there!"

CHAPTER III.

THE BEGINNING OF THE FIGHT.

True to her promise, Bess did go often to see her boy. For several weeks
it was her habit to spend a part of every afternoon with him; and the lad's
evident pleasure at her coming made her feel richly rewarded for the time
she gave up to him. He at once recognized her step in the hall, and she
always found him sitting up on the sofa, eagerly waiting for her to come to
him.

Mrs. Allen rarely appeared, and the two had the room to themselves,
while Bess either read aloud, or talked to Fred as she sewed on some bit of
work she had brought with her. To her mother she confessed that after her
usual call her mind was a blank, for she tried so hard to think of some
bright, interesting conversation for the lonely, sad boy. Her patient was not
an easy one to manage, for though Fred rarely complained, during the long
hours he was alone he brooded over his trouble until it seemed even harder
than before, and the old days of school and games were like dreams of
another and a happier world. His father was at his office all day, and his
mother, absorbed in her social life, had little time to give to her son; and
both of them regarded the boy as well cared for if he were only supplied
with all sorts of dainties, and had the most comfortable sofa and chair given
up to him.

Sometimes Bess found the child so disconsolate that she knew not how
to comfort him; sometimes he was moody, and slow to respond to her
efforts to be entertaining, but before she left him, her womanly tact had
smoothed away the frown, and forced him to laugh in spite of himself. And
in the worst of his moods he was never cross to her, but always seemed
grateful to her for her coming.

"If you only needn't go home at all!" he said to her one day. "It's lots
more fun when you are here, Miss Bess. The rest of the time I just lie here
and think till I get cross, and everything seems awful."

"Why do you 'just lie here and think,' then?" asked Bess, feeling that
here was a chance to make a good suggestion. "You are strong enough now
to go to drive every pleasant day. Why don't you?"

"I don't know; I don't want to," said Fred, as the quick color came to his
cheeks, that were beginning to have a more healthy look.

Bess was expecting that reply, for several times before now she had
tried to coax the boy into going out. But he had been ill and by himself for
so long, and had dwelt so continually on himself, that he had become very
sensitive about his blindness, a state of mind not at all improved by his
mother's tactless attempts at consolation. With Bess he could and did talk
freely, but with no one else, and he shrank from meeting any one who
called, and obstinately refused to see his boy friends, although Bess urged
him to let them come.

It was such an unnatural life for the boy, who, save in the one respect,
was rapidly returning to his old strength. Once let him break over this
sensitive reserve, and persuade himself to go out and enjoy the boys, and
Bess was sure that his life would be easier to bear.

To-day they were in their usual place by the fire. Bess was sewing, and
Fred was by her side, playing with the long loops of ribbon that hung from
her belt. Suddenly the girl rose and went to the window.

"Where are you going, Miss Bess?"

"I am going to run away from you, you obstinate boy. I want to see your
mother a minute. I'll come back, so don't you worry."
 For Bess had determined on a bold stroke. The air inside the room was
warm and heavy with the fragrance of roses. Outside, all was bright and
bracing, for an inch or two of snow had fallen the night before, and the air
after the storm was clear and sweet. Across the street, two rosy-cheeked
urchins were having a grand snowball fight, and Bess only wished that she
and Fred could join them. She heard their shouts of laughter as a
particularly large snowball struck one of them, just as he was stooping for
more ammunition, and half the snow was scattered down his neck.

The next moment she had tapped at Mrs. Allen's door.

"Come in," said a languid voice, and in she went.

Mrs. Allen, in a light wrapper, lay on a sofa, while Mary was kneeling
by her side, industriously polishing the nails of her mistress.

"Mrs. Allen," said Bess abruptly, "may Fred and I have the coupé this
afternoon?"

"Does he want to go out for a drive at last?" asked his mother.

"No, he doesn't," replied Bess, "but I want to have him go, and I think
that if the carriage were all at the door, I could get him started. May I try?"

"Of course you can have the carriage, Bessie; (a little more on the
thumb, Mary) but why do you tease him, if he doesn't want to go? It won't
be any pleasure to him, and if he is more comfortable at home, why not let
him do as he likes?"

Bess dropped into a chair, and wrinkled her brows with exasperation.

"Why, don't you see, Mrs. Allen," she said, "the boy can't spend all his
life in that one room. He must go out of it sometime, and the longer he
waits the harder it will be for him. He ought to have been out weeks ago,
for he needs the fresh air, and he is getting just blue and morbid from
staying alone in the house all this time."
 "Perhaps you are right (now the other hand, Mary). Of course you can
have James and the coupé, if you will order what you want. It will be
pleasanter for you, if not for Fred."

Bess felt her color come. She had not expected much from Mrs. Allen,
but this was too unkind,—to think that she was speaking two words for
herself and one for Fred! But Mrs. Allen was not fine enough to see how
her remark had cut, and Bess resolved to bear anything for the sake of her
boy; so she thanked his mother, a little coldly, perhaps, and then departed to
the kitchen, where she asked the coachman to bring the coupé to the door as
soon as he could, and requested the plump, ruddy cook, the family tyrant, to
get her Fred's coat and hat.

The good woman's face brightened perceptibly.

"An' is it goin' out he is? Bless the poor dear b'y; it's a long, long time
since he's had a hat on his head, and it's I as am glad to be gettin' it for you.
The air'll do him good, sure!"

Bess thanked the woman warmly as she took the wraps, for she noted
the difference in tone between the mother and the servant. Then she
returned to the parlor, where she dropped Fred's heavy coat and hat on a
chair, and went back to her old place by the fire.

"Seems to me you've been gone a good while," said the boy, as Bess sat
down on the sofa, and pulled his head, pillow and all, into her lap.

"I just wanted you to find out how charming my society is," she said
playfully, as she twisted his scalp-lock till it stood wildly erect.

"As if I didn't know anyway," responded Fred. "But what are you trying
to do to me?"

"Only beautifying you a little, sonny," said Bess, with one eye on the
window.

In a few moments she saw the carriage drive up to the door and stop.
She took the boy's hand firmly in her own, and said very quietly, from her
position of vantage,—

"Now, Fred, I have a favor to ask of you; it is something I want so very

much. Will you do it for me?"

"What is it?" asked the boy suspiciously.

"The coupé is all ready at the door, and I have brought in your coat and
hat. It is such a lovely day, I want you to come for a drive. Will you?"

"No, I won't," said the boy, turning his face away from her, and putting
his hand over his eyes.

"Listen, Fred," said Bess firmly; "I know just how you feel about this,
but is it quite right to give up to it? You have all your life before you, and
you can't lie on this sofa all your days. I have waited until you were
stronger, hoping you would feel like starting out; but the longer you are
here, the harder it will be! You will have to go sometime; why not to-day?"

"What's the use?" asked the boy sadly. "I sha'n't get any good of going. I
don't see why I'm not as well off here."

"It is a beautiful day after the snow, and the air is so fresh it will do you
good. You need some kind of a change. We will only go a little way, if you
say so. Come, Fred." And she waited.

She saw the boy shut his lips tight together, and two great tears rolled
out from under his hand. Then he said slowly,—

"I'll go, Miss Bessie."

"That's my dear, brave boy," said Bess, as she went to get their wraps.
She helped Fred into his hat and coat, quickly put on her own, and, drawing
his hand through her arm, led him to the door, talking easily all the time to
keep up the lad's courage.

Just as they came out of the house, Rob and Phil chanced to be passing.
Turning, as they heard the door open and close, they saw Bess helping their
friend to the carriage, waved their hats to her, and started to run back to
greet Fred. But Bess motioned to them to keep away, for she felt that her
charge was in no condition now to meet these strong, lively friends, just as
he was forced to realize anew his own helplessness. So the lads stood sadly
by, looking on while their unconscious friend slowly and awkwardly
climbed into the carriage. Bess followed, and, with a wave of her hand to
the watching boys, they drove away.

"That isn't much like Fred," said Phil, as he turned away with a serious
look on his jolly, freckled face. "Just think of the way he used to skate, and
play baseball and hare and hounds! It must be awful for him. But isn't it
funny he won't let us go to see him?"

"I don't know," replied Rob, meditatively patting a snowball into shape;
"I guess if I were like what Fred is, I shouldn't want the boys round, for
'twould just make me think all the time of the things I couldn't do. Cousin
Bess is awfully good to him; she's down here ever so much."

"I know it. Wonder if anything happened to me, she'd take me up," said
Phil, half enviously. "I just wish she was my cousin, Bob. Why, she's as
good as a boy, any day!"

In the mean-time, Fred's first care had been to draw down the curtains
on his side of the carriage, and then he shrank into the corner, answering as
briefly as possible to Bessie's careful suggestions for his comfort. But her
endless good-humor and fun were never to be long resisted, and he was
soon talking away as rapidly as ever, while the change and the motion and
the cool crisp air brought a glow to his cheeks that made him look like the
Fred of former days. After driving for nearly an hour, the carriage stopped.

"Are we home?" asked Fred, starting to rise.

"At mine, not yours. Mother was going out to tea, to-night, and you
have been such a good boy that, as a reward of merit, I am going back to
dinner with you; only I must stop and tell mother, and send word to Rob to
come down after me. Shall I come?" And Bess paused with a smile, waiting
to see the effect of her new plan.
 "Oh, yes, do come!" said Fred eagerly. "And tell Bob not to come for
you too early."

"What fun we'll have," he continued, when Bess had come back from
the house and they were driving away, regardless of the wails of Fuzz, who
surveyed them from a front window. "We'll play—how I wish I ever could
play games any more!" And his face grew dark again.

"You can, ever so many. But will you go home, or shall we drive a little
longer?"

"Home, please: that is, if you are willing, Miss Bessie."

"Fred, do you think me a dragon?" asked Bess, soberly. "Now tell me

truly, are you sorry you came out to-day? Even if you are a little tired, won't
the old sofa feel all the better for the change?" And while she waited for his
reply, she looked with pleasure at the clear, bright color that the wind had
brought into his cheeks.

"No, I don't know as I'm sorry, as long as you came too. But it's no fun
driving alone, and mother's too busy to go with me."

There was a pause, and then he suddenly asked,—

"Miss Bess, what makes you so good to me?"

"Good, to have a pleasant drive with my boy. I didn't suppose that

showed any great virtue. But," added Bess more seriously, "I want to teach
my boy to make the very best of his life. You have one hard, hard sorrow to
bear, dear; but you have ever so many pleasant things to enjoy, if you only
think of it: your home," here Bessie caught her breath, as a vision of Mrs.
Allen crossed her mind, then went on calmly, "all your friends, who care so
much for you; and then there are so many things you can do, as you get a
little more used to yourself. But this is enough sermon now, for here you are
at home. Just take my arm." And she led the boy into the house and up to
the fire.
 Mr. and Mrs. Allen dined out that night, and Fred and Bess had the
house to themselves. Fred was so roused by the little change, and Bess so
pleased at her own success, that their dinner was a merry one. Fred insisted
that it should be served on a small table by their favorite fire, instead of in
the imposing dining-room, and Mary, rejoiced at anything that could bring
Master Fred out of his languid indifference, was only too glad to make the
change, however much work it might involve for herself.

The boy was in fine spirits, in his delight at having Bess stay to dinner,
all to himself, and the two told stories and asked conundrums till the room
fairly rang with their mirth. At dinner, Bess sent Mary away and waited on
the boy herself, giving him the needed help in such a matter-of-course
fashion that he forgot to feel sensitive about it until long after his guest had
gone.

After dinner, when the table was cleared away, and Fred's sofa moved
again to the fire, they both settled themselves on it for a quiet chat. The fire
shone out on a pretty picture. Bess, in her dark red gown, sat leaning
luxuriously against the dull blue cushions of the oak sofa, while Fred was
close by her side, with his hand through her arm, his head on her shoulder,
listening with a laughing face to his friend's account of some college frolics.
There was no light in the room but the steady glow from the grate, that
plainly showed their faces, but for the moment kindly hid the sad, blank
look in Fred's once beautiful eyes, and only gave them a dreamy, thoughtful
expression, as from time to time he turned his face up to Bess.

In the midst of their conversation, the bell rang, and the next moment
Mary, privately instructed by Bess, without word of warning ushered Rob
into the room. For a minute he stood, hesitating whether to speak to Fred or
not, but Bess quickly came to the rescue.

"Why, Rob, here so soon? Come up to the fire; there's ever so much
room here on the sofa."

And Fred's voice added,—

"Hullo, Bob!" as he hospitably made room for his guest.

 There was another pause as Rob seated himself, for neither boy knew
just what to say. Fred had straightened himself up, and was twirling his
thumbs, while Rob crossed his feet and uncrossed them again, as he
methodically folded up his soft felt hat into a neat bundle.

As both boys declined to break the silence, Bess again took the lead.

"Is it cold to-night?" she asked Rob.

"Yes it's freezing fast, and 'twill be fine skating to-morrow. All us boys
are planning to go"—And Rob came to a sudden halt, as the idea dawned
on him that such subjects were not interesting to Fred, who asked abruptly,
—

"How's Phil?"

"He's well," replied Rob laconically, determined to make no mistake this

time.

"What's Bert Walsh doing with himself?"

"Football, of course." And both the boys laughed, for Bert's chronic
devotion to the game was the joke of all his friends.

But the next moment Bess felt Fred's head come over against her
shoulder. Rob watched him pityingly, not daring to speak his sympathy,
though he read his friend's thought.

"We've been reading 'Story of a Bad Boy,' this afternoon," said Bess,
trying once more to start the boys. Rob caught eagerly at the bait.

"Isn't it fine! That Fourth of July scrape just suits me."

And the boys were all animated as they discussed the details of the
story. Bess sat and watched them, occasionally putting in a word or two,
and soon all constraint had vanished, as the talk ran on from subject to
subject, and the long year of separation was a thing of the past.
 Rob, mindful of what Bess had told him about Fred's sensitive reserve,
tried to seem perfectly unconscious of the change in his boy friend, but he
looked anxious and troubled, between his sympathy for Fred, and his desire
to say just the right thing. But when Bess rose to go, and Fred was slowly
following her to the door, Rob could stand it no longer,

"Say, Fred, I'm awfully sorry for you!" he blurted out.

Contrary to his expectations, the simple, boyish pity went right to Fred's
heart, and did it a world of good, but he only said,—

"It isn't much fun, Bob, I tell you. But won't you come down again some
day? I wish you would."

And Bess went home, well pleased with her day's work.

CHAPTER IV.

THE OTHER BOYS.

Bess was in her element.

"Cousin Bess," Rob had said that morning, "may some of us boys come
up to-night, or will we be in the way?"

"Not a bit of it!" replied Bess heartily; "I wish you would. Who are
coming?"

"Oh, just the regular crowd, Ted and Phil and Bert and Sam. The boys
wanted me to ask if we might, for fear you'd be out, or busy, or something."

That afternoon the first flakes of a snowstorm were falling, as Bess

started to make her usual pilgrimage to Fred, and by evening it lay over all
things soft and white.

"I am afraid your boys won't come," said Mrs. Carter, as they sat
lingering over their dinner. "It is too bad, when you are all ready for your
candy-pull."

"Don't you worry," predicted Bess, as she slyly dropped a morsel in

front of the nose of Fuzz, who for once lay asleep. "It will take more than
this snow to keep those boys away, unless Teddy has one of his colds and
can't come. I wish Fred could have been here."

"Why didn't you have him?" asked her mother.

"Have him!" echoed Bess. "It is easy to say 'have him,' but except for
half a dozen drives, he has refused to go out at all; and he won't see any of
the boys but Rob. Poor Rob tries to be very devoted, but I dimly suspect
Fred is occasionally rather cross."

"Who could blame him?" said Mrs. Carter.

"Rob takes it very meekly," Bess went on, as she slowly peeled an
orange. "Fred never shows that side to me, but I think it is there. But it is
really scandalous the way Mrs. Allen goes on. Fred is left to himself the
whole time, just when he needs so much help physically, mentally, and
morally."

"I wish you could have him all the time, Bess," said her mother. "You
are good for him, and he enjoys you."

"Let's adopt him, mother! He's splendid material to work on, and I
would take him in a minute if I could. Think of me with an adopted son!"
And Bess drew herself up with an air of majesty as she began to devour her
orange. Suddenly she laughed.

"I was so amused the other day, Saturday it was, when I went down to
Fred's in the afternoon. I was later than usual, and Rob happened to be there
ahead of me. You know I always go right in without stopping to ring, and
that day, as I went, I heard loud voices in the back parlor. I went in there,
and found that the boys had evidently been having a quarrel, for Fred had
turned his back to Rob, and was decidedly red in the face; while Rob sat
there, the picture of discomfort, his face pale, but his eyes fairly snapping.
He departed as soon as I went in, and neither boy would tell me what was
the trouble. Fred said he didn't feel well, and didn't want to see Rob,
anyway. I offered to go away too, but he wouldn't allow that."

"What did Rob say for himself?" asked Mrs. Carter.

"He said he supposed Fred was angry at something he had said in fun.
He was quite distressed over it, and offered to apologize, but I advised him
to just wait a few days till Fred recovered from his tempers."

"Much the best way," assented Mrs. Carter. "Fred mustn't grow
tyrannical. Here come the boys."

It was a needless remark, for at that moment there was heard a sudden
chattering of young voices, the sound of ten feet leaping up the steps, and
the laughter and stamping as the boys shook off the snow. Fuzz darted to
the door, barking madly, while an echo from without took up his voice and
multiplied it fivefold. Bess picked up the wriggling little creature, who was
carried off by Mrs. Carter; then she admitted her young guests, who came in
all talking at once.

"Such a deep snow!"

"Five or six inches, at least!"

"I tell you, that fire looks dandy!"

"Phil fell down just below Bob's gate."

"Good evening, Miss Bessie. So jolly of you to let us come!"

"I am ever so glad to have you care to come, boys. But come right in to
the fire and dry those wet feet. Phil, I am glad to see you wore rubber
boots."
 "They're all full of snow where I fell down," answered Phil, as he
struggled to pull them off. "Here, Bob, help a fellow, will you?"

And the boots came off with a jerk, while a shower of half-melted snow
proved the truth of his statement.

As the lads drew their chairs to the fire and prepared to toast their toes,
a moment must be given up to glancing at them, as they sit recounting to
their hostess their varied experiences in the storm.

At her left hand sat Phil Cameron, a short, slight, delicate-looking boy
of thirteen, whose gray eyes, large mouth, pug nose, and freckled face
laughed from morning till night. Everybody liked Phil, and Phil liked
everybody in return. His invariable good temper, and a certain headlong
fashion he had of going into the interest of the moment, made him a favorite
with the boys; while his elders admired him for his charming manners and
his wonderful soprano voice, for he and Rob had the best voices in the little
village choir. Though not overwhelmed with too much conscience, Phil was
a thoroughly good boy, and one that his teachers and older friends petted
without knowing exactly why they did so.

Beyond him sat his great friend and boon companion in all their athletic
games, Bert Walsh, the doctor's son, a lad whose poet's face, with its great,
liquid brown eyes, and whose slow, deliberate speech, gave no indication of
the force of character that lay below. Like Phil, he was fond of all out-of-
door sports, but, unlike him, he was fond of books as well. A strong
character, emphatic in its likes and dislikes, Bert's finest trait was his high
sense of honor, that was evident in his every act.

On the other side of Bess was the minister's son, Teddy Preston, the
oldest of eight children, a frank, healthy, happy boy, good and bad by turns,
but irresistible even in his naughtiness. Brought up in a home where books
and magazines were always at hand, though knees and toes might be a little
shabby, Ted had contrived to pick up a vast amount of information about the
world at large; and, added to that, he had the happy faculty of telling all he
knew. With an easy assurance he slipped along through life, never
embarrassed, and taking occasional well-merited snubs so good-naturedly
that his friends might have regretted giving them had they not known only
too well that they slid off from his mind like the fabled water from a duck's
back. A year younger than Phil, his yellow head towered far above him, and
he outgrew his coats and trousers in a manner entirely incompatible with
the relative sizes of the family circle to be clothed, and of the paternal
salary. But Ted never minded that. He carried off his shabby clothes as
easily as Bert did his perfectly fitting suits, and seemed in no way
concerned about the difference.

A year older than any of the other lads was Sam Boeminghausen, a
short, sturdy boy, a real German, blond, phlegmatic, and good-humored.
But his light blue eyes had a look of determination that suggested that the
day might come when Sam would be something or somebody. His father
had recently made a large fortune in Western cattle-ranching, and, as yet,
the family had not entirely adapted themselves to their new surroundings.
Sam's grammar was erratic, and his expensive garments had the look of
being made for another and a larger boy. But time would change that, and
under the careless speech and rough manners Bess could see the
possibilities of a glorious manhood.

On the floor at Bessie's feet sat our old friend Rob, poking the fire with
the tongs. The light fell on his fine, soft, brown hair, delicate skin, and
great, laughing dark eyes. Rob was the descendant of a long line of refined
ancestors, a real little gentleman, and he showed it from the perfect nails on
his small slim hands, brown as berries though they were, to the easy
position in which he now sat, with one foot curled under him. A gentle, shy
boy, affectionate and easily managed, he was an inveterate tease, and full of
a quiet fun that sparkled in his eyes and laughed in his dimples.

But while we have been gazing at the five lads, all so different from one
another, there was a sudden burst of applause as Bess rose, saying,—

"Now, boys, if you are all dry, I am going to invite my company out into
the kitchen. What do you say to making molasses candy and popcorn balls?
It is just the night for it."

"That's just dandy!" exclaimed Ted, springing up with a force that sent
his chair rolling back some inches.
 "Ted, if you talk slang I sha'n't give you any to eat," said Bess
laughingly. "But come, boys." And she led the way into the large kitchen,
where her mother soon followed them with five large gingham aprons in
which she proceeded to envelop the lads, in spite of their derisive
comments.

"I am not going to have you spoil your clothes, children, for then your
mothers will scold us. Now, if I can't help you, Bess, I am going to stay
with Fuzz; and I leave you to do your worst."

"Don't go, Mrs. Carter," implored Ted, and the others echoed him; but
Mrs. Carter was not to be bribed, even by Phil's noble offer to let her do his
share of the work.

"I will eat your share of the candy, Phil, but I am going to stay with Mr.
Carter and Fuzz. I'll come and look at you by and by." And, drawing her
white shawl around her, she was gone.

Bess quickly divided her forces. Rob and Ted were set to shelling the
corn, while Phil and Bert scorched it and their faces at the same time. The
impressive duty of stirring the molasses she reserved for herself, assisted at
times by Sam.

For a short time all went well. But just as the bright new pan was nearly
full of the white kernels, and the molasses was beginning to show its
threads, a sudden determined bark was heard at the door, and the scratching
of two active little paws. Then followed the sound of Mrs. Carter's voice in
warning tones,—

"Fuzzy mustn't scratch the doors! No, no! Grandma 'pank."

An instant's pause was succeeded by a fresh onslaught on the door by

the small delinquent who scorned "grandma's" threats, having learned from
past experiences that patience would carry the day.

"It's Fuzz," said Rob. "Can't I let him in, Cousin Bess?"

"I wouldn't, Rob; he will be so in the way."

Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade

Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.

Let us accompany you on the journey of exploring knowledge and

personal growth!

ebookluna.com