(eBook PDF) Management of Information Security 5th Edition instant download

The document provides links to various eBooks related to information security, including the 5th and 6th editions of 'Management of Information Security' and 'Principles of Information Security.' It emphasizes the importance of these resources for understanding information security management and governance. Additionally, it includes a table of contents outlining key topics covered in the eBooks.

Uploaded by nanzalabaj

(eBook PDF) Management of Information Security 5th Edition pdf download
https://ebooksecure.com/product/ebook-pdf-management-of-information-security-5th-edition/

Download more ebooks from https://ebooksecure.com

We believe these products will be a great fit for you. Click the link to download now, or visit ebooksecure.com to discover even more!

(eBook PDF) Management of Information Security 6th Edition
http://ebooksecure.com/product/ebook-pdf-management-of-information-security-6th-edition/

(eBook PDF) Principles of Information Security 5th Edition
http://ebooksecure.com/product/ebook-pdf-principles-of-information-security-5th-edition/

Management of Information Security 6th Edition Michael E. Whitman - eBook PDF
https://ebooksecure.com/download/management-of-information-security-ebook-pdf/

Principles of Information Security 6th Edition Whitman - eBook PDF
https://ebooksecure.com/download/principles-of-information-security-ebook-pdf/

Elementary Information Security, 3rd Edition (eBook PDF)
http://ebooksecure.com/product/elementary-information-security-3rd-edition-ebook-pdf/

(eBook PDF) Health Information: Management of a Strategic Resource 5th Edition
http://ebooksecure.com/product/ebook-pdf-health-information-management-of-a-strategic-resource-5th-edition/

Principles of Information Security 7th Edition Michael E. Whitman - eBook PDF
https://ebooksecure.com/download/principles-of-information-security-ebook-pdf-2/

Computer and Information Security Handbook - eBook PDF
https://ebooksecure.com/download/computer-and-information-security-handbook-ebook-pdf/

(Original PDF) Principles of Information Security 6th by Michael E. Whitman
http://ebooksecure.com/product/original-pdf-principles-of-information-security-6th-by-michael-e-whitman/
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
vi Table of Contents

Organizational Liability and the Need for Counsel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Key Law Enforcement Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

CHAPTER 3
Governance and Strategic Planning for Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
The Role of Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Precursors to Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Strategic Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating a Strategic Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Planning and the CISO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
The ITGI Approach to Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
NCSP Industry Framework for Information Security Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
CERT Governing for Enterprise Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
ISO/IEC 27014:2013 Governance of Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Security Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Planning for Information Security Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Introduction to the Security Systems Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

CHAPTER 4
Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Why Policy?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Policy, Standards, and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Integrating an Organization’s Mission and Objectives into the EISP . . . . . . . . . . . . . . . . . . . . . . . . . 146
EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Example EISP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Elements of the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Implementing the ISSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
System-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Managerial Guidance SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Technical Specification SysSPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Guidelines for Effective Policy Development and Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Developing Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Policy Comprehension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Policy Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Policy Development and Implementation Using the SecSDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Automated Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Other Approaches to Information Security Policy Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems . . . . . . . . . . . . 173
A Final Note on Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

CHAPTER 5
Developing the Security Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Organizing for Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Security in Large Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Security in Medium-Sized Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Security in Small Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Placing Information Security Within an Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Components of the Security Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Information Security Roles and Titles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Chief Information Security Officer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Convergence and the Rise of the True CSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Security Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Security Administrators and Analysts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Technicians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Security Staffers and Watchstanders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Consultants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Security Officers and Investigators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Help Desk Personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Implementing Security Education, Training, and Awareness Programs . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Security Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Security Training. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Training Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Security Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Project Management in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Projects Versus Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
PMBOK Knowledge Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Project Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

CHAPTER 6
Risk Management: Identifying and Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Introduction to Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Knowing Yourself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Knowing the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Accountability for Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Identification and Prioritization of Information Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Threat Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
The TVA Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Risk Assessment and Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Assessing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Likelihood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Assessing Potential Impact on Asset Value (Consequences) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Percentage of Risk Mitigated by Current Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Uncertainty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Risk Determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Likelihood and Consequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Documenting the Results of Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Risk Appetite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

CHAPTER 7
Risk Management: Controlling Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Introduction to Risk Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Risk Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Transference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Managing Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Feasibility and Cost–Benefit Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Other Methods of Establishing Feasibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Alternatives to Feasibility Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Recommended Risk Control Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Qualitative and Hybrid Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Delphi Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The OCTAVE Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
FAIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
ISO 27005 Standard for InfoSec Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
NIST Risk Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Other Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Selecting the Best Risk Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

CHAPTER 8
Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Introduction to Blueprints, Frameworks, and Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Categories of Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Other Forms of Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Security Architecture Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Trusted Computing Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Information Technology System Evaluation Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
The Common Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Academic Access Control Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Bell-LaPadula Confidentiality Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Biba Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Clark-Wilson Integrity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Graham-Denning Access Control Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Harrison-Ruzzo-Ullman Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Brewer-Nash Model (Chinese Wall) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Other Security Management Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
The ISO 27000 Series. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
NIST Security Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Control Objectives for Information and Related Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Committee of Sponsoring Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Information Technology Infrastructure Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Information Security Governance Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

CHAPTER 9
Security Management Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Introduction to Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Benchmarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Standards of Due Care/Due Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Selecting Recommended Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Limitations to Benchmarking and Recommended Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Baselining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Support for Benchmarks and Baselines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Performance Measurement in InfoSec Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
InfoSec Performance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Building the Performance Measurement Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Specifying InfoSec Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Collecting InfoSec Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Implementing InfoSec Performance Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Reporting InfoSec Performance Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Trends in Certification and Accreditation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
NIST SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

CHAPTER 10
Planning for Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Introduction to Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Fundamentals of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Components of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Contingency Planning Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Reacting to Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Recovering from Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
The Disaster Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Disaster Recovery Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Disaster Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Planning to Recover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Responding to the Disaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Simple Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Business Continuity Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Continuity Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Timing and Sequence of CP Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Business Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

Testing Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Final Thoughts on CP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Managing Investigations in the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Affidavits and Search Warrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Evidentiary Policy and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

CHAPTER 11
Personnel and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Introduction to Personnel and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Staffing the Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Information Security Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Information Security Professional Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
(ISC)2 Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
ISACA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
GIAC Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
EC-Council Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
CompTIA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
ISFCE Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Certification Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Entering the Information Security Profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Employment Policies and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Hiring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Contracts and Employment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Security as Part of Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Termination Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Personnel Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Security of Personnel and Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Security Considerations for Temporary Employees, Consultants, and Other Workers . . . . . . . . . . . . . . 507
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

CHAPTER 12
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Introduction to Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Access Controls and Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524

Managing Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Remote Access Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Wireless Networking Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Scanning and Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Managing Server-Based Systems with Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Encryption Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Using Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Managing Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

APPENDIX
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems . . . . . . . . . . . . . . . 583
ISO 17799: 2005 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
The OCTAVE Method of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637

Preface

As global use of the Internet continues to expand, the demand for and reliance on
Internet-based information creates an increasing expectation of access. Modern businesses
take advantage of this and have dramatically increased their Internet presence over the past
decade. This creates an increasing threat of attacks on information assets and a need for
greater numbers of professionals capable of protecting those assets.
To secure these information assets from ever-increasing threats, organizations demand both breadth and depth of expertise from the next generation of information security practitioners. These professionals are expected to have an optimal mix of skills and experiences to secure diverse information environments. Students of technology must learn to recognize the threats and vulnerabilities present in existing systems. They must also learn how to manage the use of information assets securely and support the goals and objectives of their organizations through effective information security governance, risk management, and regulatory compliance.

Why This Text Was Written
The purpose of this textbook is to fulfill the need for a quality academic textbook in the discipline of information security management. While there are dozens of quality publications on information security and assurance for the practitioner, there are fewer textbooks that provide the student with an in-depth study of information security management. Specifically, those in disciplines such as information systems, information technology, computer science, criminal justice, political science, and accounting information systems must understand the foundations of the management of information security and the development of managerial strategy for information security. The underlying tenet of this textbook is that information security in the modern organization is a management problem and not one that technology alone can answer; it is a problem that has important economic consequences and one for which management is accountable.

Approach
This book provides a managerial approach to information security and a thorough treatment
of the secure administration of information assets. It can be used to support information
security coursework for a variety of technology students, as well as for technology curricula
aimed at business students.
Certified Information Systems Security Professional, Certified Information Security Manager,
and NIST Common Bodies of Knowledge—As the authors are Certified Information Systems
Security Professionals (CISSP) and Certified Information Security Managers (CISM), these
knowledge domains have had an influence on the design of this textbook. With the influence
of the extensive library of information available from the Special Publications collection at
the National Institute of Standards and Technology (NIST, at csrc.nist.gov), the authors
have also tapped into additional government and industry standards for information security
management. Although this textbook is by no means a certification study guide, much of the
Common Bodies of Knowledge for the dominant industry certifications, especially in the area
of management of information security, has been integrated into the text.

Overview
Chapter 1—Introduction to the Management
of Information Security
The opening chapter establishes the foundation for understanding the field of information
security by explaining the importance of information technology and identifying who is
responsible for protecting an organization’s information assets. Students learn the definition
and key characteristics of information security, as well as the differences between information
security management and general management.

Chapter 2—Compliance: Law and Ethics
In this chapter, students learn about the legal and regulatory environment and its relationship
to information security. This chapter describes the major national and international laws that
affect the practice of information security, as well as the role of culture in ethics as it applies
to information security professionals.


Chapter 3—Governance and Strategic Planning for Security
This chapter explains the importance of planning and describes the principal components of
organizational planning and the role of information security governance and planning within
the organizational context.

Chapter 4—Information Security Policy
This chapter defines information security policy and describes its central role in a successful
information security program. Industry and government best practices promote three major
types of information security policy; this chapter explains what goes into each type, and
demonstrates how to develop, implement, and maintain various types of information security
policies.

Chapter 5—Developing the Security Program
Chapter 5 explores the various organizational approaches to information security and explains the functional components of an information security program. Students learn the complexities of planning and staffing for an organization’s information security department based on the size of the organization and other factors, as well as how to evaluate the internal and external factors that influence the activities and organization of an information security program. This chapter also identifies and describes the typical job titles and functions performed in the information security program, and concludes with an exploration of the creation and management of a security education, training, and awareness program. This chapter also provides an overview of project management, a necessary skill in any technology or business professional’s portfolio.

Chapter 6—Risk Management: Identifying and Assessing Risk
This chapter defines risk management and its role in the organization, and demonstrates how to use risk management techniques to identify and prioritize risk factors for information assets. The risk management model presented here assesses risk based on the likelihood of adverse events and the effects on information assets when events occur. This chapter concludes with a brief discussion of how to document the results of the risk identification process.

Chapter 7—Risk Management: Controlling Risk
This chapter presents essential risk mitigation strategy options and opens the discussion on controlling risk. Students learn how to identify risk control classification categories, use existing conceptual frameworks to evaluate risk controls, and formulate a cost benefit analysis. They also learn how to maintain and perpetuate risk controls.

Chapter 8—Security Management Models
This chapter describes the components of the dominant information security management
models, including U.S. government and internationally sanctioned models, and discusses
how to customize them for a specific organization’s needs. Students learn how to implement
the fundamental elements of key information security management practices. Models include
NIST, ISO, and a host of specialized information security research models that help students
understand confidentiality and integrity applications in modern systems.

Chapter 9—Security Management Practices
This chapter describes the fundamentals and emerging trends in information security management practices and explains how these practices help organizations meet U.S. and international compliance standards. The chapter contains an expanded section on security performance measurement and covers concepts of certification and accreditation of IT systems.

Chapter 10—Planning for Contingencies
This chapter describes and explores the major components of contingency planning and the
need for them in an organization. The chapter illustrates the planning and development of
contingency plans, beginning with the business impact analysis, and continues through the
implementation and testing of contingency plans.

Chapter 11—Personnel and Security
This chapter expands upon the discussion of the skills and requirements for information security positions introduced in Chapter 5. It explores the various information security professional certifications and identifies which skills are encompassed by each. The second half of the chapter explores the integration of information security issues associated with personnel management to regulate employee behavior and prevent misuse of information, as part of an organization’s human resources function.

Chapter 12—Protection Mechanisms
This chapter introduces students to the world of technical controls by exploring access control approaches, including authentication, authorization, and biometric access controls, as well as firewalls and the common approaches to firewall implementation. It also covers the technical control approaches for dial-up access, intrusion detection and prevention systems, and cryptography.

Appendix
The appendix reproduces an essential security management self-assessment model from the NIST library. It also includes a questionnaire from the ISO 27002 body that could be used for organizational assessment. The appendix provides additional detail on various risk management models, including OCTAVE and the OCTAVE variants, the Microsoft Risk Management Model, Factor Analysis of Information Risk (FAIR), ISO 27007, and NIST SP 800-30.

Features
Chapter Scenarios—Each chapter opens with a short vignette that follows the same fictional
company as it encounters various information security issues. The final part of each chapter
is a conclusion to the scenario that also offers questions to stimulate in-class discussion.
These questions give the student and the instructor an opportunity to explore the issues that
underlie the content.
View Points—An essay from an information security practitioner or academic is included in
each chapter. These sections provide a range of commentary that illustrate interesting topics
or share personal opinions, giving the student a wider, applied view on the topics in the text.

Offline Boxes—These highlight interesting topics and detailed technical issues, allowing the student to delve more deeply into certain topics.
Hands-On Learning—At the end of each chapter, students will find a Chapter Summary and Review Questions as well as Exercises and Closing Case exercises, which give them the opportunity to examine the information security arena from an experiential perspective. Using the Exercises, students can research, analyze, and write to reinforce learning objectives and deepen their understanding of the text. The Closing Case exercises require that students use professional judgment, powers of observation, and elementary research to create solutions for simple information security scenarios.

New to This Edition
This fifth edition of Management of Information Security tightens its focus on the managerial aspects of information security, continues to expand the coverage of governance and compliance issues, and continues to reduce the coverage of foundational and technical components. While retaining enough foundational material to allow reinforcement of key concepts, this edition has fewer technical examples. This edition also contains updated in-depth discussions and Offline features, and additional coverage in key managerial areas: risk management, information security governance, access control models, and information security program assessment and metrics. Chapter 1 consolidates all the introductory and general IT managerial material.
Each chapter now has key terms clearly delineated and defined in the preface of each major section. This approach provides clear, concise definitions for use in instruction and assessment.
In general, the entire text has been updated and re-organized to reflect changes in the field, including revisions to sections on national and international laws and standards, such as the ISO 27000 series, among others. Throughout the text, the content has been updated, with newer and more relevant examples and discussions. A complete coverage matrix of the topics in this edition is available to instructors to enable mapping of the previous coverage to the new structure. Please contact your sales representative for access to the matrix.

MindTap
MindTap for Management of Information Security is an online learning solution designed to help students master the skills they need in today’s workforce. Research shows employers need critical thinkers, troubleshooters, and creative problem-solvers to stay relevant in our fast-paced, technology-driven world. MindTap helps users achieve this with assignments and activities that provide hands-on practice, real-life relevance, and mastery of difficult concepts. Students are guided through assignments that progress from basic knowledge and understanding to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on exercises provide real-life application and practice. Readings and “Whiteboard Shorts” support the lecture, while “In the News” assignments encourage students to stay current. Pre- and post-course assessments allow you to measure how much students have learned using analytics and reporting that makes it easy to see where the class stands in terms of progress, engagement, and completion rates. Use the content and learning path as-is, or pick and choose how the material will wrap around your own. You control what the students see and when they see it. Learn more at www.cengage.com/mindtap/.

Instructor Resources
Free to all instructors who adopt Management of Information Security, 5e for their courses is
a complete package of instructor resources. These resources are available from the Cengage
Learning Web site, www.cengagebrain.com. Go to the product page for this book in the
online catalog and choose “Instructor Downloads.”
Resources include:
● Instructor’s Manual: This manual includes course objectives and additional information to help your instruction.
● Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text’s test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an instant;
and deliver tests from your LMS, your classroom, or wherever you want.
● PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides.
● Figure Files: Figure files allow instructors to create their own presentations using figures
taken from the text.
● Lab Manual: Cengage Learning has produced a lab manual (Hands-On Information
Security Lab Manual, Fourth Edition) written by the authors that can be used to
provide technical experiential exercises in conjunction with this book. Contact your
Cengage Learning sales representative for more information.
● Readings and Cases: Cengage Learning also produced two texts—Readings and Cases
in the Management of Information Security (ISBN-13: 9780619216276) and Readings
& Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576)—by the
authors, which make excellent companion texts. Contact your Cengage Learning sales
representative for more information.
● Curriculum Model for Programs of Study in Information Security: In addition to the
texts authored by this team, a curriculum model for programs of study in Information
Security and Assurance is available from the Kennesaw State University Center for
Information Security Education (http://infosec.kennesaw.edu). This document provides
details on designing and implementing security coursework and curricula in academic
institutions, as well as guidance and lessons learned from the authors’ perspective.

Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge knowledge from the world of academic study with practical experience from the business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in the Informa-
tion Systems Department, Coles College of Business at Kennesaw State University, Kennesaw,
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Preface xix

Georgia, where he is also the Executive Director of the Center for Information Security Educa-
tion (infosec.kennesaw.edu), Coles College of Business. He and Herbert Mattord are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Readings &
Cases in Information Security: Law & Ethics; Guide to Firewall and VPNs; Guide to
Network Security; Roadmap to the Management of Information Security; and Hands-On
Information Security Lab Manual, all from Cengage Learning. Dr. Whitman is an active
researcher in Information Security, Fair and Responsible Use Policies, and Ethical Computing.
He currently teaches graduate and undergraduate courses in Information Security. He has
published articles in the top journals in his field, including Information Systems Research, the
Communications of the ACM, Information and Management, the Journal of International
Business Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing Machinery,
ISACA, (ISC)2, and the Association for Information Systems. Through his efforts and those
of Dr. Mattord, his institution has been recognized by the Department of Homeland Security
and the National Security Agency as a National Center of Academic Excellence in Information
Assurance Education four times, most recently in 2015. Dr. Whitman is also the Editor-in-Chief of the Information Security Education Journal, a DLINE publication, and he continually
solicits relevant and well-written articles on InfoSec pedagogical topics for publication. Prior
to his employment at Kennesaw State, he taught at the University of Nevada Las Vegas, and
served over 13 years as an officer in the U.S. Army.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an
application developer, database administrator, project manager, and information security
practitioner in 2002. He is currently an Associate Professor of Information Security in the
Coles College of Business at Kennesaw State University. He and Michael Whitman are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Guide to
Network Security; and Hands-On Information Security Lab Manual, all from Cengage
Learning. During his career as an IT practitioner, Mattord has been an adjunct professor
at Kennesaw State University; Southern Polytechnic State University in Marietta, Georgia;
Austin Community College in Austin, Texas; and Texas State University: San Marcos. He
currently teaches undergraduate courses in Information Security. He is the Assistant Chair
of the Department of Information Systems and is also an active member of the Information
Systems Security Association and Information Systems Audit and Control Association. He
was formerly the Manager of Corporate Information Technology Security at Georgia-Pacific Corporation, where much of the practical knowledge found in this and his earlier
textbooks was acquired.

Acknowledgments
The authors would like to thank their families for their support and understanding for the
many hours dedicated to this project—hours taken, in many cases, from family activities.
Special thanks to Carola Mattord, Ph.D., Professor of English at Kennesaw State University.
Her reviews of early drafts and suggestions for keeping the writing focused on the students
resulted in a more readable manuscript.


Reviewers
We are indebted to the following individuals for their contributions of perceptive feedback on
the initial proposal, the project outline, and the chapter-by-chapter reviews of the text:
● Wasim A. AlHamdani, Ph.D., IACR, IEEE, ACM, CSAB (ABET Eva.), Professor of
Cryptography and InfoSec, College of Business and Computer Sciences, Kentucky State
University, Frankfort, KY
● James W. Rust, MSIS, MCSE: Security, MCSA: Security, MCDBA, MCP, CompTIA,
CTT+, Project+, Security+, Network+, A+, Implementation Engineer, Buford, GA
● Paul D. Witman, Ph.D., Associate Professor, Information Technology Management,
California Lutheran University, School of Management, Thousand Oaks, CA

Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage Learning. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Pashoukos, Senior Content Developer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Associate Product Manager
Brooke Baker, Senior Content Project Manager
In addition, several professional and commercial organizations and individuals have aided
the development of this textbook by providing information and inspiration, and the authors
wish to acknowledge their contributions:
Charles Cresson Wood
NetIQ Corporation
The View Point authors:
● Henry Bonin
● Lee Imrey
● Robert Hayes and Kathleen Kotwicka
● David Lineman
● Paul D. Witman & Scott Mackelprang
● George V. Hulme
● Tim Callahan
● Mark Reardon
● Martin Lee
● Karen Scarfone
● Alison Gunnels
● Todd E. Tucker

Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be
pleased and honored to receive feedback on the textbook and its supporting materials. You
can contact us through Cengage Learning at [email protected].

Foreword
By David Rowan, Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are interested in a career in Information Security or have actually embarked on one. I am thanking
you because we—and by we I mean all of us—need your help.
You and I live in a world completely enabled, supported by, and allowed by technology.
In almost all practical respects, the things you and I take for granted are created by our
technology. There is technology we see and directly interact with, and technology we
don’t see or are only peripherally aware of. For example, the temperature of my home is
monitored and maintained based on a smart thermostat’s perception of my daily habits
and preferences. I could check it via the app or wait for an alert via text message, but I
don’t—I just assume all is well, confident that I will be informed if something goes amiss.
Besides, I am more interested in reading my personal news feed….
With respect to technology, we occupy two worlds, one of intent and realized actions and
another of services that simply seem to occur on their own. Both these worlds are necessary,
desirable, growing, and evolving. Also, both these worlds are profoundly underpinned by one
thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust that our
purchases are recorded accurately, we trust that our streaming services will have enough
bandwidth, we trust that our stock trades and bank transactions are secure, we trust that
our cars will run safely, and I trust that my home will be at the right temperature when I
walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact that we
can delegate tasks, share infrastructure, exchange ideas and information, and buy goods
and services almost seamlessly benefits us all. It is good ground worth defending. However, the inevitable and unfortunate fact is that some among us prey upon our trust; they
will work tirelessly to disrupt, divert, or destroy our intents, actions, comfort, well-being,
information, and whatever else our technology and the free flow of information offers.
The motives of these actors matter, but regardless of why they threaten what technology
gives us, the actions we take to safeguard it are up to us. That’s why I am glad you are
reading this. We need guardians of the trust we place in technology and the information
flow it enables.


I have been in the financial industry for 35 years, and have spent the latter half of it focused
on information security and the related fields of fraud management, business continuity,
physical security, and legal and regulatory compliance. I have seen the evolution of technology risk management from a necessary back-office function to a board-level imperative with
global implications. The bound interrelationships among commerce, infrastructure, basic utilities, safety, and even culture exist to the extent that providing security is now dominantly a
matter of strategy and management, and less a matter of the tools or technology de jure.
There’s an old saying that it’s not the tools that make a good cabinet, but the skill of the carpenter. Our tools will change and evolve; it’s how we use them that really matters.
This fifth edition of Management of Information Security is a foundational source that embodies the current best thinking on how to plan, govern, implement, and manage an information security program. It is holistic and comprehensive, and provides a path to consider all
aspects of information security and to integrate security into the fabric of the things we
depend on and use. It provides specific guidance on strategy, policy development, risk identification, personal management, organization, and legal matters, and places them in the context of a broader ecosystem. Strategy and management are not merely aspects of information
security; they are its essence—and this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our world of
modern conveniences. I hope you will become a part of this community.
—Atlanta, Georgia, February 2016

Chapter 1

Introduction to the Management of Information Security

Management is, above all, a practice where art, science, and craft meet.
—HENRY MINTZBERG
One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu
left her office early one afternoon to attend a meeting of the local chapter of the Information
Systems Security Association (ISSA). She had recently been promoted from her previous
assignment at RWW as an information security risk manager to become the first chief information security officer (CISO) to be named at RWW.
This occasion marked Iris’s first ISSA meeting. With a mountain of pressing matters on her cluttered desk, Iris wasn’t exactly certain why she was making it a priority to attend this meeting. She
sighed. Since her early morning wake-up, she had spent many hours in business meetings, followed by long hours at her desk working toward defining her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from the company she used to
work for, Sequential Label and Supply (SLS). Charlie had been promoted to chief information
officer (CIO) of SLS almost a year ago.
“Hi, Charlie,” she said.
“Hello, Iris,” Charlie said, shaking her hand. “Congratulations on your promotion. How are
things going in your new position?”
“So far,” she replied, “things are going well—I think.”

suggests which of the words, stage or era, has the
meaning of a longer span of time. Therefore, I have chosen
to let my eras be shorter, and to subdivide my stages into
eras. Webster gives era as: “A signal stage of history, an
epoch.” When I want to subdivide my eras, I find myself
using sub-eras. Thus I speak of the eras within a stage and
of the sub-eras within an era; that is, I do so when I feel
that I really have to, and when the evidence is clear
enough to allow it.

The food-producing revolution ushers in the food-producing stage. This stage began to be replaced by the industrial stage only
about two hundred years ago. Now notice that my stage divisions
are in terms of technology and economics. We must think sharply to
be sure that the subdivisions of the stages, the eras, are in the same
terms. This does not mean that I think technology and economics
are the only important realms of culture. It is rather that for most of
prehistoric time the materials left to the archeologists tend to limit
our deductions to technology and economics.
I’m so soon out of my competence, as conventional ancient
history begins, that I shall only suggest the earlier eras of the food-producing stage to you.
universal historian.

THE TWO EARLIEST ERAS OF THE FOOD-PRODUCING STAGE

The food-producing stage seems to appear in western Asia with really revolutionary suddenness. It is seen by the relative speed with
which the traces of new crafts appear in the earliest village-farming
community sites we’ve dug. It is seen by the spread and
multiplication of these sites themselves, and the remarkable growth
in human population we deduce from this increase in sites. We’ll
look at some of these sites and the archeological traces they yield in
the next chapter. When such village sites begin to appear, I believe
we are in the era of the primary village-farming community. I also
believe this is the second era of the food-producing stage.
The first era of the food-producing stage, I believe, was an era
of incipient cultivation and animal domestication. I keep saying “I
believe” because the actual evidence for this earlier era is so slight
that one has to set it up mainly by playing a hunch for it. The reason
for playing the hunch goes about as follows.
One thing we seem to be able to see, in the food-collecting era
in general, is a tendency for people to begin to settle down. This
settling down seemed to become further intensified in the terminal
era. How this is connected with Professor Mathiassen’s
“receptiveness” and the tendency to be experimental, we do not
exactly know. The evidence from the New World comes into play
here as well as that from the Old World. With this settling down in
one place, the people of the terminal era—especially the “Forest
folk” whom we know best—began making a great variety of new
things. I remarked about this earlier in the chapter. Dr. Robert M.
Adams is of the opinion that this atmosphere of experimentation
with new tools—with new ways of collecting food—is the kind of
atmosphere in which one might expect trials at planting and at
animal domestication to have been made. We first begin to find
traces of more permanent life in outdoor camp sites, although caves
were still inhabited at the beginning of the terminal era. It is not
surprising at all that the “Forest folk” had already domesticated the
dog. In this sense, the whole era of food-collecting was becoming
ready and almost “incipient” for cultivation and animal
domestication.
Northwestern Europe was not the place for really effective
beginnings in agriculture and animal domestication. These would
have had to take place in one of those natural environments of
promise, where a variety of plants and animals, each possible of
domestication, was available in the wild state. Let me spell this out.
Really effective food-production must include a variety of items to
make up a reasonably well-rounded diet. The food-supply so
produced must be trustworthy, even though the food-producing
peoples themselves might be happy to supplement it with fish and
wild strawberries, just as we do when such things are available. So,
as we said earlier, part of our problem is that of finding a region with
a natural environment which includes—and did include, some ten
thousand years ago—a variety of possibly domesticable wild plants
and animals.

NUCLEAR AREAS

Now comes the last of my definitions. A region with a natural environment which included a variety of wild plants and animals,
both possible and ready for domestication, would be a central or
core or nuclear area, that is, it would be when and if food-production took place within it. It is pretty hard for me to imagine
food-production having ever made an independent start outside such
a nuclear area, although there may be some possible nuclear areas
in which food-production never took place (possibly in parts of
Africa, for example).
We know of several such nuclear areas. In the New World,
Middle America and the Andean highlands make up one or two; it is
my understanding that the evidence is not yet clear as to which.
There seems to have been a nuclear area somewhere in
southeastern Asia, in the Malay peninsula or Burma perhaps,
connected with the early cultivation of taro, breadfruit, the banana
and the mango. Possibly the cultivation of rice and the domestication
of the chicken and of zebu cattle and the water buffalo belong to
this southeast Asiatic nuclear area. We know relatively little about it
archeologically, as yet. The nuclear area which was the scene of the
earliest experiment in effective food-production was in western Asia.
Since I know it best, I shall use it as my example.
THE NUCLEAR NEAR EAST

The nuclear area of western Asia is naturally the one of greatest interest to people of the western cultural tradition. Our cultural
heritage began within it. The area itself is the region of the hilly
flanks of rain-watered grass-land which build up to the high
mountain ridges of Iran, Iraq, Turkey, Syria, and Palestine. The map
on page 125 indicates the region. If you have a good atlas, try to
locate the zone which surrounds the drainage basin of the Tigris and
Euphrates Rivers at elevations of from approximately 2,000 to 5,000
feet. The lower alluvial land of the Tigris-Euphrates basin itself has
very little rainfall. Some years ago Professor James Henry Breasted
called the alluvial lands of the Tigris-Euphrates a part of the “fertile
crescent.” These alluvial lands are very fertile if irrigated. Breasted
was most interested in the oriental civilizations of conventional
ancient history, and irrigation had been discovered before they
appeared.
The country of hilly flanks above Breasted’s crescent receives
from 10 to 20 or more inches of winter rainfall each year, which is
about what Kansas has. Above the hilly-flanks zone tower the peaks
and ridges of the Lebanon-Amanus chain bordering the coast-line
from Palestine to Turkey, the Taurus Mountains of southern Turkey,
and the Zagros range of the Iraq-Iran borderland. This rugged
mountain frame for our hilly-flanks zone rises to some magnificent
alpine scenery, with peaks of from ten to fifteen thousand feet in
elevation. There are several gaps in the Mediterranean coastal
portion of the frame, through which the winter’s rain-bearing winds
from the sea may break so as to carry rain to the foothills of the
Taurus and the Zagros.
The picture I hope you will have from this description is that of
an intermediate hilly-flanks zone lying between two regions of
extremes. The lower Tigris-Euphrates basin land is low and far too
dry and hot for agriculture based on rainfall alone; to the south and
southwest, it merges directly into the great desert of Arabia. The
mountains which lie above the hilly-flanks zone are much too high
and rugged to have encouraged farmers.

THE NATURAL ENVIRONMENT OF THE NUCLEAR NEAR EAST

The more we learn of this hilly-flanks zone that I describe, the more it seems surely to have been a nuclear area. This is where we
archeologists need, and are beginning to get, the help of natural
scientists. They are coming to the conclusion that the natural
environment of the hilly-flanks zone today is much as it was some
eight to ten thousand years ago. There are still two kinds of wild
wheat and a wild barley, and the wild sheep, goat, and pig. We have
discovered traces of each of these at about nine thousand years ago,
also traces of wild ox, horse, and dog, each of which appears to be
the probable ancestor of the domesticated form. In fact, at about
nine thousand years ago, the two wheats, the barley, and at least
the goat, were already well on the road to domestication.
The wild wheats give us an interesting clue. They are only
available together with the wild barley within the hilly-flanks zone.
While the wild barley grows in a variety of elevations and beyond the
zone, at least one of the wild wheats does not seem to grow below
the hill country. As things look at the moment, the domestication of
both the wheats together could only have taken place within the
hilly-flanks zone. Barley seems to have first come into cultivation due
to its presence as a weed in already cultivated wheat fields. There is
also a suggestion—there is still much more to learn in the matter—
that the animals which were first domesticated were most at home
up in the hilly-flanks zone in their wild state.
With a single exception—that of the dog—the earliest positive
evidence of domestication includes the two forms of wheat, the
barley, and the goat. The evidence comes from within the hilly-flanks
zone. However, it comes from a settled village proper, Jarmo (which
I’ll describe in the next chapter), and is thus from the era of the
primary village-farming community. We are still without positive
evidence of domesticated grain and animals in the first era of the
food-producing stage, that of incipient cultivation and animal
domestication.

THE ERA OF INCIPIENT CULTIVATION AND ANIMAL DOMESTICATION

I said above (p. 105) that my era of incipient cultivation and animal domestication is mainly set up by playing a hunch. Although
we cannot really demonstrate it—and certainly not in the Near East
—it would be very strange for food-collectors not to have known a
great deal about the plants and animals most useful to them. They
do seem to have domesticated the dog. We can easily imagine them
remembering to go back, season after season, to a particular patch
of ground where seeds or acorns or berries grew particularly well.
Most human beings, unless they are extremely hungry, are attracted
to baby animals, and many wild pups or fawns or piglets must have
been brought back alive by hunting parties.
In this last sense, man has probably always been an incipient
cultivator and domesticator. But I believe that Adams is right in
suggesting that this would be doubly true with the experimenters of
the terminal era of food-collecting. We noticed that they also seem
to have had a tendency to settle down. Now my hunch goes that
when this experimentation and settling down took place within a
potential nuclear area—where a whole constellation of plants and
animals possible of domestication was available—the change was
easily made. Professor Charles A. Reed, our field colleague in
zoology, agrees that year-round settlement with plant domestication
probably came before there were important animal domestications.

INCIPIENT ERAS AND NUCLEAR AREAS

I have put this scheme into a simple chart (p. 111) with the
names of a few of the sites we are going to talk about. You will see
that my hunch means that there are eras of incipient cultivation only
within nuclear areas. In a nuclear area, the terminal era of food-collecting would probably have been quite short. I do not know for
how long a time the era of incipient cultivation and domestication
would have lasted, but perhaps for several thousand years. Then it
passed on into the era of the primary village-farming community.
Outside a nuclear area, the terminal era of food-collecting would
last for a long time; in a few out-of-the-way parts of the world, it still
hangs on. It would end in any particular place through contact with
and the spread of ideas of people who had passed on into one of the
more developed eras. In many cases, the terminal era of food-collecting was ended by the incoming of the food-producing peoples
themselves. For example, the practices of food-production were
carried into Europe by the actual movement of some numbers of
peoples (we don’t know how many) who had reached at least the
level of the primary village-farming community. The “Forest folk”
learned food-production from them. There was never an era of
incipient cultivation and domestication proper in Europe, if my hunch
is right.

ARCHEOLOGICAL DIFFICULTIES IN SEEING THE INCIPIENT ERA

The way I see it, two things were required in order that an era
of incipient cultivation and domestication could begin. First, there
had to be the natural environment of a nuclear area, with its whole
group of plants and animals capable of domestication. This is the
aspect of the matter which we’ve said is directly given by nature. But
it is quite possible that such an environment with such a group of
plants and animals in it may have existed well before ten thousand
years ago in the Near East. It is also quite possible that the same
promising condition may have existed in regions which never
developed into nuclear areas proper. Here, again, we come back to
the cultural factor. I think it was that “atmosphere of
experimentation” we’ve talked about once or twice before. I can’t
define it for you, other than to say that by the end of the Ice Age,
the general level of many cultures was ready for change. Ask me
how and why this was so, and I’ll tell you we don’t know yet, and
that if we did understand this kind of question, there would be no
need for me to go on being a prehistorian!
[Chart: Possible relationships of stages and eras in western Asia and northeastern Africa]

Now since this was an era of incipience, of the birth of new ideas, and of experimentation, it is very difficult to see its traces
archeologically. New tools having to do with the new ways of getting
and, in fact, producing food would have taken some time to develop.
It need not surprise us too much if we cannot find hoes for planting
and sickles for reaping grain at the very beginning. We might expect
a time of making-do with some of the older tools, or with make-shift
tools, for some of the new jobs. The present-day wild cousin of the
domesticated sheep still lives in the mountains of western Asia. It
has no wool, only a fine down under hair like that of a deer, so it
need not surprise us to find neither the whorls used for spinning nor
traces of woolen cloth. It must have taken some time for a wool-bearing sheep to develop and also time for the invention of the new
tools which go with weaving. It would have been the same with
other kinds of tools for the new way of life.
It is difficult even for an experienced comparative zoologist to
tell which are the bones of domesticated animals and which are
those of their wild cousins. This is especially so because the animal
bones the archeologists find are usually fragmentary. Furthermore,
we do not have a sort of library collection of the skeletons of the
animals or an herbarium of the plants of those times, against which
the traces which the archeologists find may be checked. We are only
beginning to get such collections for the modern wild forms of
animals and plants from some of our nuclear areas. In the nuclear
area in the Near East, some of the wild animals, at least, have
already become extinct. There are no longer wild cattle or wild
horses in western Asia. We know they were there from the finds
we’ve made in caves of late Ice Age times, and from some slightly
later sites.

SITES WITH ANTIQUITIES OF THE INCIPIENT ERA

So far, we know only a very few sites which would suit my notion
of the incipient era of cultivation and animal domestication. I am
closing this chapter with descriptions of two of the best Near Eastern
examples I know of. You may not be satisfied that what I am able to
describe makes a full-bodied era of development at all. Remember,
however, that I’ve told you I’m largely playing a kind of a hunch, and
also that the archeological materials of this era will always be
extremely difficult to interpret. At the beginning of any new way of
life, there will be a great tendency for people to make-do, at first,
with tools and habits they are already used to. I would suspect that
a great deal of this making-do went on almost to the end of this era.

THE NATUFIAN, AN ASSEMBLAGE OF THE INCIPIENT ERA

The assemblage called the Natufian comes from the upper layers
of a number of caves in Palestine. Traces of its flint industry have
also turned up in Syria and Lebanon. We don’t know just how old it
is. I guess that it probably falls within five hundred years either way
of about 5000 B.C.
Until recently, the people who produced the Natufian
assemblage were thought to have been only cave dwellers, but now
at least three open air Natufian sites have been briefly described. In
their best-known dwelling place, on Mount Carmel, the Natufian folk
lived in the open mouth of a large rock-shelter and on the terrace in
front of it. On the terrace, they had set at least two short curving
lines of stones; but these were hardly architecture; they seem more
like benches or perhaps the low walls of open pens. There were also
one or two small clusters of stones laid like paving, and a ring of
stones around a hearth or fireplace. One very round and regular
basin-shaped depression had been cut into the rocky floor of the
terrace, and there were other less regular basin-like depressions. In
the newly reported open air sites, there seem to have been huts
with rounded corners.
Most of the finds in the Natufian layer of the Mount Carmel cave
were flints. About 80 per cent of these flint tools were microliths
made by the regular working of tiny blades into various tools, some
having geometric forms. The larger flint tools included backed
blades, burins, scrapers, a few arrow points, some larger hacking or
picking tools, and one special type. This last was the sickle blade.
We know a sickle blade of flint when we see one, because of a
strange polish or sheen which seems to develop on the cutting edge
when the blade has been used to cut grasses or grain, or—perhaps
—reeds. In the Natufian, we have even found the straight bone
handles in which a number of flint sickle blades were set in a line.
There was a small industry in ground or pecked stone (that is,
abraded not chipped) in the Natufian. This included some pestle and
mortar fragments. The mortars are said to have a deep and narrow
hole, and some of the pestles show traces of red ochre. We are not
sure that these mortars and pestles were also used for grinding
food. In addition, there were one or two bits of carving in stone.

NATUFIAN ANTIQUITIES IN OTHER MATERIALS; BURIALS AND PEOPLE

The Natufian industry in bone was quite rich. It included, beside the sickle hafts mentioned above, points and harpoons, straight and
curved types of fish-hooks, awls, pins and needles, and a variety of
beads and pendants. There were also beads and pendants of pierced
teeth and shell.
A number of Natufian burials have been found in the caves;
some burials were grouped together in one grave. The people who
were buried within the Mount Carmel cave were laid on their backs
in an extended position, while those on the terrace seem to have
been “flexed” (placed in their graves in a curled-up position). This
may mean no more than that it was easier to dig a long hole in cave
dirt than in the hard-packed dirt of the terrace. The people often had
some kind of object buried with them, and several of the best
collections of beads come from the burials. On two of the skulls
there were traces of elaborate head-dresses of shell beads.
[Sketch of Natufian assemblage: microliths, architecture?, burial, chipped stone, ground stone, bone]
The animal bones of the Natufian layers show beasts of a
“modern” type, but with some differences from those of present-day
Palestine. The bones of the gazelle far outnumber those of the deer;
since gazelles like a much drier climate than deer, Palestine must
then have had much the same climate that it has today. Some of the
animal bones were those of large or dangerous beasts: the hyena,
the bear, the wild boar, and the leopard. But the Natufian people
may have had the help of a large domesticated dog. If our guess at
a date for the Natufian is right (about 7750 B.C.), this is an earlier
dog than was that in the Maglemosian of northern Europe. More
recently, it has been reported that a domesticated goat is also part
of the Natufian finds.
The study of the human bones from the Natufian burials is not
yet complete. Until Professor McCown’s study becomes available, we
may note Professor Coon’s assessment that these people were of a
“basically Mediterranean type.”

THE KARIM SHAHIR ASSEMBLAGE

Karim Shahir differs from the Natufian sites in that it shows traces of a temporary open site or encampment. It lies on the top of
a bluff in the Kurdish hill-country of northeastern Iraq. It was dug by
Dr. Bruce Howe of the expedition I directed in 1950–51 for the
Oriental Institute and the American Schools of Oriental Research. In
1954–55, our expedition located another site, M’lefaat, with general
resemblance to Karim Shahir, but about a hundred miles north of it.
In 1956, Dr. Ralph Solecki located still another Karim Shahir type of
site called Zawi Chemi Shanidar. The Zawi Chemi site has a
radiocarbon date of 8900 ± 300 B.C.
Karim Shahir has evidence of only one very shallow level of
occupation. It was probably not lived on very long, although the
people who lived on it spread out over about three acres of area. In
spots, the single layer yielded great numbers of fist-sized cracked
pieces of limestone, which had been carried up from the bed of a
stream at the bottom of the bluff. We think these cracked stones had
something to do with a kind of architecture, but we were unable to
find positive traces of hut plans. At M’lefaat and Zawi Chemi, there
were traces of rounded hut plans.
As in the Natufian, the great bulk of small objects of the Karim
Shahir assemblage was in chipped flint. A large proportion of the
flint tools were microlithic bladelets and geometric forms. The flint
sickle blade was almost non-existent, being far scarcer than in the
Natufian. The people of Karim Shahir did a modest amount of work
in the grinding of stone; there were milling stone fragments of both
the mortar and the quern type, and stone hoes or axes with polished
bits. Beads, pendants, rings, and bracelets were made of finer
quality stone. We found a few simple points and needles of bone,
and even two rather formless unbaked clay figurines which seemed
to be of animal form.
[Figure: Sketch of Karim Shahir assemblage: chipped stone, ground stone, unbaked clay, shell, bone, “architecture”]
Karim Shahir did not yield direct evidence of the kind of
vegetable food its people ate. The animal bones showed a
considerable increase in the proportion of the bones of the species
capable of domestication—sheep, goat, cattle, horse, dog—as
compared with animal bones from the earlier cave sites of the area,
which have a high proportion of bones of wild forms like deer and
gazelle. But we do not know that any of the Karim Shahir animals
were actually domesticated. Some of them may have been, in an
“incipient” way, but we have no means at the moment that will tell
us from the bones alone.

WERE THE NATUFIAN AND KARIM SHAHIR PEOPLES
FOOD-PRODUCERS?

It is clear that a great part of the food of the Natufian people
must have been hunted or collected. Shells of land, fresh-water, and
sea animals occur in their cave layers. The same is true as regards
Karim Shahir, save for sea shells. But on the other hand, we have
the sickles, the milling stones, the possible Natufian dog, and the
goat, and the general animal situation at Karim Shahir to hint at an
incipient approach to food-production. At Karim Shahir, there was
the tendency to settle down out in the open; this is echoed by the
new reports of open air Natufian sites. The large number of cracked
stones certainly indicates that it was worth the peoples’ while to
have some kind of structure, even if the site as a whole was short-
lived.
It is a part of my hunch that these things all point toward food-
production—that the hints we seek are there. But in the sense that
the peoples of the era of the primary village-farming community,
which we shall look at next, are fully food-producing, the Natufian
and Karim Shahir folk had not yet arrived. I think they were part of a
general build-up to full scale food-production. They were possibly
controlling a few animals of several kinds and perhaps one or two
plants, without realizing the full possibilities of this “control” as a
new way of life.
This is why I think of the Karim Shahir and Natufian folk as
being at a level, or in an era, of incipient cultivation and
domestication. But we shall have to do a great deal more excavation
in this range of time before we’ll get the kind of positive information
we need.

SUMMARY

I am sorry that this chapter has had to be so much more about
ideas than about the archeological traces of prehistoric men
themselves. But the antiquities of the incipient era of cultivation and
animal domestication will not be spectacular, even when we do have
them excavated in quantity. Few museums will be interested in these
antiquities for exhibition purposes. The charred bits or impressions
of plants, the fragments of animal bone and shell, and the varied
clues to climate and environment will be as important as the artifacts
themselves. It will be the ideas to which these traces lead us that
will be important. I am sure that this unspectacular material—when
we have much more of it, and learn how to understand what it says
—will lead us to how and why answers about the first great change
in human history.
We know the earliest village-farming communities appeared in
western Asia, in a nuclear area. We do not yet know why the Near
Eastern experiment came first, or why it didn’t happen earlier in
some other nuclear area. Apparently, the level of culture and the
promise of the natural environment were ready first in western Asia.
The next sites we look at will show a simple but effective food-
production already in existence. Without effective food-production
and the settled village-farming communities, civilization never could
have followed. How effective food-production came into being by the
end of the incipient era, is, I believe, one of the most fascinating
questions any archeologist could face.
It now seems probable—from possibly two of the Palestinian
sites with varieties of the Natufian (Jericho and Nahal Oren)—that
there were one or more local Palestinian developments out of the
Natufian into later times. In the same way, what followed after the
Karim Shahir type of assemblage in northeastern Iraq was in some
ways a reflection of beginnings made at Karim Shahir and Zawi
Chemi.

THE FIRST REVOLUTION

As the incipient era of cultivation and animal domestication
passed onward into the era of the primary village-farming
community, the first basic change in human economy was fully
achieved. In southwestern Asia, this seems to have taken place
about nine thousand years ago. I am going to restrict my description
to this earliest Near Eastern case—I do not know enough about the
later comparable experiments in the Far East and in the New World.
Let us first, once again, think of the contrast between food-collecting
and food-producing as ways of life.

THE DIFFERENCE BETWEEN FOOD-COLLECTORS
AND FOOD-PRODUCERS

Childe used the word “revolution” because of the radical change
that took place in the habits and customs of man. Food-collectors—
that is, hunters, fishers, berry- and nut-gatherers—had to live in
small groups or bands, for they had to be ready to move wherever
their food supply moved. Not many people can be fed in this way in
one area, and small children and old folks are a burden. There is not
enough food to store, and it is not the kind that can be stored for
long.
Do you see how this all fits into a picture? Small groups of
people living now in this cave, now in that—or out in the open—as
they moved after the animals they hunted; no permanent villages, a
few half-buried huts at best; no breakable utensils; no pottery; no
signs of anything for clothing beyond the tools that were probably
used to dress the skins of animals; no time to think of much of
anything but food and protection and disposal of the dead when
death did come: an existence which takes nature as it finds it, which
does little or nothing to modify nature—all in all, a savage’s
existence, and a very tough one. A man who spends his whole life
following animals just to kill them to eat, or moving from one berry
patch to another, is really living just like an animal himself.

THE FOOD-PRODUCING ECONOMY

Against this picture let me try to draw another—that of man’s life
after food-production had begun. His meat was stored “on the hoof,”
his grain in silos or great pottery jars. He lived in a house: it was
worth his while to build one, because he couldn’t move far from his
fields and flocks. In his neighborhood enough food could be grown
and enough animals bred so that many people were kept busy. They
all lived close to their flocks and fields, in a village. The village was
already of a fair size, and it was growing, too. Everybody had more
to eat; they were presumably all stronger, and there were more
children. Children and old men could shepherd the animals by day or
help with the lighter work in the fields. After the crops had been
harvested the younger men might go hunting and some of them
would fish, but the food they brought in was only an addition to the
food in the village; the villagers wouldn’t starve, even if the hunters
and fishermen came home empty-handed.
There was more time to do different things, too. They began to
modify nature. They made pottery out of raw clay, and textiles out of
hair or fiber. People who became good at pottery-making traded
their pots for food and spent all of their time on pottery alone. Other
people were learning to weave cloth or to make new tools. There
were already people in the village who were becoming full-time
craftsmen.
Other things were changing, too. The villagers must have had to
agree on new rules for living together. The head man of the village
had problems different from those of the chief of the small food-
collectors’ band. If somebody’s flock of sheep spoiled a wheat field,
the owner wanted payment for the grain he lost. The chief of the
hunters was never bothered with such questions. Even the gods had
changed. The spirits and the magic that had been used by hunters
weren’t of any use to the villagers. They needed gods who would
watch over the fields and the flocks, and they eventually began to
erect buildings where their gods might dwell, and where the men
who knew most about the gods might live.

WAS FOOD-PRODUCTION A “REVOLUTION”?

If you can see the difference between these two pictures—
between life in the food-collecting stage and life after food-
production had begun—you’ll see why Professor Childe speaks of a
revolution. By revolution, he doesn’t mean that it happened over
night or that it happened only once. We don’t know exactly how long
it took. Some people think that all these changes may have occurred
in less than 500 years, but I doubt that. The incipient era was
probably an affair of some duration. Once the level of the village-
farming community had been established, however, things did begin
to move very fast. By six thousand years ago, the descendants of
the first villagers had developed irrigation and plow agriculture in the
relatively rainless Mesopotamian alluvium and were living in towns
with temples. Relative to the half million years of food-gathering
which lay behind, this had been achieved with truly revolutionary
suddenness.

GAPS IN OUR KNOWLEDGE OF THE NEAR EAST

If you’ll look again at the chart (p. 111) you’ll see that I have
very few sites and assemblages to name in the incipient era of
cultivation and domestication, and not many in the earlier part of the
primary village-farming level either. Thanks in no small part to the
intelligent co-operation given foreign excavators by the Iraq
Directorate General of Antiquities, our understanding of the
sequence in Iraq is growing more complete. I shall use Iraq as my
main yard-stick here. But I am far from being able to show you a
series of Sears Roebuck catalogues, even century by century, for any
part of the nuclear area. There is still a great deal of earth to move,
and a great mass of material to recover and interpret before we
even begin to understand “how” and “why.”
Perhaps here, because this kind of archeology is really my
specialty, you’ll excuse it if I become personal for a moment. I very
much look forward to having further part in closing some of the gaps
in knowledge of the Near East. This is not, as I’ve told you, the
spectacular range of Near Eastern archeology. There are no royal
tombs, no gold, no great buildings or sculpture, no writing, in fact
nothing to excite the normal museum at all. Nevertheless it is a
range which, idea-wise, gives the archeologist tremendous
satisfaction. The country of the hilly flanks is an exciting combination
of green grasslands and mountainous ridges. The Kurds, who inhabit
the part of the area in which I’ve worked most recently, are an
extremely interesting and hospitable people. Archeologists don’t
become rich, but I’ll forego the Cadillac for any bright spring
morning in the Kurdish hills, on a good site with a happy crew of
workmen and an interested and efficient staff. It is probably
impossible to convey the full feeling which life on such a dig holds—
halcyon days for the body and acute pleasurable stimulation for the
mind. Old things coming newly out of the good dirt, and the pieces
of the human puzzle fitting into place! I think I am an honest man; I
cannot tell you that I am sorry the job is not yet finished and that
there are still gaps in this part of the Near Eastern archeological
sequence.

EARLIEST SITES OF THE VILLAGE FARMERS

So far, the Karim Shahir type of assemblage, which we looked at
in the last chapter, is the earliest material available in what I take to
be the nuclear area. We do not believe that Karim Shahir was a
village site proper: it looks more like the traces of a temporary
encampment. Two caves, called Belt and Hotu, which are outside the
nuclear area and down on the foreshore of the Caspian Sea, have
been excavated by Professor Coon. These probably belong in the
later extension of the terminal era of food-gathering; in their upper
layers are traits like the use of pottery borrowed from the more
developed era of the same time in the nuclear area. The same
general explanation doubtless holds true for certain materials in
Egypt, along the upper Nile and in the Kharga oasis: these materials,
called Sebilian III, the Khartoum “neolithic,” and the Khargan
microlithic, are from surface sites, not from caves. The chart (p. 111)
shows where I would place these materials in era and time.
[Map: The hilly flanks of the crescent and early sites of the Near East]

Both M’lefaat and Dr. Solecki’s Zawi Chemi Shanidar site appear
to have been slightly more “settled in” than was Karim Shahir itself.
But I do not think they belong to the era of farming-villages proper.
The first site of this era, in the hills of Iraqi Kurdistan, is Jarmo, on
which we have spent three seasons of work. Following Jarmo comes
a variety of sites and assemblages which lie along the hilly flanks of
the crescent and just below it. I am going to describe and illustrate
some of these for you.
Since not very much archeological excavation has yet been done
on sites of this range of time, I shall have to mention the names of
certain single sites which now alone stand for an assemblage. This
does not mean that I think the individual sites I mention were
unique. In the times when their various cultures flourished, there
must have been many little villages which shared the same general
assemblage. We are only now beginning to locate them again. Thus,
if I speak of Jarmo, or Jericho, or Sialk as single examples of their
particular kinds of assemblages, I don’t mean that they were unique
at all. I think I could take you to the sites of at least three more
Jarmos, within twenty miles of the original one. They are there, but
they simply haven’t yet been excavated. In 1956, a Danish
expedition discovered material of Jarmo type at Shimshara, only two
dozen miles northeast of Jarmo, and below an assemblage of
Hassunan type (which I shall describe presently).

THE GAP BETWEEN KARIM SHAHIR AND JARMO

As we see the matter now, there is probably still a gap in the
available archeological record between the Karim Shahir-M’lefaat-
village-farming era). Although some items of the Jarmo type
materials do reflect the beginnings of traditions set in the Karim
Shahir group (see p. 120), there is not a clear continuity. Moreover—
to the degree that we may trust a few radiocarbon dates—there
would appear to be around two thousand years of difference in time.
The single available Zawi Chemi “date” is 8900 ± 300 B.C.; the most
reasonable group of “dates” from Jarmo average to about 6750 ±
200 B.C. I am uncertain about this two thousand years—I do not
think it can have been so long.
This suggests that we still have much work to do in Iraq. You
can imagine how earnestly we await the return of political stability in
the Republic of Iraq.

JARMO, IN THE KURDISH HILLS, IRAQ

The site of Jarmo has a depth of deposit of about twenty-seven
feet, and approximately a dozen layers of architectural renovation
and change. Nevertheless it is a “one period” site: its assemblage
remains essentially the same throughout, although one or two new
items are added in later levels. It covers about four acres of the top
of a bluff, below which runs a small stream. Jarmo lies in the hill
country east of the modern oil town of Kirkuk. The Iraq Directorate
General of Antiquities suggested that we look at it in 1948, and we
have had three seasons of digging on it since.
The people of Jarmo grew the barley plant and two different
kinds of wheat. They made flint sickles with which to reap their
grain, mortars or querns on which to crack it, ovens in which it
might be parched, and stone bowls out of which they might eat their
porridge. We are sure that they had the domesticated goat, but
Professor Reed (the staff zoologist) is not convinced that the bones
of the other potentially domesticable animals of Jarmo—sheep,
cattle, pig, horse, dog—show sure signs of domestication. We had
first thought that all of these animals were domesticated ones, but
Reed feels he must find out much more before he can be sure. As
well as their grain and the meat from their animals, the people of
Jarmo consumed great quantities of land snails. Botanically, the
Jarmo wheat stands about half way between fully bred wheat and
the wild forms.

ARCHITECTURE: HALL-MARK OF THE VILLAGE

The sure sign of the village proper is in its traces of architectural
permanence. The houses of Jarmo were only the size of a small
cottage by our standards, but each was provided with several
rectangular rooms. The walls of the houses were made of puddled
mud, often set on crude foundations of stone. (The puddled mud
wall, which the Arabs call touf, is built by laying a three to six inch
course of soft mud, letting this sun-dry for a day or two, then adding
the next course, etc.) The village probably looked much like the
simple Kurdish farming village of today, with its mud-walled houses
and low mud-on-brush roofs. I doubt that the Jarmo village had
more than twenty houses at any one moment of its existence. Today,
an average of about seven people live in a comparable Kurdish
house; probably the population of Jarmo was about 150 people.
[Figure: Sketch of Jarmo assemblage: chipped stone, unbaked clay, ground stone, pottery (upper third of site only), reed matting, bone, architecture]
It is interesting that portable pottery does not appear until the
last third of the life of the Jarmo village. Throughout the duration of
the village, however, its people had experimented with the plastic
qualities of clay. They modeled little figurines of animals and of
human beings in clay; one type of human figurine they favored was
that of a markedly pregnant woman, probably the expression of
some sort of fertility spirit. They provided their house floors with
baked-in-place depressions, either as basins or hearths, and later
with domed ovens of clay. As we’ve noted, the houses themselves
were of clay or mud; one could almost say they were built up like a
house-sized pot. Then, finally, the idea of making portable pottery
itself appeared, although I very much doubt that the people of the
Jarmo village discovered the art.
On the other hand, the old tradition of making flint blades and
microlithic tools was still very strong at Jarmo. The sickle-blade was
made in quantities, but so also were many of the much older tool
types. Strangely enough, it is within this age-old category of chipped
stone tools that we see one of the clearest pointers to a newer age.
Many of the Jarmo chipped stone tools—microliths—were made of
obsidian, a black volcanic natural glass. The obsidian beds nearest to
Jarmo are over three hundred miles to the north. Already a bulk
carrying trade had been established—the forerunner of commerce—
and the routes were set by which, in later times, the metal trade was
to move.
There are now twelve radioactive carbon “dates” from Jarmo.
The most reasonable cluster of determinations averages to about
6750 ± 200 B.C., although there is a completely unreasonable range
of “dates” running from 3250 to 9250 B.C.! If I am right in what I
take to be “reasonable,” the first flush of the food-producing
revolution had been achieved almost nine thousand years ago.

HASSUNA, IN UPPER MESOPOTAMIAN IRAQ

We are not sure just how soon after Jarmo the next assemblage
of Iraqi material is to be placed. I do not think the time was long,
and there are a few hints that detailed habits in the making of
pottery and ground stone tools were actually continued from Jarmo
times into the time of the next full assemblage. This is called after a
site named Hassuna, a few miles to the south and west of modern
Mosul. We also have Hassunan type materials from several other
sites in the same general region. It is probably too soon to make
generalizations about it, but the Hassunan sites seem to cluster at
slightly lower elevations than those we have been talking about so
far.
The catalogue of the Hassuna assemblage is of course more full
and elaborate than that of Jarmo. The Iraqi government’s
archeologists who dug Hassuna itself, exposed evidence of
increasing architectural know-how. The walls of houses were still
formed of puddled mud; sun-dried bricks appear only in later
periods. There were now several different ways of making and
decorating pottery vessels. One style of pottery painting, called the
Samarran style, is an extremely handsome one and must have
required a great deal of concentration and excellence of
draftsmanship. On the other hand, the old habits for the preparation
of good chipped stone tools—still apparent at Jarmo—seem to have
largely disappeared by Hassunan times. The flint work of the
Hassunan catalogue is, by and large, a wretched affair. We might
guess that the kinaesthetic concentration of the Hassuna craftsmen
now went into other categories; that is, they suddenly discovered
they might have more fun working with the newer materials. It’s a
shame, for example, that none of their weaving is preserved for us.
The two available radiocarbon determinations from Hassunan
contexts stand at about 5100 and 5600 B.C. ± 250 years.

OTHER EARLY VILLAGE SITES IN THE NUCLEAR AREA

I’ll now name and very briefly describe a few of the other early
village assemblages either in or adjacent to the hilly flanks of the
crescent. Unfortunately, we do not have radioactive carbon dates for
many of these materials. We may guess that some particular
assemblage, roughly comparable to that of Hassuna, for example,
must reflect a culture which lived at just about the same time as that
of Hassuna. We do this guessing on the basis of the general
similarity and degree of complexity of the Sears Roebuck catalogues
of the particular assemblage and that of Hassuna. We suppose that
for sites near at hand and of a comparable cultural level, as
indicated by their generally similar assemblages, the dating must be
about the same. We may also know that in a general stratigraphic
sense, the sites in question may both appear at the bottom of the
ascending village sequence in their respective areas. Without a
number of consistent radioactive carbon dates, we cannot be precise
about priorities.
