Management of Information Security, 5th Edition
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203
Table of Contents

Organizational Liability and the Need for Counsel ... 86
Key Law Enforcement Agencies ... 87
Chapter Summary ... 90
Review Questions ... 90
Exercises ... 91
Closing Case ... 92
Discussion Questions ... 92
Ethical Decision Making ... 92
Endnotes ... 92

CHAPTER 3
Governance and Strategic Planning for Security ... 97
The Role of Planning ... 99
Precursors to Planning ... 100
Strategic Planning ... 102
Creating a Strategic Plan ... 104
Planning Levels ... 104
Planning and the CISO ... 105
Information Security Governance ... 107
The ITGI Approach to Information Security Governance ... 108
NCSP Industry Framework for Information Security Governance ... 110
CERT Governing for Enterprise Security Implementation ... 112
ISO/IEC 27014:2013 Governance of Information Security ... 114
Security Convergence ... 116
Planning for Information Security Implementation ... 118
Introduction to the Security Systems Development Life Cycle ... 123
Chapter Summary ... 133
Review Questions ... 134
Exercises ... 135
Closing Case ... 135
Discussion Questions ... 136
Ethical Decision Making ... 136
Endnotes ... 136

CHAPTER 4
Information Security Policy ... 139
Why Policy? ... 140
Policy, Standards, and Practices ... 144
Enterprise Information Security Policy ... 145
Integrating an Organization's Mission and Objectives into the EISP ... 146
EISP Elements ... 146
Example EISP Elements ... 147
Issue-Specific Security Policy ... 151
Elements of the ISSP ... 152
Implementing the ISSP ... 154
System-Specific Security Policy ... 157
Managerial Guidance SysSPs ... 157
Technical Specification SysSPs ... 158


Guidelines for Effective Policy Development and Implementation ... 162
Developing Information Security Policy ... 163
Policy Distribution ... 163
Policy Reading ... 163
Policy Comprehension ... 164
Policy Compliance ... 165
Policy Enforcement ... 165
Policy Development and Implementation Using the SecSDLC ... 166
Automated Tools ... 170
Other Approaches to Information Security Policy Development ... 171
SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems ... 173
A Final Note on Policy ... 175
Chapter Summary ... 175
Review Questions ... 176
Exercises ... 177
Closing Case ... 178
Discussion Questions ... 178
Ethical Decision Making ... 178
Endnotes ... 178

CHAPTER 5
Developing the Security Program ... 181
Organizing for Security ... 182
Security in Large Organizations ... 187
Security in Medium-Sized Organizations ... 189
Security in Small Organizations ... 191
Placing Information Security Within an Organization ... 192
Components of the Security Program ... 202
Information Security Roles and Titles ... 205
Chief Information Security Officer ... 206
Convergence and the Rise of the True CSO ... 206
Security Managers ... 207
Security Administrators and Analysts ... 208
Security Technicians ... 208
Security Staffers and Watchstanders ... 209
Security Consultants ... 209
Security Officers and Investigators ... 209
Help Desk Personnel ... 209
Implementing Security Education, Training, and Awareness Programs ... 210
Security Education ... 211
Security Training ... 214
Training Techniques ... 216
Security Awareness ... 220
Project Management in Information Security ... 228
Projects Versus Processes ... 228
PMBOK Knowledge Areas ... 231
Project Management Tools ... 238
Chapter Summary ... 244
Review Questions ... 245


Exercises ... 246
Closing Case ... 246
Discussion Questions ... 246
Ethical Decision Making ... 247
Endnotes ... 247

CHAPTER 6
Risk Management: Identifying and Assessing Risk ... 249
Introduction to Risk Management ... 250
Knowing Yourself ... 251
Knowing the Enemy ... 251
Accountability for Risk Management ... 252
Risk Identification ... 253
Identification and Prioritization of Information Assets ... 254
Threat Assessment ... 263
The TVA Worksheet ... 270
Risk Assessment and Risk Appetite ... 273
Assessing Risk ... 273
Likelihood ... 274
Assessing Potential Impact on Asset Value (Consequences) ... 274
Percentage of Risk Mitigated by Current Controls ... 275
Uncertainty ... 275
Risk Determination ... 275
Likelihood and Consequences ... 277
Documenting the Results of Risk Assessment ... 278
Risk Appetite ... 280
Chapter Summary ... 281
Review Questions ... 282
Exercises ... 283
Closing Case ... 284
Discussion Questions ... 284
Ethical Decision Making ... 284
Endnotes ... 285

CHAPTER 7
Risk Management: Controlling Risk ... 287
Introduction to Risk Control ... 288
Risk Control Strategies ... 289
Defense ... 289
Transference ... 290
Mitigation ... 292
Acceptance ... 292
Termination ... 294
Managing Risk ... 294
Feasibility and Cost-Benefit Analysis ... 297
Other Methods of Establishing Feasibility ... 303
Alternatives to Feasibility Analysis ... 305
Recommended Risk Control Practices ... 307
Qualitative and Hybrid Measures ... 308
Delphi Technique ... 308
The OCTAVE Methods ... 309

Microsoft Risk Management Approach ... 310
FAIR ... 311
ISO 27005 Standard for InfoSec Risk Management ... 312
NIST Risk Management Model ... 313
Other Methods ... 316
Selecting the Best Risk Management Model ... 316
Chapter Summary ... 317
Review Questions ... 318
Exercises ... 319
Closing Case ... 321
Discussion Questions ... 321
Ethical Decision Making ... 321
Endnotes ... 321

CHAPTER 8
Security Management Models ... 323
Introduction to Blueprints, Frameworks, and Security Models ... 324
Access Control Models ... 325
Categories of Access Controls ... 326
Other Forms of Access Control ... 332
Security Architecture Models ... 333
Trusted Computing Base ... 333
Information Technology System Evaluation Criteria ... 335
The Common Criteria ... 335
Academic Access Control Models ... 336
Bell-LaPadula Confidentiality Model ... 337
Biba Integrity Model ... 337
Clark-Wilson Integrity Model ... 338
Graham-Denning Access Control Model ... 339
Harrison-Ruzzo-Ullman Model ... 339
Brewer-Nash Model (Chinese Wall) ... 339
Other Security Management Models ... 340
The ISO 27000 Series ... 340
NIST Security Publications ... 346
Control Objectives for Information and Related Technology ... 350
Committee of Sponsoring Organizations ... 353
Information Technology Infrastructure Library ... 354
Information Security Governance Framework ... 354
Chapter Summary ... 357
Review Questions ... 358
Exercises ... 358
Closing Case ... 359
Discussion Questions ... 359
Ethical Decision Making ... 359
Endnotes ... 360

CHAPTER 9
Security Management Practices ... 363
Introduction to Security Practices ... 364
Benchmarking ... 365

Standards of Due Care/Due Diligence ... 365
Selecting Recommended Practices ... 368
Limitations to Benchmarking and Recommended Practices ... 369
Baselining ... 370
Support for Benchmarks and Baselines ... 371
Performance Measurement in InfoSec Management ... 373
InfoSec Performance Management ... 374
Building the Performance Measurement Program ... 376
Specifying InfoSec Measurements ... 377
Collecting InfoSec Measurements ... 378
Implementing InfoSec Performance Measurement ... 381
Reporting InfoSec Performance Measurements ... 383
Trends in Certification and Accreditation ... 385
NIST SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach ... 386
Chapter Summary ... 391
Review Questions ... 392
Exercises ... 393
Closing Case ... 393
Discussion Questions ... 393
Ethical Decision Making ... 394
Endnotes ... 394

CHAPTER 10
Planning for Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Introduction to Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Fundamentals of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Components of Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Contingency Planning Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Reacting to Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Recovering from Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
The Disaster Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Disaster Recovery Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Disaster Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Planning to Recover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Responding to the Disaster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Simple Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Business Continuity Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Continuity Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Timing and Sequence of CP Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Business Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-200-203

Testing Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Final Thoughts on CP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Managing Investigations in the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Affidavits and Search Warrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Evidentiary Policy and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

CHAPTER 11
Personnel and Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Introduction to Personnel and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Staffing the Security Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Information Security Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Information Security Professional Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
(ISC)2 Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
ISACA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
GIAC Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
EC-Council Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
CompTIA Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
ISFCE Certifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Certification Costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Entering the Information Security Profession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Employment Policies and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Hiring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Contracts and Employment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Security as Part of Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Termination Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Personnel Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Security of Personnel and Personal Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Security Considerations for Temporary Employees, Consultants, and Other Workers . . . . . . . . . . . . . . 507
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

CHAPTER 12
Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Introduction to Protection Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Access Controls and Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Managing Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Remote Access Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Wireless Networking Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Scanning and Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Managing Server-Based Systems with Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Encryption Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Using Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Managing Cryptographic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Closing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Discussion Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Ethical Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

APPENDIX
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems . . . . . . . . . . . . . . . 583
ISO 17799: 2005 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
The OCTAVE Method of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Microsoft Risk Management Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637

Preface

As global use of the Internet continues to expand, the demand for and reliance on
Internet-based information create an increasing expectation of access. Modern businesses
take advantage of this and have dramatically increased their Internet presence over the past
decade. This creates an increasing threat of attacks on information assets and a need for
greater numbers of professionals capable of protecting those assets.
To secure these information assets from ever-increasing threats, organizations demand
both breadth and depth of expertise from the next generation of information security
practitioners. These professionals are expected to have an optimal mix of skills and experiences
to secure diverse information environments. Students of technology must learn to recognize
the threats and vulnerabilities present in existing systems. They must also learn how
to manage the use of information assets securely and support the goals and objectives of
their organizations through effective information security governance, risk management,
and regulatory compliance.

Why This Text Was Written
The purpose of this textbook is to fulfill the need for a quality academic textbook in the
discipline of information security management. While there are dozens of quality publications
on information security and assurance for the practitioner, there are fewer textbooks that
provide the student with an in-depth study of information security management. Specifically,
those in disciplines such as information systems, information technology, computer science,
criminal justice, political science, and accounting information systems must understand the
foundations of the management of information security and the development of managerial
strategy for information security. The underlying tenet of this textbook is that information
security in the modern organization is a management problem and not one that technology
alone can answer; it is a problem that has important economic consequences and one for
which management is accountable.

Approach
This book provides a managerial approach to information security and a thorough treatment
of the secure administration of information assets. It can be used to support information
security coursework for a variety of technology students, as well as for technology curricula
aimed at business students.
Certified Information Systems Security Professional, Certified Information Security Manager,
and NIST Common Bodies of Knowledge—As the authors are Certified Information Systems
Security Professionals (CISSP) and Certified Information Security Managers (CISM), these
knowledge domains have had an influence on the design of this textbook. With the influence
of the extensive library of information available from the Special Publications collection at
the National Institute of Standards and Technology (NIST, at csrc.nist.gov), the authors
have also tapped into additional government and industry standards for information security
management. Although this textbook is by no means a certification study guide, much of the
Common Bodies of Knowledge for the dominant industry certifications, especially in the area
of management of information security, has been integrated into the text.

Overview
Chapter 1—Introduction to the Management
of Information Security
The opening chapter establishes the foundation for understanding the field of information
security by explaining the importance of information technology and identifying who is
responsible for protecting an organization’s information assets. Students learn the definition
and key characteristics of information security, as well as the differences between information
security management and general management.

Chapter 2—Compliance: Law and Ethics
In this chapter, students learn about the legal and regulatory environment and its relationship
to information security. This chapter describes the major national and international laws that
affect the practice of information security, as well as the role of culture in ethics as it applies
to information security professionals.

Chapter 3—Governance and Strategic Planning for Security
This chapter explains the importance of planning and describes the principal components of
organizational planning and the role of information security governance and planning within
the organizational context.

Chapter 4—Information Security Policy
This chapter defines information security policy and describes its central role in a successful
information security program. Industry and government best practices promote three major
types of information security policy; this chapter explains what goes into each type, and
demonstrates how to develop, implement, and maintain various types of information security
policies.

Chapter 5—Developing the Security Program
Chapter 5 explores the various organizational approaches to information security and
explains the functional components of an information security program. Students learn the
complexities of planning and staffing for an organization’s information security department
based on the size of the organization and other factors, as well as how to evaluate the
internal and external factors that influence the activities and organization of an information
security program. This chapter also identifies and describes the typical job titles and functions
performed in the information security program, and concludes with an exploration of the
creation and management of a security education, training, and awareness program. It also
provides an overview of project management, a necessary skill in any technology or business
professional’s portfolio.

Chapter 6—Risk Management: Identifying and Assessing Risk
This chapter defines risk management and its role in the organization, and demonstrates
how to use risk management techniques to identify and prioritize risk factors for information
assets. The risk management model presented here assesses risk based on the likelihood
of adverse events and the effects on information assets when events occur. This
chapter concludes with a brief discussion of how to document the results of the risk
identification process.

Chapter 7—Risk Management: Controlling Risk
This chapter presents essential risk mitigation strategy options and opens the discussion on
controlling risk. Students learn how to identify risk control classification categories, use
existing conceptual frameworks to evaluate risk controls, and formulate a cost-benefit analysis.
They also learn how to maintain and perpetuate risk controls.

Chapter 8—Security Management Models
This chapter describes the components of the dominant information security management
models, including U.S. government and internationally sanctioned models, and discusses
how to customize them for a specific organization’s needs. Students learn how to implement
the fundamental elements of key information security management practices. Models include
NIST, ISO, and a host of specialized information security research models that help students
understand confidentiality and integrity applications in modern systems.

Chapter 9—Security Management Practices
This chapter describes the fundamentals and emerging trends in information security
management practices and explains how these practices help organizations meet U.S. and
international compliance standards. The chapter contains an expanded section on security
performance measurement and covers concepts of certification and accreditation of IT
systems.

Chapter 10—Planning for Contingencies
This chapter describes and explores the major components of contingency planning and the
need for them in an organization. The chapter illustrates the planning and development of
contingency plans, beginning with the business impact analysis, and continues through the
implementation and testing of contingency plans.

Chapter 11—Personnel and Security
This chapter expands upon the discussion of the skills and requirements for information
security positions introduced in Chapter 5. It explores the various information security
professional certifications and identifies which skills are encompassed by each. The second half
of the chapter explores the integration of information security issues associated with
personnel management to regulate employee behavior and prevent misuse of information, as part of
an organization’s human resources function.

Chapter 12—Protection Mechanisms
This chapter introduces students to the world of technical controls by exploring access
control approaches, including authentication, authorization, and biometric access controls, as
well as firewalls and the common approaches to firewall implementation. It also covers the
technical control approaches for dial-up access, intrusion detection and prevention systems,
and cryptography.

Appendix
The appendix reproduces an essential security management self-assessment model from the
NIST library. It also includes a questionnaire from the ISO 27002 body that could be used
for organizational assessment. The appendix provides additional detail on various risk
management models, including OCTAVE and the OCTAVE variants, the Microsoft Risk
Management Model, Factor Analysis of Information Risk (FAIR), ISO 27007, and NIST SP 800-30.

Features
Chapter Scenarios—Each chapter opens with a short vignette that follows the same fictional
company as it encounters various information security issues. The final part of each chapter
is a conclusion to the scenario that also offers questions to stimulate in-class discussion.
These questions give the student and the instructor an opportunity to explore the issues that
underlie the content.
View Points—An essay from an information security practitioner or academic is included in
each chapter. These sections provide a range of commentary that illustrate interesting topics
or share personal opinions, giving the student a wider, applied view on the topics in the text.
Offline Boxes—These highlight interesting topics and detailed technical issues, allowing the
student to delve more deeply into certain topics.
Hands-On Learning—At the end of each chapter, students will find a Chapter Summary and
Review Questions as well as Exercises and Closing Case exercises, which give them the
opportunity to examine the information security arena from an experiential perspective.
Using the Exercises, students can research, analyze, and write to reinforce learning objectives
and deepen their understanding of the text. The Closing Case exercises require that students
use professional judgment, powers of observation, and elementary research to create
solutions for simple information security scenarios.

New to This Edition
This fifth edition of Management of Information Security tightens its focus on the managerial
aspects of information security, continues to expand the coverage of governance and
compliance issues, and continues to reduce the coverage of foundational and technical components.
While retaining enough foundational material to allow reinforcement of key concepts, this
edition has fewer technical examples. This edition also contains updated in-depth discussions
and Offline features, and additional coverage in key managerial areas: risk management,
information security governance, access control models, and information security program
assessment and metrics. Chapter 1 consolidates all the introductory and general IT
managerial material.
Each chapter now has key terms clearly delineated and defined in the preface of each
major section. This approach provides clear, concise definitions for use in instruction and
assessment.
In general, the entire text has been updated and re-organized to reflect changes in the field,
including revisions to sections on national and international laws and standards, such as the
ISO 27000 series, among others. Throughout the text, the content has been updated, with
newer and more relevant examples and discussions. A complete coverage matrix of the topics
in this edition is available to instructors to enable mapping of the previous coverage to the
new structure. Please contact your sales representative for access to the matrix.

MindTap
MindTap for Management of Information Security is an online learning solution designed to
help students master the skills they need in today’s workforce. Research shows employers
need critical thinkers, troubleshooters, and creative problem-solvers to stay relevant in our
fast-paced, technology-driven world. MindTap helps users achieve this with assignments and
activities that provide hands-on practice, real-life relevance, and mastery of difficult concepts.
Students are guided through assignments that progress from basic knowledge and
understanding to more challenging problems.
All MindTap activities and assignments are tied to learning objectives. The hands-on exer-
cises provide real-life application and practice. Readings and “Whiteboard Shorts” support
the lecture, while “In the News” assignments encourage students to stay current. Pre- and
post-course assessments allow you to measure how much students have learned using
analytics and reporting that makes it easy to see where the class stands in terms of progress,
engagement, and completion rates. Use the content and learning path as-is, or pick and
choose how the material will wrap around your own. You control what the students see and
when they see it. Learn more at www.cengage.com/mindtap/.

Instructor Resources
Free to all instructors who adopt Management of Information Security, 5e for their courses is
a complete package of instructor resources. These resources are available from the Cengage
Learning Web site, www.cengagebrain.com. Go to the product page for this book in the
online catalog and choose “Instructor Downloads.”
Resources include:
● Instructor’s Manual: This manual includes course objectives and additional
information to help your instruction.
● Cengage Learning Testing Powered by Cognero: A flexible, online system that allows
you to import, edit, and manipulate content from the text’s test bank or elsewhere,
including your own favorite test questions; create multiple test versions in an instant;
and deliver tests from your LMS, your classroom, or wherever you want.
● PowerPoint Presentations: A set of Microsoft PowerPoint slides is included for each
chapter. These slides are meant to be used as a teaching aid for classroom presentations,
to be made available to students for chapter review, or to be printed for classroom
distribution. Instructors are also at liberty to add their own slides.
● Figure Files: Figure files allow instructors to create their own presentations using figures
taken from the text.
● Lab Manual: Cengage Learning has produced a lab manual (Hands-On Information
Security Lab Manual, Fourth Edition) written by the authors that can be used to
provide technical experiential exercises in conjunction with this book. Contact your
Cengage Learning sales representative for more information.
● Readings and Cases: Cengage Learning also produced two texts—Readings and Cases
in the Management of Information Security (ISBN-13: 9780619216276) and Readings
& Cases in Information Security: Law & Ethics (ISBN-13: 9781435441576)—by the
authors, which make excellent companion texts. Contact your Cengage Learning sales
representative for more information.
● Curriculum Model for Programs of Study in Information Security: In addition to the
texts authored by this team, a curriculum model for programs of study in Information
Security and Assurance is available from the Kennesaw State University Center for
Information Security Education (http://infosec.kennesaw.edu). This document provides
details on designing and implementing security coursework and curricula in academic
institutions, as well as guidance and lessons learned from the authors’ perspective.

Author Team
Michael Whitman and Herbert Mattord have jointly developed this textbook to merge
knowledge from the world of academic study with practical experience from the business world.
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in the
Information Systems Department, Coles College of Business at Kennesaw State University, Kennesaw,
Georgia, where he is also the Executive Director of the Center for Information Security
Education (infosec.kennesaw.edu), Coles College of Business. He and Herbert Mattord are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Readings &
Cases in Information Security: Law & Ethics; Guide to Firewall and VPNs; Guide to
Network Security; Roadmap to the Management of Information Security; and Hands-On
Information Security Lab Manual, all from Cengage Learning. Dr. Whitman is an active
researcher in Information Security, Fair and Responsible Use Policies, and Ethical Computing.
He currently teaches graduate and undergraduate courses in Information Security. He has
published articles in the top journals in his field, including Information Systems Research, the
Communications of the ACM, Information and Management, the Journal of International
Business Studies, and the Journal of Computer Information Systems. He is an active member
of the Information Systems Security Association, the Association for Computing Machinery,
ISACA, (ISC)2, and the Association for Information Systems. Through his efforts and those
of Dr. Mattord, his institution has been recognized by the Department of Homeland Security
and the National Security Agency as a National Center of Academic Excellence in Information
Assurance Education four times, most recently in 2015. Dr. Whitman is also the Editor-in-
Chief of the Information Security Education Journal, a DLINE publication, and he continually
solicits relevant and well-written articles on InfoSec pedagogical topics for publication. Prior
to his employment at Kennesaw State, he taught at the University of Nevada Las Vegas, and
served over 13 years as an officer in the U.S. Army.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an
application developer, database administrator, project manager, and information security
practitioner in 2002. He is currently an Associate Professor of Information Security in the
Coles College of Business at Kennesaw State University. He and Michael Whitman are the
authors of Principles of Information Security; Principles of Incident Response and Disaster
Recovery; Readings and Cases in the Management of Information Security; Guide to
Network Security; and Hands-On Information Security Lab Manual, all from Cengage
Learning. During his career as an IT practitioner, Mattord has been an adjunct professor
at Kennesaw State University; Southern Polytechnic State University in Marietta, Georgia;
Austin Community College in Austin, Texas; and Texas State University: San Marcos. He
currently teaches undergraduate courses in Information Security. He is the Assistant Chair
of the Department of Information Systems and is also an active member of the Information
Systems Security Association and Information Systems Audit and Control Association. He
was formerly the Manager of Corporate Information Technology Security at Georgia-
Pacific Corporation, where much of the practical knowledge found in this and his earlier
textbooks was acquired.

Acknowledgments
The authors would like to thank their families for their support and understanding for the
many hours dedicated to this project—hours taken, in many cases, from family activities.
Special thanks to Carola Mattord, Ph.D., Professor of English at Kennesaw State University.
Her reviews of early drafts and suggestions for keeping the writing focused on the students
resulted in a more readable manuscript.

Reviewers
We are indebted to the following individuals for their contributions of perceptive feedback on
the initial proposal, the project outline, and the chapter-by-chapter reviews of the text:
● Wasim A. AlHamdani, Ph.D., IACR, IEEE, ACM, CSAB (ABET Eva.), Professor of
Cryptography and InfoSec, College of Business and Computer Sciences, Kentucky State
University, Frankfort, KY
● James W. Rust, MSIS, MCSE: Security, MCSA: Security, MCDBA, MCP, CompTIA,
CTT+, Project+, Security+, Network+, A+, Implementation Engineer, Buford, GA
● Paul D. Witman, Ph.D., Associate Professor, Information Technology Management,
California Lutheran University, School of Management, Thousand Oaks, CA

Special Thanks
The authors wish to thank the Editorial and Production teams at Cengage Learning. Their
diligent and professional efforts greatly enhanced the final product:
Natalie Pashoukos, Senior Content Developer
Dan Seiter, Developmental Editor
Kristin McNary, Product Team Manager
Amy Savino, Associate Product Manager
Brooke Baker, Senior Content Project Manager
In addition, several professional and commercial organizations and individuals have aided
the development of this textbook by providing information and inspiration, and the authors
wish to acknowledge their contributions:
Charles Cresson Wood
NetIQ Corporation
The View Point authors:
● Henry Bonin
● Lee Imrey
● Robert Hayes and Kathleen Kotwicka
● David Lineman
● Paul D. Witman & Scott Mackelprang
● George V. Hulme
● Tim Callahan
● Mark Reardon
● Martin Lee
● Karen Scarfone
● Alison Gunnels
● Todd E. Tucker
Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be
pleased and honored to receive feedback on the textbook and its supporting materials. You
can contact us through Cengage Learning at [email protected].

Foreword
By David Rowan, Senior Vice President and Director
Technology Risk and Compliance, SunTrust Banks, Inc.
If you are reading this, I want to thank you. Your perusal of this text means you are interested in a career in Information Security or have actually embarked on one. I am thanking you because we—and by we I mean all of us—need your help.
You and I live in a world completely enabled, supported by, and allowed by technology.
In almost all practical respects, the things you and I take for granted are created by our
technology. There is technology we see and directly interact with, and technology we
don’t see or are only peripherally aware of. For example, the temperature of my home is
monitored and maintained based on a smart thermostat’s perception of my daily habits
and preferences. I could check it via the app or wait for an alert via text message, but I
don’t—I just assume all is well, confident that I will be informed if something goes amiss.
Besides, I am more interested in reading my personal news feed….
With respect to technology, we occupy two worlds, one of intent and realized actions and
another of services that simply seem to occur on their own. Both these worlds are necessary,
desirable, growing, and evolving. Also, both these worlds are profoundly underpinned by one
thing: our trust in them to work.
We trust that our phones will work, we trust that we will have electricity, we trust that our
purchases are recorded accurately, we trust that our streaming services will have enough
bandwidth, we trust that our stock trades and bank transactions are secure, we trust that
our cars will run safely, and I trust that my home will be at the right temperature when I
walk in the door.
The benefits of our trust in technology are immeasurable and hard won. The fact that we can delegate tasks, share infrastructure, exchange ideas and information, and buy goods and services almost seamlessly benefits us all. It is good ground worth defending. However, the inevitable and unfortunate fact is that some among us prey upon our trust; they will work tirelessly to disrupt, divert, or destroy our intents, actions, comfort, well-being, information, and whatever else our technology and the free flow of information offers. The motives of these actors matter, but regardless of why they threaten what technology gives us, the actions we take to safeguard it are up to us. That’s why I am glad you are reading this. We need guardians of the trust we place in technology and the information flow it enables.

I have been in the financial industry for 35 years, and have spent the latter half of it focused on information security and the related fields of fraud management, business continuity, physical security, and legal and regulatory compliance. I have seen the evolution of technology risk management from a necessary back-office function to a board-level imperative with global implications. The bound interrelationships among commerce, infrastructure, basic utilities, safety, and even culture exist to the extent that providing security is now dominantly a matter of strategy and management, and less a matter of the tools or technology de jure. There’s an old saying that it’s not the tools that make a good cabinet, but the skill of the carpenter. Our tools will change and evolve; it’s how we use them that really matters.
This fifth edition of Management of Information Security is a foundational source that embodies the current best thinking on how to plan, govern, implement, and manage an information security program. It is holistic and comprehensive, and provides a path to consider all aspects of information security and to integrate security into the fabric of the things we depend on and use. It provides specific guidance on strategy, policy development, risk identification, personal management, organization, and legal matters, and places them in the context of a broader ecosystem. Strategy and management are not merely aspects of information security; they are its essence—and this text informs the what, why, and how of it.
Management of Information Security is a vital resource in the guardianship of our world of
modern conveniences. I hope you will become a part of this community.
—Atlanta, Georgia, February 2016

Chapter 1

Introduction to the Management of Information Security

Management is, above all, a practice where art, science, and craft meet.
—HENRY MINTZBERG
One month into her new position at Random Widget Works, Inc. (RWW), Iris Majwubu left her office early one afternoon to attend a meeting of the local chapter of the Information Systems Security Association (ISSA). She had recently been promoted from her previous assignment at RWW as an information security risk manager to become the first chief information security officer (CISO) to be named at RWW.

This occasion marked Iris’s first ISSA meeting. With a mountain of pressing matters on her cluttered desk, Iris wasn’t exactly certain why she was making it a priority to attend this meeting. She sighed. Since her early morning wake-up, she had spent many hours in business meetings, followed by long hours at her desk working toward defining her new position at the company.
At the ISSA meeting, Iris saw Charlie Moody, her supervisor from the company she used to
work for, Sequential Label and Supply (SLS). Charlie had been promoted to chief information
officer (CIO) of SLS almost a year ago.
“Hi, Charlie,” she said.
“Hello, Iris,” Charlie said, shaking her hand. “Congratulations on your promotion. How are
things going in your new position?”
“So far,” she replied, “things are going well—I think.”

yonder bed? Would some strange disfigured image look at her from
that familiar glass—the long cheval glass before which she had stood
so often in her trivial moods to study the set of a mantua, the hang
of a petticoat, a dazzling figure in a splendour of gold and silver, and
colour that mocked the glory of an autumn sunset, or for a whim,
perhaps, in black velvet, sable from head to foot, a sombre
background for her tiara and rivière of diamonds, and her famous
pearl necklace.
She burst into a wild laugh as she thought of those gems. Would she
ever again wear pearls or diamonds on her neck? Disfigured—blind,
perhaps, a creature upon whose hideous form fine clothes and
flashing jewels would seem more appalling than a shroud!
"Good-bye, beautiful Lady Kilrush," she said, making a low curtsey to
the figure in the glass; and then all grew dim, and she could only
totter to the bell-pull and ring for help.
Sophy came to her. The French maid had been banished after her
mistress's first visit to Mrs. Stobart, Antonia having taken pains to
lessen the risk of contagion for her household. Sophy had waited
upon her, and had been her only means of communication with the
servants.
Dr. Heberden saw her next morning, and recognized the tokens of a
disease not much less terrible than the plague. He was careful not to
alarm the patient, but gave his instructions to Miss Potter, and
promised to send a capable nurse.
"If I am going to be ill let me have the little Lambeth apothecary to
attend me," Antonia said to the physician. "I have seen him by the
sick-beds of the poor, and I know what a kind soul it is."
"Let it be so, dear lady. He will make a good watch-dog. I shall see
you every day till you are well."
"That will not be for a long time, sir. I know what I have to expect,"
she answered calmly. "But if I am likely to be hideous, for pity's
sake, don't try to save my life."
"I protest, your ladyship takes alarm too soon. Your sickness may be
no more than a chill, with a touch of fever."
"Oh, I know, I know," she answered, her eyes searching his
countenance. "You cannot deceive me, sir. I was prepared for this. I
did not think it would come. I thought I was too strong. I hardly
feared it; but I knew it was possible. I did what I had to do without
counting the cost."
She was in a high fever, but still in her right senses. She lay in a half
stupor for the rest of the day, and her nurses, a comfortable looking
middle-aged woman sent by Dr. Heberden, and Sophy Potter, had
nothing to do but watch her and give her a cooling drink from time
to time.
It was growing dusk, and Sophy and Mrs. Ball, the nurse, were
taking tea in the dressing-room, when the door was opened and a
lady appeared, struggling with a sheet steeped in vinegar that had
been hung over the door by Mr. Morton's order. The intruder was
Mrs. Granger, modishly dressed in a chintz silk tucked up over a
black satin petticoat.
"Drat your vinegar," she cried. "I'll wager my new silk is done for."
"Oh, madam, you oughtn't to have come here," cried Sophy, starting
up in a fright. "Her ladyship is taken with——"
"Yes, I know. I've had it, Miss Potter—had it rather bad when I was a
child. You might have seen some marks on my forehead and chin if
you'd ever looked close at me. I should have been marked much
worse, and I should never have been Mrs. General Granger, if
mother hadn't sat by the bed and held my hands day and night to
stop me doing myself a mischief. And I'm going to keep watch over
Antonia, and save her beauty, if it's in human power to do it."
"I am the nurse engaged for the case," said Mrs. Ball, rising from the
tea-board with a stately air, "and your ladyship's services will not be
required."
"That's for my ladyship to judge, not you. Lady Kilrush and me was
close friends before we married; and I'm not going to leave her at
the mercy of any nurse in London, not if she was nurse to the
Princess of Wales."
"I think Dr. Heberden's favourite nurse may be trusted, madam,"
said Mrs. Ball, with growing indignation.
Sophy had gone back to the sick-room.
"I wonder her ladyship's hall porter should have let you come
upstairs, madam, when he had positive orders to admit nobody,"
continued Mrs. Ball.
"I didn't wait for his permission when I had got the truth out of him.
Lions and tigers wouldn't have kept me from my friend, much less
hired nurses and hall porters."
She took off her hat and flung it on the sofa, and went into the next
room with so resolute an air that Mrs. Ball could only stand staring
at her.
Antonia looked up as she approached the bed, and held out her
hand to her.
"Oh, Patty, how glad I am to see you. Your face always brings back
my youth. But no, no, no, don't come near me. Tell her, Sophy—tell
her! Oh, what a racking headache."
Her head fell back upon the pillow. It was impossible to hold it up
with that insufferable pain.
Patty reminded her friend of the pock marks on her temple and chin,
and that she ran no risk in being with her; and from that moment till
the peril was past, through a fortnight of keen anxiety, General
Granger's wife remained at Antonia's bedside, watching over her
with a devotion that never wearied. It was useless for Mrs. Ball to
protest, or for Sophy Potter to show signs of jealousy.
"I'm going to save her beautiful face for her," Patty declared. "She
shan't get up from her sick-bed to find herself a fright. She's the
handsomest woman in London, and beauty like hers is worth fighting
for."
Dr. Heberden heard her, and approved. He had seen her clever
management, her tender care of Antonia, when the fever was
raging, and the delirious sufferer would have done herself mischief
in an agony of irritation. The famous doctor was vastly polite to this
volunteer nurse, and complimented her on her skill and courage.
"As for my courage, sir, 'tis nothing to boast of," Patty answered
frankly. "Poor as my face is, I wouldn't have risked spoiling it, and
shouldn't be here if I had not had the distemper when I was a
child."

Lady Kilrush passed safely through the malady that had been fatal to
Lucy Stobart; but her convalescence was very slow, and she suffered
a depression of spirits from which neither her devoted Sophy Potter
nor her lively friend Patty could rouse her. She came back to life
unwillingly, and felt as if she had nothing to live for.
On the very first day that she was able to leave her bed for an hour
or two, Patty led her to the great cheval glass.
"There!" she cried, "look at yourself as close as you please. You are
not pitted as much as I am even. Why, Lord bless the woman! Aren't
you pleased with yourself, Tonia? You stare as if you saw a ghost."
"'Tis a ghost I am looking at, Patty, the ghost of my old self. Oh, you
have been an angel of goodness, dear; and it is a mercy not to be
loathsome; but the past is past, and I shall never be the beautiful
Lady Kilrush again. I hope I was not too proud of my kingdom while
I had it. 'Tis gone from me for ever."
"Why, you simpleton! All this fuss because you are hollow-cheeked
and pale—and your beautiful hair has been cut off."
"A wreck, Patty! A haggard ghost! Don't think I am going to weep
for the loss of a complexion. I had grown tired of the world before I
fell ill. It will give me little pain to leave it altogether—only there is
nothing else—nothing left but to sit by the fire with a book, and wait
for the slow years to roll by. And the years are so slow. It seems a
century since I came into this house for the first time, and found the
man I loved lying on his death-bed."
"Oh, how foolish this sadness is! If I was a peeress, with such jewels
as yours, a young widow, my own mistress, free to do what I liked
for the rest of my days, or to pick and choose a new tyrant if I liked
—I should jump for joy. You will be as handsome as ever you was
after six weeks at the Wells. And you ought to marry a duke, like
your friend Miss Gunning that was, who would never have been
thought your equal for looks if there had not been two of her."
"Dear Patty, I have done with vanities. But never doubt my gratitude
for the kindness that saved me from being a hideous spectacle."
"Nay, 'tis but the lion and the mouse over again. You took me in
hand and made a lady of me, and how could I do less than jump at
the first chance of making a return? I used to be a little bit envious
of your handsome face once, Tonia, when you used to come to my
lodgings in the piazza, in your shabby clothes, so careless and so
lovely."

Lady Kilrush would see no one after her illness, putting off all visitors
with polite little notes of apology, protesting that she was not yet in
health to receive visits, and must defer the pleasures of friendship till
she was stronger. On this the rumour went about that the disease
had disfigured her beyond recognition, and all the envious women of
her acquaintance were loud in their compassion.
"'Tis vastly sad to think she is too ugly to let anybody see her," said
one. "I'm told she wears a thick veil even in her own house, for fear
of frightening her footmen."
"They say she offered a thousand pounds to any one who would
invent a wash that would hide the spots," said another.
"Spots, my dear! 'Tis vastly fine to talk of spots. The poor wretch
has holes in her face as deep as your thimble."
"And is as blind as Samson Agonistes," said a fourth.
"And oh, dear, we are all so sorry for her," said the chorus, with
sighs and uplifted hands; and then the fiddles began a country
dance, and everybody was curtseying and simpering and setting to
partners, down the long perspective of fine clothes and powdered
heads, and Lady Kilrush was forgotten.
Not by Lord Dunkeld, who started post-haste for London directly he
heard of her illness, and being informed that she was out of danger,
and sitting up in her dressing-room every afternoon, pleaded hard to
be admitted, but was resolutely refused.
Sophy wrote to him at her mistress's dictation, assuring him of her
lady's unchanging esteem, but adding that she was too much out of
spirits to see even her most valued friends.
"Most valued! I wonder what value she sets upon me?" questioned
Dunkeld, cruelly disappointed. "'Tis the parson-soldier, or the soldier-
parson she values. Perhaps the loss of her beauty moves her most
because she will be less fair in his eyes. I doubt that it is always of
one man only that a woman thinks, when she rejoices in her beauty.
It is for his sake; to please his eye! The fellow may be a Caliban,
perhaps, and yet he is the shrine at which she offers her charms."
He tried to picture that glorious beauty changed to ugliness, tried
and could not; for he could not banish her image as he had seen her
in Italy. Her beauty sparkled and shone before him; and imagination
could not conjure up the tragic transformation.
"There is no change that could lessen my love," he thought. "She
has grown into my heart, and is a part of my life. I may be appalled
when I see her, may suffer tortures at a sight so piteous; but she will
be dearer to me in her ruined beauty than the handsomest woman
in London."
He thought of one of the handsomest, the exquisite Lady Coventry,
the younger of the Gunning sisters, whose brief reign was hastening
towards its melancholy close: a butterfly creature, inferior to Antonia
in all mental qualities, but with much grace and sparkle, and an
Irishwoman's high spirits. The Ring in Hyde Park, the Rotunda at
Ranelagh, the Opera House and the Pantheon, would be poorer for
the loss of that brilliant figure.
"And if Antonia appears there no more 'twill be two stars dropped
out of our firmament," thought Dunkeld.

It was in vain that Patty urged her friend to try the waters of Bath or
Bristol, as Dr. Heberden had advised, seeing that his patient was
slow to recover her strength. Antonia refused to leave St. James's
Square.
"If I went to drink the waters I should have a host of trivial
acquaintances buzzing round me," she told Patty. "And I have taken
a hatred of all company, but yours and Sophy's. Indeed, I think I
hate the world. Here I am as safe as in a prison; for my fine friends
will think the house infected, and will be afraid to trust their beauty
in it."
"Sure there has been pains enough taken to drive away the
contagion," said Sophy, who had suffered some inconvenience from
the stringent measures Lady Kilrush had insisted upon after her
recovery.
"But my friends do not know that, and till they forget my illness this
house is my castle."
Mrs. Granger dropped in at teatime two or three times a week, and
brought the gossip of the town, and exercised all her wit to enliven
her friend; but Antonia seemed sunk in a hopeless languor and
melancholy, and only affected an interest in the outside world to
please her visitor.
"I'll swear you are not listening, and have scarce heard a word of it,"
Patty would exclaim, stopping midway in her account of the last
event that had startled the town. A rich old Mrs. Somebody who was
going to marry a boy; or a high-born Iphigenia sacrificed to an
octogenarian bridegroom.
Antonia had left off caring what people did, or what became of
them.
Even the doings of her duchesses had ceased to interest. They had
sent affectionate notes and messages, and she had responded civilly.
The Duke of Cumberland had sent an equerry with his card, and
tender inquiries. The Princess had sent one of her ladies. And all that
Antonia desired in her present mood was to be forgotten. She was
glad that Lady Margaret Laroche, whom she liked best of all of her
fashionable friends, was spending the winter in Paris; since she
could hardly have denied herself where she was under so many
obligations.
She read the papers every day, wondering whether she would ever
come upon George Stobart's name in the news from America; but
the name had not appeared, nor had Mr. Stobart been heard of at
his own house at the beginning of the year, when she sent a servant
to inquire of the woman in charge there. It was a bitter cold winter;
but London was full of movement and gaiety while Antonia sat alone
in the library at the back of the great solemn house, where the
shutting of one of the massive doors reverberated from cellar to
roof-tree in the silence. Never had there been a gayer season. It
seemed as if the noise of all the crackers and squibs that had been
burnt after the news from Quebec was still in the air. The cold
weather killed a good many old people, and there were the usual
number of putrid sore throats and typhus fevers in the fine West End
mansions; but the herd went on their way rejoicing and illuminating,
and praising God for the triumph of English arms on land and sea,
since the victories of the great year '59 were being briskly followed
up in the year that had just begun—the thirty-third of his Majesty's
illustrious reign. His Majesty was waxing old and feeble, and the
hero of Dettingen was soon to follow that other old lion in the
Tower; and most people's eyes were turned to the mild effulgence of
the rising star, the young Prince of Wales, or to the Prince's mother,
and his guardian, my Lord Bute, who might be supposed to direct
that youthful mind. Soon, very soon, the great bell would be tolling,
the muffled drums beating, and the pomp of a royal funeral would
fill the night with torches and solemn music.

That bitter winter was over, and the river was running gaily under
April skies, when George Stobart came up the Thames to the Pool of
London. What an insignificant river it seemed after the St. Lawrence!
what a poor little flat world lay all around him, as his eyes looked out
upon his native land—melancholy eyes, that found no joy in
anything, no pleasure in that aspect of familiar scenes which delights
most wanderers in their home-coming. Duty brought him home,
while inclination would have kept him in Georgia, whither he had
made his way by a difficult and perilous journey, from the snow-
fields and frozen rivers of Canada to the orange groves and sunny
sea of the South, after a weary time in the hospital at Quebec. There
had been much for him to see in the little colony established by the
philanthropic Oglethorpe five-and-twenty years before, a refuge and
a home for poor debtors from the English prisons. He had preached
several times in one of the school-rooms at Savannah; and the fire
and fervour of his exhortations had won him a numerous following,
black and white. He had gone among Whitefield's slaves; but
although he found them for the most part well-used and contented,
he loathed a condition which Whitefield justified, and against which
Wesley had never lifted up his voice. To Stobart this buying and
selling of humanity was intolerable. True that in these pious
communities the African was better off than many a slave of toil in
Spitalfields or Whitechapel; but he lived under the fear of the lash,
and he knew not when it might suit his owner's convenience to sell
him into a worse bondage.
It was with a willing heart that the soldier-priest laid down the sword
and took up the Bible. In his hours of despair, in all the longing and
regret of a hopeless love, his faith had remained unshaken. There
was still the terror, and there was still the hope: the fear of
everlasting condemnation, the hope of life eternal. Among the
ignorant throng whom the great evangelist awakened to a sense of
sin and a yearning for pardon, there were numerous backsliders; but
the men of education and enlightenment who followed John Wesley
seldom fell away. To them the things unseen, the promise and the
hope, were more real than the bustle and strife of the world that
hemmed them round. They walked the streets of the city with their
eyes looking afar off, their thoughts full of that heavenly kingdom
where life would put on a loveliness unthinkable here below.
Sickening at the horrors of a world in which there were such things
as the gallows at Tyburn, with its batch of victims ten or a dozen at
a time—men, women, boys and girls, children almost; the Fleet
prison; Bedlam, with its manacles and scourges, and Sunday
promenades for the idle curious; Bridewell, Newgate. Sickening at
such a world as this, the Methodist turned his ecstatic gaze towards
that Kingdom of Christ the Lord, where there should be no more
tears, no more war, no more oppression, no more grinding poverty
or foul disease, and where all the redeemed should be equals in one
brotherhood of heavenly love.
George Stobart went back to his mission work as faithful a believer
as in the day of his conversion. He had not been an idle servant
while he was with his regiment. He had preached the gospel
wherever he could find hearers, had been instant in season and out
of season; but his persistence had not been of a noisy kind, and
although his superior officers were disposed to docket him as a
religious monomaniac, after the manner of Methodists, they had
never found him troublesome or insubordinate.
"Mr. Stobart is a gentleman," said the major. "And if expounding the
Scriptures to a parcel of unbelieving rascals can console him for
short rations, and keep him warm in a temperature ten degrees
below zero—why, who the deuce would deny him that luxury? If he's
a saint at his prayers, he's a devil in a mêlée; and he saved my scalp
from the redskins when we were fighting in the dark in the marshes
before Louisburg."
Stobart landed at the docks, had his luggage put on a hackney
coach, and drove to his house at Lambeth, without a shadow of
doubt that he would find all things as he had left them more than
two years ago. Lucy's last letter had been written in a cheerful spirit.
She was elated at Georgie's good luck in pleasing his grandmamma,
and she prophesied that he would inherit Lady Lanigan's fortune and
become a person of importance. Her father's drunken habits and
persecuting visits were her only trouble. Her health was good, and
her last maidservant was the best she had found since she began
housekeeping. True that this letter had been written more than half
a year ago; but the idea of change or misfortune in the quiet life at
home hardly entered into the mind of the man who had so lately
passed through all the perils of the siege of Quebec, from the first
disastrous attack on the heights of the Montmorenci to the daring
escalade and the battle on the Plains of Abraham, to say nothing of
minor dangers and adventures which had made his life of the last
two years a series of hairbreadth escapes. He counted on his wife's
smiling welcome; and in the tediousness of the voyage he had been
schooling himself to his duty as a husband, to give love for love with
liberal measure, to make his wife's future years happy.
"Poor Wesley's only mistake in life is to have made an unfortunate
marriage, and not to be able to make the best of a bad bargain," he
thought. "But my Lucy is no such termagant as Mrs. John; and I
must be a wretch if I cannot live contentedly with her. She was fair,
and gentle, and loving; and I chose her for the companion of my life.
I must stand by my choice."
In long, wakeful nights, when the ship was rolling in a stormy sea,
he had ample leisure to travel again and again over the same
ground, to make the same resolutions, to repeat the same prayers
for strength within and guidance from above.
There was one name he never breathed to himself, one face he tried
to shut out of his memory; but such names and such faces have the
sleeper at their mercy; and his dreams were often haunted by an
image that his waking thoughts ever strove to banish.
The spring afternoon was grey and cheerless; a fine rain was falling;
and the narrow streets, muddy gutters, and smoky atmosphere of
London were not attractive after the clear air and bright white light
of Georgia.
He felt in worse spirits than before he left the ship—his prison of
near six weeks—and the journey seemed interminable; but the
coach rolled over Westminster Bridge at last, and drew up in front of
his house. The outside shutters were closed over the parlour
windows, though it was only five o'clock and broad daylight. Lucy
must be away from home; with his mother, perhaps, who, having
melted to the grandson, might have made a further concession and
extended her kindness to the daughter-in-law—her meek protégée
of days gone by. The suggestion seemed reasonable; but the aspect
of those closed shutters chilled him.
He knocked loudly at first; and knocked a second time before the
door was opened by a decent old woman in clean white cap and
apron.
"Is your mistress away from home?"
The explanation was slow, disjointed, on the woman's part. His
questioning was quick, impassioned, horror-stricken; but the story
was told at last, the woman sparing him no ghastly particulars: the
patient's sufferings; the disfiguring malady which had afterwards
seized Lady Kilrush, who had come through it worse than Mrs.
Stobart, and was said to be a terrible "objick." Poor Lady Kilrush!
who had been so kind, and had visited Mrs. Stobart at the risk of her
life, although the doctors had warned her of her danger times and
often. And now she was shut up in her house and would see no one,
not even her own servants, without the black velvet mask which she
wore day and night.
Stobart had gone into the parlour while they were talking. The grey
day came in through the holes in the shutters, and made a twilight
in the familiar room. Everything was the same as when his wife used
to dust and polish the furniture with indefatigable care, and place
every chair and table with a prim correctness of line that had often
irritated him. There was the bureau at which he used to write; and
the little Pembroke table was in its own place between the windows,
with the big Bible laid upon a patchwork mat.
And she for whom he had made the home was lying yonder in
Mortlake churchyard, the place of rustic graves through which he
had passed so often, crossing the meadows between Sheen and the
church, on his way to the river. She was gone! and all his schemes
for making her life happy, all his remorseful thoughts of her, had
been in vain. She was gone! His last irrevocable act had been an act
of unkindness. He had left her to die alone.
For his sins against God he might atone, and might feel the
assurance of pardon; but for his sin against this weak mortal who
had loved him, and whom he had sworn to cherish, there was no
possibility of atonement.
"Not to her, not to her," he thought. "I may repent in sackcloth and
ashes—I may rip the flesh from my bones with the penitent's
scourge, like Henry Plantagenet. But could he make amends to the
martyr Becket? Can I make amends to her? 'O God! O God! that it
were possible to undo things done; to call back yesterday!'" he
thought, recalling a passage in an old play that had burnt itself into
his brain, by many a pang of regret for acts ill done or duties
neglected.
He wandered from room to room in the familiar house which seemed
so strange in its blank emptiness, looking at everything with
brooding gaze—the parlour where he had spent so many solitary
hours in study and in prayer. His books were on the shelves as he
had left them—the old Puritan writers he loved—Baxter, Charnock,
Howe, Bunyan. He had taken only three books on his voyage: his
Bible, a pocket Milton, and Charles Wesley's Hymns. His study looked
as if he had left it yesterday. The trees and shrubs were budding in
the long slip of garden, where he had paced the narrow pathway so
often in troubled thought.
He went upstairs, and stood beside the bed where his wife had lain
in her last sleep. The curtains had been stripped from the tent-
bedstead, the carpet taken up, and every scrap of drapery removed
from the windows when the house was disinfected. The room looked
poverty-stricken and grim.
The caretaker followed him from room to room, praising herself for
the cleanliness of the house, and keeping up a continuous stream of
talk to which he gave the scantiest attention. In the bedchamber she
was reminded of Lady Kilrush and her goodness, and began to dilate
upon that theme.
Was there ever such a noble lady? She had thought of everything.
He might make himself quite happy about his poor dear lady. Never
had a patient been better nursed. Her ladyship never missed a day,
and saw with her own eyes that everything was being done. And she
was with his lady a long time on that last day when the fever left her
and she was able to talk sensibly. And his lady was quite happy at
the last—oh, so happy! And the old woman clasped her hands in a
kind of ecstasy. "Quite blind," she said, "and with a handkerchief
bound over her poor eyes—but oh, so happy!"

He left the house, heavy-hearted, and walked across the bridge and
by Whitehall to St. James's Square. He could not exist in uncertainty
about Antonia's fate. He must discover if there were any truth in
what the woman had told him, if that resplendent beauty, Nature's
choicest dower given to one woman among thousands, had indeed
been sacrificed. So great a sacrifice made by an Infidel! a woman
who had no hope in an everlasting reward for the renunciation of
happiness here. He recalled the exquisite face that had lured him to
sin, and pictured it scarred and blemished—as he had seen so many
faces,—changed by that fatal disease which leaves ruin where it
spares life. He shuddered and sickened at the vision his imagination
evoked. Would he honour her less, adore her less, so disfigured? He
had told himself sometimes in his guilty reveries, when Satan had
got the better of him, that he would love her if she were a leper;
that it was the soul, the noble, the daring, the generous nature of
the woman that he idolized; that he was scarcely a sinner for loving
the most perfect creature God had ever made.
If she hid her blemished face from the world, would she consent to
see him? Or would he find his sin still unpardoned? Would she hold
him at a distance for ever because of one fatal hour in his life? She
could scarcely forget their last parting, when she had prayed never
to look upon his face again; but time might have mitigated her
wrath, and she might have forgiven him.
Her ladyship saw no visitors, the porter told him, and was about to
shut the door in his face; but Mr. Stobart pushed his way in, and
scribbled a note at a writing-table in the hall.
"Pray be so kind as to see me. I want to thank you for your
goodness to my wife. I landed in London two hours ago on my
arrival from America."
He walked up and down the hall while a footman carried the note to
his mistress. His heart beat heavily, tortured with the anticipation of
horror; to look upon the altered face; to have to tell himself that this
was Antonia.
The man came back, solemn and slow, in his rich livery and
powdered head. Her ladyship would see Mr. Stobart.
She was sitting in a large armchair by the fire, her face showing
dimly in the twilight. He could distinguish nothing but her pallor and
the difference in the style of her hair. The flowing curls that he had
admired were gone. He felt thankful for the darkness which spared
him the immediate sight of her changed aspect.
"I am glad you are back in England, Mr. Stobart, and have escaped
the perils of that dreadful war," she said, in a low, grave voice. "But
you have had a sorrowful welcome home."
"Yes, it was a heavy blow."
"I hope you had received Lady Lanigan's letter, and that the blow
was softened by foreknowledge."
"No, I had no letter; I came home expecting to find all things as I
left them. My mind was full of schemes for making my wife happier
than I had made her in the past. But I doubt sins of omission are
irrevocable. A man may sometimes undo what he has done, but he
cannot make amends for what he has left undone."
There was a silence. The shadows deepened. The wood fire burnt
low and gave no light.
"I have no words to thank you for your goodness to my wife," he
said. "That you should go to her in her loneliness, that you should so
brave all perils, be so compassionate, so self-sacrificing! What can I
say to you? There is nothing nobler in the lives of the saints. There
was never Christian living more worthy to be called Christ's disciple."
"Oh, sir, there needed no Gospel light to show me so plain a course.
Your wife was alone, while you were fighting for your country. I
promised years ago to be her friend. Could there be any question as
to my duty?"
"'Twill need all my future life to prove my gratitude."
"You have left the army?"
"Yes. I resigned my commission after Quebec."
"You were at the taking of Quebec, then? I thought you were with
Amherst when he recovered Ticonderoga."
"So I was, madam. But after we took the fort I was entrusted to
carry a letter for General Wolfe conveying General Amherst's plans.
'Twas a difficult journey, by a circuitous route, and I was more than
a month on the way; but I was in time to be in the escalade and the
battle. It was glorious—a glorious tragedy. England and France lost
two of the finest leaders that ever soldier followed—Montcalm and
Wolfe. Alas! shall I ever forget James Wolfe's spectral face in the
grey of that fatal morning? He was fitter to be lying on a sick-bed
than to be commanding an army. He looked a ghost, and fought like
the god of war."
"Shall you go back to your work with Mr. Wesley?"
"If he will have me—and, indeed, I think he will, for he needs
helpers. 'Tis in his army—the evangelical army—I shall fight
henceforward. I stand alone in the world now, for my son's welfare
could scarce be better assured than with his grandmother, who
offers to provide his education, and is likely to make him her heir. My
experience in Georgia renewed my self-confidence, and I doubt I
may yet be of some use to my fellow-creatures."
"You could scarce fail in that," she answered gently. "I remember
how those poor wretches at Lambeth loved you."
Her voice was unaltered. It had all that grave music he remembered
of old, when she spoke of serious things. It soothed him to sit in the
darkness and hear her talk, and he dreaded the coming of light that
would break the spell.
Did he love her as he had loved her before those slow years of
severance? Yes. Her lightest word thrilled him. He thought of the
change in her with unspeakable dread; but he knew that it would
not change his heart. Lovely or unlovely she would still be Antonia,
the woman he adored. A footman came in to light the candles.
"This half darkness is very pleasant, madam," Stobart said hurriedly.
"Do you desire more light?"
"I am expecting a friend to take tea with me, and I can hardly
receive her in the dark. You may light the candles, Robert."
There were six candles in each of two bronze candelabra on the
mantelpiece, and two more in tall silver candlesticks on the writing-
table. Stobart sat looking down at the fading embers, and did not lift
his eyes till the servant had left the room. Then, as the door shut, he
looked up and saw Antonia watching him in the bright candlelight.
He gave a sudden cry, in uncontrollable emotion, and burst into
tears. "You—you are not changed!" he cried, as soon as he could
control his speech. "Oh, madam, I beseech you not to despise me
for these unmanly tears! but—but I was told——"
"You were told that the disease had used me very cruelly; that I
should be better dead than such a horrid spectacle," she said. "I
know that has been the talk of the town—and I let them talk. I have
done with the town."
"Thank God!" he exclaimed, starting up from his chair and walking
about the room in a tumult of emotion. "Thank God, it was a lie that
old woman told me. It would have broken my heart to know that
your divine charity had cost you the loss of your beauty."
His eyes shone with wonder and delight as he looked at her. She
was greatly changed, but in his sight not less lovely. Her bloom was
gone. She could no longer dazzle the mob in Hyde Park by her vivid
beauty. She was very pale, and her cheeks were hollow and thin.
Her eyes looked unnaturally large, and her hair, once so luxuriant,
was clustered in short curls under a little lace cap.
"Oh, so far as that goes, sir, I renounce any claim I ever had to rank
among beauties," she said, amused at his surprise. "Through the
devoted care of a friend I was spared the worst kind of
disfigurement; but as I have lost my complexion, my figure, and my
hair, I can no longer hope to take any place among the Waldegraves
and Hamiltons. And I have done with the great world and its
vanities."
"Then you will give yourself to that better world—the world of the
true believer; you will be among the saved?"
"Alas, sir, I am no nearer the heavenly kingdom than I was before I
sickened of the earthly one. I am very tired of the pomps and
vanities, but I cannot entertain the hope of finding an alternative
pleasure in sermons and long prayers, or the pious company Lady
Huntingdon assembles every Thursday evening."
"If you have renounced the world of pleasure—the rest will follow."
"You think a woman must live in some kind of fever? I own that Lady
Fanny Shirley seems always as busy and full of engagements as if
she were at the top of the ton. She flies from one end of London to
the other to hear a new preacher, and makes more fuss about the
opening of some poor little chapel in the suburbs, than the Duchess
of Buccleuch makes about an al fresco ball that costs thousands.
There is the chairman's knock. Perhaps you will scarce care to meet
my lively friend, Mrs. Granger, in your sad circumstances."
"Not for the world. Adieu, madam. I shall go to Mortlake to-morrow
to look at my poor Lucy's resting-place, and shall start the next day
for Bath to see my son; and thence to Bristol, where I hope to find
Mr. Wesley."
He bent down to kiss her hand, so thin and so alabaster white, and
said in a low voice, with his head still bent—
"Dare I hope that my madness of the past is pardoned?"
"The past is past," she answered coldly. "The world has changed for
both of us. Adieu."
He left her, passing Mrs. Granger in the hall.
"You have admitted a sneaking Methodist," cried Patty, "after
denying yourself to all the people of fashion in London."

Mr. Wesley received the returning prodigal with kindness. In that
vast enterprise of one who said "My parish is the world," loyal
adherents were of unspeakable value. The few churchmen who
served under his banner were but a sprinkling compared with his lay
itinerants; and Stobart was among the best of these. He was too
manly a man to think the worse of his helper for having changed
gown for sword during a troubled interval of his life; for he divined
that Stobart must have been in some bitter strait before he went
back to the soldier's trade.
He listened with interest to Stobart's American adventures, and
congratulated him upon having been with Wolfe at Quebec.
"'Twas a glorious victory," he said; "but I doubt the French may yet
prove too strong for us in Canada, and that we are still far from a
peaceful settlement."
"They are strong in numbers, sir, but weak in leaders. Lévis is a poor
substitute for Montcalm, and, if the Governor Vaudreuil harasses him
and ties his hands, as he harassed the late marquis, whom he hated,
his work will be difficult. I should not have left the regiment while
there was a chance of more fighting, if I had not been disabled by
my wounds."
"You were badly wounded?"
"I had a bullet through my ribs that looked like making an end of
me; and I walk lame still from a ball in my left hip. I spent eight
weeks in the general hospital at Quebec, where the nuns tended me
with an angelic kindness; and I was still but a feeble specimen of
humanity when I set out on the journey to Georgia, through a
country beset by Indians."
"I honour those good women for their charity, Stobart; but I hope
you did not let them instil their pernicious doctrine into your mind
while it was enfeebled by sickness."
"No, sir. Yet there was one pious enthusiast whom I could not
silence; and be not offended if I say that her fervent discourse about
spiritual things reminded me of your own teaching."
"Surely that's not possible!"
"Extremes meet, sir; and, I doubt, had you not been a high-church
Methodist you would have been a Roman Catholic of the most
exalted type."

Stobart accompanied Mr. Wesley from Bristol to St. Ives, then back
to Bristol by a different route, taking the south coast of Cornwall and
Devonshire. From Bristol they crossed to Ireland; and returned by
Milford Haven through Wales to London, a tour that lasted till the
first days of October.
Wesley was then fifty-seven years of age, in the zenith of his renown
as the founder of a sect that had spread itself abroad with amazing
power since the day when a handful of young men at Oxford, poor,
obscure, unpretending, had met together in each other's rooms to
pray and expound the Scriptures, and by their orderly habits, and
the method with which they conducted all their spiritual exercises,
had won for themselves the name of "methodists." From those quiet
rooms at Oxford had arisen a power that had shaken the Church of
England, and which might have reinforced and strengthened that
Church with an infinite access of vigour, enthusiasm, and piety, had
English churchmen so willed. But the Methodists had been driven
from the fold and cast upon their own resources. They were shut out
of the churches; but, as one of the society protested, the fields were
open to them, and they had the hills for their pulpit, the heavens for
their sounding board.
George Stobart flung himself heart and soul into his work as an
itinerant preacher, riding through the country with Mr. Wesley,
preaching at any of the smaller towns and outlying villages to which
his leader sent him, and confronting the malice of "baptized
barbarians" with a courage as imperturbable as Wesley's. To be
welcomed with pious enthusiasm, or to be assailed with the vilest
abuse, seemed a matter of indifference to the Methodist itinerants.
Their mission was to carry the tidings of salvation to the lost sheep
of Israel; and more or less of ill usage suffered on their way counted
for little in the sum of their lives. 'Twas a miracle, considering the
violence of the mob and the inefficiency of rustic constables, that
not one of these enthusiasts lost his life at the hands of enemies
scarce less ferocious than the Indians on the banks of the
Monongahela. But in those savage scenes it seemed ever as if a
special providence guarded John Wesley and his followers. Many and
many a time the rabble rout seemed possessed by Moloch, and the
storm of stones and clods flew fast around the preacher's head; and
again and again he passed unharmed out of the demoniac herd.
Missiles often glanced aside and wounded the enemy, for the aim of
blind hate was seldom true; and if Wesley did not escape injury on
every occasion, his wounds were never serious enough to drive him
from the stand he had taken by the market cross or in the
churchyard, in outhouse or street, on common or hillside. He might
finish his discourse while a stream of blood trickled down his face, or
the arm that he would fain have raised in exhortation hung
powerless from a blow; but in none of his wanderings had he been
silenced or acknowledged defeat.
It was John Wesley's privilege, or his misfortune, at this time to
stand alone in the world, unfettered by any tie that could hamper
him in his life's labour. He was childless; and hard fate had given him
a wife so uncongenial, so tormenting in her causeless jealousy and
petty tyranny, that 'twas but an act of self-defence to leave her. In
the earlier years of their marriage she accompanied him on his
journeys; but as she quarrelled with his sister-in-law, Charles
Wesley's amiable helpmeet, and insulted every woman he called his
friend, her companionship must have been a thorn in the flesh
rather than a blessing. His brother Charles—once the other half of
his soul—was now estranged. Their opinions differed upon many
points, and John, as the bolder spirit, had gone far beyond the
order-loving and placable poet, who deemed no misfortune so
terrible for the Methodists as to stand outside the pale of the
Church, albeit they might be strong enough in their own unaided
power to gather half the Protestant world within their fold. Charles
thought of himself and his brother Methodists only as more fervent
members of the Church of England, never as the founders of an
independent establishment, primitive in the simplicity of its doctrine
and observances, modern in its fitness to the needs of modern life.
John Wesley was now almost at the height of his power, and strong
enough in the number of his followers, and in their profound
affection for his person, to laugh at insult, and to defy even so
formidable an assailant as Dr. Lavington, Bishop of Exeter, with
whom he was carrying on a pamphlet war.
George Stobart loved the man and honoured the teacher. It was a
pleasure to him to share the rough and smooth of Wesley's
pilgrimage, to ride a sorry jade, even, for the privilege of riding at
the side of one of the worst and boldest horsemen in England, who
was not unlikely to come by a bad fall before the end of his journey.
In those long stages there was ample leisure for the two friends to
share their burden of sorrows and perplexities, and for heart to
converse with heart.
Wesley was too profound a student of his fellow men not to have
fathomed George Stobart's mind in past years, when Antonia's lover
was himself but half conscious of the passion that enslaved him;
and, remembering this, he was careful not to say too much of the
young wife who was gone, or the love-match which had ended so
sadly. He knew that in heart, at least, Stobart had been unfaithful to
that sacred tie; but although he deplored the sin he could not
withhold his compassion from the sinner. The Methodist leader had
been singularly unlucky in affairs of the heart, from the day when at
Savannah he allowed himself to be persuaded out of an engagement
with a girl he loved, to the hour when he took a Zantippe for his
spouse; and it may be that his own unfortunate marriage, and the
memory of Grace Murray, that other woman once so dearly loved
and once his plighted wife, made him better able to sympathise with
the victim of a misplaced affection.
It was after Stobart had been working with him all through the
summer and autumn, and when that eventful year of 1760 was
waning, that Wesley for the first time spoke of Antonia.
"Your kinswoman Lady Kilrush?" he inquired. "What has become of
so much beauty and fashion? I have not seen the lady's name in the
evening papers for an age."
"Lady Kilrush has withdrawn herself from society. She has discovered
how poor a thing a life of pleasure is when the bloom of novelty is
off it."
"Aye, aye. Fashion's child has cut open the top of her drum and
found nothing but emptiness in the toy. Did I not hear, by-the-bye,
when I was last in London, that the poor lady had come through an
attack of confluent smallpox with the loss of her beauty? If it be so,
I hope she may awaken to the expectation of a kingdom where all
faces are beautiful in the light that shines around the throne of
God."
"No, sir, her ladyship has lost but little of her beauty. And it is not
because she can no longer excel there that she has left the world of
fashion."
And then Stobart took courage for the first time to speak freely of
the woman he loved, and told Mr. Wesley the story of his wife's
death-bed and Antonia's devotion. But when questioned as to the
lady's spiritual state, he had to confess that her opinions had
undergone no change.
"And can this presumptuous worm still deny her Maker? Can this
heart which melts at a sister's distress remain adamant against
Christ? It is a mystery! I know that the man atheist is common
enough—an arrogant wretch, like David Hume, who thinks himself
wiser than God who made the universe. But can a woman, a being
that should be all softness and humility, set up her shallow reason
against the light of nature and revelation, the light that comes to the
savage in the wilderness and tells him there is an avenging God; the
light that shows the child, as soon as he can think, that there is
something better and higher than the erring mortals he knows,
somewhere a world more beautiful than the garden where he plays?
Stobart, I grieve that there should be such a woman, and that you
should be her friend."
"The fabric of our friendship was torn asunder before I went to
America, sir. I doubt if the ravelled edges will ever meet again."
"And you heave a sigh as you say it! You regret the loss of a
friendship that might have shipwrecked your immortal soul."
"Oh, sir, why must my soul be the forfeit? Might it not be my
happiness to save hers?"
"You were her friend and companion for years. Did you bring her
nearer God?"
"Alas, no!"
"Abjure her company then for ever. I warned you of your peril when
you had a wife, when I feared your spirit hovered on the brink of
hell—for remember, Stobart, there is no such height of holiness as it
is impossible to fall from. I adjured you to renounce that woman's
company as you would avoid companionship with Satan. I warn you
even more solemnly to-day; for at that time it was a sin to love her,
and your conscience might have been your safeguard. You are a free
man now; and you may account it no sin to love an infidel."
"Is it a sin, sir, even when that love goes hand in hand with the
desire to bring her into Christ's fold?"
"It is a sin, George. It is the way to everlasting perdition, it is the
choice of evil instead of good, Lucifer instead of Christ. Do you know
what would happen if you were to marry this woman?"
"You would cease to be my friend, perhaps?"
"No, my son. I could not cease to love you and to pity you; but you
could be no more my fellow worker. This pleasant communion in
work and hope would be at an end for ever. At our last Conference
we resolved to expel any member of our society who should marry
an unbeliever. We have all seen the evil of such unions, the
confusion worse confounded when the cloven foot crosses the
threshold of a Christian's home, the uselessness of a Teacher whose
heart is divided between fidelity to Christ and affection for a wicked
wife. We resolved that no member of our society must marry without
first taking counsel with some of our most serious members, and
being governed by their advice."
"Oh, sir, this is tyranny!"
"It is the upshot of long experience. He who is not with me is
against me. We can have no half-hearted helpers. You must choose
whom you will serve, George: Christ or Satan."
"Ah, sir, my fortitude will not be put to the test. The lady for whom I
would lay down my life looks upon me with a chilling disdain. 'Tis
half a year since I forced myself upon her presence to acknowledge
her goodness to my wife; and in all that time she has given me no
sign that she remembers my existence."
"Shun her, my friend; walk not in the way of sinners; and thank God
on your knees that your Delilah scorns you."
George Stobart spent many a bitter hour after that conversation with
his leader. To be forbidden to think of the woman he worshipped
now, when no moral law came between him and her love, when
from the worldling's standpoint it was the most natural thing that he
should try to win her; he, who for her sake had been disinherited,
and who had by his life of self-denial proved himself above all
mercenary views. Why should he not pursue her, with a love so
sincere and so ardent that it might prevail even over indifference,
might conquer disdain? There was not a man in his late regiment,
not a man in the London clubs, who would not laugh him to scorn
for letting spiritual things stand between him and that earthly bliss.
And yet for him who had taken up the Cross of Christ, who had
given his best years and all the power of heart and brain to
preaching Christ's Law of self-surrender and submission, how
horrible a falling away would it be if he were to abandon his beloved
leader, turn deserter while the Society was still on its trial before the
sight of men, and while every fervent voice was an element of
strength. He thought of Wesley's other helpers, and recalled those
ardent enthusiasts who had broken all family ties, parted from father
and mother, sisters and brothers and plighted wife, renounced the
comforts of home, and suffered the opprobrium of the world, in
order to spend and be spent in the task of converting the English
heathen, the toilers in the copper mine or the coal pit, the weavers
of Somerset and Yorkshire, the black faces, the crooked backs, the
forgotten sheep of Episcopal Shepherds.
But had any man living given up more than he was called upon to
surrender, he asked himself? Who among those soldiers and
servants of Christ had loved a woman as beautiful, loved with a
passion as fervent?
He went back to London discouraged, yet not despairing. There was
still the hope, faint perhaps, that he might lead that bright spirit out
of darkness into light; win her for Christ, and so win her for himself.
Ah, what an ecstatic dream, what an ineffable hope! To kneel by her
side at the altar, to know her among the redeemed, the chosen of
God! For that end what labour could be too difficult?
But, alas! between him and that hope there came the cloud of a
terrible fear. He knew the Tempter's power over senses and soul,
knew that to be in Antonia's company was to forget the world
present and the world to come, to remember nothing, value nothing,
but her, to become a worse idolator than they of old who
worshipped Moloch and gave their children to the fire.
Wesley had warned him. Should he, in defiance of that warning from
the best and wisest friend he ever had, enter the house where the
Tempter lay in wait to destroy him, where he must meet the Enemy
of Man? Call that enemy by what name he would, Satan, or love, he
knew himself incapable of resistance.
He resolved to abide by Wesley's advice. He went back to his
desolate home, and resumed his work in Lambeth Marsh, where he