Mod 6 Legal Ethical and Professional Issues in Information Security

The document discusses the importance of ongoing maintenance for information security programs. It describes recommended security management models for maintenance, including the NIST SP 800-100 model, which covers 13 areas of security management that require ongoing monitoring. The document also presents a security maintenance model built on external and internal monitoring, ongoing planning and risk assessment, vulnerability assessment and remediation, and readiness and review procedures. Maintaining and adapting the security program is crucial as an organization's needs and risks evolve over time.

Uploaded by Saarthak Agarwal

Module 12

Information Security Maintenance

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 1
Module Objectives

Upon completion of this material, you should be able to:

12.1 Discuss the need for ongoing maintenance of the information security program
12.2 Describe recommended security management models
12.3 Define a model for a full maintenance program
12.4 Identify the key factors involved in monitoring the external and internal environment
12.5 Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
12.6 Explain how to build readiness and review procedures into information security maintenance
12.7 Discuss physical security controls
Introduction to Information Security Maintenance

• Organizations should avoid overconfidence after improving their information security profile.
• Organizational changes that may occur include acquisition of new assets, emergence of new vulnerabilities, shifting business priorities, dissolution and formation of partnerships, and employee hire and turnover.
• If a program is not adequately adjusting, it may be necessary to begin the cycle again.
• If an organization creates adjustable procedures and systems, the existing security improvement program can continue to work well.

Security Management Maintenance Models

• Management models must be adopted to manage and operate ongoing security programs.
• Management models are frameworks that structure the tasks of managing a particular set of activities or business functions on an ongoing basis.
• Coupled with a strategic plan to move the status of any project toward its goal by closing the “gap,” improvements become more than just change: they provide real progress toward making the security program better.
• Remember: “Good now is better than perfect never.”

NIST SP 800-100 Information Security Handbook: A Guide for Managers (1 of 5)

• Provides managerial guidance for establishing and implementing an information security program.
• Identifies 13 areas of information security management.
− Specific monitoring activities for each area
− Tasks should be done on an ongoing basis.
− Not all issues are negative.

NIST SP 800-100 Information Security Handbook: A Guide for Managers (2 of 5)

• Information security governance
− Agencies should monitor the status of their programs to ensure that
 Ongoing information security activities are providing appropriate support.
 Policies and procedures are current.
 Controls are accomplishing their intended purpose.
• System development life cycle: the overall multistep process of developing, implementing, and retiring information systems.
• Awareness and training
− A tracking system should capture key information on program activities.
− Tracking compliance involves assessing the status of the program.
− Security policies must continue to evolve.
NIST SP 800-100 Information Security Handbook: A Guide for Managers (3 of 5)

• Capital planning and investment control
− Departments are required to allocate funding toward the highest-priority investments
− Designed to facilitate the expenditure of agency funds
• Interconnecting systems
− The direct connection of two or more information systems for sharing data and other information resources
− Can expose the participating organizations to risk
− If one of the connected systems is compromised, the interconnection could be used as a conduit.
• Performance measures
− Metrics should be used for monitoring the performance of information security controls.
− Six-phase iterative process
Information Security Measures Development
Implementing the Information Security Measurement Program
NIST SP 800-100 Information Security
Handbook: A Guide for Managers (4 of 5)
• Security planning
− One of the most crucial ongoing responsibilities in security management
• Information technology contingency planning
− Consists of a process for recovery and documentation of procedures
• Risk management
− Ongoing effort
− Tasks include performing risk identification, analysis, and management

NIST SP 800-100 Information Security
Handbook: A Guide for Managers (5 of 5)
• Certification, accreditation, and security assessments
− An essential component of any security program
− The status of security controls is checked regularly
− Auditing to review a system’s use to determine if misuse/malfeasance has
occurred
• Security services and products acquisition
• Incident response: incident response life cycle
• Configuration (or change) management: manages the effects of changes in
configurations, five-step process
Information Security Services Life Cycle
The Security Maintenance Model

• Designed to focus organizational effort on maintaining systems
• Recommended maintenance model based on five subject areas:
− External monitoring
− Internal monitoring
− Planning and risk assessment
− Vulnerability assessment and remediation
− Readiness and review

The Maintenance Model
Monitoring the External Environment (1 of 2)

• Provides early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks so the organization can mount an effective defense.
• Entails collecting intelligence from data sources and giving that intelligence context and meaning for use by organizational decision makers.
• Data sources:
− Acquiring threat and vulnerability data is not difficult.
− Turning data into information decision makers can use is challenging.
− External intelligence comes from vendors, computer emergency response teams (CERTs), public network sources, or membership sites.
− Regardless of where or how external monitoring data are collected, they must be analyzed in the context of the organization’s security environment to be useful.
External Monitoring
Monitoring the External Environment (2 of 2)

• Monitoring, escalation, and incident response
− The function of the external monitoring process is to monitor activity, report results, and escalate warnings
− The monitoring process has three primary deliverables:
 Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to the organization
 Periodic summaries of external information
 Detailed intelligence on the highest-risk warnings
• Data collection and management
− Over time, external monitoring processes should capture information about the external environment in appropriate formats
− External monitoring collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference
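The four steps in the last bullet (collect, filter for relevance, assign relative risk, communicate) and the three deliverables above are easy to state and easy to get wrong in practice, because the filtering and scoring depend on what the organization actually runs. The script below is an added example, not code from the textbook or its authors: it matches a constructed advisory feed against a constructed asset inventory, keeps only advisories that affect an installed version, assigns a relative risk using assumed weights (internet exposure and reported exploitation raise the CVSS base score, capped at 10), and produces the warning bulletins, the periodic summary, and the highest-risk detail. Product names, versions, advisory IDs, and weights are all invented for the example.

```python
"""Turning an external feed into decision-ready warnings (added example;
feed, inventory and weighting rules are constructed, not real)."""
from dataclasses import dataclass

# Constructed inventory: product -> [(installed version, asset name, exposure)]
INVENTORY = {
    "acme-web": [("2.4.1", "www-01", "internet"), ("2.4.1", "www-02", "internet")],
    "acme-db":  [("11.2", "db-01", "internal")],
    "acme-vpn": [("5.0", "vpn-01", "internet")],
}

# Constructed feed entries; "affected_below" is the first fixed version
FEED = [
    {"id": "ADV-001", "product": "acme-web",  "affected_below": "2.5.0", "cvss": 9.8, "exploited": True},
    {"id": "ADV-002", "product": "acme-db",   "affected_below": "11.0", "cvss": 8.1, "exploited": False},
    {"id": "ADV-003", "product": "acme-mail", "affected_below": "3.0",  "cvss": 7.5, "exploited": True},
    {"id": "ADV-004", "product": "acme-vpn",  "affected_below": "5.1",  "cvss": 6.5, "exploited": False},
]


def version_tuple(v):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


@dataclass
class ThreatWarning:
    advisory_id: str
    product: str
    assets: list
    risk: float
    rationale: str


def relevant_advisories(feed, inventory):
    """Filter step: keep advisories that hit an installed, unpatched version."""
    hits = []
    for adv in feed:
        fixed = version_tuple(adv["affected_below"])
        affected = [(asset, exposure)
                    for ver, asset, exposure in inventory.get(adv["product"], [])
                    if version_tuple(ver) < fixed]
        if affected:
            hits.append((adv, affected))
    return hits


def relative_risk(adv, affected):
    """Scoring step with assumed weights: CVSS base, raised for an
    internet-facing asset and for reported exploitation, capped at 10."""
    risk = adv["cvss"]
    reasons = [f"CVSS {adv['cvss']}"]
    if any(exposure == "internet" for _, exposure in affected):
        risk *= 1.5
        reasons.append("internet-facing asset")
    if adv["exploited"]:
        risk *= 1.3
        reasons.append("exploitation reported")
    return round(min(risk, 10.0), 2), "; ".join(reasons)


def assess(feed, inventory, bulletin_threshold=7.0):
    """Communicate step: bulletins above the threshold, a summary, and the
    single highest-risk item for detailed follow-up."""
    warnings = []
    for adv, affected in relevant_advisories(feed, inventory):
        risk, why = relative_risk(adv, affected)
        assets = sorted({asset for asset, _ in affected})
        warnings.append(ThreatWarning(adv["id"], adv["product"], assets, risk, why))
    warnings.sort(key=lambda w: w.risk, reverse=True)
    bulletins = [w for w in warnings if w.risk >= bulletin_threshold]
    summary = {"received": len(feed), "relevant": len(warnings), "bulletins": len(bulletins)}
    return {"bulletins": bulletins, "summary": summary,
            "highest_risk": warnings[0] if warnings else None}


if __name__ == "__main__":
    result = assess(FEED, INVENTORY)
    print(result["summary"])
    for w in result["bulletins"]:
        print(f"{w.advisory_id} {w.product} risk={w.risk} assets={w.assets} ({w.rationale})")
```

Of the four feed entries, only two survive the relevance filter: ADV-002 is dropped because the installed database is already at or above the fixed version, and ADV-003 is dropped because the product is not in the inventory at all. That is the point of the filter step: the volume of raw intelligence is not the problem, and a bulletin that names the affected hosts and says why the score is what it is gets acted on where a forwarded vendor e-mail does not.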
Knowledge Check Activity 1

The basic function of the external monitoring process is to maintain an informed awareness of the state of all the organization’s networks, information systems, and information security defenses.
a. True
b. False

Knowledge Check Activity 1: Answer

The basic function of the external monitoring process is to maintain an informed awareness of the state of all the organization’s networks, information systems, and information security defenses.
a. True
b. False

Answer: b. False
Maintaining an informed awareness of the state of all the organization’s networks, information systems, and information security defenses is the job of internal monitoring. External monitoring is oriented toward monitoring outside activity, reporting results, and escalating warnings.
Monitoring the Internal Environment (1 of 3)

• Primary goal is informed awareness of the state of the organization’s networks, systems, and security defenses.
• Internal monitoring is accomplished by
− Inventorying network devices and channels, IT infrastructure and applications, and information security infrastructure elements
− Leading the IT governance process
− Real-time monitoring of IT activity
− Monitoring the internal state of the organization’s networks and systems

Internal Monitoring
Monitoring the Internal Environment (2 of 3)

• Network characterization and inventory
− Organizations should maintain a carefully planned and fully populated inventory of network devices, communication channels, and computing devices.
− Once characteristics are identified, they must be carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts.
• Making intrusion detection and prevention systems work
− The most important value of the raw intelligence an IDS provides is its indicators of current or imminent vulnerabilities.
− Log files from IDS engines can be mined for information.
− Another IDS monitoring element is traffic analysis.
− Analyzing attack signatures from unsuccessful system attacks can identify weaknesses in various security efforts.
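"Log files from IDS engines can be mined for information" is the bullet practitioners most often skip, because the alert file is noisy and nobody reads it end to end. The script below is an added example, not code from the textbook or any IDS vendor: it parses six constructed alert lines written in the single-line "fast" alert style that Snort and Suricata can emit (timestamp, generator:signature:revision, message, optional classification, priority, protocol, source and destination), skips anything that does not match, and then answers the questions the slide is really asking: which signatures fire most, which sources keep coming back, which of the organization's services are being probed, and which priority-1 events deserve a look even when they failed. The rule SIDs are in the local-rule range (1000001 and up), the addresses are documentation ranges, and the messages are invented, so nothing here refers to a real rule or host.

```python
"""Mining IDS alert logs for indicators (added example; the alert lines
below are constructed, not captured from a real sensor)."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
03/14-02:11:07.123456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 198.51.100.23:51234 -> 192.0.2.10:22
03/14-02:11:09.555120  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 198.51.100.23:51240 -> 192.0.2.10:22
03/14-02:11:15.001000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 198.51.100.23:51301 -> 192.0.2.11:22
03/14-02:30:41.770000  [**] [1:1000002:1] LOCAL web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 203.0.113.5:40022 -> 192.0.2.10:80
03/14-02:30:44.912000  [**] [1:1000002:1] LOCAL web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 203.0.113.5:40023 -> 192.0.2.10:443
03/14-03:02:13.000000  [**] [1:1000003:2] LOCAL SMB exploit attempt [**] [Priority: 1] {TCP} 198.51.100.77:61000 -> 192.0.2.10:445
-- not an alert line; the parser must skip it --
"""

# One TCP/UDP alert per line; the Classification field is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        for field in ("sid", "pri", "sport", "dport"):
            a[field] = int(a[field])
        alerts.append(a)
    return alerts


def summarize(alerts, repeat_threshold=3):
    """Aggregate alerts into the views an analyst actually reads."""
    by_signature = Counter(a["msg"] for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    targeted = Counter((a["dst"], a["dport"]) for a in alerts)
    sources_by_target = defaultdict(set)
    for a in alerts:
        sources_by_target[(a["dst"], a["dport"])].add(a["src"])
    return {
        "by_signature": by_signature,
        # sources that fired at least repeat_threshold alerts: candidates for blocking
        "repeat_sources": {s: n for s, n in by_source.items() if n >= repeat_threshold},
        # which of our services are being probed, and how often
        "targeted_services": targeted,
        # highest-priority signatures, even if the attempt failed
        "priority1": sorted({a["msg"] for a in alerts if a["pri"] == 1}),
        "sources_by_target": {k: sorted(v) for k, v in sources_by_target.items()},
    }


if __name__ == "__main__":
    report = summarize(parse_alerts(SAMPLE_LOG))
    print("repeat sources:", report["repeat_sources"])
    print("most targeted:", report["targeted_services"].most_common(3))
    print("priority 1:", report["priority1"])
```

The "targeted services" view is the one that ties back to the slide's point about indicators of current or imminent vulnerabilities: a service that attackers keep probing is where a missing patch or a weak configuration will be found first, so that list feeds the vulnerability assessment work later in the module. Treat the repeat-source threshold as a tuning knob; three alerts in a minute from one address is a scan, three in a month is noise.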
Monitoring the Internal Environment (3 of 3)

• Detecting differences
− Difference analysis is the procedure that compares the current state of a network segment against the known previous state of the same segment
− Unexpected differences between the current state and the baseline state could indicate trouble
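Difference analysis is only as good as the baseline it compares against, and the interesting part is deciding which differences matter. The script below is an added example, not code from the textbook: it compares two constructed snapshots of a segment (address, hardware address, and open ports with service names, the kind of record a scan or the inventory from the previous slide would yield), reports new and missing hosts, new and closed ports, and hardware-address changes, and then triages the findings with assumed severity rules (an unknown host offering a cleartext service and a host whose MAC changed rank highest). It also shows the step people forget: folding reviewed changes back into the baseline so the same finding does not fire forever.

```python
"""Difference analysis of a network segment against a baseline (added
example; both snapshots and the triage rules are constructed)."""

# Constructed baseline from the last reviewed inventory
BASELINE = {
    "192.0.2.10": {"mac": "00:11:22:33:44:10", "ports": {22: "ssh", 443: "https"}},
    "192.0.2.11": {"mac": "00:11:22:33:44:11", "ports": {22: "ssh", 3306: "mysql"}},
    "192.0.2.12": {"mac": "00:11:22:33:44:12", "ports": {22: "ssh"}},
}

# Constructed current snapshot from today's scan
CURRENT_SCAN = {
    "192.0.2.10": {"mac": "00:11:22:33:44:10", "ports": {22: "ssh", 443: "https", 8080: "http-proxy"}},
    "192.0.2.11": {"mac": "00:11:22:33:44:99", "ports": {22: "ssh", 3306: "mysql"}},
    "192.0.2.20": {"mac": "00:11:22:33:44:20", "ports": {23: "telnet"}},
}

CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "rlogin"}  # assumed list


def diff_snapshots(baseline, current):
    """Return every difference between the two snapshots, grouped by kind."""
    findings = {"new_hosts": [], "missing_hosts": [], "new_ports": [],
                "closed_ports": [], "mac_changes": []}
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings["new_hosts"].append(host)
            continue
        if host not in current:
            findings["missing_hosts"].append(host)
            continue
        b, c = baseline[host], current[host]
        if b["mac"] != c["mac"]:
            findings["mac_changes"].append((host, b["mac"], c["mac"]))
        for port in sorted(set(c["ports"]) - set(b["ports"])):
            findings["new_ports"].append((host, port, c["ports"][port]))
        for port in sorted(set(b["ports"]) - set(c["ports"])):
            findings["closed_ports"].append((host, port, b["ports"][port]))
    return findings


def triage(findings, current):
    """Rank findings with assumed severity rules, highest first."""
    items = []
    for host in findings["new_hosts"]:
        services = set(current[host]["ports"].values())
        sev = "high" if services & CLEARTEXT_SERVICES else "medium"
        items.append((sev, f"unknown host {host} appeared with ports {sorted(current[host]['ports'])}"))
    for host, old, new in findings["mac_changes"]:
        items.append(("high", f"{host} changed hardware address {old} -> {new} (replaced or spoofed?)"))
    for host, port, svc in findings["new_ports"]:
        items.append(("medium", f"{host} opened {port}/{svc}, not in baseline"))
    for host in findings["missing_hosts"]:
        items.append(("low", f"{host} no longer responding; confirm decommissioning"))
    for host, port, svc in findings["closed_ports"]:
        items.append(("info", f"{host} closed {port}/{svc}"))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(items, key=lambda item: order[item[0]])


def accept_baseline(baseline, current, reviewed_hosts):
    """After review, fold only the reviewed hosts into a new baseline;
    unreviewed differences keep showing up until someone looks at them."""
    new_baseline = dict(baseline)
    for host in reviewed_hosts:
        if host in current:
            new_baseline[host] = current[host]
        else:
            new_baseline.pop(host, None)
    return new_baseline


if __name__ == "__main__":
    findings = diff_snapshots(BASELINE, CURRENT_SCAN)
    for severity, text in triage(findings, CURRENT_SCAN):
        print(f"[{severity:6}] {text}")
```

The selective `accept_baseline` step is deliberate: promoting the whole current scan to the new baseline after each run quietly accepts every change, including the ones nobody reviewed, which turns difference analysis back into a scan report.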

Planning and Risk Assessment (1 of 4)

• Primary objective is to keep a lookout over the entire information security program
• Accomplished by identifying and planning ongoing information security activities that
further reduce risk
• Primary objectives
− Establishing a formal information security program review process
− Instituting formal project identification, selection, planning, and management
processes
− Coordinating with IT project teams to introduce risk assessment and review for all IT
projects
− Integrating a mindset of risk assessment throughout organization

Planning and Risk Assessment (2 of 4)

• Information security program planning and review
− Periodic review of the ongoing information security program and planning for enhancements and extensions is recommended.
− Should examine the future IT needs of the organization and their impact on information security
− A recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles and manage security projects as part of that process.

Planning and Risk Assessment (3 of 4)
Planning and Risk Assessment (4 of 4)

• Large projects should be broken into smaller projects because
− Smaller projects tend to have more manageable impacts on networks and users.
− Larger projects tend to complicate the change control process in the implementation phase.
− Shorter planning, development, and implementation schedules reduce uncertainty.
− Most large projects can easily be broken down into smaller projects, giving more opportunities to change direction and gain flexibility.
• Security risk assessments
− A key component for driving security program change is risk assessment (RA).
− RA identifies and documents the risk that a project, process, or action introduces to the organization and offers suggestions for controls.
− The information security group coordinates the preparation of many types of RA documents.
Vulnerability Assessment and Remediation
(1 of 9)
• Primary goal is the identification of specific, documented vulnerabilities and their
timely remediation
• Accomplished by
− Using vulnerability assessment procedures
− Documenting background information and providing tested remediation
procedures for vulnerabilities
− Tracking vulnerabilities from the time they are identified
− Communicating vulnerability information to owners of vulnerable systems
− Reporting on the status of vulnerabilities
− Ensuring the proper level of management is involved
Vulnerability Assessment and Remediation (2 of 9)
Vulnerability Assessment and Remediation (3 of 9)

• The process of identifying and documenting specific and provable flaws in the organization’s information asset environment
• The following five vulnerability assessment processes can help many organizations balance the intrusiveness of vulnerability assessment with the need for a stable and effective production environment
• Penetration testing (pen test)
− A level beyond vulnerability testing
− Security tests and evaluations that simulate attacks by a malicious external source (hacker)
− Performed periodically as part of a full security audit
− Conducted in one of two ways: black box (the tester starts with no inside knowledge) or white box (the tester is given documentation, source, or credentials)

Vulnerability Assessment and Remediation
(4 of 9)
• Internet vulnerability assessment is designed to find and document vulnerabilities
present in an organization’s public network
− Steps in the process include:
 Planning, scheduling, and notification
 Target selection
 Test selection
 Scanning
 Analysis
 Record keeping

Vulnerability Assessment and Remediation
(5 of 9)
• Intranet vulnerability assessment
− Designed to find and document the selected vulnerabilities likely present on
the internal network
− Attackers are often internal members of the organization, affiliates of
business partners, or automated attack vectors (such as viruses and worms)
− This assessment is usually performed against critical internal devices with a
known, high value by using selective penetration testing
− Steps in the process are almost identical to the steps in the Internet
vulnerability assessment

Vulnerability Assessment and Remediation
(6 of 9)
• Platform security validation
− Designed to find and document vulnerabilities that may be present because
misconfigured systems are in use within the organization
− Misconfigured systems fail to comply with company policy or standards
− Automated measurement systems are available to help with the intensive process
of validating the compliance of platform configuration with policy
• Wireless vulnerability assessment
− Designed to find and document vulnerabilities that may be present in wireless local
area networks of the organization
− Since attackers from this direction are likely to take advantage of any flaw,
assessment is usually performed against all publicly accessible areas using every
possible wireless penetration testing approach
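Platform security validation is the one assessment on this slide that is mostly a matching exercise: a configuration file on one side, the organization's standard on the other, and a list of mismatches out. The script below is an added example, not code from the textbook, and not the organization's real standard: it checks an OpenSSH server configuration against a constructed policy table. Two sshd behaviours make a naive grep wrong, and the parser handles both. Keywords are case-insensitive, and when a keyword appears more than once sshd uses the first value, so a hardening line appended to the end of the file has no effect; lines after a Match block are conditional rather than global and are not evaluated here. The defaults column is what I understand current OpenSSH to apply when a keyword is absent; confirm it against the sshd_config(5) manual for the version actually deployed. The weak and hardened configurations are constructed samples.

```python
"""Platform security validation of an sshd_config against a policy table
(added example; policy, defaults and both sample files are constructed)."""

# keyword (lower-cased) -> (assumed default when absent, predicate, rule text)
POLICY = {
    "permitrootlogin":        ("prohibit-password", lambda v: v == "no", "must be no"),
    "passwordauthentication": ("yes", lambda v: v == "no", "must be no (keys only)"),
    "permitemptypasswords":   ("no", lambda v: v == "no", "must be no"),
    "x11forwarding":          ("no", lambda v: v == "no", "must be no"),
    "maxauthtries":           ("6", lambda v: v.isdigit() and int(v) <= 4, "must be 4 or fewer"),
}

WEAK_CONFIG = """\
# constructed sample: a typical unhardened sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# constructed sample: the same file after remediation
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}.

    Keywords are lower-cased; for a keyword given more than once the FIRST
    value wins (sshd semantics); parsing stops at the first Match block
    because everything after it is conditional.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)            # first occurrence wins
    return effective


def validate(text, policy=POLICY):
    """Return (keyword, effective value, 'set'|'default', rule) for each violation."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, ok, rule) in policy.items():
        value = settings.get(key, default)
        source = "set" if key in settings else "default"
        if not ok(value.lower()):
            findings.append((key, value, source, rule))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(validate(cfg))} violation(s)")
        for key, value, source, rule in validate(cfg):
            print(f"  {key} = {value} ({source}) {rule}")
```

Reporting whether a violation comes from an explicit setting or from a default matters for remediation: `PasswordAuthentication` is flagged in the weak file even though it never appears, and the fix is to add the line, not to edit one. The second `PermitRootLogin no` in the weak file is exactly the kind of "fix" that an automated validator catches and a quick read of the file misses.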
Vulnerability Assessment and Remediation (7 of 9)

• Documenting vulnerabilities
− The vulnerability database should provide details about each reported vulnerability as well as a link to the information assets it affects
− Low cost and ease of use make relational databases a realistic choice
− The vulnerability database is an essential part of effective remediation
• Remediating vulnerabilities
− The objective is to repair the flaws causing a vulnerability instance or to remove the risk associated with the vulnerability
− As a last resort, informed decision makers with proper authority can accept the risk
− It is important to recognize that building relationships with those who control information assets is key to success
− Success depends on the organization adopting a team approach to remediation, in place of cross-organizational push and pull
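The two bullets on documenting and remediating vulnerabilities describe one record-keeping system, and the slide's claim that a relational database is a realistic low-cost choice is easy to demonstrate. The script below is an added example, not code from the textbook: it builds a small vulnerability tracking database in SQLite (in memory, so it runs anywhere), links each vulnerability to the assets it affects and their owners, tracks each finding from discovery through remediation or formal risk acceptance, and reports what is past its remediation target. Asset names, vulnerability IDs, owners, dates and the SLA table are all constructed. It also encodes two of the slide's rules as constraints: a rescan that sees the same flaw does not reset the clock, and a finding cannot be marked "accepted" without a named decision maker.

```python
"""A minimal vulnerability tracking database in SQLite (added example; all
assets, vulnerabilities, owners, dates and SLA values are constructed)."""
import sqlite3
from datetime import date

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed targets

SCHEMA = """
CREATE TABLE asset (name TEXT PRIMARY KEY, owner TEXT NOT NULL);
CREATE TABLE vuln  (id TEXT PRIMARY KEY, title TEXT NOT NULL,
                    severity TEXT NOT NULL CHECK (severity IN ('critical','high','medium','low')),
                    remediation TEXT NOT NULL);
CREATE TABLE finding (
    asset TEXT NOT NULL REFERENCES asset(name),
    vuln  TEXT NOT NULL REFERENCES vuln(id),
    found_on TEXT NOT NULL,                      -- ISO date of first detection
    status TEXT NOT NULL DEFAULT 'open'
           CHECK (status IN ('open','remediated','accepted')),
    decided_by TEXT,                             -- who accepted the risk
    PRIMARY KEY (asset, vuln));
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def record_finding(db, asset, vuln, found_on):
    """Insert once; a later rescan that sees the same flaw keeps the original date."""
    db.execute("INSERT OR IGNORE INTO finding (asset, vuln, found_on) VALUES (?, ?, ?)",
               (asset, vuln, found_on.isoformat()))


def close_finding(db, asset, vuln, status, decided_by=None):
    """Mark an open finding remediated or accepted; returns True if a row changed."""
    if status == "accepted" and not decided_by:
        raise ValueError("risk acceptance needs a named, authorised decision maker")
    cur = db.execute("UPDATE finding SET status = ?, decided_by = ? "
                     "WHERE asset = ? AND vuln = ? AND status = 'open'",
                     (status, decided_by, asset, vuln))
    return cur.rowcount == 1


def overdue(db, as_of):
    """Open findings older than their severity's SLA, most urgent first."""
    rows = db.execute("""
        SELECT f.asset, a.owner, f.vuln, v.severity, f.found_on, v.remediation
        FROM finding f JOIN asset a ON a.name = f.asset JOIN vuln v ON v.id = f.vuln
        WHERE f.status = 'open'""").fetchall()
    late = []
    for asset, owner, vuln, sev, found_on, fix in rows:
        age = (as_of - date.fromisoformat(found_on)).days
        if age > SLA_DAYS[sev]:
            late.append({"asset": asset, "owner": owner, "vuln": vuln,
                         "severity": sev, "days_open": age, "remediation": fix})
    return sorted(late, key=lambda r: (list(SLA_DAYS).index(r["severity"]), -r["days_open"]))


def status_report(db):
    """{(severity, status): count} for the management status report."""
    rows = db.execute("""SELECT v.severity, f.status, COUNT(*)
                         FROM finding f JOIN vuln v ON v.id = f.vuln
                         GROUP BY v.severity, f.status""").fetchall()
    return {(sev, st): n for sev, st, n in rows}


def build_sample():
    """Populate a database with constructed data and walk a few findings through their life cycle."""
    db = open_db()
    db.executemany("INSERT INTO asset VALUES (?, ?)", [("www-01", "web team"), ("db-01", "dba team")])
    db.executemany("INSERT INTO vuln VALUES (?, ?, ?, ?)", [
        ("V-2024-001", "remote code execution in acme-web", "critical", "upgrade acme-web to 2.5.0"),
        ("V-2024-002", "weak TLS cipher suites", "medium", "restrict cipher list"),
        ("V-2024-003", "verbose server banner", "low", "disable banner"),
    ])
    record_finding(db, "www-01", "V-2024-001", date(2024, 3, 1))
    record_finding(db, "db-01", "V-2024-001", date(2024, 3, 10))
    record_finding(db, "db-01", "V-2024-002", date(2024, 1, 15))
    record_finding(db, "www-01", "V-2024-003", date(2024, 3, 1))
    record_finding(db, "www-01", "V-2024-001", date(2024, 3, 18))   # rescan: ignored
    close_finding(db, "www-01", "V-2024-001", "remediated")
    close_finding(db, "db-01", "V-2024-002", "accepted", decided_by="CIO")
    return db


if __name__ == "__main__":
    db = build_sample()
    print(status_report(db))
    for r in overdue(db, date(2024, 3, 20)):
        print(f"OVERDUE {r['severity']:8} {r['asset']} ({r['owner']}) {r['vuln']} {r['days_open']}d: {r['remediation']}")
```

The overdue report is grouped by asset owner on purpose: the slide's point about relationships with the people who control the assets only works if the report tells each owner what is theirs and what the fix is, rather than handing the security group a list to chase.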
Vulnerability Assessment and Remediation
(8 of 9)
• Acceptance or transference of risk
− In some instances, risk must be either simply acknowledged as part of the
organization’s business process or transferred to another organization via
insurance
− Management must be assured that decisions made to accept risk or buy
insurance were made by properly informed decision makers
− Information security must make sure the right people make risk assumption
decisions with complete knowledge of the impact of the decision

Vulnerability Assessment and Remediation (9 of 9)

• Threat removal
− In some circumstances, threats can be removed without repairing the vulnerability
− Other vulnerabilities may be mitigated by inexpensive controls
• Vulnerability repair
− The best solution in most cases is to repair the vulnerability
− Applying a software patch or implementing a workaround often accomplishes this
− The most common repair is the application of a software patch
Knowledge Check Activity 2

The final process in the vulnerability assessment and remediation domain is the
_____ phase.

Knowledge Check Activity 2: Answer

The final process in the vulnerability assessment and remediation domain is the
_____ phase.

Answer: remediation
Remediation cannot be undertaken until all vulnerabilities are identified,
categorized, classified and prioritized.

Readiness and Review (1 of 2)

• Primary goal is to keep information security programs functioning as designed and continuously improving
• Accomplished by
− Policy review
− Program review
− Rehearsals

Readiness and Review (2 of 2)
Physical Security (1 of 3)

• Physical security involves the protection of physical items, objects, or areas from unauthorized access and misuse
• Most technology-based controls can be circumvented if an attacker gains physical access
• Physical security is as important as logical security

Physical Security (2 of 3)

• Donn B. Parker’s seven major sources of physical loss:
1. Extreme temperature
2. Gases
3. Liquids
4. Living organisms
5. Projectiles
6. Movement
7. Energy anomalies

Physical Security (3 of 3)

• Community roles
− General management is responsible for facility security
− IT management and professionals are responsible for environmental and
access security
− Information security management and professionals perform risk
assessments and implementation reviews

Physical Access Controls

• A secure facility is a physical location with controls implemented to minimize the risk of attacks from physical threats
• A secure facility can take advantage of natural terrain, local traffic flow, and surrounding development and can complement these with protection mechanisms (fences, gates, walls, guards, alarms)

Physical Security Controls (1 of 8)

• Walls, fencing, and gates
• Guards and dogs
• ID cards and badges
• Locks and keys
• Electronic monitoring
• Alarms and alarm systems
• Computer rooms and wiring closets
• Interior walls and doors
Physical Security Controls (2 of 8)

• Walls, fencing, and gates
− Some of the oldest and most reliable elements of physical security and the essential starting point for perimeter control
• Guards and dogs
− Guards can evaluate each situation as it arises to make reasoned responses, and most have standard operating procedures
− Dogs have a keen sense of smell and hearing and can detect intrusions that human guards cannot

Physical Security Controls (3 of 8)

• ID cards and badges
− An ID card is typically concealed, while a name badge is visible
− Serve as a simple form of biometrics (facial recognition: the photo on the card is compared with the bearer’s face)
− Should not be the only means of control, as cards can be easily duplicated, stolen, and modified
− Tailgating occurs when an authorized individual opens a door and other people also enter

Tailgating
Physical Security Controls (4 of 8)

• Locks and keys
− Two types of locks: mechanical and electromechanical
− Locks can also be divided into four categories: manual, programmable, electronic, and biometric
− Locks fail, so alternative procedures for controlling access must be put in place
− Locks fail in one of two ways
 Fail-safe lock: unlocks when it fails, so that people can still get out (safety of people over protection of the area)
 Fail-secure lock: stays locked when it fails, so that the area stays protected (an alternative exit is needed for safety)
Physical Security Controls (5 of 8)

• Electronic Monitoring
− Equipment can record events in areas where other types of physical controls are impractical
− Cameras with video recorders, including closed-circuit television (CCTV) systems
− Drawbacks
 Passive; does not prevent access or prohibited activity
 Recordings often are not monitored in real time and must be reviewed to have any value

Physical Security Controls (6 of 8)

• Alarms and alarm systems
− Alarm systems notify people or systems when an event occurs
− Events include fire detection, intrusion, environmental disturbance, or an interruption in services
− Rely on sensors that detect an event: motion detectors, thermal detectors, glass breakage detectors, weight sensors, and contact sensors

Physical Security Controls (7 of 8)

• Computer rooms and wiring closets
− Require special attention to ensure confidentiality, integrity, and availability of information
− Logical access controls are easily defeated if an attacker gains physical access to computing equipment
− Custodial staff, often the least scrutinized people who have access to offices, are given the greatest degree of unsupervised access

Physical Security Controls (8 of 8)

• Interior walls and doors
− Information asset security is sometimes compromised by improper construction of facility walls and doors
− Facility walls are typically either standard interior walls or firewalls
− High-security areas must have firewall-grade walls to provide physical security against potential intruders and fires
− Doors allowing access to high-security rooms should be evaluated
− To secure doors, install push or crash bars on computer rooms and closets

Failure of Supporting Utilities and Structural Collapse

• Supporting utilities (heating, ventilation, air conditioning, power, water) have a significant impact on the continued safe operation of a facility
• Each utility must be properly managed to prevent potential damage to information and information systems

Heating, Ventilation, and Air Conditioning

• Areas within heating, ventilation, and air conditioning (HVAC) systems that can cause damage to information systems include:
− Temperature and filtration
− Humidity and static electricity
• Ventilation shafts
− Ductwork is small in residential buildings but large enough in commercial buildings for an individual to climb through
− If ducts are large, security can install wire mesh grids at various points to compartmentalize the runs
Power Management and Conditioning (1 of 2)

• Power systems used by information-processing equipment must be properly installed and correctly grounded
• Noise that interferes with the normal 60 Hertz cycle can result in inaccurate time clocks or unreliable internal clocks inside the CPU
• Grounding and amperage
− Grounding ensures that the returning flow of current is properly discharged to ground
− A ground fault circuit interrupter (GFCI) is capable of quickly identifying and interrupting a ground fault
− Overloading a circuit can create a load exceeding the electrical cable’s rating, increasing the risk of overheating and fire
Power Management and Conditioning (2 of 2)

• Uninterruptible power supply (UPS)
− In case of a power outage, the UPS is the backup power source for major computing systems
− Basic UPS configurations:
 Standby
 Line-interactive
 Standby online hybrid
 Standby ferroresonant
 Double conversion online
 Delta conversion online
Knowledge Check Activity 3

Power systems used by information-processing equipment must be properly installed and correctly _____.

Knowledge Check Activity 3: Answer

Power systems used by information-processing equipment must be properly installed and correctly _____.

Answer: grounded
Grounding ensures that the returning flow of current is properly discharged to the ground. If the grounding elements of the electrical system are not properly installed, anyone who touches a computer or other electrical device could become a ground source, which can cause damage to the equipment and injury or death to the person.

Interception of Data

• Three methods of data interception:
− Direct observation
− Interception of data transmission
− Electromagnetic interception
• The U.S. government developed the TEMPEST program to reduce the risk of electromagnetic radiation (EMR) monitoring

Securing Mobile and Portable Systems

• Mobile computing requires more security than typical computing infrastructures on the organization’s premises
• Many mobile computing systems have corporate information stored within them
• Some are configured to facilitate the user’s access into the organization’s secure computing facilities
• Controls support security and retrieval of lost or stolen laptops

Remote Computing Security

• Remote site computing involves a variety of computing sites outside the organization’s main facility
• Telecommuting is off-site computing using Internet, dial-up, or leased point-to-point links
• Remote working became critical during the COVID-19 pandemic
• Employees may need to access networks on business trips, and telecommuters need access from home systems or satellite offices
• Telecommuters’ computers must be made more secure than the organization’s systems
Special Considerations for Physical Security Threats

• Develop physical security in-house or outsource?
− Many qualified and professional agencies exist
− Benefits of outsourcing include gaining the experience and knowledge of these agencies
− Downsides include high expense, loss of control over individual components, and the level of trust that must be placed in another company
• Social engineering: the use of people skills to obtain information from employees that should not be released

Summary (1 of 7)

• Change is inevitable, so organizations should have procedures to deal with changes in the operation and maintenance of their information security program.
• The CISO decides whether the information security program can adapt to change as it is implemented or whether the process of the risk management program must be started anew.
• To stay current, the information security community of interest and the CISO must constantly monitor the three components of the security triple: threats, assets, and vulnerabilities.
• To assist the information security community in managing and operating the ongoing security program, the organization should adopt a security management maintenance model. These models are frameworks that are structured by the tasks of managing a particular set of activities or business functions.
Summary (2 of 7)

• NIST SP 800-100, “Information Security Handbook: A Guide for Managers,” outlines managerial tasks performed after the program is operational. For each of the 13 areas of information security management presented in SP 800-100, there are specific monitoring activities:
1. Information security governance
2. Systems development life cycle
3. Awareness and training
4. Capital planning and investment control
5. Interconnecting systems
6. Performance measures
7. Security planning
Summary (3 of 7)

8. Information technology contingency planning
9. Risk management
10. Certification, accreditation, and security assessments
11. Security services and products acquisition
12. Incident response
13. Configuration and change management

Summary (4 of 7)

• The maintenance model recommended in this module is made up of five subject areas or domains: external monitoring, internal monitoring, planning and risk assessment, vulnerability assessment and remediation, and readiness and review.
• The objective of the external monitoring domain in the maintenance model is to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks so that an effective and timely defense can be mounted.
• The objective of the internal monitoring domain is an informed awareness of the state of the organization’s networks, information systems, and information security defenses. The security team documents and communicates this awareness, particularly when it concerns system components that face the external network.
• The primary objective of the planning and risk assessment domain is to keep an eye on the entire information security program.
Summary (5 of 7)

• The primary objectives of the vulnerability assessment and remediation domain are to identify specific, documented vulnerabilities and remediate them in a timely fashion.
• The primary objectives of the readiness and review domain are to keep the information security program functioning as designed and keep improving it over time.
• Physical security requires the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
• An organization’s policy should guide the planning for physical security throughout the development life cycle.
• In facilities management, a secure facility is a physical location that has controls to minimize the risk of attacks from physical threats. A secure facility can use natural terrain, traffic flow, and urban development, and can complement these environmental elements with protection mechanisms such as fences, gates, walls, guards, and alarms.

Summary (6 of 7)

• The management of keys and locks is a fundamental part of general management’s responsibility for the organization’s physical environment.
• A fail-safe lock is typically used on an exit door when human safety in a fire or other emergency is the essential consideration. A fail-secure lock is used when human safety is not the dominant factor.
• Fire suppression systems typically work by denying an environment one of the three requirements for a fire to burn: temperature (an ignition source), fuel, and oxygen.
• Four environmental variables controlled by HVAC systems can cause damage to information systems: temperature, filtration, humidity, and static electricity.
• Computer systems depend on stable power supplies to function; when power levels are too high, too low, or too erratic, computer circuitry can be damaged or destroyed. The power provided to computing and networking equipment should contain no unwanted fluctuations and no embedded signaling.
Summary (7 of 7)

• As with any phase of the security process, the implementation of physical security must be constantly documented, evaluated, and tested. Once the physical security of a facility is established, it must be diligently maintained.
• Data can be intercepted electronically and manually. The three routes of data interception are direct observation, interception of data transmission, and interception of electromagnetic radiation.
• With the increased use of laptops, tablets, and smartphones, organizations should be aware that mobile computing requires even more security than the average in-house system.
• Remote site computing requires a secure extension of the organization’s internal networks and special attention to security for any connected home or off-site computing technology.
Self-Assessment

• You learned about Capability Maturity Model Integration (CMMI) on page 490 of the textbook.
• From what you learned about CMM in general and CMMI in particular, should a company try to gain higher levels of CMMI as a goal? What would be the benefit of achieving an improved CMMI score?

