Information Security: Principles and Practices

Mark S. Merkow / Jim Breithaupt  
Total pages
June 2014
Related Titles

Product detail

Product Price CHF Available  
Information Security: Principles and Practices
94.00 approx. 7-9 days


Fully updated for today's technologies and best practices, Information Security: Principles and Practices, Second Edition thoroughly covers all 10 domains of today's Information Security Common Body of Knowledge. Written by two of the world's most experienced IT security practitioners, it brings together foundational knowledge that prepares readers for real-world environments, making it ideal for introductory courses in information security, and for anyone interested in entering the field. This edition addresses today's newest trends, from cloud and mobile security to BYOD and the latest compliance requirements. The authors present updated real-life case studies, review questions, and exercises throughout.


  • Thoroughly updated to reflect the latest knowledge for all ten domains of the (ISC)∼ CBK
  • Wide-ranging coverage, from security management and physical security to cryptography and application development security
  • Covers new technologies, practices, and procedures, ranging from cloud and mobile to BYOD
  • Includes revamped case studies, review questions, and exercises throughout

New to this Edition

  • Extensively updated coverage of all technologies, practices, and procedures
  • Updated case studies, review questions, and exercises
  • All-new coverage of cloud security, mobile security, BYOD, and other key trends

Table of Contents


Chapter 1: Why Study Information Security?


The Growing Importance of IT Security and New Career Opportunities

An Increase in Demand by Government and Private Industry

Becoming an Information Security Specialist

Schools Are Responding to Demands

The Importance of a Multidisciplinary Approach

Contextualizing Information Security

Information Security Careers Meet the Needs of Business


Chapter 2: Information Security Principles of Success


Principle 1: There Is No Such Thing As Absolute Security

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

Integrity Models

Availability Models

Principle 3: Defense in Depth as Strategy

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance

Principle 6: Security Through Obscurity Is Not an Answer

Principle 7: Security = Risk Management

Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive

Principle 9: Complexity Is the Enemy of Security

Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security

Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!


Chapter 3: Certification Programs and the Common Body of Knowledge


Certification and Information Security

International Information Systems Security Certifications Consortium (ISC)2

The Information Security Common Body of Knowledge

Information Security Governance and Risk Management

Security Architecture and Design

Business Continuity and Disaster Recovery Planning

Legal Regulations, Investigations, and Compliance

Physical (Environmental) Security

Operations Security

Access Control


Telecommunications and Network Security

Software Development Security

Other Certificate Programs in the IT Security Industry

Certified Information Systems Auditor

Certified Information Security Manager

Certified in Risk and Information Systems Control

Global Information Assurance Certifications

 (ISC)2 Specialization Certificates

CCFP: Certified Cyber Forensics Professional

HCISPP: HealthCare Information Security and Privacy Practitioner

Vendor-Specific and Other Certification Programs


Chapter 4: Governance and Risk Management


Security Policies Set the Stage for Success

Understanding the Four Types of Policies

Programme-Level Policies

Programme-Framework Policies

Issue-Specific Policies

System-Specific Policies

Developing and Managing Security Policies

Security Objectives

Operational Security

Policy Implementation

Providing Policy Support Documents


Standards and Baselines



Suggested Standards Taxonomy

Asset and Data Classification

Separation of Duties

Employment Hiring Practices

Risk Analysis and Management

Education, Training, and Awareness

Who Is Responsible for Security?


Chapter 5: Security Architecture and Design


Defining the Trusted Computing Base

Rings of Trust

Protection Mechanisms in a TCB

System Security Assurance Concepts

Goals of Security Testing

Formal Security Testing Models

The Trusted Computer Security Evaluation Criteria

Division D: Minimal Protection

Division C: Discretionary Protection

Division B: Mandatory Protection

Division A: Verified Protection

The Trusted Network Interpretation of the TCSEC

The Information Technology Security Evaluation Criteria

Comparing ITSEC to TCSEC

ITSEC Assurance Classes

The Canadian Trusted Computer Product Evaluation Criteria

The Federal Criteria for Information Technology Security

The Common Criteria

Protection Profile Organization

Security Functional Requirements

Evaluation Assurance Levels

The Common Evaluation Methodology

Confidentiality and Integrity Models

Bell-LaPadula Model

Biba Integrity Model

Advanced Models


Chapter 6: Business Continuity Planning and Disaster Recovery Planning


Overview of the Business Continuity Plan and Disaster Recovery Plan

Why the BCP Is So Important

Types of Disruptive Events

Defining the Scope of the BCP

Creating the Business Impact Analysis

Disaster Recovery Planning

Identifying Recovery Strategies

Understanding Shared-Site Agreements

Using Alternate Sites

Making Additional Arrangements

Testing the DRP


Chapter 7: Law, Investigations, and Ethics


Types of Computer Crime

How Cybercriminals Commit Crimes

The Computer and the Law

Legislative Branch of the Legal System

Administrative Branch of the Legal System

Judicial Branch of the Legal System

Intellectual Property Law

Patent Law


Trade Secrets

Privacy and the Law

International Privacy Issues

Privacy Laws in the United States

Computer Forensics

The Information Security Professional’s Code of Ethics

Other Ethics Standards

Computer Ethics Institute

Internet Activities Board: Ethics and the Internet

Code of Fair Information Practices


Chapter 8: Physical Security Control


Understanding the Physical Security Domain

Physical Security Threats

Providing Physical Security


Chapter 9: Operations Security


Operations Security Principles

Operations Security Process Controls

Operations Security Controls in Action

Software Support

Configuration and Change Management


Media Controls





Chapter 10: Access Control Systems and Methodology


Terms and Concepts



Least Privilege (Need to Know)

Information Owner

Discretionary Access Control

Access Control Lists

Mandatory Access Control

Role-Based Access Control

Principles of Authentication

The Problems with Passwords

Multifactor Authentication


Single Sign-On


Federated Identities

Remote User Access and Authentication

Remote Access Dial-In User Service

Virtual Private Networks


Chapter 11: Cryptography


Applying Cryptography to Information Systems

Basic Terms and Concepts

Strength of Cryptosystems

Cryptosystems Answer the Needs of Today’s E-Commerce

The Role of Keys in Cryptosystems

Putting the Pieces to Work

Digesting Data

Digital Certificates

Examining Digital Cryptography

Hashing Functions

Block Ciphers

Implementations of PPK Cryptography


Chapter 12: Telecommunications, Network, and Internet Security


An Overview of Network and Telecommunications Security

Network Security in Context

The Open Systems Interconnection Reference Model

The Protocol Stack

The OSI Reference Model and TCP/IP

The OSI Model and Security

Data Network Types

Local Area Networks

Wide Area Networks




Protecting TCP/IP Networks

Basic Security Infrastructures



Intrusion Detection Systems

Intrusion Prevention Systems

Virtual Private Networks


Encapsulating Security Protocol

Security Association

Internet Security Association and Key Management Protocol

Security Policies

IPSec Key Management

Applied VPNs

Cloud Computing


Chapter 13: Software Development Security


The Practice of Software Engineering

Software Development Life Cycles

Don’t Bolt Security On–Build It In

Catch Problems Sooner Rather Than Later

Requirements Gathering and Analysis

Systems Design and Detailed Design

Design Reviews

Development (Coding) Phase



Security Training

Measuring the Secure Development Program

Open Software Assurance Maturity Model (OpenSAMM)

Building Security in Maturity Model (BSIMM)


Chapter 14: Securing the Future


Operation Eligible Receiver

Carders, Account Takeover, and Identity Theft

Some Definitions

ZeuS Banking Trojan

Phishing and Spear Phishing

Other Trends in Internet (In)Security

The Year (Decade?) of the Breach

The Rosy Future for InfoSec Specialists


Appendix A: Common Body of Knowledge

Access Control

Telecommunications and Network Security

Information Security Governance and Risk Management

Software Development Security


Security Architecture and Design

Operations Security

Business Continuity and Disaster Recovery Planning

Legal Regulations, Investigations, and Compliance

Physical (Environmental) Security

Appendix B: Security Policy and Standards Taxonomy

Appendix C: Sample Policies

Sample Computer Acceptable Use Policy

1.0.0 Acceptable Use Policy

Sample Email Use Policy

1.0.0 Email Use Policy

Sample Password Policy

1.0.0 Password Policy

Sample Wireless (WiFi) Use Policy

1.0.0 Wireless Communication Policy

Appendix D: HIPAA Security Rule Standards

HIPAA Security Standards

Administrative Procedures

Physical Safeguards

Technical Security Services

Technical Security Mechanisms



9780789753250   TOC   5/7/2014



Mark Merkow, CISSP, CISM, CSSLP, is a technical director for a Fortune 100 financial services firm, where he works on implementing and operating a software security practice for the enterprise. He has more than 35 years of IT experience, including 20 years in IT security. Mark has worked in a variety of roles, including applications development, systems analysis and design, security engineering, and security management. Mark holds a master’s degree in decision and info systems from Arizona State University (ASU), a master’s of education in Distance Learning from ASU, and a bachelor’s degree in Computer Info Systems from ASU.


Jim Breithaupt is a data integrity manager for a major bank, where he manages risk for a large data mart. He has more than 30 years of data processing experience and has co-authored several other books on information systems and information security, along with Mark Merkow.