- Understand what information security is and how it came to mean what it does today.
- Comprehend the history of computer security and how it evolved into information security.
- Understand the key terms and critical concepts of information security as presented in the chapter.
- Outline the phases of the security systems development life cycle.
- Understand the role of professionals involved in information security in an organizational structure.
- Understand the business need for information security.
- Understand that a successful information security program is the responsibility of an organization’s general management and IT management.
- Understand the threats posed to information security and the more common attacks associated with those threats.
- Differentiate threats to information systems from attacks against information systems.
- Use this chapter as a guide for future reference on laws, regulations, and professional organizations.
- Differentiate between laws and ethics.
- Identify major national laws that relate to the practice of information security.
- Understand the role of culture as it applies to ethics in information security.
- Define risk management and its role in the SecSDLC.
- Understand how risk is identified.
- Assess risk based on the likelihood of occurrence and impact on an organization.
- Grasp the fundamental aspects of documenting risk identification and assessment.
- Recognize why risk control is needed in today’s organizations.
- Know the risk mitigation strategy options for controlling risks.
- Identify the categories that can be used to classify controls.
- Be aware of the conceptual frameworks that exist for evaluating risk controls, and be able to formulate a cost-benefit analysis when required.
- Understand how to maintain and perpetuate risk controls.
- Understand management’s responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
- Understand the differences between the organization’s general information security policy and the requirements and objectives of the various issue-specific and system-specific policies.
- Know what an information security blueprint is and what its major components are.
- Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs.
- Become familiar with what viable information security architecture is, what it includes, and how it is used.
- Know what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning.
- Understand the elements that comprise a business impact analysis and the information that is collected for the attack profile.
- Recognize the components of an incident response plan.
- Define and identify the various types of firewalls.
- Discuss the approaches to firewall implementation.
- Discuss the approaches to dial-up access and protection.
- Identify and describe the two categories of intrusion detection systems.
- Discuss the two strategies behind intrusion detection systems.
- Understand the conceptual need for physical security.
- Identify threats to information security that are unique to physical security.
- Describe the key physical security considerations for selecting a facility site.
- Identify physical security monitoring components.
- Grasp the essential elements of access control within the scope of facilities management.
- Understand the criticality of fire safety programs to all physical security programs.
- Understand how the organization’s security blueprint becomes a project plan.
- Understand the numerous organizational considerations that must be addressed by the project plan.
- Grasp the significant role and importance of the project manager in the success of an information security project.
- Understand the need for professional project management for complex projects.
- Take in the technical strategies and models for implementing the project plan.
- Grasp the nontechnical problems that organizations face in times of rapid change.
- Understand the need for the ongoing maintenance of the information security program.
- Become familiar with recommended security management models.
- Understand a model for a full maintenance program.
- Understand key factors for monitoring the external and internal environment.
- Learn how planning and risk assessment tie into information security maintenance.
- Understand how vulnerability assessment and remediation tie into information security maintenance.
- Learn how to build readiness and review procedures into information security maintenance.
- Understand where and how the information security function is positioned within organizations.
- Understand the issues and concerns about staffing the information security function.
- Know about the credentials that professionals in the information security field can acquire.
- Recognize how an organization’s employment policies and practices can support the information security effort.
- Understand the special security precautions necessary for nonemployees.
- Recognize the need for the separation of duties.
- Understand the special requirements needed for the privacy of personnel data.