Information Security Term Paper

Length: 8 pages Sources: 1 Subject: Business Type: Term Paper Paper: #14679131 Related Topics: Firewalls, Ip Address, Port Security, Biometric Technology
Excerpt from Term Paper :

¶ … Security

The following will look at case review questions based on the book known as Principles of Information Security by Michael E. Whitman. Chapters 4, 5, 6, and 7 were read through and case questions were given for each of these chapters. Case review question answers will be incorporated with material from the chapter reading that accompanies it.

Chapter 4's introduction has a scenario of a man known as Charlie. He is giving key reminders for everyone in the asset identification project. They are to complete their asset lists while keeping in mind certain priorities. It ties into the idea of chapter 4 which is known as risk management and identifying risks along with assessing them (Whitman and Mattord, 2011-page 116). It also explains how one can perpetuate risk control. Risk management itself refers to a process that identifies risk or vulnerabilities to the organization and taking steps to reduce the risks (Whitman and Mattord, 2001-page 116).

Three undertakings are attached to risk management and they are known as risk assessment, risk identification, and risk control. (Whitman and Mattord, 2011-page 116) As part of being an information security professional one needs a risk management strategy. Asset identification is a part of that strategy (Whitman and Mattord, 2011-page 116). When doing asset identification one should consider the following attributes such as people, data, and procedures.


Charlie did an organization of the work that was quite effective before the meeting with a little bit of flaws. He brings about the idea before the meeting is to begin that participation from all departments is needed. This shows that everyone is an equal to the company and it will not be that everything is to go through one department that controls all (Whitman and Mattord, 2011 Case Study Question page). The issues that should be covered by the work plan include addressing people and their positions. Everyone needs to know what their role will be in the work plan and they part they need to contribute (Whitman and Mattord, 2011-page 121). When sorting through this avoid names and stick with identifying the positions. Another thing the work plan should include is procedures (Whitman and Mattord, 2011-page 121). Procedures include the purpose of each task and how they are to be performed (Whitman and Mattord, 2011-page 121). They also include relationships between hardware and networking elements as well as software.


The company will get useful information from the team it has assembled. The information packets provided at the beginning of the meeting aim to give all of the information needed (Whitman and Mattord, 2011 Case Study question Page). This includes info on all the information technology risks faced by the organization such as fires and floods. Legal requirements faced in the industry and background articles are provided as well (Whitman and Mattord, pg 115).


Some attendees might resist the goals of a meeting if they feel like their department or position has nothing to do with any of the goals to be accomplished (Whitman and Mattord, 2011-page 115). For example in the chapter introduction with case of Charlie the manager of sales says something quite interesting (Whitman and Mattord, 2011-page 115). He says, "Why is my department here? Isn't security a problem for the IT department?" There is that sense of resistance already there as a result of not knowing things to come.

Key notes to make out of chapter 4 are that the goal of information security is to reduce risk which is the amount of risk that is not accounted for control applications and other risk management strategies to a level that is acceptable (Whitman and Mattord, 2011-page 164). One needs to also fully understand each threat that can be presented and the impact it can have on the organization (Whitman and Mattord, 2011-page 164). It also should be known on how each individual threat should be examined as a result of using a threat assessment process. It should be known that the goal of a risk assessment is the assignment of a risk score to represent the risk of a specific vulnerability.

Case Study Chapter 5

For the chapter 5 case study we see Charles sitting at his desk and answering an important email. He has a notepad ready and is prepared to make notes on what should be done in case his "


The case study asks on what should be written down on the notepad in order to address the situation and deal it with in a way that is effective and takes care of the problem completely (Whitman and Mattord, 2011 Case Study Question).

What he should keep in mind is known as a single comprehensive ISSP document. A single comprehensive ISSP document is centrally managed and controlled (Whitman and Mattord, 2011-page 176). It is known as an issue specific security policy and it aims to address specific areas of technology, it requires updates frequently, and contains a statement on the organizations position on a specific issue (Whitman and Mattord, 2011-page 176). It can cover topics such as email, internet use, use of personal equipment on company networks, and prohibition against hacking or testing in any form of organization security controls.

The ISSP document is what will give him the guidelines to follow for the contingency plan. Contingency plans prepare for action if any successful attack occurs (Whitman and Mattord, 2011-page 176). Many types of contingency plans exist such as business contingency plans and incident response plans.


The first thing that should be written on Charlie's list should be the rough draft of the business impact analysis. This is the assessment and examination of any impact that various problems can cause (Whitman and Mattord, 2011-page 209). Charlie should have written down all the problems that can occur and what their effect would be on the business if they were to happen. He will have the answers to the question on what to do now if an attack succeeds. For example what is to happen when an electric blackout occurs or if a malicious code attack occurs that is massive.


The other items that should be included are incident response planning, disaster recovery planning, and business continuity planning. Incident response planning includes the classification, identification, and response to an incident (Whitman and Mattord, 2011-page 212). It consists of four phases known as planning, detection, reaction, and recovery. Disaster recovery planning looks at crisis management procedures and recovery operations. It gives very detailed guidance in the event of a disaster (Whitman and Mattord, 2011-page 220) It establishes priorities and roles and responsibilities that are delineated. Everyone is to be aware of their expected actions in case of disaster (Whitman and Mattord, 2011-page 226). Business continuity will allow Charlie to have guidelines that allow the preparation of reestablishing business operations during disaster time. It has the steps the organization can take in order to function if business cannot be done at the main work site (Whitman and Mattord, 2011-page 226). There has to be a plan in motion that will allow the business to continue if certain things are unable as a result of disaster. There are a number of strategies that one can do to bring forth a continuation plan. Cost tends to be the determining factor.

Once Charlie has everything written down on the notepad he will have the model needed that will become the official contingency plan.

Case Study for Chapter 6

The case study for chapter 6 sees a character known as Kelvin calling a meeting to order. The meeting is called in order to settle a design issue over the network. Susan Hamir reviews key points and certain tradeoffs. Kelvin then starts a slide presentation with a list of discussion questions.

Chapter 6 itself looks at concepts such as filtering technology, describing technology that enables the use of virtual private networks, and describing firewall technology. The idea of access control is looked at as well. Access control is the method by which systems can determine how to adapt into a trusted section of the organization itself (Whitman and Mattord, 2011-page 237). Categorized firewalls such as first generation firewalls, second generation firewalls, and third generation firewalls are explained.


The questions that should be addressed in the slide presentation are what is going to be the architecture of the firewall. For example will it be a packet-filtering router, screened-host firewall, and dual-homed host firewalls (Whitman and Mattord, 2011 pages 255-256). Answer question to be asked includes if the firewall design will adapt to the growing network of the organization (Whitman and Mattord, 2011-page 259). Another thing to take into account is what is included in the base price. Are all of the costs of the design known? What additional features can be received at an extra cost? To what extent will the firewall design give the required protection needed? Will the firewall design be one that is easy to setup and configure (Whitman…

Sources Used in Documents:


Whitman, M., & Mattord, H. (2011). Principles of Information Security (4th ed.). Cengage Learning.

Cite this Document:

"Information Security" (2014, November 15) Retrieved January 20, 2022, from

"Information Security" 15 November 2014. Web.20 January. 2022. <>

"Information Security", 15 November 2014, Accessed.20 January. 2022,

Related Documents
Information Security
Words: 1440 Length: 4 Pages Topic: Information Technology Paper #: 32625376

Information Security The discussion below provides answers to questions raised with regard to a case at Greenwood Company A forensic plan of readiness comes with several advantages. If there arises a situation that forces a company to be engaged in litigation, and there is need for digital evidence, e-discovery is of central importance. The laws and rules that govern the e-discovery, such as the Federal Rules of Civil Procedure or the Practice

Security Information Security Is a Primary Concern
Words: 809 Length: 2 Pages Topic: Education - Computers Paper #: 72516905

Security Information security is a primary concern for consumers and businesses. In "IT security fails to keep pace with the rise of cloud computing," the author claims that in spite of the advancements in cloud technology, information security has not kept pace. This assessment is rooted firmly in fact and best practices in the information security industry. Although their analysis is thorough, the authors would do well to point out the

Information Security Management
Words: 549 Length: 2 Pages Topic: Teaching Paper #: 12749963

Security Management Information Security Management Managing the information security at a major university is never an easy task, and especially with a team of only ten the complexities and the resource demands can sometimes make the situation seem all but impossible even on the best of days. When the former head of information security management suddenly departs as the result of an FBI arrest -- and when that arrest stems from the

Security Information Security and Risk Management in
Words: 1322 Length: 5 Pages Topic: Business - Management Paper #: 2883406

SECURITY Information Security and Risk Management in IT This essay is designed to present and discuss both an assessment of information security and risk management in IT systems and a comparative discussion of important academic theories related to security and risk. In the first section, An assessment, a conceptual framework will emerge including reference to important terminology and concepts as well as an outline of legislation and authorized usage examples. In the

Security at Work Information Security Within the
Words: 576 Length: 2 Pages Topic: Education - Computers Paper #: 95935201

Security at Work Information Security within the nursing fraternity With the advent of consolidated information storage within the nursing fraternity, there has grown the need to have better security and controlled access to such information that may be considered confidential and for the use by the nurse and the patient alone. When anyone wants therefore to have access to the documents I will always need to verify several details just to be

Information Security
Words: 3704 Length: 10 Pages Topic: Business - Management Paper #: 44263283

Security A broad definition of information security is given in ISO/IEC 17799 (2000) standard as: "The preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required" (ISO/IEC 17799, 2000, p. viii). Prior to the computer and internet security emerged as we