Chapter 1
INFORMATION ASSURANCE AND SECURITY
Chapter One
Why Study Information Security?
Introduction
With the rapid advances in networked computer technology during the last few decades and the unprecedented growth of the Internet, the public has become increasingly aware of the threats to personal privacy and security through computer crime. Identity theft, pirated bank accounts, forgery—the list of electronic crimes is as unlimited as the imaginations of those who use technology in harmful and dangerous ways.
Introduction
As much as consumers and businesses like the convenience of the Internet and open computer networks, this ease of access also makes people vulnerable to technically savvy but unscrupulous thieves. To protect computers, networks, and the information they store, organizations are increasingly turning to information security specialists.
AN INCREASE IN DEMAND BY GOVERNMENT AND PRIVATE INDUSTRY
INFORMATION NETWORKING, INFORMATION TECHNOLOGY
INFORMATION SECURITY
THE IMPORTANCE OF A MULTIDISCIPLINARY APPROACH
A multidisciplinary approach describes the breadth of people’s knowledge and experience across a wide variety of interests—scientific, liberal arts, business, communications, and so on. Those who are able to maintain a wide view of the world (or a business situation) tend to excel when working in information security.
Lee Kushner and Mike Murray of Search Security Magazine wrote an article describing information security as a popular career choice among information technology (IT) professionals. Because of the variety of skills needed, people with many different backgrounds are attracted to the field, and what used to be a cottage industry is becoming mainstream. With these changes in the industry, career management, career development, and career planning are vital to future success.
“To have a successful information security career, one must have the skills of a technologist but be able to think like a business leader; this involves understanding how security benefits the organization’s business goals and knowing how to network and make connections beyond just IT.”
CONTEXTUALIZING INFORMATION SECURITY
As the world’s computers become more interconnected, and as more people and companies rely on the global village to communicate and transact, systems become more exposed to successful break-in attempts.
As noted by Bruce Schneier, Principal of Counterpane Internet Security Inc. and foremost expert and authority on computer security, “The only secure computer is one that is turned off, locked in a safe, and buried 20 feet down in a secret location—and I’m not completely confident of that one, either” (Schneier 1995).
INFORMATION SECURITY CAREERS MEET THE NEEDS OF BUSINESS
Companies are not spending millions of dollars on information security just for the sake of security. IT security is needed to protect the business both from itself and from outsiders who would cause it harm.
CAREERS
To support business operations, regardless of the industry, a number of common positions and career opportunities are needed to prevent and respond to business needs.
SECURITY ADMINISTRATORS
ACCESS COORDINATORS
SECURITY ARCHITECTS AND NETWORK ENGINEERS
SECURITY CONSULTANTS
SECURITY TESTERS
POLICYMAKERS AND STANDARDS DEVELOPERS
COMPLIANCE OFFICERS
INCIDENT RESPONSE TEAM MEMBERS
GOVERNANCE AND VENDOR MANAGERS
ACCESS COORDINATORS
are delegated the authority on behalf of a system owner to establish and maintain the user base that is permitted to access and use the system in the normal course of their job duties.
NETWORK ENGINEERS
design and implement network infrastructures that are built with security in mind. Skills needed here include understanding firewall designs, designing and developing intrusion detection/prevention systems and processes, and determining how to configure servers, desktop computers, and mobile devices to comply with security policies.
SECURITY CONSULTANTS
work with project-development teams to perform risk analysis of new systems by balancing the needs of the business with the threats that stem from opening up access to data or managing new information that could compromise the business if it fell into the wrong hands. Security consultants are usually internal personnel who are assigned to project-development teams and remain with the project from inception to implementation.
SECURITY TESTERS
are the white-hat hackers paid to test the security of newly acquired and newly developed or redeveloped systems. Testers who can mimic the activities of outside hackers are hired to find software problems and bugs before the system is made available. Their work reduces the likelihood that the system will be compromised when it’s in day-to-day operating mode.
POLICYMAKERS AND STANDARDS DEVELOPERS
are the people who look to outside regulators and executive management to set the tone and establish the specific rules of the road when interacting with or managing information systems. Policymakers formally encode the policies or management intentions in how information will be secured.
COMPLIANCE OFFICERS
check to see that employees remain in compliance with security policies and standards as they use information systems in their daily work. Compliance officers usually work with outside regulators when audits are conducted and are often charged with employee security training and awareness programs to help maintain compliance.
INCIDENT RESPONSE TEAM MEMBERS
are alerted when an intrusion or security incident occurs. They decide how to stop the attack or limit the damage as they collect and analyze forensics data while interacting with law enforcement personnel and executive management.
GOVERNANCE AND VENDOR MANAGERS