Preview (10 of 326 pages) of: Instructor Manual, Principles of Information Security, 7th Edition by Michael E. Whitman. Listed October 31, 2023.
Instructor Manual
Principles of Information Security,
7th Edition by Michael E. Whitman

Instructor Manual
Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 1: Introduction to Information Security

Table of Contents
Purpose and Perspective of the Module (page 2)
Cengage Supplements (page 2)
Module Objectives (page 2)
Complete List of Module Activities and Assessments (page 2)
Key Terms (page 3)
What's New in This Module (page 4)
Module Outline (page 4)
Discussion Questions (page 15)
Suggested Usage for Lab Activities (page 16)
Additional Activities and Assignments (page 17)
Additional Resources (page 17)
  Cengage Video Resources (page 17)
  Internet Resources (page 17)
Appendix (page 18)
  Grading Rubrics (page 18)

Purpose and Perspective of the Module
The first module of the course in information security gives learners the foundational
knowledge needed to become well versed in the protection that systems of any size need within an
organization today. The module begins with fundamental knowledge of what information
security is and how computer security evolved into what we now know as information
security. Learners will also gain an understanding of how information security can be
viewed either as an art or a science, and why that is the case.

Cengage Supplements
The following product-level supplements are available in the Instructor Resource Center and
provide additional information that may help you in preparing your course:
  • PowerPoint slides
  • Test banks, available in Word, as LMS-ready files, and on the Cognero platform
  • MindTap Educator Guide
  • Solution and Answer Guide
  • This instructor's manual

Module Objectives
The following objectives are addressed in this module:
1.1 Define information security.
1.2 Discuss the history of computer security and explain how it evolved into information
security.
1.3 Define key terms and critical concepts of information security.
1.4 Describe the information security roles of professionals within an organization.

Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT Slide | Activity/Assessment | Duration
--- | --- | --- | ---
(none) | 2 | Icebreaker: Interview Simulation | 10 minutes
1.1–1.2 | 19–20 | Knowledge Check Activity 1 | 2 minutes
1.3 | 34–35 | Knowledge Check Activity 2 | 2 minutes
1.4 | 39–40 | Knowledge Check Activity 3 | 2 minutes
1.1–1.4 | (none) | MindTap Module 01 Review Questions | 30–40 minutes
1.1–1.4 | (none) | MindTap Module 01 Case Exercises | 30 minutes
1.1–1.4 | (none) | MindTap Module 01 Exercises | 10–30 minutes per question; 1+ hour per module
1.1–1.4 | (none) | MindTap Module 01 Security for Life | 1+ hour
1.1–1.4 | (none) | MindTap Module 01 Quiz | 10–15 minutes
[return to top]

Key Terms
In order of use:
computer security: In the early days of computers, this term specified the protection of the
physical location and assets associated with computer technology from outside threats, but it
later came to represent all actions taken to protect computer systems from losses.
security: A state of being secure and free from danger or harm as well as the actions taken to
make someone or something secure.
information security: Protection of the confidentiality, integrity, and availability of information
assets, whether in storage, processing, or transmission, via the application of policy, education,
training and awareness, and technology.
network security: A subset of communications security; the protection of voice and data
networking components, connections, and content.
C.I.A. triad: The industry standard for computer security since the development of the
mainframe; the standard is based on three characteristics that describe the attributes of
information that are important to protect: confidentiality, integrity, and availability.
confidentiality: An attribute of information that describes how data is protected from disclosure
or exposure to unauthorized individuals or systems.
personally identifiable information (PII): Information about a person's history, background,
and attributes that can be used to commit identity theft; it typically includes a person's name,
address, Social Security number, family information, employment history, and financial
information.
integrity: An attribute of information that describes how data is whole, complete, and
uncorrupted.
availability: An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
accuracy: An attribute of information that describes how data is free of errors and has the value
that the user expects.
authenticity: An attribute of information that describes how data is genuine or original rather
than reproduced or fabricated.
utility: An attribute of information that describes how data has value or usefulness for an end
purpose.
possession: An attribute of information that describes how the data's ownership or control is
legitimate or authorized.
McCumber Cube: A graphical representation of the architectural approach used in computer
and information security that is commonly shown as a cube composed of 3×3×3 cells, similar to
a Rubik's Cube.
information system: The entire set of software, hardware, data, people, procedures, and
networks that enable the use of information resources in the organization.
physical security: The protection of material items, objects, or areas from unauthorized access
and misuse.

bottom-up approach: A method of establishing security policies and/or practices that begins as
a grassroots effort in which systems administrators attempt to improve the security of their
systems.
top-down approach: A methodology of establishing security policies and/or practices that is
initiated by upper management.
chief information officer (CIO): An executive-level position that oversees the organization's
computing technology and strives to create efficiency in the processing and access of the
organization's information.
chief information security officer (CISO): The title typically assigned to the top information
security manager in an organization.
data owners: Individuals who control and are therefore ultimately responsible for the security
and use of a particular set of information.
data custodians: Individuals who are responsible for the storage, maintenance, and protection
of information.
data stewards: See data custodians.
data trustees: Individuals who are assigned the task of managing a particular set of information
and coordinating its protection, storage, and use.
data users: Internal and external stakeholders (customers, suppliers, and employees) who
interact with information in support of their organization's planning and operations.
community of interest: A group of individuals who are united by similar interests or values
within an organization and who share a common goal of helping the organization to meet its
objectives.
[return to top]

What's New in This Module
The following elements are improvements in this module from the previous edition:
  • This Module was Chapter 1 in the 6th edition.
  • The content that covered Systems Development was moved to Module 11: Implementation.
  • The Module was given a general update and more current examples.
[return to top]


Module Outline
Introduction to Information Security (1.1, 1.2, PPT Slides 4–17)
I. Recognize that organizations, regardless of their size or purpose, have information they
must protect and store internally and externally.
II. Analyze the importance and reasoning an organization must be responsible for the
information they collect, store, and use.
III. Review the concept of computer security and when the need for it initially arose.

IV. Discuss how badges, keys, and facial recognition of authorized personnel are required
to access military locations deemed sensitive.
V. Describe the primary threats to security: physical theft of equipment, product espionage,
and sabotage.
VI. Examine information security practices in the World War II era and compare with modern
day needs.
The 1960s
I. Explain the purpose of the Department of Defense's Advanced Research Projects
Agency (ARPA) and its need to create redundant networked communications systems
so that the military could exchange information.
II. Identify Dr. Larry Roberts as the creator of the ARPANET project, the forerunner of the
modern-day Internet.
The 1970s and ’80s
I. Critique the use of ARPANET and how it became more widely used and, as a consequence,
misused.
II. Recognize that Robert M. Metcalfe expressed concerns about ARPANET and how easily it
could be hacked into because of password structure vulnerabilities, a lack of safety
protocols, and widely distributed phone numbers for system access.
III. Conclude that a lack of controls left users with limited safeguards against
unauthorized remote users.
IV. Discuss how dial-up connections lacked safety protocols when connecting to ARPANET.
V. Recall that the way users were authorized into the system, together with a lack of user
identification, posed significant security risks for ARPANET during this time.
VI. Evaluate the movement toward stronger security protocols that followed the implementation
of the conclusions of the Rand Report R-609.
VII. Relate how the need for physical security protocols grew to include computer security
protocols as part of a holistic information security plan.
MULTICS
I. Define the purpose of the Multiplexed Information and Computing Service (MULTICS)
and its importance to information security.
II. Relate that the restructuring of the MULTICS project created the UNIX operating system
in 1969.
III. Contrast the facts that the MULTICS system had multiple security levels planned,
whereas the new UNIX system did not have them included.
IV. Examine the decentralization of data processing and why it is important to modern-day
information security protocols.
V. Recognize that in the late 1970s, microprocessors transformed computing capabilities
but also introduced new security threats.
VI. Recall the Defense Advanced Research Projects Agency (DARPA) created the
Computer Emergency Response Team (CERT) in 1988.

VII. Conclude that until the mid-1980s, computer security was a non-issue for federal
information systems.
The 1990s
I. Understand that as computers and their networks became more common, the need to
connect networks rose in tandem. The Internet was born out of this need for a global
network of networks.
II. Analyze how the exponential early growth of the Internet resulted in security being a
low priority relative to other core components.
III. Identify networked computers as the most common style of computing during this time.
One result was a lessened ability to physically secure a computer, leaving stored data
more exposed to internal and external security threats.
IV. Recognize that toward the turn of the new millennium, numerous large corporations
demonstrated the need for security and integrated it into their internal systems. Antivirus
products grew in popularity, and information security grew into its own discipline
because of these proactive initiatives.
2000 to Present
I. Recall the fact that millions of unsecured computer networks and billions of computing
devices are communicating with each other.
II. Recognize and apply the fact that cyberattacks are increasing and have caused
governments and corporations to commit to stronger information security
protocols.
III. Examine the exponential rise in mobile computing and how these devices bring their
own set of information security vulnerabilities.
IV. Apply the fact that one's ability to secure the information stored on a device is
influenced by the security protocols of the other devices it is connected to.
V. Establish that wireless networks and their associated risks often have minimal security
protocols in place and can be a catalyst for anonymous attacks.

What Is Security? (1.3, PPT Slides 18 and 21–26)
I. Define the term security and explain why multiple layers of it are needed to protect
people, operations, infrastructure, functions, communications, and information.
II. Emphasize the role of the Committee on National Security Systems (CNSS) in defining
information security, which includes protecting critical elements such as the systems and
hardware that store, transmit, and use information.
III. Recognize the importance of the C.I.A. triad, while noting that on its own it is no longer
an adequate model for modern information security needs.
Key Information Security Concepts
I. Comprehend and define the following security terms and concepts:
  • Access: A subject or object's ability to use, manipulate, modify, or affect another
subject or object. Authorized users have legal access to a system, whereas hackers
must gain illegal access to a system. Access controls regulate this ability.

  • Asset: The organizational resource that is being protected. An asset can be logical,
such as a Web site, software information, or data, or an asset can be physical, such
as a person, computer system, hardware, or other tangible object. Assets,
particularly information assets, are the focus of what security efforts are attempting to
protect.
  • Attack: An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it. Attacks can be active or passive,
intentional or unintentional, and direct or indirect. Someone who casually reads
sensitive information not intended for his or her use is committing a passive attack. A
hacker attempting to break into an information system is an intentional attack. A
lightning strike that causes a building fire is an unintentional attack. A direct attack is
perpetrated by a hacker using a PC to break into a system. An indirect attack is a
hacker compromising a system and using it to attack other systems—for example, as
part of a botnet (slang for robot network). This group of compromised computers,
running software of the attacker's choosing, can operate autonomously or under the
attacker's direct control to attack systems and steal user information or conduct
distributed denial-of-service attacks. Direct attacks originate from the threat itself.
Indirect attacks originate from a compromised system or resource that is
malfunctioning or working under the control of a threat.
  • Control, safeguard, or countermeasure: Security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities,
and otherwise improve security within an organization. The various levels and types
of controls are discussed more fully in the following modules.
  • Exploit: A technique used to compromise a system. This term can be a verb or a
noun. Threat agents may attempt to exploit a system or other information asset by
using it illegally for their personal gain, or an exploit can be a documented process to
take advantage of a vulnerability or exposure, usually in software, that is either
inherent in the software or created by the attacker. Exploits make use of existing
software tools or custom-made software components.
  • Exposure: A condition or state of being exposed; in information security, exposure
exists when a vulnerability is known to an attacker.
  • Loss: A single instance of an information asset suffering damage or destruction,
unintended or unauthorized modification or disclosure, or denial of use. When an
organization's information is stolen, it has suffered a loss. Protection profile or
security posture is the entire set of controls and safeguards—including policy,
education, training and awareness, and technology—that the organization
implements to protect the asset. The terms are sometimes used interchangeably with
the term security program although a security program often comprises managerial
aspects of security, including planning, personnel, and subordinate programs.
  • Risk: The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite—the quantity and
nature of risk they are willing to accept.
  • Subjects and objects of attack: A computer can be either the subject of an
attack—an agent entity used to conduct the attack—or the object of an attack: the
target entity. See Figure 1-8. A computer can also be both the subject and object of
an attack. For example, it can be compromised by an attack (object) and then used
to attack other systems (subject).

  • Threat: Any event or circumstance that has the potential to adversely affect
operations and assets. The term threat source is commonly used interchangeably
with the more generic term threat. The two terms are technically distinct, but to
simplify discussion, the text will continue to use the term threat to describe threat
sources.
  • Threat agent: The specific instance or a component of a threat. For example, the
threat source of "trespass or espionage" is a category of potential danger to
information assets, while "external professional hacker" (like Kevin Mitnick, who was
convicted of hacking into phone systems) is a specific threat agent. A lightning strike,
hailstorm, or tornado is a threat agent that is part of the threat source known as "acts
of God/acts of nature."
  • Threat event: An occurrence of an event caused by a threat agent. An example of a
threat event might be damage caused by a storm. This term is commonly used
interchangeably with the term attack.
  • Threat source: A category of objects, people, or other entities that represents the
origin of danger to an asset—in other words, a category of threat agents. Threat
sources are always present and can be purposeful or undirected. For example,
threat agent "hackers," as part of the threat source "acts of trespass or espionage,"
purposely threaten unprotected information systems, while threat agent "severe
storms," as part of the threat source "acts of God/acts of nature," incidentally
threaten buildings and their contents.
  • Vulnerability: A potential weakness in an asset or its defensive control system(s).
Some examples of vulnerabilities are a flaw in a software package, an unprotected
system port, and an unlocked door. Some well-known vulnerabilities have been
examined, documented, and published; others remain latent (or undiscovered).
Critical Characteristics of Information
I. Recognize that when a characteristic of information changes, the value of that
information may increase, but more often it decreases.
II. Comprehend and define the following security terms and concepts: confidentiality,
personally identifiable information (PII), integrity, availability, accuracy, authenticity,
utility, and possession.
Confidentiality
I. Define the purpose of confidentiality and the measures that must be in place to protect
information.
  • Information classification
  • Securely storing documents
  • Applying general security policies and protocols
  • Educating information custodians and end users
II. Analyze common reasons confidentiality breaches occur.
III. Review the concept of personally identifiable information (PII) and its application to
confidentiality.
Integrity

I. Examine the concept of integrity and its application to information security principles.
II. Justify that file corruption is not strictly the result of hackers or other external forces but
can include internal forces such as noise, low-voltage circuits, and retransmissions.
Availability
I. Define the concept of availability and how it allows users to access information without
restriction in their required formats.
Accuracy
I. Understand that the accuracy of information is important: data must be free of mistakes
or errors and must have the value the end user expects.
Authenticity
I. Identify the fact that information is authentic when it is given to a user in the same state
that it was created, placed, stored, or transferred.
II. Evaluate the example of e-mail spoofing and how messages sent look authentic on the
surface but are, in fact, not.
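The integrity and authenticity sections above describe two of the critical characteristics of information in words only. The following added example (written for this edit; it is not code from the instructor manual or the textbook) shows how each characteristic is checked in practice: a SHA-256 digest detects a single flipped bit of the kind line noise or a faulty circuit can introduce, and an HMAC computed with a key only the genuine sender holds lets a receiver tell a real message from a spoofed one that looks authentic on the surface. The message, the key, and the corrupted copy are all constructed for the demonstration; hashing and HMAC are standard mechanisms assumed here, not ones the outline names.

```python
"""Added example (not from the instructor manual): checking the integrity and
authenticity attributes of a constructed message."""
import hashlib
import hmac

# Constructed sample: the message exactly as the legitimate sender stored/sent it.
ORIGINAL = (b"From: payroll@example.org\r\nSubject: Q3 bonus schedule\r\n\r\n"
            b"Bonuses post on 15 Oct.")

# Constructed shared secret for the demo; a real key lives in a key store, never in source.
SENDER_KEY = b"constructed-demo-key-do-not-reuse"


def digest(data: bytes) -> str:
    """Integrity fingerprint of the bytes exactly as received."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, expected_digest: str) -> bool:
    """True only if every byte matches what the stored digest was computed over."""
    return hmac.compare_digest(digest(data), expected_digest)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate the single-bit error that noise, a low-voltage circuit, or a bad
    retransmission can introduce; the text may still read normally afterwards."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def sign(data: bytes, key: bytes) -> str:
    """Authenticity tag: only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def is_authentic(data: bytes, tag: str, key: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign(data, key), tag)


def demo() -> dict:
    """Run both checks and return the outcomes so they can be inspected or asserted."""
    stored_digest = digest(ORIGINAL)
    genuine_tag = sign(ORIGINAL, SENDER_KEY)

    # Integrity: flip the lowest bit of the last byte ('.' becomes '/').
    noisy_copy = flip_bit(ORIGINAL, len(ORIGINAL) - 1, 0)

    # Authenticity: a spoofed message copies the headers exactly but its sender
    # has no access to SENDER_KEY, so the tag is computed with some other key.
    spoofed_tag = sign(ORIGINAL, b"constructed-wrong-key")

    return {
        "original_intact": integrity_intact(ORIGINAL, stored_digest),
        "noisy_intact": integrity_intact(noisy_copy, stored_digest),
        "original_authentic": is_authentic(ORIGINAL, genuine_tag, SENDER_KEY),
        "spoofed_authentic": is_authentic(ORIGINAL, spoofed_tag, SENDER_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The digest alone answers the integrity question (were the bytes changed?) but not the authenticity question (did they come from who they claim?), because anyone can recompute a plain hash over a forged message; the keyed tag is what separates the two attributes, which is why the outline treats them as distinct characteristics.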
Utility
I. Examine the usefulness of information and how it can be applied for an end purpose.
Possession
I. Recall this attribute as one where the ownership or control of information has legitimacy
or authorization.
II. Assess the scenario where a breach of possession does not always equate to a breach
of confidentiality.
CNSS Security Model
I. Discuss the concept of the McCumber Cube and its application into computer and
information security protocols.
  • Quantify, via Figure 1-9 (page 14) in the text, that there are a total of 27 areas
(3 × 3 × 3) that must be properly addressed during a security process.
  • Understand that as policy, education, and technology increase, so too do the needs
for confidentiality, integrity, and availability across storage, processing, and
transmission.
II. Conclude that a common omission in this model is the guidelines and policies that give
direction for implementing technologies and for the practices of doing so.

Components of an Information System (1.3, PPT Slide 27)
I. Recognize that to fully understand the importance of an information system, one must be
aware of everything included within it.
II. Review the six most common elements of an information system.
  • Software
  • Hardware
