Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (https://www.jblearning.com/cybersecurity/issa). Designed for courses and curriculums in IT security, cybersecurity, information assurance, and information systems security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. The books in this series deliver fundamental information security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but also forward thinking, putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow as well.

This book provides a comprehensive view of managing risk in information systems. It covers the fundamentals of risk and risk management and includes in-depth details on more comprehensive risk management topics in three major parts.

Part One, Risk Management Business Challenges, addresses many of the issues relevant to present-day businesses. It covers details of risks, threats, and vulnerabilities. Topics help students understand the importance of risk management in the organization, including many of the techniques used to manage risks. Several current laws are presented with clear descriptions of how they are relevant in organizations. It also includes a chapter describing the contents of a risk management plan.

Part Two, Mitigating Risk, focuses on risk assessments. Topics presented include risk assessment approaches, including the overall steps in performing a risk assessment. It covers the importance of identifying assets and then identifying potential threats, vulnerabilities, and exploits against these assets. Chapter 9 covers the types of controls that can be used to mitigate risk. The last two chapters in this part identify how to plan risk mitigation throughout the organization and convert the risk assessment into a risk management plan.

Part Three, Risk Mitigation Plans, covers the many elements of risk mitigation plans, such as a business impact analysis and a business continuity plan. The last two chapters cover disaster recovery and computer incident response team plans.

Learning Features

The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used to clarify the material and vary the presentation. The text is sprinkled with Notes, Tips, FYIs, and sidebars to alert the reader to additional and helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.

Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

Audience

The material is suitable for undergraduate or graduate computer science or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

New to This Edition

This text has been broadly updated to include new and emerging concepts in the expanding field of information systems and cybersecurity, in particular risk management. Concepts are more appropriately defined and explained; for example, the definition of risk references assets as a critical component of the totality of risk. Risk management and assessment topics have been updated throughout the book with references to threat sources, for example, advanced persistent threats. Included are updated references and examples of threat-likelihood impacts and how organizations compute risk loss scenarios. Explanations of business continuity plans, minimum business continuity objectives, disaster recovery plans, and recovery sites are updated. Several new guidelines have been introduced in the text to reflect advances in the field of cybersecurity. In particular, federal guidelines from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security have been updated, with the inclusion of new NIST Special Publications: 800-183; 800-154; 800-153; 800-150; 800-84; 800-63 a, b, and c; 800-53 Rev. 5; 800-34; and 800-37.

The text includes updated references to the current organizational state of affairs in the field of cybersecurity, such as surveys of executives in the field, and references to the new and emerging topics of cloud computing, analytics, mobile computing, artificial intelligence, machine learning, robotic process automation, and blockchain. Besides updated information on the NIST Risk Management Framework, updates to the Common Vulnerabilities and Exposures (CVE) are included. The textbook now has updated references to U.S. and international compliance laws, including the Federal Information Security Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and the EU’s General Data Protection Regulation (GDPR). The Children’s Online Privacy Protection Act (COPPA) is introduced as well as the Equifax data breach. The text includes updated references to ISACA’s Control Objectives for Information and Related Technologies (COBIT) 2019. Updated end-of-chapter questions are also included in the text.

Cloud Labs

This text is accompanied by Cybersecurity Cloud Labs. These hands-on virtual labs provide immersive mock IT infrastructures whereby students can learn and practice foundational cybersecurity skills as an extension of the lessons in this textbook. For more information or to purchase the labs, visit go.jblearning.com/gibson3e.