Need for Sound Information Security Management - Literature review Example

Heading: Information Security Management Your name: Course name: Professors’ name: Date Table of Contents Table of Contents 2 Introduction 3 Need for sound information security management 3 Incident Response Management and Disaster Recovery 4 Mobile Device Security Management 6 Linking Business Objectives with Security 6 Ethical Issues in Information Security Management 9 Security Training and Education 10 Defending against Internet-Based Attacks 11 Industrial Espionage and Business Intelligence Gathering 13 Personnel Issues in Information Security 14 Physical security issues in information security 15 Cyber Forensic Incident Response 16 Conclusion 17 References 19 Introduction Small and Medium Enterprises (SMEs) can be described as business units with less employees and low turnover as compared to large firms. Small firms have less than 50 workers, while medium-sized firm has 500 workers. SMEs usually experience some disadvantages, including the need for tighter resource planning, more rigorous budgeting, as well as time management issues, which government bodies and larger firms do not have to contend with. Given these constraints, many small to medium firms ignore the issue of information security management, despite the fact that it is pivotal to their success. Hence, this paper intends to explore the implementation of information security management in SMEs as compared to larger organizations. It also attempts to rationalize the significance of effective information security management in a firm. Need for sound information security management Computer technology environments require enabled security settings. A common example of this entails firms installing firewalls and anti-virus software in order to safeguard their systems against unauthorized access and malware. A company is a business entity which holds or processes information, some of which is confidential. If this confidential information gets disclosed or exposed to the public in any way, it may cause loss of prospective monetary gains, earnings, and fidelity. From an employee’s perspective, business loss in smaller companies due to security hitches could possibly cause a reciprocal impact on workers in terms of loss of revenue due, layoff, retrenchment, or downscaling (Stamp, 2006). In SMEs, information security is particularly difficult because resources are limited and firms lack the means or resources to introduce a preventive solution (Fay, 2007).), placing more responsibility on staff members to uphold integrity in dealing with company information holdings. Lack of resources necessary for hiring, or receiving professional advice and assistance from security domain experts creates narrower knowledge on the subject of information security in SMEs and it may be difficult for such companies to identify appropriate security products off the shelf, including anti-virus software and firewalls. This problem of insufficient knowledge also leads SMEs to believe that they are well protected if they keep these security devices on, and renew their subscriptions at the specific time required by the vendor (Hine, & Carson, 2007). However, such measures are inadequate and there is a clear need for SMEs to upgrade the security of information management – both in terms of protective measures and organizational knowledge of how to accomplish such security. Incident Response Management and Disaster Recovery This entails the process of managing and responding to security incidents in terms of social, technical, or socio-technical measures. Here, social measures entail the use of people, such as, specialists, in handling security measures in a firm, whereas technical measures are those involving use of technological procedures or aspects to address security of information in a business. Disaster recovery comprises management of the policies, procedures and processes involved in bringing a firm back on track after undergoing a disaster which is commonly humanly-induced or natural. When making a plan for fail proof (that which resists failure) and practical response management, it is important to have a written list of employees and their roles in managing incidents. A charter is crucial in establishing an appropriate team and members’ assigned roles in case of an incident (Elliott, 2010). In big firms or governmental bodies, both external parties and employees, including security domain professionals, can constitute the incident response team. For instance, some workers might be skilled in how to handle Denial of Service attacks and might be given a specialized role in managing these attacks. The establishment of a multi-disciplinary, specialized team is not usually possible in SMEs where staffing and budgeting limitations prevent these smaller companies from creating dedicated incident response roles. In this case, the availability of a charter and the formation of a team help in the creation of an incident response plan which describes and categorizes incidents in terms of their degree of severity, from isolated and small incidents such as virus attacks to full-scale, deliberate penetration attacks (Mann, 2009). In SMEs, Calder (2005) claims, a few workers can make up this incident response-monitoring group with a director or senior management representative assuming the responsibility and role of leader of an incident response plan. The leader is the one who guides the team and establishes the severity of every incident; hence determining a suitable response level and unit. A formal incident declaration determines the procedures for reporting the incident in the firm by informing the management leader of the incident in order to handle it properly. This involves suitable team activation and level scaling, as mentioned above. In SMEs, the declaration may be in the form of an email, short message, face-to-face, or telephone conversation. This is because SMEs operate in single locations or small premises. In contrast, in larger firms, a single incident may trigger extensive detrimental effects across the same setups, systems, or scenarios, and the response group may be distributed across different places, or the team size can be bigger, with more complex roles, in larger firms (Snedaker, 2007). Mobile Device Security Management Since mobile devices run on hardware and software susceptible to the same attacks faced by server and desktop technologies, companies need to take steps to protect these assets (Androulidakis, 2012). Debbabi (2007) maintains that threats to mobile devices are of a lower level of severity than threats to applications and operating systems, networks, and user information. Nonetheless, because few makers of mobile devices opt to employ substandard operating systems, attacks and threats will not directly affect the end user. These operating system makers can conveniently renew and use patches in reaction to security susceptibilities, reducing the responsibility of the end users (Mitchell, 2004). In bigger organizations with specialized departments and functions, mobile device security is dealt with systematically. In contrast, Campagna (2011) recommends that SMEs be proactive in obtaining new and punctual security patches from their mobile vendors and in passing as much responsibility for product security and mitigation of threats to the vendors as possible. Linking Business Objectives with Security Johnson (2008) maintains that, fundamentally, return on investment is among the most significant factors in any organization. Aligning business goals with security and persuading the board that every dollar spent on security is necessary is fundamental in every upcoming firm, especially in SMEs. Moreover, linking security with business goals is about persuading investors and senior management to invest in feasible protection and return on investment for every dollar used in firm’s security. To devise a boardroom security program, a number of areas can be considered including accessing, analyzing, strategizing, aligning, and communicating. This ordered outline can be especially useful for SMEs (Doll, 2003). In big organizations, where departments and human resources are distributed throughout many places, business units, and offices, it is more difficult than it is in SMEs to collect the information necessary. In the initial discipline involving a firm’s present security state, and current security model, the creation of a right evaluation for the next discipline requires the development of standardized expectations and checklist in all relevant business units. For instance, evaluation can happen by determining questions to be used in an interview (De Decker, 2002). Publishing (2011) holds that the analysis stage entails working on the raw information gathered in the initial stage and employing various available analytical methods and tools to perform a gap analysis. Security gap analysis assesses the variation between the accessible security system and the definite anticipated conditions. Upon performing a gap analysis on a firm’s security settings, it is imperative to divide this into projects to be handled separately and given priority based on their level of significance (De Decker, 2002). Moreover, SMEs should implement an available, efficient capacity structure to help them appropriately prioritize the projects as per level of significance. The implementation of each project requires proper planning, as well as a sound and feasible approach (Paulus, 2005). Moreover, the security plan requires managers and executives at each step to understand necessary steps in the implementation of the approach from the beginning to the end (Vallabhaneni, 2008). As Convery (2004) contends, linking security to business goals is a constant process evolving with business needs. In the case of change, security plans must be linked with business needs. Thus, the alignment of strategy and security should not happen once per year, but should be incorporated into each business operation on a continual basis. Biometric Security Devices and their Use Reid (2004) states that biometric devices are used in the identification of individuals in terms of behavioral or biological features, such as facial recognition, finger printing, voice dynamics, hand geometry, iris scan, retinal scan, and signature dynamics. Readily accessible verification techniques remain critical in several organizational areas, such as workstations, email access, and general facilities. These techniques are usually utilized together with biometric security as the initial or the second verification layer. The selective or common utilization of biometric security devices in SME firms depends on the nature of security levels and business needs. The greater cost of arranging biometric security application is always among the many factors that SMEs must consider. Firms should consider the related costs before adopting biometric security application. Thus, it is critical for firms to determine whether accessing biometric device is a reasonable investment. If not, minor security devices which are not biometric applications might be employed instead (Vacca, 2007). As Newman (2009) maintains, some of the general features of the application of biometric devices include enhanced security, improved user convenience and experience, and lower cost of operation in the long term in comparison with conventional verification measures. Biometric devices are usually used in larger firms in order to protect resources and data as well as confidential and vital facilities. Such large firms could be in sectors such as finance, healthcare, or manufacturing and governmental bills or laws could exist requiring conformity to security activities via biometric device usage. In the same way, SMEs that are bidding, entity, or government projects might need to implement these security measures as part of their contractual terms (Vacca, 2007), despite the higher set-up costs of these devices. Ethical Issues in Information Security Management Since security management always addresses human rights matters, ethical issues measures are critical in any SME. It is also vital that SMEs ensure that their employees act with integrity and ethical competence. Every employee should accept responsibility for his or her work, and set high standards of individual performance in relation to keeping data safe and private (Vacca, 2009). SMEs also strive to minimize levels of computer crime among their staff. Computer crime could involve illegal access, use, or damage of software, hardware networks, or data resources. This could also entail illegal information release, illegal reproduction of software, and denial of end user access to data, software, network resources, and data. Further, it could involve conspiring to use network or computer resources unlawfully to get tangible property or information. It is, thus, crucial that SMEs ensure that all workers perform as per their code of conduct. Additionally, Tipton and Nozaki (2007) propose that firms must adhere to the technological principles of informed consent, proportionality, justice, as well as minimized risk. Informed consent explains that persons influenced by technology must comprehend and accept the threats involved. For proportionality, the good obtained from technology should supersede the possible risks. This implies that the technological benefits achieved by firms ought to be more than the risks involved. In terms of justice, SMEs should fairly distribute technological burdens and benefits. This implies that both losers and gainers must accept equal measures of risks (Grama, 2011). Security Training and Education McCrie (2007) demonstrates that security training and education for employees yields knowledge and communication that is beneficial for all personnel. While SMEs may not be able to offer additional training by external vendors due to it being beyond budgetary scope, in-house training is essential for firms in raising the awareness of staff members lacking in knowledge of information management security processes. It also enables firms to describe and explain to its personnel particular roles in relation to information security. According to Herold (2011), this training should be arranged in parts or as a whole according to organizational needs and reviewed on a yearly basis in order to link security concerns to business objectives. What is more, Herold (2011) claims that an effective information technology plan entails the development of information technology policies linked to business needs, including dangers posed by known threats, establishment of processes for proper observation, evaluation, and updating of the security plan; and enlightening users about their responsibilities regarding information technology security. Education and training describes appropriate rules of conduct for using a given firm’s IT information and systems and communicates technological security procedures and policies with which to comply. Such education must also set any sanctions to be imposed in case of non-compliance. This training and awareness enable users to understand company expectations. Consequently, it enables firms to achieve accountability arising from well-trained, fully informed, and knowledgeable personnel. Whitman (2012) asserts that awareness entails changed behavior or reinforcement of desirable security actions. It enables individuals to identify IT security issues and react accordingly. On the other hand, training seeks to give staff necessary and relevant security competencies and skills. The most important distinction between awareness and training is that the latter instills skills that enable an individual to conduct a particular function, whereas awareness aims at focusing one’s attention on a given issue. Additionally, McCrie (2007) holds that education seeks to integrate all the security competencies and skills of different functional fields into one body of knowledge. Moreover, certification is necessary to validate that users acquire the appropriate level of competence and knowledge essential for their responsibilities. Such development of staff knowledge and effective certification may be seen in terms of professionalization of a company’s workforce. In terms of training, SMEs have non-specialists; hence, limited knowledge and skills in information security management, as compared to large firms (Whitman, 2012). Defending against Internet-Based Attacks Firms with internet presence or which employ web based technologies are particularly susceptible to internet-based attacks. Since the internet involves an open network of interrelated computers, it is crucial to divide defense against these attacks into two sections. These parts are, firstly, securing firm infrastructures exposed to the internet system, and, secondly, securing applications accessible on the internet. Modified and customized applications available online, or web applications accessible to the public, are at the greatest risk from a chain of common attacks including UR writing, SQL injection, cross site scripting, buffer overflow, and input confirmation attacks. Such web attacks are dangerous, as, unlike in network level and open operating systems attacks, firewalls cannot manage information passing through the selected web ports, usually 443, and 80, for HTTPS and HTTP, respectively (Purser, 2004). Application developers who design software and programs for utilization over the internet should ensure that it is only under some regulated situations that data becomes output. In SMEs, where employment of modified software is more important and common than its costly equivalent turnkey solutions, it is imperative to ensure that the advance group has background knowledge of inclusive web attacks (Andress, 2011). This kind of awareness creates a defense bulk against internet attacks and, if this does not succeed, secure coding can be its available protection. In many situations, web servers are exposed to the internet in order to serve http requests. Server administrators should ensure that only the necessary ports are free to serve requests and, in most situations, the majority of the web systems come in layered architectures, such as n-tier and three-tier architecture in which servers are divided based on responsibilities and are in charge of particular feature of the whole application (Convery, 2004). Such physical or logical segmentation comprises proxy servers, database servers, middleware or application servers, and web servers. In this situation, server administrators must ensure that only web servers are opened to the internet, whereas other servers must not be accessible to the public (perhaps only from a VPN or VLAN, or through an IP management). Sometimes, application servers are similar to web servers due to their in-built capacity but are usually insufficient in providing similar security for the full-grown software of web servers. Whenever there is a security loophole needing instant patching and response, committed and separate web servers are also quicker (Smith, 2013) Industrial Espionage and Business Intelligence Gathering A serious issues facing SMEs is industrial espionage, triggering the need for prevention of such activities by their business rivals. Industrial espionage is a tangible threat in the present corporate world. Indeed, corporate espionage is defined as theft of trade information and secrets critical to a firm through unethical means, as well as theft. Various countries address this kind of theft by punitive measures based on strict order and law (Nasheri, 2005). According to McCrie (2007), education is one of the most effective security measures against industrial espionage. Education is effective in keeping organizational workers and members well informed on the general behavior and signs of espionage that can be displayed. The most sensitive points for espionage occurring in an SME setting include monetary gains, defection, revenge, competition, and blackmail. Thus, it is imperative for such businesses to identify their enemies and their intentions prior to establishing how and where to protect. One of the major prevention techniques entails identifying the firm’s strong points and aligning them with the intention for corporate espionage. Conventional deterrence security methods, such as, antivirus software and firewall, can also be set to deter or slow down attack efforts (Khosrowpour, 2000). Personnel Issues in Information Security According to Grama (2011), recruitment, employee problems, and employee wellbeing are some of the common concerns for SMEs, particularly where primary security infrastructures are concerned. For example, a firm intending to terminate employee or retrench them requires assurance that such workers do not engage in unlawful activities. Moreover, agreements including non-compete, and non-disclosure clauses are often achieved between employees and hiring firms, acting as constitutional binding that workers do not disclose sensitive information that they have gathered over time in their work. Indeed, it is preferable for SMEs to retain employees where possible as economics maintain that keeping employees is affordable as compared to replacing them. Besides, employees that leave on bad terms with the firm might cause detrimental impacts on a company and its informational assets (Smith, 2013). Furthermore, Khosrowpour (2000) says that firms ought to consider specialized exit discussions and wide involvement by human resources in aiding leaving workers with other employment alternatives with partner firms to make sure that such workers exit on good terms with the firm in order to reduce ill feelings and grudges. Regarding the issue of hiring new people, particularly for firms with greater rates of worker turnover, or experiencing a fresh startup, SMEs should have an ordered recruitment procedure, such as, preparing employment terms and conditions, using non-compete consents, and non-disclosure clauses. It should also consider educating prospective workers on the firm’s security policy; as well as creating authorized levels of access to classified organizational data (Grama, 2011). Physical security issues in information security According to Bidgoli (2006), physical security is responsible for governing and protecting physical property, including servers and computers. It concerns itself with physical accessibility to and control of property and usually overlaps with strict security regulations in the attainment of a two-tier security access system, which is a system that requires remote users to go through several hoops prior to getting the application. The appropriate implementation of stringent security results in outcomes which deter interruptions caused by physical damage to computer services, and illegal divulgence of information (Smith, 2012). In SMEs which provide notebook computers for key and mobile managerial employee’s physical security attacks are a major concern. For instance, if one of the main scientists in a firm loses the notebook on which he/she collects study data, this will compromise the firm’s performance. Furthermore, SMEs should adopt convergence, which is a new security aspect that fuses both rational and physical security in order to regulate accessibility to ensure enhanced security of the information resources (Bidgoli, 2006). Beaver (2010) says that physical access regulations are as vital to a firm’s information security system as firewalls, anti-viruses, and password policies. In fact, physical security violations may lead to more concerns for a company as compared to a worm attack. Lasting availability loss through arson or bombs, data loss and short-term availability loss are all issues to consider during the implementation of physical security. With the invention of the easily concealable iPods or USB drives, the matter of physical security is increasingly getting more urgent. In fact, Pod Slurping is one of the latest threats to information. An iPod may be pre-configured to initiate a program known as sleep.exe upon insertion in a system. The program will then start reproducing files from the system at extremely high speed, almost 100MB of data per minute (Smith, 2013). Bidgoli (2006) argues that safeguarding desktops and laptops is often ignored, especially laptops. Physical security actions differ depending on the firm. For instance, a government agency can have well-armed security guards at strategic points of the building. Since this measure would be far too expensive for SMEs to implement, some of the other commonly used physical security measures include biometrics, user awareness; access control cards, laptop locks, as well as operating system hardening should be used. Moreover, firms should consider using architecture such as doors and perimeter boundaries, electronic devices, such as turnstiles, sensors, powerful authentication technologies, and surveillance systems; access control and monitoring and security operations such as security procedures, policies and incident response instructions (Beaver, 2010). Cyber Forensic Incident Response This involves a sequence of procedures that security employees can follow in order to assist forensic investigations. The whole incident response process entails acquisition of pieces of evidence from the scene of a crime, preservation of evidence, as well as the examination of the evidence. Because forensics gathering, examination, and final judgments are outside the scope of SMEs, cyber forensics activities focus only on essential activities that these firms should perform, leaving third party forensics specialists to carry out their jobs (Vacca, 2005). The initial measure to take following a scene that needs forensic investigation involves proper safeguarding of the area in which investigations will be conducted. This entails restricting accessibility to both logically and physically affected systems, machines, and devices. Secondly, it is imperative to identify devices falling within the investigation scope and establishing the state in which they are. Notably, in case the devices are turned off, switching them on should be avoided, and if they are turned on with discernible show, photographs of the screen and the adjacent surrounding areas (Contos, Crowell, & DeRodeff, 2007) should be taken. It is common agreement among computer security specialists that most computer crimes are neither reported nor detected. To some degree, this is because numerous computer crimes are not openly apparent. For instance, whenever something is stolen, the owner voluntarily senses this as the thing is missing. However, when a hacker steals computer information by reproducing it, the original information remains the same, and the owner can access it. There are various ways in which incidents may happen and different ways in which these incidents can affect the business. Common kinds of computer incidents are worker misuse of systems, malicious code, hacking or intrusion, vandalism or website defacement, illegal access to private data, insider sabotage, and mechanical scanning techniques and probes (Contos, Crowell, & DeRodeff, 2007). Nonetheless, there are no extensive solutions used in the prevention of such incidents, and the few solutions in existence are costly, and need a huge amount of firm resource to be put in place, placing them out of the reach of SMEs. Despite this, the alternative of employing weak incident response models is more costly in the long run and only increases the damage that can be caused to an organization. In fact, studies indicate that most small to medium firms do not consider security concerns until they have become victims of incidents (Nelson, 2010). Conclusion SMEs differ from government agencies and large businesses in their type of operations, as well as business scale. These firms are cautious in resource planning because of limitations and budget constraints. This is equally the case when handling security concerns. Although SMEs may require some features to be scaled down in security considerations as compared to big firms, in certain instances, SMEs outperform big organizations. The necessity of a sound security system in an SME setting motivates the need to install turnkey security software, such as, anti-virus software and firewalls. A sound security system also usually involves disciplines like governance, education, training, disaster planning, and alignment of security with business goals. Therefore, to counteract the potential risks and threats to their information holdings, SMEs should strive to maintain effective security management of their information systems in order to realize their business objectives. References Andress, J. (2011). The basics of information security understanding the fundamentals of InfoSec in theory and practice. Waltham, MA: Syngress. Pp. 1-20. Androulidakis, I. (2012). Mobile phone security and forensics a practical approach. New York: Springer. Pp. 1-40. Beaver, K. (2010). Hacking for dummies. Hoboken, NJ: Wiley Pub. Pp. Pp. 224-230. Bidgoli, H. (2006). Handbook of Information Security Volume 2. Hoboken: John Wiley & Sons. Pp.3-50. Calder, A. (2005). A business guide to information security how to protect your company's IT assets, reduce risks and understand the law. London Sterling, VA: Kogan Page. Pp. 10- 30 Campagna, R. (2011). Mobile device security for dummies. Hoboken, N.J. Chichester: Wiley John Wiley distributor. Pp. 292-300 Contos, B.T., Crowell, W.P., & DeRodeff, C. (2007). Physical and logical security convergence powered by enterprise security management. Burlington, MA: Syngress Pub. Pp.1-30. Convery, S. (2004). Network security architectures. Indianapolis, IN: Cisco Press. Pp. 9-20. De Decker, B. (2002). Advances in network and distributed systems security IFIP TC11 WG11.4 First Annual Working Conference on Network Security: November 26-27, 2001, Leuven, Belgium. Boston: Kluwer Academic Publishers. Pp. 201-220. Debbabi, M. (2007). Embedded Java security: security for mobile devices. London: Springer. Pp.1-30. Doll, M. (2003). Defending the digital frontier: a security agenda. Hoboken, N.J: Wiley. Pp. 30- 50. Elliott, D. (2010). Business continuity management: a crisis management approach. New York, NY: Routledge. Pp.20-70. Fay, J. (2007). Encyclopedia of security management. Burlington, MA: Butterworth-Heinemann. Pp. 1-20. Grama, J. (2011). Legal issues in information security. Sudbury, Mass: Jones & Bartlett Learning. Pp.1-20. Herold, R. (2011). Managing an information security and privacy awareness and training program. Boca Raton: CRC Press. Pp.1-50. Hine, D. & Carson, D. (2007). Innovative methodologies in enterprise research. Cheltenham, UK Northampton, MA: Edward Elgar. Pp. 1-50. Johnson, M.E. (2008). Managing information risk and the economics of security. New York London: Springer. Pp. 86-90. Khosrowpour, M. (2000). Challenges of information technology management in the 21st century: 2000 Information Resources Management Association International Conference, Anchorage, Alaska, USA, May 21-24, 2000. Hershey, PA: Idea Group Pub. Mann, D. (2009). Facility management: human outsourcing solutions to clients. New Delhi: Global India Publications. Pp. 299-305. McCrie, R. (2007). Security operations management. Amsterdam Boston: Butterworth Heinemann/Elsevier. Pp. 100-120. Mitchell, C.J. (2004). Security for mobility. London: Institution of Electrical Engineers. Pp. 1-20. Nasheri, H. (2005). Economic espionage and industrial spying. Cambridge, UK New York: Cambridge University Press. Pp. 70-80. Nelson, B. (2010). Guide to computer forensics and investigations. Boston, MA: Course Technology Cengage Learning. Pp. 1-40. Newman, R. (2009). Biometrics: application, technology, & management. Boston, Mass. Andover: Course Technology Cengage Learning distributor. Pp. 1-10. OECD. (2006). Norway: information security. Paris, France: Organization for Economic Co- operation and Development OECD Publications and Information Center distributor. Pp. Pp. 83- 100. Partida, A. (2010). IT security management: IT securiteers - setting up an IT security function. Dordrecht London: Springer. Pp. 229-240 Paulus, S. (2005). ISSE 2005: securing electronic business processes: highlights of the Information Security Solutions Europe 2005 conference. Wiesbaden Germany: Vieweg. Pp. 315-320. Publishing, V. (2011). Open Information Security Management Maturity Model (O-ism3. City: Van Haren Pub. Pp.1-20. Purser, S. (2004). A practical guide to managing information security. Boston, MA: Artech House. Pp. 85-100. Reid, P. (2004). Biometrics for network security. Upper Saddle River, N.J: Prentice Hall PTR. Pp. 2-15 Smith, R. (2013). Elementary information security. Burlington, MA: Jones & Bartlett Learning. Pp. 799-810. Snedaker, S. (2007). Business continuity and disaster recovery planning for it professionals. Amsterdam: Elsevier. Pp. 119-125 Stamp, M. (2006). Information security: principles and practice. Hoboken, N.J: Wiley- Interscience. Pp. 1-30. Tipton, H.F. & Nozaki, M.K. (2007). Information security management handbook. Boca Raton: Auerbach Publications. Pp. 1-50. Vacca, J. (2005). Computer forensics computer crime scene investigation. Hingham Mass: Charles River Media. Pp. 1-20. Vacca, J. (2007). Biometric technologies and verification systems. Amsterdam Boston: Butterworth-Heinemann/Elsevier. Pp. 1-20 Vacca, J.R. (2009). Computer and information security handbook. Amsterdam Boston Burlington, Mass: Elsevier Morgan Kaufmann. Pp. 1-30. Vallabhaneni, S. (2008). Corporate management, governance, and ethics best practices. Hoboken, N.J: Wiley. Pp. 305-320. Whitman, M. (2012). Principles of information security. Boston, MA: Course Technology. Pp. 290-300. Read More