Course Introduction

Page: Course Syllabus

1.1: The History and Evolution of Information Security

Book: Information Security History

This exhibit gives a history of the evolution of users, key technologies, threats, concerns, and security techniques in information security since 1960. Click on the links in the pre-web computing (1960s-'90s), open web (1990s-2000s), and mobile and cloud (2000s-future) section. What were the threats and concerns of each time period? How did security technology or techniques develop in response to those threats?

Book: Timeline of the History of Information Security

To begin, review this timeline on the history and development of information security. What was the role of the US Department of Defense (DoD) in the evolution of information security? Who or what were the influencers in the development of the confidentiality, availability, and integrity (CIA) triad?
1.2: Confidentiality, Integrity, and Availability – The CIA Triad

Page: The CIA Triad

The basis for information security is the CIA triad. After you watch this video, you should be able to define the three principles of confidentiality, integrity, and availability as they relate to information security and the protection of data.
1.3: Threats, Vulnerabilities, and Risks

Page: Threats and Vulnerabilities

This video explains threats and vulnerabilities, how they apply to information security, and how they can reduce or compromise the confidentiality, integrity, and availability (CIA) of a system. What is the difference between a threat and a vulnerability? What are threats and vulnerabilities in the context of information systems?
Page: The Elements of Security: Vulnerability, Threat, Risk

Read section 1.3. When you are new to the information security industry, you may use the words vulnerability, threat, and risk interchangeably, though they actually have very different meanings. As you read, think about the differences between these terms and try to explain each term in the context of information security.

1.4: The Risk Management Process

Book: NIST SP 800-39

Risk can never be eliminated, but it can be managed using the risk management process. The National Institute of Standards and Technology (NIST) 800 series documents are well-known and accepted as industry standards in information security. Review NIST SP 800-39, a special publication that outlines a process for managing information security risks. Read pages 32-45 for a detailed explanation of the risk management process. Pay attention to the general description of each step in the process: framing risk, assessing risk, responding to risk, and monitoring risk. After you read, you should be able to explain the order of the steps in the process and what happens in each step.
Book: Risk Management

Read this page and watch the video to learn more about the purpose of risk management and the four stages of the risk management process. Before you move on, make sure you have a good understanding of the formulas, and that you are able to use the formulas on this page to calculate single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).

Page: More on Risk Management

Watch this video, which discusses the risk management process practically. How does this reinforce the actions taken in each step of the process from NIST SP 800-39 that you read earlier?
1.5: The Incident Response Process

Book: NIST SP 800-61

Even though information security professionals plan to effectively manage risk, incidents still occur. NIST SP 800-61 is the National Institute of Standards and Technology (NIST) special publication that gives guidelines for organizations on how to handle security incidents. Read section 2.2 on page 6 to learn more about the need for, and the benefits of, an incident response capability. Also read section 3 on pages 21-44 to learn how to appropriately handle information security incidents. Before you move on, make sure you can explain the four stages of the incident response process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Page: Incident Response

This video explains how the incident response plan for detection and countermeasures is perpetual, and expands on the stages of the incident response process.

1.6: Security Control

Page: Security Control

You learned about the goals of security based on the CIA triad in a previous section, and you have an understanding of the terms vulnerability, threat, and risk. Now, watch this video to understand the types of controls and their functions in ensuring the confidentiality, availability, and integrity of information systems.

Page: Security Control Types

Controls are broken down into control types such as administrative, physical, and technical. Read this section, which will help you differentiate between administrative, technical, and physical control types.

Page: Security Control Functions

Controls are further broken down into control functions. Watch this video to learn how to categorize controls by control function as either preventive, detective, deterrent, or compensating.

1.7: Defense-in-Depth

Page: Introduction to Defense-in-Depth

Defense-in-depth is a layered strategy for providing security to information systems. The layers are often compared to the layers of an onion: when one layer is peeled back, there is another layer of defense or protection beneath it. Watch the first two minutes of this video for an introduction to the concept of defense-in-depth.

Page: Defense-in-Depth Example

Watch this video from 24:00 to 27:00 for a practical example of how layers of defense protect a system when defense-in-depth mechanisms are in place.

Page: Defense-in-Depth

Read the section on defense-in-depth. Pay attention to how it compares defense-in-depth to protecting a castle, and note how it recalls the CIA triad. After you read, you should be able to explain the concept of defense-in-depth and propose a defense-in-depth security strategy for a simple system.

1.8: Human Behavioral Risks

Book: The Human Factor

So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?

Page: Humans are the Weakest Link

Humans are the weakest link in information security. Giving someone access to information systems involves an element of trust. Watch this video about how people, not machines, are the biggest concern in cybersecurity. Then, read this article, which describes how humans are the last line of defense for an organization. How can people, either intentionally or unintentionally, expose their organizations to risk?

Page: Security Awareness, Training, and Education

The most effective way to combat the risk posed by people is to provide formal security awareness training. Read this section on conducting formal security awareness training. After you read, you should understand the need for training programs, the types of security awareness training, and how to evaluate a training program.

Page: Security Threats and the Human Factor

Although formal training is the most effective way to build security awareness, computer-based training is another option. Read this section on delivering security awareness training. After you read, you should be able to explain the benefits and limitations of computer-based and instructor-led security awareness training. How can human behavior be modified through security awareness and training programs?

1.9: Security Frameworks

Book: Security Frameworks

While working in the area of information security, it is important to have an understanding of the common security standards or frameworks. While reading this article, you will obtain some knowledge of the controls specified by ISO/IEC 27001, the Federal Information Processing Standards (FIPS), the NIST cybersecurity framework and NIST Special Publication 800-53, as well as COBIT5.

Page: Center for Internet Security (CIS) Controls

The Center for Internet Security (CIS) has developed 20 controls, called the CIS Top 20, to secure an organization's systems against cyber attacks and threats. While watching, pay attention to the 20 controls. You are not expected to memorize all 20, but it is important to know the first six controls, as implementing them will protect against approximately 91 percent of security breaches.

Page: Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a standard that protects the security of credit card data. While watching this video, you will learn about the penalties that can be imposed on a business for non-compliance with PCI DSS. What are some of the requirements of PCI DSS compliance?