Reading List - Information Security

Core reading

The lectures and the exercises define the syllabus (pensum). The syllabus is based on the following sources.

• Torgeir Daler, Roar Gulbrandsen, Tore Audun Høie, Torbjørn Sjølstad: Håndbok i datasikkerhet - informasjonsteknologi og risikostyring 2re utgåve Tapir Akademisk Forlag ISBN 978-519-2538-9
• Whitman and Mattord: Principles of Information Security 3rd edition, Thomson Course Technology 2009.
• ISO 27000-series (27000-27005) These documents are available from the library, at least in the form of a printout. At the time of writing, they are still looking into whether more copies and/or electronic copies can be made available. Please ask them for details.
• NIST 800-series, in particular 800-30 and 800-53.
• CObIT 4. Primarily the excerpt and executive summary.
• An Introduction to Factor Analysis of Information Risk (FAIR)
• Data-Centric Security IBM white paper

It is adviceable at least to skim-read both books, and you should be familiar with all the cited standards and papers.

General reading

• Guide til Tekniske Rapporter (Norwegian) It is important that you can write technical reports and other (shorter) technical documents in a structured and legible way.

Background reading

The following documents may be useful if you want to delve deeper into particular topics, or if you find core sources difficult to read and want an alternative angle.

• Lovdata Archive of Norwegian laws and regulations
  • Datatilsynet om publisering av bilete på Internet
• Raggad: Information Security Management
• Pfleeger and Pfleeger: Security in Computing This book is going to be a useful supplement to Gollmann, as it is a bit more verbose and likely to provide supplementary examples. It also uses more figures and visual diagrams than Gollmann. On the other hand, it does not cover the module entirely.
• IEEE Security and Privacy is a professional magazine on computer security. The articles are very readable, and useful background reading.
• Ilona Ilvonen: Information Security Policies in Small Finnish Companies, in Proceedings of the 8th European Conference on Information Warfare and Security, Lisbon 2009.
• John M. D. Hunter: An Information Security Handbook 2001. Too old to be authoritative, this book gives a useful and well-structured overview of different aspects of security at different levels of an IT operation. It's worth browsing.
• Ross Anderson: Security Engineering.
• Vulnerabilities in E-governments by Vebjørn Moen et al. `This paper shows that 80% of the E-governments in the world are vulnerable to common Web Application attacks such as Cross Site Scription and SQL injection.' If you are particularly interested in the SQL injection problem discussed in the first session, I suggest that you have a look at this paper. Other papers by the same group are also available.
• Robert C. Seacord: Secure Coding in C and C++ This book specialises on the topic of software security; an interesting and important topic, which we unfortunately will have little or no time for.

$Id$