Information Security Management Handbook, Sixth Edition, Volume 1
- 85h 24m
- Harold F. Tipton, Micki Krause
- CRC Press
- 2007
Never before have there been so many laws designed to keep corporations honest. New laws and regulations force companies to develop stronger ethics policies, and shareholders themselves are holding publicly traded companies accountable for their practices. Consumers are also concerned about the privacy of their personal information, and current and emerging legislation reflects this trend. Under these conditions, it can be difficult to know where to turn for reliable, applicable advice.
The sixth edition of the Information Security Management Handbook addresses up-to-date issues in this increasingly important area. It balances contemporary articles with relevant articles from past editions to give you a well-grounded view of the subject. The contributions cover questions important to those tasked with securing information assets, including the appropriate deployment of valuable resources as well as dealing with legal compliance, investigations, and ethics. Promoting the view that the management ethics and values of an organization lead directly to its information security program and to the technical, physical, and administrative controls to be implemented, the book explores topics such as risk assessments; metrics; security governance, architecture, and design; emerging threats; standards; and business continuity and disaster recovery. The text also discusses physical security (including access control), cryptography, and a plethora of technology issues such as application controls, network security, virus controls, and hacking.
US federal and state legislators continue to make certain that information security is a board-level conversation, and the Information Security Management Handbook, Sixth Edition continues to ensure that you have a clear understanding of the rules and regulations and an effective method for their implementation.
About the Authors
Harold F. Tipton, CISSP, currently an independent consultant and past president of the International Information System Security Certification Consortium ((ISC)²), was Director of Computer Security for Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security program in 1977, and he continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994. He became a member of the Information Systems Security Association (ISSA) in 1982, and he served as president of the Los Angeles Chapter in 1984. From 1987 to 1989, he served as president of the national organization of ISSA. He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000. He received the Computer Security Institute "Lifetime Achievement Award" in 1994 and the (ISC)² "Hal Tipton Award" in 2001.
He was a member of the National Institute for Standards and Technology (NIST) Computer and Telecommunications Security Council and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He has a B.S. in engineering from the U.S. Naval Academy, an M.P.A. from George Washington University, and a certificate in computer science from the University of California, Irvine. He has published several papers on information security issues in the Information Security Management Handbook, Data Security Management, Information Systems Security, and the National Academy of Sciences report Computers at Risk.
He has been a speaker at all of the major information security conferences, including the Computer Security Institute, ISSA Annual Working Conference, Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security and Audit Users Conference, and Industrial Security Awareness Conference. He has conducted and participated in information security seminars for (ISC)², Frost and Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for International Research.
Micki Krause, CISSP, has held positions in the information security profession for the past 20 years. She currently serves as the Chief Information Security Officer at Pacific Life Insurance Company in Newport Beach, California, where she is accountable for directing its information protection and security program enterprise-wide. She has held several leadership roles in industry-influential groups, including the Information Systems Security Association (ISSA) and the International Information System Security Certification Consortium. She is a long-term advocate for professional security education and certification. In 2003, she received industry recognition as a recipient of the Women of Vision award given by Information Security magazine. In 2002, she was honored as the second recipient of the Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to the profession. She is a reputed speaker, published author, and co-editor of the Information Security Management Handbook series.
In this Book
- Introduction
- Bits to Bytes to Boardroom
- Information Security Governance
- Corporate Governance
- IT Governance Institute (ITGI) Overview
- Top Management Support Essential for Effective Information Security
- Managing Security by the Standards—An Overview and Primer
- Information Security for Mergers and Acquisitions
- Information Security Governance
- Belts and Suspenders—Diversity in Information Technology Security
- Building Management Commitment through Security Councils, or Security Council Critical Success Factors
- Validating Your Business Partners
- Measuring ROI on Security
- The Human Side of Information Security
- Security Management
- It Is All about Control
- Patch Management 101—It Just Makes Good Sense!
- Security Patch Management—The Process
- Configuration Management—Charting the Course for the Organization
- Information Classification—A Corporate Implementation Guide
- Ownership and Custody of Data
- Information Security Risk Assessment
- Developing and Conducting a Security Test and Evaluation
- Enterprise Security Management Program
- Technology Convergence and Security—A Simplified Risk Management Model
- The Role of Information Security in the Enterprise Risk Management Structure
- Matter of Trust
- Trust Governance in a Web Services World
- Risk Management and Analysis
- New Trends in Information Risk Management
- Cyber-Risk Management—Technical and Insurance Controls for Enterprise-Level Security
- Committee of Sponsoring Organizations (COSO)
- Toward Enforcing Security Policy—Encouraging Personal Accountability for Corporate Information Security Policy
- The Security Policy Life Cycle—Functions and Responsibilities
- People, Processes, and Technology—A Winning Combination
- Building an Effective Privacy Program
- Establishing an E-Mail Retention Policy—Preventing Potential Legal Nightmares
- Ten Steps to Effective Web-Based Security Policy Development and Distribution
- Roles and Responsibilities of the Information Systems Security Officer
- Organizing for Success—Some Human Resources Issues in Information Security
- Information Security Policies from the Ground Up
- Policy Development
- Training Your Employees to Identify Potential Fraud and How to Encourage Them to Come Forward
- Change That Attitude—The ABCs of a Persuasive Security Awareness Program
- Maintaining Management's Commitment
- Making Security Awareness Happen
- Beyond Information Security Awareness Training—It Is Time To Change the Culture
- Overview of an IT Corporate Security Organization
- Make Security Part of Your Company's DNA
- Building an Effective and Winning Security Team
- When Trust Goes Beyond the Border—Moving Your Development Work Offshore
- Maintaining Information Security during Downsizing
- The Business Case for Information Security—Selling Management on the Protection of Vital Secrets and Products
- How to Work with a Managed Security Service Provider
- Considerations for Outsourcing Security
- The Ethical and Legal Concerns of Spyware
- Ethics and the Internet
- Computer Ethics
- A Look at RFID Security
- New Emerging Information Security Technologies and Solutions
- Sensitive or Critical Data Access Controls
- An Introduction to Role-Based Access Control
- Smart Cards
- A Guide to Evaluating Tokens
- Controlling FTP—Providing Secured Data Transfers
- End Node Security and Network Access Management—Deciding Among Different Strategies
- Identity Management—Benefits and Challenges
- Blended Threat Analysis—Passwords and Policy
- Enhancing Security through Biometric Technology
- Single Sign-On for the Enterprise
- Centralized Authentication Services (RADIUS, TACACS, DIAMETER)
- An Introduction to Secure Remote Access
- Hacker Tools and Techniques
- A New Breed of Hacker Tools and Defenses
- Hacker Attacks and Defenses
- Counter-Economic Espionage
- Insight into Intrusion Prevention Systems
- Penetration Testing
- Auditing Cryptography—Assessing System Security
- Cryptographic Transitions
- Blind Detection of Steganographic Content in Digital Images Using Cellular Automata
- An Overview of Quantum Cryptography
- Elliptic Curve Cryptography—Delivering High-Performance Security for E-Commerce and Communications
- Cryptographic Key Management Concepts
- Message Authentication
- Fundamentals of Cryptography and Encryption
- Steganography—The Art of Hiding Messages
- An Introduction to Cryptography
- Hash Algorithms—From Message Digests to Signatures
- A Look at the Advanced Encryption Standard (AES)
- Principles and Applications of Cryptographic Key Management
- Preserving Public Key Hierarchy
- PKI Registration
- Implementing Kerberos in Distributed Systems
- Methods of Attacking and Defending Cryptosystems
- Perimeter Security
- Melding Physical Security and Traditional Information Systems Security
- Physical Security for Mission-Critical Facilities and Data Centers
- Physical Security—A Foundation for Information Security
- Physical Security—Controlled Access and Layered Defense
- Computing Facility Physical Security
- Closed-Circuit Television and Video Surveillance
- Types of Information Security Controls
- Workplace Violence—Event Characteristics and Prevention
- Physical Security—The Threat after September 11, 2001
- Enterprise Assurance—A Framework Explored
- Creating a Secure Architecture
- Common Models for Architecting an Enterprise Security Capability
- The Reality of Virtual Computing
- Formulating an Enterprise Information Security Architecture
- Security Architecture and Models
- The Common Criteria for IT Security Evaluation
- Common System Design Flaws and Security Issues
- Developing Realistic Continuity Planning Process Metrics
- Building Maintenance Processes for Business Continuity Plans
- Identifying Critical Business Functions
- Selecting the Right Business Continuity Strategy
- Contingency Planning Best Practices and Program Maturity
- Reengineering the Business Continuity Planning Process
- The Role of Continuity Planning in the Enterprise Risk Management Structure
- Contingency at a Glance
- The Business Impact Assessment Process and the Importance of Using Business Process Mapping
- Testing Business Continuity and Disaster Recovery Plans
- Restoration Component of Business Continuity Planning
- Business Resumption Planning and Disaster Recovery—A Case History
- Business Continuity Planning—A Collaborative Approach
- The Business Impact Assessment Process
- Network Security Utilizing an Adaptable Protocol Framework
- The Five W's and Designing a Secure, Identity-Based, Self-Defending Network (5W Network)
- Maintaining Network Security—Availability via Intelligent Agents
- PBX Firewalls—Closing the Back Door
- Network Security Overview
- Putting Security in the Transport—TLS
- WLAN Security Update
- Understanding SSL
- Packet Sniffers and Network Monitors
- Secured Connections to External Networks
- Security and Network Technologies
- Wired and Wireless Physical Layer Security Issues
- Network Router Security
- What's Not So Simple about SNMP?
- Network and Telecommunications Media—Security from the Ground Up
- Security and the Physical Network Layer
- Wireless LAN Security Challenge
- ISO/OSI and TCP/IP Network Model Characteristics
- VoIP Security Issues
- An Examination of Firewall Architectures
- Voice over WLAN
- Spam Wars—How To Deal with Junk E-Mail
- Secure Web Services—Holes and Fillers
- IPSec Virtual Private Networks
- Internet Security—Securing the Perimeter
- Application-Layer Security Protocols for Networks
- Application Layer—Next Level of Security
- Security of Communication Protocols and Services
- An Introduction to IPSec
- VPN Deployment and Evaluation Strategy
- Comparing Firewall Technologies
- Cookies and Web Bugs—What They Are and How They Work Together
- Security for Broadband Internet Access Users
- Instant Messaging Security Issues
- Voice Security
- Secure Voice Communications (Vol)
- Deep Packet Inspection Technologies
- Wireless Penetration Testing—Case Study and Countermeasures
- Auditing the Telephony System—Defenses against Communications Security Breaches and Toll Fraud
- Insecurity by Proxy
- Wireless Security
- Packet Sniffers—Use and Misuse
- ISPs and Denial-of-Service Attacks
- Application Service Provider Security—Ensuring a Secure Relationship for the Client and the ASP
- Stack-Based Buffer Overflows
- Web Application Security
- Security for XML and Other Metadata Languages
- XML and Information Security
- Application Security
- Covert Channels
- Security as a Value Enhancer in Application Systems Development
- Open Source versus Closed Source
- A Look at Java Security
- Reflections on Database Integrity
- Digital Signatures in Relational Database Applications
- Security and Privacy for Data Warehouses—Opportunity or Threat?
- Building and Assessing Security in the Software Development Lifecycle
- Avoiding Buffer Overflow Attacks
- Secure Development Life Cycle
- System Development Security Methodology
- Software Engineering Institute Capability Maturity Model
- Enterprise Security Architecture
- Certification and Accreditation Methodology
- System Development Security Methodology
- Methods of Auditing Applications
- Hacking Methods
- Enabling Safer Deployment of Internet Mobile Code Technologies
- Security Considerations in Distributed Computing—A Grid Security Overview
- Managing Unmanaged Systems
- Storage Area Networks Security Protocols and Mechanisms
- Operations—The Center of Support and Control
- Why Today's Security Technologies Are So Inadequate—History, Implications, and New Approaches
- Operations Security and Controls
- The Nebulous Zero Day
- Understanding Service Level Agreements
- Physical Access Control
- Auditing the Electronic Commerce Environment
- Sarbanes-Oxley Compliance—A Technology Practitioner's Guide
- Health Insurance Portability and Accountability Act Security Rule
- Jurisdictional Issues in Global Transmissions
- An Emerging Information Security Minimum Standard of Due Care
- ISPs and Accountability
- The Case for Privacy
- Liability for Lax Computer Security in DDoS Attacks
- Operational Forensics
- Computer Crime Investigation and Computer Forensics
- What Happened?
- Potential Cyber Terrorist Attacks
- The Evolution of the Sploit
- Computer Crime
- Phishing—A New Twist to an Old Game
- It's All About Power—Information Warfare Tactics by Terrorists, Activists, and Miscreants
- Social Engineering—The Human Factor in Information Assurance
- Privacy Breach Incident Response
- Security Event Management
- DCSA—A Practical Approach to Digital Crime Scene Analysis
- What a Computer Security Professional Needs to Know about E-Discovery and Digital Forensics
- How To Begin A Non-Liturgical Forensic Examination
- Honeypot Essentials
- Managing the Response to a Computer Security Incident
- Cyber-Crime—Response, Investigation, and Prosecution
- Glossary