Table of Contents

Introduction 1 INFORMATION SECURITY AND RISK MANAGEMENT Section 1.1 Security Management Concepts and Principles Section 1.2 Change Control Management Section 1.3 Data Classification Section 1.4 Risk Management Section 1.5 Policies, Standards, Procedures and Guidelines Section 1.6 Security Awareness Training Section 1.7 Security Management Planning 2 ACCESS CONTROL Section 2.1 Access Control Techniques Section 2.2 Access Control Administration Section 2.3 Identification and Authentication Techniques Section 2.4 Access Control Methodologies and Implementation Section 2.5 Methods of Attack Section 2.6 Monitoring and Penetration Testing 3 CRYPTOGRAPHY Section 3.1 Use of Cryptography Section 3.2 Cryptographic Concepts, Methodologies, and Practices Section 3.4 Public Key Infrastructure (PKI) Section 3.5 System Architecture for Implementing Cryptographic Functions Section 3.6 Methods of Attack 4 PHYSICAL (ENVIRONMENTAL) SECURITY Section 4.1 Elements of Physical Security Section 4.2 Technical Controls Section 4.3 Environment and Life Safety 5 SECURITY ARCHITECTURE AND DESIGN Section 5.1 Principles of Computer and Network Organizations, Architectures, and Designs 6 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING Section 6.1 Business Continuity Planning Section 6.2 Disaster Recovery Planning 7 TELECOMMUNICATIONS AND NETWORK SECURITY Section 7.1 Communications and Network Security Section 7.2 Internet, Intranet, Extranet Security Section 7.3 E-mail Security Section 7.4 Secure Voice Communications Section 7.5 Network Attacks and Countermeasures 8 APPLICATION SECURITY Section 8.1 Application Issues Section 8.2 Databases and Data Warehousing Section 8.3 Systems Development Controls 9 OPERATIONS SECURITY Section 9.1 Concepts Section 9.2 Resource Protection Requirements 10 LAW, COMPLIANCE AND INVESTIGATIONS Section 10.1 Information Law Section 10.2 Investigations Section 10.3 Major Categories of Computer Crime Section 10.4 Incident Handling

About the Author

Harold F. Tipton, CISSP, currently an independent consultant and past president of the International Information System Security Certification Consortium (ISC)2, was Director of Computer Security for Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security program in 1977, and he continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994. He became a member of the Information Systems Security Association (ISSA) in 1982, and he served as president of the Los Angeles Chapter in 1984. From 1987 to 1989, he served as president of the national organization of ISSA. He was added to the ISSA Hall of Fame and the ISSA Honor Role in 2000. He received the Computer Security Institute “Lifetime Achievement Award” in 1994 and the (ISC)2 “Hal Tipton Award” in 2001. Micki Krause, CISSP, has held positions in the information security profession for the past 20 years. She currently serves as the Chief Information Security Officer at Pacific Life Insurance Company in Newport Beach, California, where she is accountable for directing its information protection and security program enterprise-wide. She has held several leadership roles in industry-influential groups, including the Information Systems Security Association (ISSA) and the International Information System Security Certification Consortium. She is a long-term advocate for professional security education and certification.