
IT Security Solutions


Create Virtually Air-Tight Security Solutions


Want to maximize your buying power?

Order directly from our online store and

Receive FREE Standard Shipping

with every order, big or small.

Sign up for email alerts.

Stay up to date on our latest resources.

Visit us at www.crcpress.com to view more information and complete tables of contents for these and many other related books.


Authoritative Resources for IT Professionals

For more information and complete contents, visit www.crcpress.com

Newly Updated!

Information Security Risk Analysis, Third Edition
Thomas R. Peltier, Thomas R. Peltier Associates, LLC, Wyandotte, Michigan, USA

Achieve a highly effective risk assessment in less than a week!

Successful security professionals have had to modify the process of responding to new threats in the high-profile, ultra-connected business environment. Just because a threat exists, it does not mean that your organization is at risk. Information Security Risk Analysis, Third Edition demonstrates how to separate the dangerous from the benign threats and then determine which pose a real risk to your organization.

Providing access to more than 350 pages of helpful ancillary materials, much of it new, this volume effectively:

• Explains the key components of risk management

• Demonstrates how the components of risk management are absolutely necessary and how they should work in your organization and business situation

• Shows how a cost-benefit analysis is part of risk management and how this analysis is performed as part of risk mitigation

• Explains how to draw up an action plan to protect the assets of your organization when the risk assessment process concludes

• Examines the difference between a Gap Analysis and a Security or Controls Assessment

• Presents up-to-date case studies and examples of all risk management components

Authored by renowned security expert and certification instructor Thomas Peltier, this authoritative reference provides you with the latest knowledge and the skill sets needed to achieve a highly effective risk analysis assessment in a matter of days. Supplemented with online access to user-friendly checklists, forms, questionnaires, sample assessments, and other documents, this work is truly a one-stop, how-to resource for security professionals.

Contents:

Risk Management. Risk Assessment Process. Quantitative versus Qualitative Risk Assessment. Other Forms of Qualitative Risk Assessment. Facilitated Risk Analysis and Assessment Process (FRAAP). Variations on the FRAAP. Mapping Controls. Business Impact Analysis (BIA).

Catalog no. K11810, March 2010, 456 pp., ISBN: 978-1-4398-3956-0, $79.95 / £49.99


Get 15% off when you order online at www.crcpress.com


New!

Information Security Management: Concepts and Practice
Bel G. Raggad, Pace University, Pleasantville, New York, USA

Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. And, although the international community has been aggressively engaged in developing security standards for network and information security, few books provide clear guidance on how to properly apply the new standards in conducting security audits and creating risk-driven information security programs.

This authoritative and practical resource provides a general overview of security auditing before examining the various elements of the information security life cycle. It explains the ISO 17799 standard and walks readers through the steps of conducting a nominal security audit that conforms to the standard. The text also provides detailed guidance for conducting an in-depth technical security audit leading to certification against the ISO 27001 standard. Topics addressed include cyber security, security risk assessments, privacy rights, HIPAA, SOX, intrusion detection systems, security testing activities, cyber terrorism, and vulnerability assessments.

Filled with review questions, workshops, and real-world examples, the text illustrates effective implementation and security auditing methodologies. It also includes a detailed security auditing methodology readers can use to devise and implement effective risk-driven security programs that touch all phases of a computing environment, including the sequential stages needed to maintain IS management systems that conform to the latest ISO standards.

Catalog no. AU7854, January 2010, 871 pp., ISBN: 978-1-4200-7854-1, $79.95 / £49.99

New!

Official (ISC)2 Guide to the CISSP CBK, Second Edition
Edited by Harold F. Tipton, HFT Associates, Villa Park, California, USA

With each new advance in connectivity comes a new wave of threats to privacy and security capable of destroying a company’s reputation, violating a consumer’s privacy, and compromising intellectual property. This is why it is essential for information security professionals to stay up to date with the latest advances in technology and the new security threats they create.

Recognized as one of the best tools available for the information security professional and especially for candidates studying for the (ISC)2 CISSP exam, the Official (ISC)2® Guide to the CISSP® CBK®, Second Edition has been updated and revised to reflect the latest developments in this ever-changing field. Endorsed by the (ISC)2, this book provides unrivaled preparation for the certification exam. Compiled and reviewed by CISSPs and (ISC)2 members, the text provides an exhaustive review of the 10 domains of the CBK and the high-level topics contained in each domain.

Unique and exceptionally thorough, this edition includes a CD with over 200 sample questions, sample exams, and a full test simulator that provides the same number and types of questions with the same allotment of time allowed in the actual exam. It will even grade the exam, provide the correct answers, and identify areas where more study is needed.

Catalog no. K10480, January 2010, 1112 pp., ISBN: 978-1-4398-0959-4, $69.95 / £44.99


New!

The Executive MBA in Information Security
John J. Trinckes, Jr., Hampton, Florida, USA

As the primary sponsors and implementers of information security (IS) programs, it is essential for those in key leadership positions to possess a solid understanding of the constantly evolving concepts of IS management. However, developing this knowledge and keeping it current requires the time and energy that busy executives simply don’t have.

Supplying a complete overview of key concepts, The Executive MBA in Information Security provides the tools to ensure your organization has an effective and up-to-date IS management program in place. This one-stop resource provides a ready-to-use security framework you can use to develop workable programs and includes proven tips for avoiding common pitfalls so you can get it right the first time.

Allowing for quick and easy reference, this time-saving manual provides those in key leadership positions with a lucid understanding of:

• The difference between information security and IT security

• Corporate governance and how it relates to information security

• Steps and processes involved in hiring the right information security staff

• The different functional areas related to IS

• Roles and responsibilities of the chief information security officer (CISO)

Presenting difficult concepts in a straightforward manner, this guide allows you to get up to speed quickly and easily on what it takes to develop an information security management program that is as flexible as it is secure.

Catalog no. K10501, January 2010, c. 352 pp., ISBN: 978-1-4398-1007-1, $69.95 / £44.99

New!

Data Protection: Governance, Risk Management, and Compliance
David G. Hill, Mesabi Group LLC, Westwood, Massachusetts, USA

Failure to appreciate the full dimensions of data protection can lead to poor data protection management, costly resource allocation issues, and exposure to unnecessary risks. Explaining how to gain a handle on the vital aspects of data protection, Data Protection: Governance, Risk Management, and Compliance begins by building the foundation of data protection from a risk management perspective.

The book then introduces the two other pillars in the governance, risk management, and compliance (GRC) framework. After exploring data retention and data security in depth, the author focuses on data protection technologies from a risk management viewpoint. He also discusses the special technology requirements for compliance, governance, and data security; the importance of eDiscovery for civil litigation; the impact of third-party services in conjunction with data protection; and data processing facets, such as the role of tiering and server and storage virtualization. The final chapter describes a model to help businesses get started in the planning process for improving their data security.

By examining the relationships among the pieces of the data protection puzzle, this book offers a solid understanding of how data protection fits into various organizations. It allows readers to assess their overall strategy, identify security gaps, determine their unique requirements, and decide what technologies and tactics can best meet those requirements.

Catalog no. K10353, January 2010, 330 pp., ISBN: 978-1-4398-0692-0, $69.95 / £44.99


Cyber Fraud: Tactics, Techniques, and Procedures
Executive Editor Rick Howard, Verisign iDefense Security Intelligence Services, Dulles, Virginia, USA

With millions lost each year, cyber crime has evolved from a minor nuisance to a major concern involving well-organized actors and highly sophisticated organizations. This volume explores the state of threats present in the cyber fraud underground. It discusses phishing/pharming, trojans/toolkits, direct threats, and pump-and-dump scams. By examining the operations of the cyber criminal, the book provides perspective into the general incentives, risks, and behavioral patterns of the fraudsters. Armed with this information, organizations and individuals are better able to develop countermeasures, craft tactics to disrupt the fraud underground, and secure their systems.

Features:

• Provides a conceptual model with which to analyze the fraud underground

• Explores the “carding” phenomenon and other online threats

• Includes real-world examples of fraudulent email scams

• Helps organizations determine necessary expenditures on countermeasures

Selected Contents:

Principles, Trends, and Mitigation Techniques. The Cyber Threat Landscape in Russia. Banking Trojans. The Russian Business Network: Rise and Fall of a Criminal ISP. IFrame Attacks: An Examination of the Business of IFrame Exploitation. Inside the World of Money Mules. Preventing Malicious Code from “Phoning Home”. Distributed Denial of Service (DDoS) Attacks. Mobile Malicious Code Trends. The Torpig Trojan Exposed. The Laqma Trojan.

Catalog no. AU9127, 2009, 520 pp., ISBN: 978-1-4200-9127-4, $79.95 / £48.99

Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks
Kenneth Brancik, Information Security Consultant, New York, USA

An organization’s employees often have access to sensitive information regarding the company and its customers. This makes greedy or disgruntled employees prime candidates for sabotaging a system or selling privileged information. This book presents methods, safeguards, and techniques to help protect an organization from insider computer fraud.

Drawing on the author’s vast experience assessing the adequacy of IT security for the banking and securities industries, the text presents a practical framework for identifying, measuring, monitoring, and controlling the risks associated with insider threats. It not only provides an analysis of application or system-related risks, but also illustrates the interrelationships that exist between an application and the IT infrastructure components it uses to transmit, process, and store sensitive data. The author examines the symbiotic relationship between the risks, controls, threats, and action plans that should be deployed to enhance the overall information security governance processes.

Features:

• Establishes guidelines for determining when insider computer fraud is most likely to occur

• Demonstrates how IT architecture can be configured to increase the level of prevention

• Presents key fraud indicators and key fraud metrics as tools for the detection and prevention of insider computer fraud

Catalog no. AU4659, 2008, 504 pp., ISBN: 978-1-4200-4659-5, $87.95 / £56.69


Information Security Management Handbook, 2009 CD-ROM Edition
Harold F. Tipton, HFT Associates, Villa Park, California, USA
Micki Krause, Pacific Life Insurance Company, Newport Beach, California, USA

The Most Comprehensive Resource Available on Information Security Management

Every year, in response to new technologies and new laws in different countries and regions, there are changes to the fundamental knowledge, skills, techniques, and tools required by all IT security professionals. In step with the lightning-quick pace of change in the technology field, the Information Security Management Handbook has become the standard on which all IT security programs and certifications are based. It reflects new updates to the Common Body of Knowledge (CBK®) that IT security professionals need to know.

An Authoritative and Portable Working Reference, Searchable by Keyword

The multi-volume set of this authoritative resource is now available on CD-ROM. Containing the complete contents of the set, you get a resource that is portable, searchable by keyword, and organized under the CISSP® Common Body of Knowledge (CBK) domains. It includes the latest developments in people, process, and technology identified by the CBK committee. The CD includes every chapter from the 3rd, 4th, 5th, and 6th editions of the handbook. In addition, it provides an extra volume’s worth of information, including chapters from other security and networking books that have never appeared in the print editions, that you simply won’t find anywhere else. Exportable text and hard copies are available at the click of a mouse.

Catalog no. AU0984, July 2009, 456 pp., CD-ROM, ISBN: 978-1-4200-9098-7, $199.95 / £127.00

Print version available online

New!

Vulnerability Management
Park Foreman, GroupM, New York, USA

Illustrated with examples drawn from more than two decades of the author’s multinational experience, Vulnerability Management demonstrates how it is much easier to manage potential weaknesses than to clean up after a violation. Covering the wide range of information that executive-level officers need to know as well as the specifics applicable to singular areas of departmental responsibility, this book provides the strategic vision and details the steps needed to prevent the exploitation of IT security gaps, especially those that are inherent in a larger organization.

Providing a fundamental understanding of technology risks from an interloper’s perspective, this work:

• Provides a host of proven methods for assessing and reducing the potential for exploitation

• Includes helpful checklists and offers guidance on developing a complete VM program in a global company

• Provides an understanding of the technology risks and describes how to assess vulnerabilities in order to prepare for security incidents

• Covers areas often neglected and those that are much less secure than they might appear

Contents:

Introduction. The Vulnerability Experience. Program and Organization. Technology. Selecting Technology. Process. Execution, Reporting, and Analysis. Planning. Strategic Vulnerabilities. Summary.

Catalog no. K10093, January 2010, 347 pp., ISBN: 978-1-4398-0150-5, $79.95 / £48.99


HOWTO Secure and Audit Oracle 10g and 11g
Ron Ben Natan, CTO, Guardium Inc., Waltham, Massachusetts, USA

Oracle has more security-related functions, products, and tools than almost any other database engine. Unfortunately, most users are familiar with less than twenty percent of its security mechanisms. Written by one of the most respected and knowledgeable database security experts in the world, this book shows readers how to navigate the options, select the right tools, and avoid common pitfalls.

Structured as HOWTOs that address each security function in the context of Oracle 11g and Oracle 10g, this authoritative guide explains how to:

• Choose configuration settings to help prevent unauthorized access

• Understand when and how to encrypt data-at-rest and data-in-transit and how to implement strong authentication

• Use and manage audit trails and advanced techniques for auditing

• Make use of advanced tools and options, including Advanced Security Options, Virtual Private Database, Audit Vault, and Database Vault

The text provides an overview of cryptography, covering encryption and digital signatures, and shows how Oracle Wallet Manager and orapki can be used to generate and manage certificates. Providing succinct instructions highlighted by examples, this ultimate guide to security best practices for Oracle bridges the gap between those who install and configure security features and those who secure and audit them.

Catalog no. AU4127, 2009, 470 pp., ISBN: 978-1-4200-8412-2, $69.95 / £42.99

Oracle Identity Management: Governance, Risk, and Compliance Architecture, Third Edition
Marlin B. Pohlman, Oracle Corporation, Redwood Shores, California, USA

This book is the definitive guide for corporate stewards struggling to meet regulatory compliance pressures while embarking on the path of process and system remediation. It is written by a director of Oracle Corporation who is recognized as one of the primary educators on identity management, regulatory compliance, and corporate governance.

In the book’s first chapters, Dr. Pohlman examines multinational regulations and delves into the nature of governance, risk, and compliance. He cites common standards and illustrates a number of well-known compliance frameworks. Next, he focuses on specific software components that enable secure business operations. To complete the picture, he discusses elements of the Oracle architecture, vaulting solutions, and data hubs, which collect, enforce, and store policy information.

Examining case studies from the five most regulated business verticals (financial services, retail, pharma-life sciences, higher education, and the US public sector), this work explains how to:

• Attain and maintain high levels of integrity

• Eliminate redundancy and excessive expense in identity management

• Map solutions directly to region and legislation

• Hold providers accountable for contracted services

Identity management is the first line of defense in the corporate internal ecosystem. Reconciling theory and practicality, this volume makes sure that defense is workable, responsive, and effective.

Catalog no. AU7247, 2008, 552 pp., Soft Cover, ISBN: 978-1-4200-7247-1, $74.95 / £46.99


Information Technology Control and Audit, Third Edition
Sandra Senft and Frederick Gallegos, California State Polytechnic University, Pomona, USA

Praise for the Previous Edition:

“… very useful for beginners as well as practitioners … well written and presented. ... should provide resiliency to IT security in the emerging cyberworld.”

— Information Systems Control Journal

Reflects the Latest Technological Advances

Updated and revised, Information Technology Control and Audit, Third Edition provides a fundamental understanding of IT governance, controls, auditing applications, systems development, and operations. This volume meets the increasing need for audit and control professionals to understand information technology and the controls required to manage this key resource.

A Powerful Primer for the CISA and CGEIT Exams

Supporting and analyzing the CobiT model, this text prepares IT professionals for the CISA and CGEIT exams. With summary sections, exercises, review questions, and references for further readings, it promotes the mastery of the concepts and practical implementation of controls needed to effectively manage information technology resources.

New in the Third Edition:

• Reorganized and expanded to align to the CobiT objectives

• Supports study for both the CISA and CGEIT exams

• Includes chapters on IT financial and sourcing management

• Adds a section on Delivery and Support control objectives

• Includes additional content on audit and control of outsourcing, change management, risk management, and compliance

Catalog no. AU6550, 2009, 774 pp., ISBN: 978-1-4200-6550-3, $89.95 / £59.99

Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI
Debra S. Herrmann, U.S. Nuclear Regulatory Commission, Washington, D.C., USA

“Provides valuable directions on how measurement works and what goes into producing a useful metric. … when faced with the necessity of developing a metrics program to measure the effectiveness of some aspect of your security efforts, this rather imposing tome is one I would recommend … . The master table in the introduction provides a quick guide to the particular section most relevant to the reader’s need …”

— Richard Austin, in IEEE Cipher

This book defines more than 900 metrics for measuring compliance with current legislation, the resiliency of your security controls, and return on investment. It explains what needs to be measured, why and how to measure it, and how to tie security and privacy metrics to business goals and objectives.

The metrics are scaled by information sensitivity, asset criticality, and risk; aligned to correspond with different lateral and hierarchical functions; designed with flexible measurement boundaries; and can be implemented individually or in combination. The text includes numerous examples and sample reports and stresses a complete assessment by evaluating physical, personnel, IT, and operational security controls.

Features:

• Provides a practical foundation for establishing an effective and efficient security metrics program

• Explains how to measure compliance with security and privacy laws and regulations

• Covers the operational resilience of a system or network, pre- or post-deployment

Catalog no. AU5402, 2007, 848 pp., ISBN: 978-0-8493-5402-1, $129.95 / £83.99


Information Assurance Architecture
Keith D. Willett, CTN Technologies, Millersville, Maryland, USA

Protect Your Secrets from Exposure

Keith D. Willett draws on more than 25 years of technical, security, and business experience to provide a framework for organizations to align information assurance with the enterprise and their overall mission. This work provides the know-how to create a formal information assurance architecture that complements an enterprise architecture, systems engineering, and the enterprise life cycle management (ELCM).

Information Assurance Architecture consists of a framework, a process, and many supporting tools, templates, and methodologies. The framework provides a reference model for the consideration of security in many contexts and from various perspectives; the process provides direction on how to apply that framework. Mr. Willett teaches readers how to identify and use the right tools for the right job. Furthermore, he demonstrates a disciplined approach in thinking about, planning, implementing, and managing security, emphasizing that solid solutions can be made impenetrable when they are seamlessly integrated with the whole of an enterprise.

This book covers many information assurance subjects, including disaster recovery and firewalls. The objective is to present security services and security mechanisms in the context of information assurance architecture, and in an enterprise context of managing business risk.

Features:

• Highlights the distinctions between security architecture, enterprise architecture, solutions architecture, and systems engineering

• Describes how the Zachman EA model and the Federal Enterprise Architecture (FEA) models can be used together effectively

Catalog no. AU8067, 2008, 624 pp., ISBN: 978-0-8493-8067-9, $79.95 / £52.99

Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement
W. Krag Brotby, CISM, Enterprise Security Architect, Thousand Oaks, California, USA

You can’t manage what you can’t measure

The 20/20 hindsight of audits is no longer an effective solution to security weaknesses. This book offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk.

This volume shows readers how to develop metrics that can be used across an organization to assure its information systems are functioning, secure, and supportive of the organization’s business objectives. It provides a comprehensive overview of security metrics, discusses the metrics in use today, and looks at promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response.

With three decades of enterprise information security experience, author W. Krag Brotby presents a workable approach to developing and managing cost-effective enterprise information security. He provides readers with the understanding and the metrics required to ensure that every facet of security is linked to business objectives. Case studies effectively demonstrate specific ways that metrics can be implemented across an enterprise to maximize business benefit.

Catalog no. AU5285, 2009, 200 pp., ISBN: 978-1-4200-5285-5, $79.95 / £48.99


CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Ron Collette and Mike Gentile, CISOHandbook.com & Traxx Consulting Services, Newport Beach, California, USA
Skye Gentile, Cabrillo College, Aptos, California, USA

As organizations struggle to implement effective security measures, all too often they focus solely on the tangible elements. While these items are essential, they represent only half of the security equation. This companion volume to the highly touted CISO Handbook presents tools to empower security practitioners to identify the intangible negative influencers that plague most organizations, supplying techniques to identify, minimize, and overcome these pitfalls.

The text begins by explaining how using the wrong criteria to measure security can result in a false claim of adequate security. Instead, the authors recommend that organizations measure the success of their efforts using a practical approach that illustrates both the tangible and intangible requirements of a healthy security effort. The middle section discusses the root causes that negatively influence a CISO’s and an organization’s ability to secure itself. It explains what a CISO can do about these security constraints and provides numerous exercises, tools, and techniques to identify, limit, and compensate for the influence of security constraints in any type of organization.

The final chapters provide proactive techniques that CISOs can put to use to secure challenging work environments. Reflecting the experience and solutions of those that are in the trenches of modern organizations, this volume provides practical ideas that will make the jobs of security practitioners much easier.

Catalog no. AU9102, 2009, 288 pp., ISBN: 978-1-4200-8910-3, $69.95 / £46.99

The CISO Handbook: A Practical Guide to Securing Your Company
Michael Gentile and Ron Collette, CISOHandbook.com & Traxx Consulting Services, Newport Beach, California, USA
Thomas D. August, Sony Corporation of America, San Diego, California, USA

Providing unique insights and guidance into designing and implementing an effective information security program, The CISO Handbook presents several essential high-level concepts before building a robust framework that will enable you to map the concepts to your company’s environment. The book is presented in chapters that follow a consistent methodology: Assess, Plan, Design, Execute, and Report.

Assess identifies the elements that drive the need for information security programs, enabling you to conduct an analysis of your business and regulatory requirements. Plan discusses how to build the foundation of your program, allowing you to develop an executive mandate, reporting metrics, and an organizational matrix with defined roles and responsibilities. Design demonstrates how to construct the policies and procedures to meet your identified business objectives, explaining how to perform a gap analysis between the existing environment and the desired end-state, define project requirements, and assemble a rough budget. Execute emphasizes the creation of a successful execution model for the implementation of security projects against the backdrop of common business constraints. Report focuses on communicating back to the external and internal stakeholders with information that fits the various audiences.

Each chapter includes an overview, followed by foundation concepts, and a methodology section that details the steps necessary to achieve the goals for that particular chapter.

Catalog no. AU1952, 2006, 352 pp., ISBN: 978-0-8493-1952-5, $79.95 / £52.99


The Effective CIO: How to Achieve Outstanding Success through Strategic Alignment, Financial Management, and IT Governance
Eric J. Brown, NCI Building Systems, The Woodlands, Texas, USA
William A. Yarberry, Jr., ICCM Consulting, Houston, Texas, USA

In a business world of uncertain budgets, relentless technology changes, and intense production demands, theory is good, but practice sells. This book is all about practice: successfully delivering the nuts-and-bolts for effective governance execution. It helps to dissolve the negative image many CIOs have as remote, purely rational decision machines, while demonstrating how to improve quality and throughput in your business.

This complete resource includes governance checklists, sample IT controls, merger and acquisition recommendations, and a detailed framework for IT policies. Authored by two highly regarded IT management experts, the book provides a survey of existing strategies and also includes detailed problem-solving ideas, such as how to structure optimal IT and telecom contracts with suppliers, the implications of SOP-98, and accounting for software costs.

The book seamlessly brings together two perspectives: that of a working CIO who must cope with day-to-day pressures for results, and that of an IT audit consultant with a special focus on governance and internal control. Unlike many other CIO-related books that merely discuss strategies, The Effective CIO includes easy-to-follow guidelines and governance principles that can be put to use right away.

Selected Contents:

Core Skills and Career Development. Information Technology Governance. Information Technology Finance. Project Management. Creating Good Enough Code. Enterprise Architecture. Mergers and Acquisitions. Sourcing.

Catalog no. AU6460, 2009, 336 pp. ISBN: 978-1-4200-6460-5, $79.95 / £49.99

New!

Security Manager’s Guide to Disasters
Managing Through Emergencies, Violence, and Other Workplace Threats
Anthony D. Manley
Wantagh, New York, USA

Explores the Wide Range of Disasters That can Jeopardize an Organization

Recent years have witnessed a dramatic increase in the number of natural disasters and man-made events that have threatened the livelihoods of businesses and organizations worldwide. This essential reference examines the most significant emergencies that may confront the security manager and provides comprehensive guidance on how to prepare for a potential crisis, what to do in the event of one, and how to mitigate the effects.

The author discusses all types of disasters, covering a range of major occurrences that could threaten or harm any business or institutional entity. These include terrorism, industrial espionage and sabotage, workplace violence, strikes, natural disasters, fires and medical emergencies. The topics run the gamut of events that security directors, loss prevention professionals, and risk managers may confront in the course of their duties.

The book provides strategies for preventing or reducing the severity of an incident and initiating immediate and professional responses to reduce the loss of life, injuries, property damage, and liability. It also provides instruction on adequate interaction and cooperation with public safety agencies, local government, and other public and private utility services. By focusing on response, recovery, and restoration, the author lays out a system for placing the business or institution back into operation as soon as possible.

Catalog no. K10448, January 2010, 408 pp. ISBN: 978-1-4398-0906-8, $99.95 / £60.99


Building an Effective Information Security Policy Architecture
Sandy Bacik
Consultant, Fuquay Varina, North Carolina, USA

Information security teams are charged with developing and maintaining a set of documents that will protect the assets of an enterprise from constant threats and risks. In order for these safeguards and controls to be effective, they must suit the particular business needs of the enterprise.

A guide for security professionals, Building an Effective Information Security Policy Architecture explains how to review, develop, and implement effective security architectures for any enterprise. Through the use of questionnaires and interviews, the book demonstrates how to evaluate an organization’s culture and its ability to meet various security standards and requirements. Because the effectiveness of a policy is dependent on cooperation and compliance, the author also provides tips on how to communicate the policy and gain support for it.

Suitable for any level of technical aptitude, this book is a valuable guide for evaluating the business needs and risks of an enterprise and incorporating this information into an effective security policy architecture.

Contents:

Determining the Organization. What is a Policy Architecture? Getting Ready to Start. Communication Skills within the Organization. What Goes into the Architecture. Putting it Together. Crafting Communication for Maximum Effectiveness. Continuing to Mold your Style through Experience.

Catalog no. AU5905, 2008, 368 pp. ISBN: 978-1-4200-5905-2, $83.95 / £52.99

How to Develop and Implement a Security Master Plan
Timothy D. Giles
Newnan, Georgia, USA

“This practical guide details how to construct a customized, comprehensive, five-year corporate security plan that synchronizes with the strategies of any business or institution.”

– In ASIS Dynamics, May/June 2009

This book explains how to develop a plan and implementation strategy that aligns with an organization’s particular philosophies, strategies, goals, programs, and processes. Readers learn how to outline risks and then formulate appropriate mitigation strategies. This guide provides tested, real-world solutions on how to:

• Conduct an effective, efficient assessment of the site and security personnel, meticulously addressing the particular needs of many different environments

• Make decisions about security philosophies, strategies, contract relationships, technology, and equipment replacement

• Interview executive and security management to determine their concerns, educate them, and ensure that they buy in to your plan

• Use all gathered data to construct and finalize the Security Master Plan and then implement it into the management of the business

Author Tim Giles worked at IBM for 31 years serving as Director of Security for the company’s operations in the United States and Canada, as well as Latin America and Asia-Pacific. His immeasurable experience and insight provide readers with an extraordinarily comprehensive understanding that they can use to design and execute a highly effective, tailored security program.

Catalog no. AU6251, 2009, 352 pp. ISBN: 978-1-4200-8625-6, $83.95 / £52.99


The Security Risk Assessment Handbook
A Complete Guide for Performing Security Risk Assessments
Douglas J. Landoll
En Pointe Technologies, Austin, Texas, USA

Complete with charts, checklists, examples, and templates to speed up data gathering, analysis, and document development, this complete guide provides detailed insight into precisely how to conduct an information security risk assessment. Designed for security professionals and their customers who want a more in-depth understanding of the risk assessment process, this volume contains real-world advice that promotes professional development. It also enables security consumers to better negotiate the scope and rigor of a security assessment, effectively interface with a security assessment team, deliver insightful comments on a draft report, and have a greater understanding of final report recommendations.

This book will help you save time and money by eliminating guesswork as to what assessment steps to perform, and how to perform them. By improving the efficiency of the assessment process, security consultants will be able to deliver a higher-quality service with a larger profit margin. The text will also allow consumers to intelligently solicit and review proposals, positioning them to request affordable security risk assessments from quality vendors that meet the needs of their organizations.

Contents:

Information Security Risk Assessment Basics. Project Definition. Security Risk Assessment Preparation. Data Gathering. Administrative Data Gathering. Technical Data Gathering. Physical Data Gathering. Security Risk Analysis. Security Risk Mitigation. Security Risk Assessment Reporting. Security Risk Assessment Project Management. Security Risk Assessment Approaches.

Catalog no. AU2998, 2006, 504 pp. ISBN: 978-0-8493-2998-2, $87.95 / £56.69

How to Complete a Risk Assessment in 5 Days or Less
Thomas R. Peltier
Thomas R. Peltier Associates, LLC, Wyandotte, Michigan, USA

Presents Case Studies and Examples of all Risk Management Components

Based on the seminars of Tom Peltier, this volume presents the various processes that an organization can employ in assessing risk, fully detailing each of its strengths and weaknesses. This information will allow managers to determine what processes best fit the needs of a given situation to mitigate risk levels. Always conscious of the bottom line, the author discusses the cost-benefit analysis of risk mitigation and looks at specific ways to manage costs. The conclusions presented are supported by numerous case studies and explained through diagrams that show how to apply risk management skills in an organization with regard to any business endeavor.

Features:

• Presents and explains the key components of risk management

• Demonstrates how the components of risk management work in any organization and business situation

• Explains how to draw up an action plan to protect the assets of the organization when the risk assessment process concludes

• Examines the difference between a Gap Analysis and a Security or Controls Assessment

Selected Contents:

The Facilitated Risk Analysis and Assessment Process (FRAAP). Risk Analysis (Project Impact Analysis). Pre-Screening. Business Impact Analysis. Gap Analysis. Appendix A: Facilitator Skills. Appendix B: FRAAP Team Members. Appendix C: Project Scope Statement.

Catalog no. AU6275, 2009, 444 pp. ISBN: 978-1-4200-6275-5, $84.95 / £52.99


Mechanics of User Identification and Authentication
Fundamentals of Identity Management
Dobromir Todorov
Consultant, Buckinghamshire, UK

“By the authors providing a ‘hacker’ perspective, readers will more fully understand the ramifications of having an insecure computer, server, network, program, database and or policy. … There are important discussions of the non-technical kind [of insecurity] like policy, which is too often overlooked in many organizations. … What is most impressive about the book is its outlines of specific exploits and attacks with prescribed defenses. … Coupled with good illustrations and detailed explanations, this is a great resource…”

—E-Streams, Vol. 7, No. 9

“… a must-have book for those preparing for the CISSP exam and for any information security professional.”

—Zentralblatt MATH 1054

Effective and fool-proof user identification and authentication are essential to modern security. Providing a hacker perspective, this text introduces the philosophy behind user authentication and access control and presents key concepts for practical applications. It outlines the process of controlled access to resources through authentication, authorization, and accounting and provides specific information on the user authentication process for both UNIX and Windows. Addressing more advanced applications and services, the author presents common security models such as GSSAPI and discusses authentication architecture. Each method is presented with a specific authentication scenario.

Catalog no. AU5219, 2007, 760 pp. ISBN: 978-1-4200-5219-0, $87.95 / £56.69

Official (ISC)2® Guide to the SSCP® CBK®

Edited by

Harold F. Tipton, Diana-Lynn Contesti, Kevin Henry, Douglas Andre, Paul A. Henry, Bonnie A. Goins, and Eric Waxvik

Offers Guidance from World Leaders in IS Implementation

The SSCP® certification is the key to unlocking the upper ranks of security implementation at the world’s most prestigious organizations. If you’re serious about becoming a leading tactician at the front lines, the (ISC)²® Systems Security Certified Practitioner (SSCP) certification is an absolute necessity.

Nowhere else are the seven domains of the CBK embodied more adeptly than in the Official (ISC)²® Guide to the SSCP® CBK®. In a milestone effort, five of the world’s leading tacticians in IT security discuss the critical role that policy, procedures, standards, and guidelines play within the overall information security management infrastructure.

Through clear descriptions accompanied by numerous tables, bulleted lists, charts, easy-to-follow instructions, sample questions, and an entire chapter of self-assessment questions, this book builds a solid, product-independent understanding of information security fundamentals.

Contents:

Access Controls. Security Operations and Administration. Analysis and Monitoring. Risk, Response, and Recovery. Cryptography. Networks and Telecommunications. Malicious Code.

Catalog no. AU2774, 2007, 608 pp. ISBN: 978-0-8493-2774-2, $64.95 / £41.99


Understanding and Applying Cryptography and Data Security
Adam J. Elbirt
The Charles Stark Draper Laboratory, Cambridge, Massachusetts, USA

Provides the Foundation for Constructing Cryptographic Protocols

Addressing real-world implementation issues, Understanding and Applying Cryptography and Data Security emphasizes cryptographic algorithm and protocol implementation in hardware, software, and embedded systems. The first several chapters present various types of symmetric-key cryptographic algorithms. These chapters examine basic substitution ciphers, cryptanalysis, the Data Encryption Standard (DES), and the Advanced Encryption Standard (AES).

Subsequent chapters on public-key cryptographic algorithms cover the underlying mathematics behind the computation of inverses, the use of fast exponentiation techniques, tradeoffs between public- and symmetric-key algorithms, and the minimum key lengths necessary to maintain acceptable levels of security. The final chapters present the components needed for the creation of cryptographic protocols and investigate different security services and their impact on the construction of cryptographic protocols. The author provides readers with C and VHDL frameworks and testing environments on a CD-ROM.

Features:

• Describes cryptography and data security from an implementation point of view, spanning hardware, software, and embedded systems

• Focuses on cryptographic algorithms before dealing with the construction of cryptographic protocols

• Includes many examples, problems, and a CD-ROM with C and VHDL frameworks for implementation of problems

Catalog no. AU6160, 2009, 416 pp. ISBN: 978-1-4200-6160-4, $79.95 / £44.99

Multimedia Content Encryption
Techniques and Applications
Shiguo Lian
France Telecom R&D, Beijing, China

To fully protect multimedia data from piracy or unauthorized use, it must be secured through encryption prior to its transmission or distribution. Multimedia Content Encryption: Techniques and Applications begins with the history of multimedia encryption and then examines general performance requirements of encryption and fundamental encrypting techniques. It discusses common techniques of complete, partial, and compression-combined encryption, as well as the more specialized forms, including perception, scalable, and commutative encryption.

Shiguo Lian is the author or co-author of more than fifty peer-reviewed journal and conference articles. In this book, Lian reviews watermarking, joint fingerprint embedding and decryption, typical attacks on multimedia encryption, as well as the principles for designing secure algorithms and various applications. An exploration of open issues, up-and-coming topics, and areas for further research rounds out the coverage.

By following the techniques outlined in this book, users will be better able to protect the integrity of their multimedia data and develop greater confidence that their data will not be misappropriated.

Contents:

Performance Requirement of Multimedia Content Encryption. Fundamental Techniques. Complete Encryption. Partial Encryption. Compression-Combined Encryption. Perceptual Encryption. Scalable Encryption. Commutative Watermarking and Encryption. Joint Fingerprint Embedding and Decryption. Typical Attacks on Multimedia Encryption. Some Principles for Secure Multimedia Encryption. Multimedia Encryption in Typical Applications. Open Issues.

Catalog no. AU6527, 2009, 224 pp. ISBN: 978-1-4200-6527-5, $104.95 / £66.99


New!

Security of Mobile Communications
Noureddine Boudriga
University of the 7th of November at Carthage, Tunisia

The explosive demand for mobile communications is driving the development of wireless technology at an unprecedented pace. Unfortunately, this exceptional growth is also giving rise to a myriad of security issues at all levels.

Providing technicians and designers with a comprehensive resource, Security of Mobile Communications brings together the policies, practices, and guidelines needed to identify and address the security issues related to today’s wireless sensor networks, satellite services, mobile e-services, and inter-system roaming and interconnecting systems. It details the major mobile standards for securing mobile communications and examines the architectures able to provide data confidentiality, authentication, integrity, and privacy in various wireless environments.

Professor Noureddine Boudriga, an internationally recognized authority, goes beyond analysis, standards, and guidelines to define the roles and responsibilities that network operators, service providers, and even customers need to fulfill to assure our mobile communications are as secure as they are prolific.

Features:

• Provides an up-to-date analysis of the types of attacks and viruses that must be protected against

• Reviews the new mechanisms and standards implemented by GSM, 3G, WLAN, and ad hoc networks

• Details architectures that provide access control, authentication, and authorization

• Explores security features related to IP mobility, mobile payments, multimedia applications, VoIP, and SIM-like cards

Catalog no. AU7941, January 2010, 630 pp. ISBN: 978-0-8493-7941-3, $99.95 / £60.99

Security Software Development
Assessing and Managing Security Risks
Douglas A. Ashbaugh, CISSP
Software Engineering Services, West Des Moines, Iowa, USA

Threats to application security continue to evolve just as quickly as the systems that protect against cyber-threats. In many instances, traditional firewalls and controls no longer get the job done. The latest line of defense is to build security features into software as it is being developed.

Drawing on the author’s extensive experience, this book illustrates how to achieve cost-effective software application security by monitoring and regulating risks early on and integrating assessment and management into the development life cycle. It identifies the two primary reasons for inadequate security safeguards, as well as the problems that have plagued software security for more than a decade. Highlighting recent trends, this guide:

• Outlines and compares various techniques for assessing, identifying, and managing security risks and vulnerabilities—detailing how to execute each approach

• Explains the fundamental terms and concepts related to the security process

• Explains the pros and cons of each method, phase by phase—helping you select the one that best suits your needs

• Clearly illustrates how to analyze relevant threats to your applications and then implement time- and money-saving techniques to safeguard against those threats

Selected Contents:

Current Trends in Application Security. Risk Assessment Methodologies. Identifying Threats. Identification of Vulnerabilities. Identification of Assets. Analyzing Risks. Managing Risks. Looking at Risk Assessment and Risk Management within the Phases of the Software Development Life Cycle.

Catalog no. AU6380, 2009, 321 pp. ISBN: 978-1-4200-6380-6, $83.95 / £52.99


New!

Building an Enterprise-Wide Business Continuity Program
Kelley Okolita
MBCP (Master Business Continuity Planner)

Provides Access to Online Resources

If you had to evacuate your building right now and couldn’t get back in for two weeks … would you know what to do to ensure your business continues to operate? Would your staff? Increasing threats to business make it essential for corporations and institutions to develop plans to ensure the preservation of business operations—and the technology that supports them—should risks become reality.

Building an Enterprise-Wide Business Continuity Program goes beyond theory to provide planners with actual tools needed to build a continuity program in any enterprise. Drawing on over two decades of experience creating continuity plans and exercising them in actual recoveries, including 9/11 and Hurricane Katrina, Kelley Okolita, MBCP, provides authoritative guidance on each step of the process. Complete with a sample plan and helpful tips for getting started, the text explains how to:

• Validate your plan

• Keep it action-ready over the course of time

• Sell the continuity program to senior leadership

Disasters can happen anywhere, anytime, and for any number of reasons. By proactively planning for such events, smart leaders can prepare their organizations to minimize tragic consequences and restore order quickly.

Catalog no. AU8645, January 2010, 344 pp. ISBN: 978-1-4200-8864-9, $79.95 / £49.99

Second Edition of a Bestseller!

Business Resumption Planning, Second Edition
Edited by
Leo A. Wrobel
TelLAWCom Labs, Inc., Ovilla, Texas, USA

Offering hundreds of tips, templates, checklists, and pointers to additional information, the second edition of this bestselling resource will help you create effective recovery plans for your organization. It provides the information needed to coordinate first responders to meet any disaster scenario head on.

New to the Second Edition:

• The latest techniques for conducting an efficient Business Impact Analysis and an accurate Failure Mode Effects Analysis

• Advice on how to successfully recover from Ground Zero events, such as Oklahoma City, the World Trade Center, and Hurricane Katrina

• Tips on how to maintain command, control, communications, computers, and intelligence during a disaster

• An explanation of how the recently enacted Sarbanes-Oxley Act of 2002 impacts planning efforts

• Plans and templates for assessing vulnerability in WANs, Open Networks, physical facilities, environmentals, and enhanced services

• An examination of legal ramifications resulting from a failure to plan—including new liability issues

The book presents case studies and examples that illustrate the vulnerabilities of today’s mission-critical systems. It details the steps you should take to assess your exposure and then explains how to reduce that exposure. It also includes a CD-ROM that contains time-saving worksheets, checklists, audit forms, work breakdown structures, and reports.

Catalog no. AU1459, 2009, 512 pp. ISBN: 978-0-8493-1459-9, $94.95 / £60.99


Critical Infrastructure
Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies

Tyson Macaulay
CISSP, CISA, ISSPCS, Ottawa, Ontario, Canada

Critical Infrastructure (CI) is fundamental to the functioning of a modern economy, and consequently, maintaining CI security is paramount. However, despite all the security technology available for threats and risks to CI, this crucial area often generates more fear than rational discussion. Apprehension unfortunately prompts many involved in CI policy to default to old-fashioned intuition rather than depend on modern concrete risk assessment as the basis for vital security decisions.

Going beyond definitions, this book looks at the iron triangle within CI: power, telecom, and finance. It introduces the concept of CI as an industrial and enterprise risk conductor, highlighting the reality that a CI failure can propagate a crisis with far-reaching repercussions.

Focuses on Canada and the US Equally for a Useful Cross-Border Security Analysis

With $2.5 trillion at stake in United States’ CI alone, supreme standards and metrics are mandatory for solid protection of such a sophisticated and complex area. This powerful volume is dedicated to moving CI security into the 21st century, illustrating the danger in basing critical CI policy decisions on the existing legacy frames of reference. It represents one of the first complete departures from policy, planning, and response strategies based on intuition and anecdotal evidence.

Catalog no. AU6835, 2009, 344 pp. ISBN: 978-1-4200-6835-1, $83.95 / £52.99

Enterprise Systems Backup and Recovery
A Corporate Insurance Policy
Preston de Guise
IDATA Pty Ltd., Sydney, Australia

A well-designed backup system comes about only when several key factors coalesce—business involvement, IT acceptance, best practice designs, enterprise software, and reliable hardware. This book provides organizations with a comprehensive understanding of the principles and features involved in effective enterprise backups.

The text recommends corporate procedures and policies that need to be established for comprehensive data protection. It provides information relevant to any organization, regardless of the operating system deployed, what backup system is in place, or what planning has been done for business continuity. It explains how to include backup into every phase of system planning, development, operation, and maintenance. It also provides proven techniques for improving current backup system performance.

After reviewing the concepts in this book, organizations will be able to answer these questions:

• What features and functionality should be expected in a backup environment?

• What terminology and concepts are unique to backup software, and what can be related to other areas?

• How can a backup system be monitored successfully?

• How can the performance of a backup system be improved?

By utilizing the information in this book, organizations can take a big step toward improving the security of their data and preventing the devastating loss of data and business revenue that can occur with poorly constructed or inefficient systems.

Catalog no. AU6396, 2009, 308 pp., Soft Cover. ISBN: 978-1-4200-7639-4, $73.95 / £46.99


Digital Privacy
Theory, Technologies, and Practices
Edited by

Alessandro Acquisti, Stefanos Gritzalis, Costas Lambrinoudakis, and Sabrina De Vimercati

According to recent surveys, privacy and anonymity are the fundamental issues of concern for most Internet users, ranked higher than ease-of-use, spam, cost, and even security. Digital Privacy: Theory, Technologies, and Practices covers recent technologies, best practices, and research results, as well as legal, regulatory, and ethical issues.

Established researchers whose work enjoys worldwide recognition draw on contributions from experts in academia, industry, and government to delineate theoretical, technical, and practical aspects of digital privacy. They provide an up-to-date, integrated approach to privacy issues that spells out what digital privacy is and covers the threats, rights, and provisions of the legal framework in terms of technical countermeasures for the protection of an individual’s privacy. The work includes coverage of protocols, mechanisms, applications, architectures, systems, and experimental studies.

Even though the utilization of personal information can improve customer services, increase revenues, and lower business costs, it can be easily misused and lead to violations of privacy. Currently there is no book available that combines such a wide range of privacy topics with such a stellar cast of contributors. Filling that void, Digital Privacy: Theory, Technologies, and Practices gives you the foundation for building effective and legal privacy protocols into your business processes.

Catalog no. AU5217, 2008, 496 pp. ISBN: 978-1-4200-5217-6, $77.95 / £49.99

Malicious Bots
An Inside Look into the Cyber-Criminal Underground of the Internet
Ken Dunham and Jim Melnick
iSIGHT Partners, Inc., Dallas, Texas, USA

“If you like to read about real life cases from thedark zone, the book will appeal to you . . .”

– Berislav Kucan, Net Security, May 14, 2009

Originally designed as neutral entities, computerized bots are increasingly being used maliciously by online criminals in mass spamming events, fraud, extortion, identity theft, and software theft. This book explores the rise of dangerous bots and exposes the nefarious methods of “botmasters”.

With sufficient technical detail to empower IT professionals, this volume provides in-depth coverage of the top bot attacks against financial and government networks over the last several years. The book presents exclusive details of the operation of the notorious Thr34t Krew, one of the most malicious bot herder groups in recent history. Largely unidentified by anti-virus companies, their bots spread globally for months, launching massive distributed denial of service (DDoS) attacks and warez (stolen software distributions). For the first time, this story is publicly revealed, showing how the botherders got arrested, along with details on other bots in the world today.

The text also provides unique descriptions of the criminal marketplace—how criminals make money off of your computer. With unprecedented detail, the book goes on to explain step-by-step how a hacker launches a botnet attack, providing specifics that only those entrenched in the cyber-crime investigation world could possibly offer.

Catalog no. AU6903, 2009, 168 pp. ISBN: 978-1-4200-6903-7, $59.95 / £40.99


Intelligent Network Video
Understanding Modern Video Surveillance Systems
Fredrik Nilsson and Axis Communications Inc.
Chelmsford, Massachusetts, USA

“… provides the first complete reference for developing, implementing, and maintaining the latest surveillance systems . . . guides readers through a well-organized tour of the building blocks of modern video surveillance systems, including network cameras, video encoders, storage, servers, sensors, and video management.”

– ASIS Dynamics, May/June 2009

This resource provides detailed coverage of advanced digital networking and intelligent video capabilities and optimization. It addresses general concepts, explains why IP-based systems provide better image quality and more scalable and flexible systems at a lower cost, and provides current information on cameras and DVRs. It also discusses frame rate control, indoor/outdoor installations, and specifications on MPEG-4 and other digital video formats.

The book is accompanied by a CD containing tools for deploying and optimizing an installation. It is an essential resource for security system designers, consultants, and installers, as well as business and security managers.

Contents:

Introduction to Network Video. The Evolution of Video Surveillance Systems. Image Generation. Camera Considerations. IP Network Technologies. System Considerations. Video Management. Intelligent Video System. Quick Start: Checklist when Designing a Network Video System.

Catalog no. AU6156, 2009, 416 pp. ISBN: 978-1-4200-6156-7, $83.95 / £52.99

New!

Intelligent Video Surveillance
Systems and Technology
Edited by

Yunqian Ma
Honeywell International, Inc., Minnesota, USA

Gang Qian
Arizona State University, Tempe, USA

From the streets of London to subway stations in New York City, surveillance cameras ubiquitously collect hundreds of thousands of videos, often running 24/7. How can such vast volumes of video data be stored, analyzed, indexed, and searched? How can advanced video analysis and systems autonomously recognize people and detect targeted activities in real time? Collating and presenting the latest information, Intelligent Video Surveillance: Systems and Technology explores these issues, from fundamental principles to algorithmic design and system implementation.

Written and edited by a collection of industry experts, the book presents state-of-the-art technologies and systems in intelligent video surveillance. The book integrates key research, design, and implementation themes of intelligent video surveillance systems and technology into one comprehensive reference. The chapters cover the computational principles behind the technologies and systems and include system implementation issues as well as examples of successful applications of these technologies.

Fully illustrated with line art, tables, and photographs demonstrating the collected video and results obtained using the related algorithms, including a color plate section, the book provides a high-level blueprint for advances and insights into future directions of the field.

Catalog no. K10681, January 2010, 590 pp. ISBN: 978-1-4398-1328-7, $119.95 / £72.99


Get 15% off when you order online at www.crcpress.com

Information Security: Design, Implementation, Measurement, and Compliance

Timothy P. Layton, Grover, Missouri, USA

“I have had the pleasure of working with Tim on several large risk assessment projects and I have tremendous respect for his knowledge and experience as an information security practitioner. … I know you will benefit from Tim’s guidance on how to get the most from your risk assessment efforts. For today’s information security leaders, there is not a topic more important.”

—Gary Geddes, CISSP, Strategic Security Advisor, Microsoft Corporation

Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, covering systematically the 133 controls within the 39 control objectives.

Tim Layton’s Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization’s unique context.

Catalog no. AU7087, 2007, 264 pp. ISBN: 978-0-8493-7087-8, $98.95 / £62.99

IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement

Dimitris N. Chorafas, Consultant for Major Corporations, France & Switzerland

Written as a contribution to the accounting and auditing professions as well as to IT practitioners, IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement links two key strategies for business improvement: information technology auditing and Sarbanes-Oxley compliance. Both require ethical accounting practices, focused auditing activities, a functioning system of internal control, and a close watch by the board’s audit committee and CEO.

Based on more than four decades of experience as a consultant to the boards of major corporations in manufacturing and banking, the author addresses objectives, practices, and business opportunities expected from auditing information systems. Topics discussed include the concept of internal control, auditing functions, internal and external auditors, and the responsibilities of the board of directors.

The book uses several case studies to illustrate and clarify the material. Its chapters analyze the underlying reasons for failures in IT projects and explain how they can be avoided, examine critical technical questions concerning information technology, discuss problems related to system reliability and response time, and explore issues of compliance.

The book concludes by presenting readers with a “what if” scenario. If Sarbanes-Oxley legislation had passed the U.S. Congress in the late 1990s or even 2000, how might this have influenced the financial statements of Enron and WorldCom?

Catalog no. AU6170, 2009, 305 pp. ISBN: 978-1-4200-8617-1, $94.95 / £60.99


Our up-to-date, officially sanctioned study guides and resources put you at the top of your field. The breadth and depth of experience of the authors give insight into the key issues in certification and accreditation, including roles and responsibilities, the Information Security life cycle, and pitfalls to avoid.

6000 Broken Sound Parkway, NW, Suite 300
Boca Raton, FL 33487, USA

For a complete list of Authoritative Resources for IT Professionals, please visit www.crcpress.com

Use this Promo Code when ordering to SAVE 15%!