Information Security: Principles and Practices, Second Edition

Everything You Need to Know About Modern Computer Security, in One Book

Clearly explains all facets of information security in all 10 domains of the latest Information Security Common Body of Knowledge [(ISC)2 CBK]. Thoroughly updated for today's challenges, technologies, procedures, and best practices. The perfect resource for anyone pursuing an IT security career.

Fully updated for the newest technologies and best practices, Information Security: Principles and Practices, Second Edition thoroughly covers all 10 domains of today's Information Security Common Body of Knowledge. Two highly experienced security practitioners have brought together all the foundational knowledge you need to succeed in today's IT and business environments. They offer easy-to-understand, practical coverage of topics ranging from security management and physical security to cryptography and application development security.

This edition fully addresses new trends that are transforming security, from cloud services to mobile applications, "Bring Your Own Device" (BYOD) strategies to today's increasingly rigorous compliance requirements. Throughout, you'll find updated case studies, review questions, and exercises, all designed to reveal today's real-world IT security challenges and help you overcome them.
Learn how to
  -- Recognize the evolving role of IT security
  -- Identify the best new opportunities in the field
  -- Discover today's core information security principles of success
  -- Understand certification programs and the CBK
  -- Master today's best practices for governance and risk management
  -- Architect and design systems to maximize security
  -- Plan for business continuity
  -- Understand the legal, investigatory, and ethical requirements associated with IT security
  -- Improve physical and operational security
  -- Implement effective access control systems
  -- Effectively utilize cryptography
  -- Improve network and Internet security
  -- Build more secure software
  -- Define more effective security policies and standards
  -- Preview the future of information security
Table of Contents

Preface

Chapter 1: Why Study Information Security?
  Introduction
  The Growing Importance of IT Security and New Career Opportunities
  An Increase in Demand by Government and Private Industry
  Becoming an Information Security Specialist
  Schools Are Responding to Demands
  The Importance of a Multidisciplinary Approach
  Contextualizing Information Security
  Information Security Careers Meet the Needs of Business
  Summary

Chapter 2: Information Security Principles of Success
  Introduction
  Principle 1: There Is No Such Thing As Absolute Security
  Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
  Integrity Models
  Availability Models
  Principle 3: Defense in Depth as Strategy
  Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
  Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
  Principle 6: Security Through Obscurity Is Not an Answer
  Principle 7: Security = Risk Management
  Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
  Principle 9: Complexity Is the Enemy of Security
  Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
  Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
  Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
  Summary

Chapter 3: Certification Programs and the Common Body of Knowledge
  Introduction
  Certification and Information Security
  International Information Systems Security Certifications Consortium (ISC)2
  The Information Security Common Body of Knowledge
  Information Security Governance and Risk Management
  Security Architecture and Design
  Business Continuity and Disaster Recovery Planning
  Legal Regulations, Investigations, and Compliance
  Physical (Environmental) Security
  Operations Security
  Access Control
  Cryptography
  Telecommunications and Network Security
  Software Development Security
  Other Certificate Programs in the IT Security Industry
  Certified Information Systems Auditor
  Certified Information Security Manager
  Certified in Risk and Information Systems Control
  Global Information Assurance Certifications
  (ISC)2 Specialization Certificates
  CCFP: Certified Cyber Forensics Professional
  HCISPP: HealthCare Information Security and Privacy Practitioner
  Vendor-Specific and Other Certification Programs
  Summary

Chapter 4: Governance and Risk Management
  Introduction
  Security Policies Set the Stage for Success
  Understanding the Four Types of Policies
  Programme-Level Policies
  Programme-Framework Policies
  Issue-Specific Policies
  System-Specific Policies
  Developing and Managing Security Policies
  Security Objectives
  Operational Security
  Policy Implementation
  Providing Policy Support Documents
  Regulations
  Standards and Baselines
  Guidelines
  Procedures
  Suggested Standards Taxonomy
  Asset and Data Classification
  Separation of Duties
  Employment Hiring Practices
  Risk Analysis and Management
  Education, Training, and Awareness
  Who Is Responsible for Security?
  Summary

Chapter 5: Security Architecture and Design
  Introduction
  Defining the Trusted Computing Base
  Rings of Trust
  Protection Mechanisms in a TCB
  System Security Assurance Concepts
  Goals of Security Testing
  Formal Security Testing Models
  The Trusted Computer Security Evaluation Criteria
  Division D: Minimal Protection
  Division C: Discretionary Protection
  Division B: Mandatory Protection
  Division A: Verified Protection
  The Trusted Network Interpretation of the TCSEC
  The Information Technology Security Evaluation Criteria
  Comparing ITSEC to TCSEC
  ITSEC Assurance Classes
  The Canadian Trusted Computer Product Evaluation Criteria
  The Federal Criteria for Information Technology Security
  The Common Criteria
  Protection Profile Organization
  Security Functional Requirements
  Evaluation Assurance Levels
  The Common Evaluation Methodology
  Confidentiality and Integrity Models
  Bell-LaPadula Model
  Biba Integrity Model
  Advanced Models
  Summary

Chapter 6: Business Continuity Planning and Disaster Recovery Planning
  Introduction
  Overview of the Business Continuity Plan and Disaster Recovery Plan
  Why the BCP Is So Important
  Types of Disruptive Events
  Defining the Scope of the BCP
  Creating the Business Impact Analysis
  Disaster Recovery Planning
  Identifying Recovery Strategies
  Understanding Shared-Site Agreements
  Using Alternate Sites
  Making Additional Arrangements
  Testing the DRP
  Summary

Chapter 7: Law, Investigations, and Ethics
  Introduction
  Types of Computer Crime
  How Cybercriminals Commit Crimes
  The Computer and the Law
  Legislative Branch of the Legal System
  Administrative Branch of the Legal System
  Judicial Branch of the Legal System
  Intellectual Property Law
  Patent Law
  Trademarks
  Trade Secrets
  Privacy and the Law
  International Privacy Issues
  Privacy Laws in the United States
  Computer Forensics
  The Information Security Professional's Code of Ethics
  Other Ethics Standards
  Computer Ethics Institute
  Internet Activities Board: Ethics and the Internet
  Code of Fair Information Practices
  Summary

Chapter 8: Physical Security Control
  Introduction
  Understanding the Physical Security Domain
  Physical Security Threats
  Providing Physical Security
  Summary

Chapter 9: Operations Security
  Introduction
  Operations Security Principles
  Operations Security Process Controls
  Operations Security Controls in Action
  Software Support
  Configuration and Change Management
  Backups
  Media Controls
  Documentation
  Maintenance
  Interdependencies
  Summary

Chapter 10: Access Control Systems and Methodology
  Introduction
  Terms and Concepts
  Identification
  Authentication
  Least Privilege (Need to Know)
  Information Owner
  Discretionary Access Control
  Access Control Lists
  Mandatory Access Control
  Role-Based Access Control
  Principles of Authentication
  The Problems with Passwords
  Multifactor Authentication
  Biometrics
  Single Sign-On
  Kerberos
  Federated Identities
  Remote User Access and Authentication
  Remote Access Dial-In User Service
  Virtual Private Networks
  Summary

Chapter 11: Cryptography
  Introduction
  Applying Cryptography to Information Systems
  Basic Terms and Concepts
  Strength of Cryptosystems
  Cryptosystems Answer the Needs of Today's E-Commerce
  The Role of Keys in Cryptosystems
  Putting the Pieces to Work
  Digesting Data
  Digital Certificates
  Examining Digital Cryptography
  Hashing Functions
  Block Ciphers
  Implementations of PPK Cryptography
  Summary

Chapter 12: Telecommunications, Network, and Internet Security
  Introduction
  An Overview of Network and Telecommunications Security
  Network Security in Context
  The Open Systems Interconnection Reference Model
  The Protocol Stack
  The OSI Reference Model and TCP/IP
  The OSI Model and Security
  Data Network Types
  Local Area Networks
  Wide Area Networks
  Internet
  Intranet
  Extranet
  Protecting TCP/IP Networks
  Basic Security Infrastructures
  Routers
  Firewalls
  Intrusion Detection Systems
  Intrusion Prevention Systems
  Virtual Private Networks
  IPSec
  Encapsulating Security Protocol
  Security Association
  Internet Security Association and Key Management Protocol
  Security Policies
  IPSec Key Management
  Applied VPNs
  Cloud Computing
  Summary

Chapter 13: Software Development Security
  Introduction
  The Practice of Software Engineering
  Software Development Life Cycles
  Don't Bolt Security On–Build It In
  Catch Problems Sooner Rather Than Later
  Requirements Gathering and Analysis
  Systems Design and Detailed Design
  Design Reviews
  Development (Coding) Phase
  Testing
  Deployment
  Security Training
  Measuring the Secure Development Program
  Open Software Assurance Maturity Model (OpenSAMM)
  Building Security in Maturity Model (BSIMM)
  Summary

Chapter 14: Securing the Future
  Introduction
  Operation Eligible Receiver
  Carders, Account Takeover, and Identity Theft
  Some Definitions
  ZeuS Banking Trojan
  Phishing and Spear Phishing
  Other Trends in Internet (In)Security
  The Year (Decade?) of the Breach
  The Rosy Future for InfoSec Specialists
  Summary

Appendix A: Common Body of Knowledge
  Access Control
  Telecommunications and Network Security
  Information Security Governance and Risk Management
  Software Development Security
  Cryptography
  Security Architecture and Design
  Operations Security
  Business Continuity and Disaster Recovery Planning
  Legal Regulations, Investigations, and Compliance
  Physical (Environmental) Security

Appendix B: Security Policy and Standards Taxonomy

Appendix C: Sample Policies
  Sample Computer Acceptable Use Policy
  1.0.0 Acceptable Use Policy
  Sample Email Use Policy
  1.0.0 Email Use Policy
  Sample Password Policy
  1.0.0 Password Policy
  Sample Wireless (WiFi) Use Policy
  1.0.0 Wireless Communication Policy

Appendix D: HIPAA Security Rule Standards
  HIPAA Security Standards
  Administrative Procedures
  Physical Safeguards
  Technical Security Services
  Technical Security Mechanisms
The definitive, comprehensive guide to the latest Information Security Common Body of Knowledge [(ISC)² CBK] for every IT security student and professional
  -- Thoroughly updated to reflect the latest knowledge for all ten domains of the (ISC)² CBK
  -- Wide-ranging coverage, from security management and physical security to cryptography and application development security
  -- Covers new technologies, practices, and procedures, ranging from cloud and mobile to BYOD
  -- Includes revamped case studies, review questions, and exercises throughout
New to this edition
  -- Extensively updated coverage of all technologies, practices, and procedures
  -- Updated case studies, review questions, and exercises
  -- All-new coverage of cloud security, mobile security, BYOD, and other key trends

Product details

ISBN: 9780789753250
Published: 2014-06-26
Edition: 2nd edition
Publisher: Pearson IT Certification
Weight: 640 g
Height: 230 mm
Width: 180 mm
Depth: 22 mm
Age level: P, 06
Language: English
Format: Paperback
Number of pages: 368

Biographical note

Mark Merkow, CISSP, CISM, CSSLP, is a technical director for a Fortune 100 financial services firm, where he works on implementing and operating a software security practice for the enterprise. He has more than 35 years of IT experience, including 20 years in IT security. Mark has worked in a variety of roles, including applications development, systems analysis and design, security engineering, and security management. Mark holds a master's degree in Decision and Information Systems from Arizona State University (ASU), a Master of Education in Distance Learning from ASU, and a bachelor's degree in Computer Information Systems from ASU.

Jim Breithaupt is a data integrity manager for a major bank, where he manages risk for a large data mart. He has more than 30 years of data processing experience and has co-authored several other books on information systems and information security, along with Mark Merkow.