Information Security Management Handbook, Fifth Edition
© 2004 by CRC Press LLC
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail:
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Asset Protection and Security Management Handbook
POA Publishing
ISBN: 0-8493-1603-0

Building a Global Information Assurance Program
Raymond J. Curts and Douglas E. Campbell
ISBN: 0-8493-1368-6

Building an Information Security Awareness Program
Mark B. Desman
ISBN: 0-8493-0116-5

Critical Incident Management
Alan B. Sterneckert
ISBN: 0-8493-0010-X

Cyber Crime Investigator's Field Guide
Bruce Middleton
ISBN: 0-8493-1192-6

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
Albert J. Marcella, Jr. and Robert S. Greenfield
ISBN: 0-8493-0955-7

The Ethical Hack: A Framework for Business Value Penetration Testing
James S. Tiller
ISBN: 0-8493-1609-X

The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks
Susan Young and Dave Aitel
ISBN: 0-8493-0888-7

Information Security Architecture: An Integrated Approach to Security in the Organization
Jan Killmeyer Tudor
ISBN: 0-8493-9988-2

Information Security Fundamentals
Thomas R. Peltier
ISBN: 0-8493-1957-9

Information Security Management Handbook, 5th Edition
Harold F. Tipton and Micki Krause
ISBN: 0-8493-1997-8

Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
Thomas R. Peltier
ISBN: 0-8493-1137-3

Information Security Risk Analysis
Thomas R. Peltier
ISBN: 0-8493-0880-1

Information Technology Control and Audit
Fredrick Gallegos, Daniel Manson, and Sandra Allen-Senft
ISBN: 0-8493-9994-7

Investigator's Guide to Steganography
Gregory Kipper
ISBN: 0-8493-2433-5

Managing a Network Vulnerability Assessment
Thomas Peltier, Justin Peltier, and John A. Blackley
ISBN: 0-8493-1270-1

Network Perimeter Security: Building Defense In-Depth
Cliff Riggs
ISBN: 0-8493-1628-6

The Practical Guide to HIPAA Privacy and Security Compliance
Kevin Beaver and Rebecca Herold
ISBN: 0-8493-1953-6

A Practical Guide to Security Engineering and Information Assurance
Debra S. Herrmann
ISBN: 0-8493-1163-2

The Privacy Papers: Managing Technology, Consumer, Employee and Legislative Actions
Rebecca Herold
ISBN: 0-8493-1248-5

Public Key Infrastructure: Building Trusted Applications and Web Services
John R. Vacca
ISBN: 0-8493-0822-4

Securing and Controlling Cisco Routers
Peter T. Davis
ISBN: 0-8493-1290-6

Strategic Information Security
John Wylder
ISBN: 0-8493-2041-0

Surviving Security: How to Integrate People, Process, and Technology, Second Edition
Amanda Andress
ISBN: 0-8493-2042-9

A Technical Guide to IPSec Virtual Private Networks
James S. Tiller
ISBN: 0-8493-0876-3

Using the Common Criteria for IT Security Evaluation
Debra S. Herrmann
ISBN: 0-8493-1404-6
Information Security Management Handbook
Fifth Edition
Edited by Harold F. Tipton, CISSP, and Micki Krause, CISSP
AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with
permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish
reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials
or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior
permission in writing from the publisher.
All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific
clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance
Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is
ISBN 0-8493-1997-8 /03/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been
granted a photocopy license by the CCC, a separate system of payment has been arranged.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works,
or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice:

Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation, without intent to infringe.

Visit the CRC Press Web site at www.crcpress.com

© 2004 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works

International Standard Book Number 0-8493-1997-8
Library of Congress Card Number 2003061151
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper

Library of Congress Cataloging-in-Publication Data

Information security management handbook / Harold F. Tipton, Micki Krause, editors.—5th ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1997-8 (alk. paper)
1. Computer security—Management—Handbooks, manuals, etc. 2. Data
protection—Handbooks, manuals, etc. I. Tipton, Harold F. II. Krause, Micki.
QA76.9.A25I54165 2003
658′.0558—dc22 2003061151


Chapter 1, “Enhancing Security through Biometric Technology,” by Stephen D. Fried, CISSP, © Lucent Technologies. All rights reserved.
Chapter 18, “Packet Sniffers and Network Monitors,” by James S. Tiller, CISA, CISSP, and Bryan D. Fish, CISSP, © Lucent Technologies. All rights reserved.
Chapter 30, “ISO/OSI Layers and Characteristics,” by George G. McBride, CISSP, © Lucent Technologies. All rights reserved.
Chapter 32, “IPSec Virtual Private Networks,” by James S. Tiller, CISA, CISSP, © INS. All rights reserved.
Chapter 58, “Security Patch Management,” by Jeffrey Davis, CISSP, © Lucent Technologies. All rights reserved.
Chapter 62, “Trust Governance in a Web Services World,” by Daniel D. Houser, CISSP, MBA, e-Biz+, © Nationwide Mutual Insurance Company. All rights reserved.
Chapter 68, “Security Assessment,” by Sudhanshu Kairab, © Copyright 2003 INTEGRITY. All rights reserved.
Chapter 70, “A Progress Report on the CVE Initiative,” by Robert Martin, Steven Christey, and David Baker, © Copyright 2003 MITRE Corp. All rights reserved.
Chapter 87, “How to Work with a Managed Security Service Provider,” by Laurie Hill McQuillan, © 2003 Laurie Hill McQuillan. All rights reserved.
Chapter 99, “Digital Signatures in Relational Database Applications,” by Mike R. Prevost, © 2002 Mike R. Prevost and Gradkell Systems, Inc. Used with permission.
Chapter 108, “Three New Models for the Application of Cryptography,” by Jay Heiser, CISSP, © Lucent Technologies. All rights reserved.
Chapter 110, “Message Authentication,” by James S. Tiller, CISA, CISSP, © INS. All rights reserved.
Chapter 128, “Why Today’s Security Technologies Are So Inadequate: History, Implications, and New Approaches,” by Steven Hofmeyr, Ph.D., © 2003 Sana Security. All rights reserved.
Chapter 131, “Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection,” by Chris Hare, CISSP, CISA, © International Network Services. All rights reserved.
Chapter 142, “Liability for Lax Computer Security in DDOS Attacks,” by Dorsey Morrow, JD, CISSP, © 2003 Dorsey Morrow. All rights reserved.
Chapter 152, “CIRT: Responding to Attack,” by Chris Hare, CISSP, CISA, © International Network Services. All rights reserved.
Chapter 156, “Software Forensics,” by Robert M. Slade, © Robert M. Slade. All rights reserved.

Table of Contents
Contributors
Introduction

1 ACCESS CONTROL SYSTEMS AND METHODOLOGY
Section 1.1 Access Control Techniques
Enhancing Security through Biometric Technology
Stephen D. Fried, CISSP
Biometrics: What is New?
Judith M. Myerson
It is All About Control
Chris Hare, CISSP, CISA
Controlling FTP: Providing Secured Data Transfers
Chris Hare, CISSP, CISA
Section 1.2 Access Control Administration
Types of Information Security Controls
Harold F. Tipton
When Technology and Privacy Collide
Edward H. Freeman
Privacy in the Healthcare Industry
Kate Borten, CISSP
The Case for Privacy
Michael J. Corby, CISSP
Section 1.3 Identification and Authentication Techniques
Biometric Identification
Donald R. Richards, CPP
Single Sign-On for the Enterprise
Ross A. Leo, CISSP

Single Sign-On
Ross A. Leo, CISSP
Section 1.4 Access Control Methodologies and Implementation
Relational Data Base Access Controls Using SQL
Ravi S. Sandhu
Centralized Authentication Services (RADIUS, TACACS, DIAMETER)
William Stackpole, CISSP
Implementation of Access Controls
Stanley Kurzban
An Introduction to Secure Remote Access
Christina M. Bird, Ph.D., CISSP
Section 1.5 Methods of Attack
Hacker Tools and Techniques
Ed Skoudis, CISSP
A New Breed of Hacker Tools and Defenses
Ed Skoudis, CISSP
Social Engineering: The Forgotten Risk
John Berti, CISSP and Marcus Rogers, Ph.D., CISSP
Breaking News: The Latest Hacker Attacks and Defenses
Ed Skoudis, CISSP
Counter-Economic Espionage
Craig A. Schiller, CISSP
Section 1.6 Monitoring and Penetration Testing
Penetration Testing
Stephen D. Fried, CISSP
The Self-Hack Audit
Stephen James
Penetration Testing
Chuck Bianco, FTTR, CISA, CISSP

2 TELECOMMUNICATIONS, NETWORK, AND INTERNET SECURITY
Section 2.1 Communications and Network Security
Understanding SSL
Chris Hare, CISSP, CISA
Packet Sniffers and Network Monitors
James S. Tiller, CISA, CISSP and Bryan D. Fish, CISSP
Secured Connections to External Networks
Steven F. Blanding
Security and Network Technologies
Chris Hare, CISSP, CISA
Wired and Wireless Physical Layer Security Issues
James Trulove
Network Router Security
Steven F. Blanding
Dial-Up Security Controls
Alan Berman and Jeffrey L. Ott
What’s Not So Simple about SNMP?
Chris Hare, CISSP, CISA
Network and Telecommunications Media: Security from the Ground Up
Samuel Chun, CISSP
Security and the Physical Network Layer
Matthew J. Decker, CISSP, CISA, CBCP
Security of Wireless Local Area Networks
Franjo Majstor, CISSP
Securing Wireless Networks
Sandeep Dhameja, CISSP
Wireless Security Mayhem: Restraining the Insanity of Convenience
Mark T. Chapman, MSCS, CISSP, IAM
Wireless LAN Security Challenge

Frandinata Halim, CISSP, CCSP, CCDA, CCNA, MSCE and Gildas Deograt, CISSP

An Introduction to LAN/WAN Security
Steven F. Blanding
ISO/OSI and TCP/IP Network Model Characteristics
George G. McBride, CISSP
Integrity and Security of ATM
Steve Blanding
Section 2.2 Internet/Intranet/Extranet
Enclaves: The Enterprise as an Extranet
Bryan T. Koch, CISSP
IPSec Virtual Private Networks
James S. Tiller, CISA, CISSP
Firewalls: An Effective Solution for Internet Security
E. Eugene Schultz, Ph.D., CISSP
Internet Security: Securing the Perimeter
Douglas G. Conorich
Extranet Access Control Issues
Christopher King, CISSP
Network Layer Security
Steven F. Blanding
Transport Layer Security
Steven F. Blanding
Application-Layer Security Protocols for Networks
William Stackpole, CISSP
Application Layer: Next Level of Security
Keith Pasley, CISSP
Security of Communication Protocols and Services
William Hugh Murray, CISSP

Security Management of the World Wide Web

Lynda L. McGhie and Phillip Q. Maier
An Introduction to IPSec
William Stackpole, CISSP
Wireless Internet Security

Dennis Seymour Lee
VPN Deployment and Evaluation Strategy
Keith Pasley, CISSP
How to Perform a Security Review of a Checkpoint Firewall
Ben Rothke, CISSP
Comparing Firewall Technologies
Per Thorsheim
The (In) Security of Virtual Private Networks
James S. Tiller, CISA, CISSP
Cookies and Web Bugs
William T. Harding, Ph.D., Anita J. Reed, CPA, and Robert L. Gray, Ph.D.
Leveraging Virtual Private Networks
James S. Tiller, CISA, CISSP
Wireless LAN Security
Mandy Andress, CISSP, SSCP, CPA, CISA
Expanding Internet Support with IPv6
Gilbert Held
Virtual Private Networks: Secure Remote Access Over the Internet
John R. Vacca
Applets and Network Security: A Management Overview
Al Berg
Security for Broadband Internet Access Users

James Trulove
New Perspectives on VPNs
Keith Pasley, CISSP
An Examination of Firewall Architectures
Paul A. Henry, CISSP, CNE
Deploying Host-Based Firewalls across the Enterprise: A Case Study
Jeffery Lowder, CISSP
Section 2.3 E-mail Security
Instant Messaging Security Issues
William Hugh Murray, CISSP
Email Security

Bruce A. Lobree
Email Security

Clay Randall
Protecting Against Dial-In Hazards: Email and Data Communications

Leo A. Wrobel

Section 2.4 Secure Voice Communications
Protecting Against Dial-In Hazards: Voice Systems

Leo A. Wrobel
Voice Security
Chris Hare, CISSP, CISA
Secure Voice Communications (VoI)
Valene Skerpac, CISSP
Section 2.5 Network Attacks and Countermeasures

Preventing DNS Attacks
Mark Bell
Preventing a Network from Spoofing and Denial of Service Attacks
Gilbert Held
Packet Sniffers: Use and Misuse
Steve A. Rodgers, CISSP
ISPs and Denial-of-Service Attacks
K. Narayanaswamy, Ph.D.
3 INFORMATION SECURITY MANAGEMENT
Section 3.1 Security Management Concepts and Principles
Measuring ROI on Security

Carl F. Endorf, CISSP, SSCP, GSEC
Security Patch Management

Jeffrey Davis, CISSP
Purposes of Information Security Management

Harold F. Tipton
The Building Blocks of Information Security

Ken M. Shaurette
The Human Side of Information Security
Kevin Henry, CISA, CISSP
Security Management
Ken Buszta, CISSP
Securing New Information Technology
Louis Fried
E-mail Security Using Pretty Good Privacy
William Stallings

Section 3.2 Change Control Management
Configuration Management: Charting the Course for the Organization
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
Section 3.3 Data Classification
Information Classification: A Corporate Implementation Guide
Jim Appleyard
Section 3.4 Risk Management
A Matter of Trust
Ray Kaplan, CISSP, CISA, CISM
Trust Governance in a Web Services World
Daniel D. Houser, CISSP, MBA, e-Biz+
Risk Management and Analysis
Kevin Henry, CISA, CISSP
New Trends in Information Risk Management
Brett Regan Young, CISSP, CBCP
Information Security in the Enterprise
Duane E. Sharp
Managing Enterprise Security Information
Matunda Nyanchama, Ph.D., CISSP and Anna Wilson, CISSP, CISA
Risk Analysis and Assessment
Will Ozier
Managing Risk in an Intranet Environment

Ralph L. Kliem
Security Assessment
Sudhanshu Kairab, CISSP, CISA
Evaluating the Security Posture of an Information Technology Environment: The Challenges of Balancing Risk, Cost, and Frequency of Evaluating Safeguards
Brian R. Schultz, CISSP, CISA
Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security
Carol A. Siegel, Ty R. Sagalow, and Paul Serritella
Section 3.5 Employment Policies and Practices
A Progress Report on the CVE Initiative

Robert Martin, Steven Christey, and David Baker
Roles and Responsibilities of the Information Systems Security Officer

Carl Burney, CISSP
Information Protection: Organization, Roles, and Separation of Duties
Rebecca Herold, CISSP, CISA, FLMI
Organizing for Success: Some Human Resources Issues in Information Security
Jeffrey H. Fenton, CBCP, CISSP and James M. Wolfe, MSM
Ownership and Custody of Data
William Hugh Murray, CISSP
Hiring Ex-Criminal Hackers
Ed Skoudis, CISSP
Information Security and Personnel Practices
Edward H. Freeman
Section 3.6 Risk Management
Information Security Policies from the Ground Up
Brian Shorten, CISSP, CISA
Policy Development
Chris Hare, CISSP, CISA
Risk Analysis and Assessment


Will Ozier
Server Security Policies

Jon David
Toward Enforcing Security Policy: Encouraging Personal Accountability for Corporate Information Security Policy
John O. Wylder, CISSP
The Common Criteria for IT Security Evaluation

Debra S. Herrmann
A Look at the Common Criteria

Ben Rothke, CISSP
The Security Policy Life Cycle: Functions and Responsibilities

Patrick D. Howard, CISSP
Section 3.7 Security Awareness Training
Security Awareness Program

Tom Peltier
Maintaining Management’s Commitment
William Tompkins, CISSP, CBCP
Making Security Awareness Happen
Susan D. Hansche, CISSP
Making Security Awareness Happen: Appendices
Susan D. Hansche, CISSP
Section 3.8 Security Management Planning

Maintaining Information Security during Downsizing
Thomas J. Bray, CISSP
The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products
Sanford Sherizen, Ph.D., CISSP
Information Security Management in the Healthcare Industry
Micki Krause
Protecting High-Tech Trade Secrets

William C. Boni
How to Work with a Managed Security Service Provider
Laurie Hill McQuillan, CISSP
Considerations for Outsourcing Security
Michael J. Corby, CISSP
Outsourcing Security
James S. Tiller, CISA, CISSP
4 APPLICATION PROGRAM SECURITY
Section 4.1 APPLICATION ISSUES
Security Models for Object-Oriented Databases
James Cannady
Web Application Security
Mandy Andress, CISSP, SSCP, CPA, CISA
The Perfect Security: A New World Order

Ken Shaurette
Security for XML and Other Metadata Languages
William Hugh Murray, CISSP
XML and Information Security
Samuel C. McClintock

Testing Object-Based Applications
Polly Perryman Kuver
Secure and Managed Object-Oriented Programming
Louis B. Fried
Application Service Providers
Andres Llana Jr.
Application Security
Walter S. Kobus, Jr., CISSP
Covert Channels
Anton Chuvakin, Ph.D., GCIA, GCIH
Security as a Value Enhancer in Application Systems Development
Lowell Bruce McCulley, CISSP
Open Source versus Closed Source
Ed Skoudis, CISSP
PeopleSoft Security
Satnam Purewal
World Wide Web Application Security
Sean Scanlon
Section 4.2 Databases and Data Warehousing
Reflections on Database Integrity
William Hugh Murray, CISSP
Datamarts and Data Warehouses: Keys to the Future or Keys to the Kingdom?

M. E. Krehnke and D. K. Bradley
Digital Signatures in Relational Database Applications

Mike R. Prevost
Security and Privacy for Data Warehouses: Opportunity or Threat?


David Bonewell, CISSP, CISA, Karen Gibbs, and Adriaan Veldhuisen
Relational Database Security: Availability, Integrity, and Confidentiality

Ravi S. Sandhu and Sushil Jojodia
Section 4.3 Systems Development Controls
Enterprise Security Architecture
William Hugh Murray, CISSP
Certification and Accreditation Methodology
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
A Framework for Certification Testing
Kevin J. Davidson, CISSP
System Development Security Methodology
Ian Lim, CISSP and Ioana V. Carastan, CISSP
A Security-Oriented Extension of the Object Model for the Development of an Information System
Sureerut Inmor, Vatcharaporn Esichaikul, and Dencho N. Batanov
Methods of Auditing Applications
David C. Rice, CISSP and Graham Bucholz
Section 4.4 Malicious Code
Malware and Computer Viruses
Robert M. Slade, CISSP
An Introduction to Hostile Code and Its Control
Jay Heiser
A Look at Java Security
Ben Rothke, CISSP
Section 4.5 Methods of Attack
The RAID Advantage
Tyson Heyn

Malicious Code: The Threat, Detection, and Protection
Ralph Hoefelmeyer, CISSP and Theresa E. Phillips, CISSP
5 CRYPTOGRAPHY
Section 5.1 Use of Cryptography
Three New Models for the Application of Cryptography
Jay Heiser, CISSP
Auditing Cryptography: Assessing System Security
Steve Stanek
Section 5.2 Cryptographic Concepts, Methodologies, and Practices
Message Authentication
James S. Tiller, CISA, CISSP
Fundamentals of Cryptography and Encryption
Ronald A. Gove
Steganography: The Art of Hiding Messages
Mark Edmead, CISSP, SSCP, TICSA
An Introduction to Cryptography
Javek Ikbel, CISSP
Hash Algorithms: From Message Digests to Signatures
Keith Pasley, CISSP
A Look at the Advanced Encryption Standard (AES)
Ben Rothke, CISSP
Introduction to Encryption
Jay Heiser
Section 5.3 Private Key Algorithms
Principles and Applications of Cryptographic Key Management
William Hugh Murray, CISSP
Section 5.4 Public Key Infrastructure (PKI)
Getting Started with PKI

Harry DeMaio
Mitigating E-Business Security Risks: Public Key Infrastructures in the Real World
Douglas C. Merrill and Eran Feigenbaum
Preserving Public Key Hierarchy
Geoffrey C. Grabow, CISSP
PKI Registration
Alex Golod, CISSP
Section 5.5 System Architecture for Implementing Cryptographic Functions
Implementing Kerberos in Distributed Systems
Joe Kovara, CTP and Ray Kaplan, CISSP, CISA, CISM
Section 5.6 Methods of Attack
Methods of Attacking and Defending Cryptosystems
Joost Houwen, CISSP
6 ENTERPRISE SECURITY ARCHITECTURE
Section 6.1 Principles of Computer and Network Organizations, Architectures, and Designs
Security Infrastructure: Basics of Intrusion Detection Systems
Ken M. Shaurette, CISSP, CISA, NSA, IAM
Systems Integrity Engineering
Don Evans
Introduction to UNIX Security for Security Practitioners
Jeffery J. Lowder
Enterprise Security Architecture
William Hugh Murray
Microcomputer and LAN Security
Stephen Cobb

Reflections on Database Integrity
William Hugh Murray
Firewalls, 10 Percent of the Solution: A Security Architecture Primer
Chris Hare, CISSP, CISA
The Reality of Virtual Computing
Chris Hare, CISSP, CISA
Overcoming Wireless LAN Security Vulnerabilities
Gilbert Held
Section 6.2 Principles of Security Models, Architectures and Evaluation Criteria
Formulating an Enterprise Information Security Architecture
Mollie Krehnke, CISSP, IAM and David Krehnke,CISSP, CISM, IAM
Security Architecture and Models
Foster J. Henderson, CISSP, MCSE and Kellina M. Craig-Henderson, Ph.D.
Security Models for Object-Oriented Data Bases
James Cannady
Section 6.3 Common Flaws and Security Issues — System Architecture and Design
Common System Design Flaws and Security Issues
William Hugh Murray, CISSP
7 OPERATIONS SECURITY
Section 7.1 Concepts
Operations: The Center of Support and Control

Kevin Henry, CISA, CISSP
Why Today’s Security Technologies Are So Inadequate: History, Implications, and New Approaches
Steven Hofmeyr, Ph.D.

Information Warfare and the Information Systems Security Professional
Jerry Kovacich
Steps for Providing Microcomputer Security
Douglas B. Hoyt
Protecting the Portable Computing Environment
Phillip Q. Maier
Operations Security and Controls
Patricia A.P. Fisher
Data Center Security: Useful Intranet Security Methods and Tools
John R. Vacca
Section 7.2 Resource Protection Requirements
Physical Access Control

Dan M. Bowers, CISSP
Software Piracy: Issues and Prevention
Roxanne E. Burkey
Section 7.3 Auditing
Auditing the Electronic Commerce Environment
Chris Hare, CISSP, CISA
Section 7.4 Intrusion Detection
Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection
Chris Hare, CISSP, CISA
Intelligent Intrusion Analysis: How Thinking Machines Can Recognize Computer Intrusions
Bryan D. Fish, CISSP
How to Trap the Network Intruder
Jeff Flynn
Intrusion Detection: How to Utilize a Still Immature Technology

E. Eugene Schultz and Eugene Spafford
Section 7.5 Operations Controls
Directory Security
Ken Buszta, CISSP
8 BUSINESS CONTINUITY PLANNING
Section 8.1 Business Continuity Planning
Reengineering the Business Continuity Planning Process
Carl B. Jackson, CISSP, CBCP
The Role of Continuity Planning in the Enterprise Risk Management Structure
Carl B. Jackson, CISSP, CBCP
Business Continuity in the Distributed Environment
Steven P. Craig
The Changing Face of Continuity Planning
Carl Jackson, CISSP, CDCP
Section 8.2 Disaster Recovery Planning
Restoration Component of Business Continuity Planning
John Dorf, ARM and Martin Johnson, CISSP
Business Resumption Planning and Disaster Recovery: A Case History
Kevin Henry, CISA, CISSP
Business Continuity Planning: A Collaborative Approach
Kevin Henry, CISA, CISSP
Section 8.3 Elements of Business Continuity Planning
The Business Impact Assessment Process
Carl B. Jackson, CISSP, CBCP
9 LAW, INVESTIGATION, AND ETHICS
Section 9.1 Information Law
Jurisdictional Issues in Global Transmissions
Ralph Spencer Poore, CISSP, CISA, CFE

Liability for Lax Computer Security in DDoS Attacks
Dorsey Morrow, JD, CISSP
The Final HIPAA Security Rule Is Here! Now What?
Todd Fitzgerald, CISSP, CISA
HIPAA 201: A Framework Approach to HIPAA Security Readiness
David MacLeod, Ph.D., CISSP, Brian Geffert, CISSP, CISA, and David Deckter, CISSP
Internet Gripe Sites: Bally v. Faber
Edward H. Freeman
State Control of Unsolicited E-mail: State of Washington v. Heckel
Edward H. Freeman
The Legal Issues of Disaster Recovery Planning
Tari Schreider
Section 9.2 Investigations
Computer Crime Investigations: Managing a Process without Any Golden Rules
George Wade, CISSP
Operational Forensics
Michael J. Corby, CISSP
Computer Crime Investigation and Computer Forensics
Thomas Welch, CISSP, CPP
What Happened?
Kelly J. Kuchta, CPP, CFE
Section 9.3 Major Categories of Computer Crime
The International Dimensions of Cybercrime
Ed Gabrys, CISSP
Computer Abuse Methods and Detection
Donn B. Parker
Section 9.4 Incident Handling
Honeypot Essentials
Anton Chuvakin, Ph.D., GCIA, GCIH

CIRT: Responding to Attack
Chris Hare, CISSP, CISA
Managing the Response to a Computer Security Incident
Michael Vangelos, CISSP
Cyber-Crime: Response, Investigation, and Prosecution
Thomas Akin, CISSP
Incident Response Exercises
Ken M. Shaurette, CISSP, CISA, CISM, IAM and Thomas J. Schleppenbach
Software Forensics
Robert M. Slade, CISSP
Reporting Security Breaches
James S. Tiller, CISSP
Incident Response Management
Alan B. Sterneckert, CISA, CISSP, CFE, CCCI
Section 9.5 Ethics
Ethics and the Internet
Micki Krause, CISSP
Computer Ethics
Peter S. Tippett
10 PHYSICAL SECURITY
Section 10.1 Facility Requirements
Physical Security: A Foundation for Information Security
Christopher Steinke, CISSP
Physical Security: Controlled Access and Layered Defense
Bruce R. Mathews, CISSP
Computing Facility Physical Security
Alan Brusewitz, CISSP, CBCP
Closed Circuit Television and Video Surveillance
David Litzau, CISSP

Section 10.2 Technical Controls
Types of Information Security Controls
Harold F. Tipton, CISSP
Physical Security
Tom Peltier
Section 10.3 Environment and Life Safety
Physical Security: The Threat after September 11th, 2001
Jaymes Williams, CISSP
Glossary