Information Security

Description

Mark Merkow, CISSP, CISM, CSSLP, is a technical director for a Fortune 100 financial services firm, where he works on implementing and operating a software security practice for the enterprise. He has more than 35 years of IT experience, including 20 years in IT security. Mark has worked in a variety of roles, including applications development, systems analysis and design, security engineering, and security management. Mark holds a master’s degree in decision and info systems from Arizona State University (ASU), a master’s of education in Distance Learning from ASU, and a bachelor’s degree in Computer Info Systems from ASU.

Jim Breithaupt is a data integrity manager for a major bank, where he manages risk for a large data mart. He has more than 30 years of data processing experience and has co-authored several other books on information systems and information security, along with Mark Merkow.

• Extensively updated coverage of all technologies, practices, and procedures
• Updated case studies, review questions, and exercises
• All-new coverage of cloud security, mobile security, BYOD, and other key trends

The definitive, comprehensive guide to the latest Information Security Common Body of Knowledge [(ISC)² CBK] for every IT security student and professional

• Thoroughly updated to reflect the latest knowledge for all ten domains of the (ISC)² CBK
• Wide-ranging coverage, from security management and physical security to cryptography and application development security
• Covers new technologies, practices, and procedures, ranging from cloud and mobile to BYOD
• Includes revamped case studies, review questions, and exercises throughout

• Thoroughly updated to reflect the latest knowledge for all ten domains of the (ISC)² CBK
• Wide-ranging coverage, from security management and physical security to cryptography and application development security
• Covers new technologies, practices, and procedures, ranging from cloud and mobile to BYOD
• Includes revamped case studies, review questions, and exercises throughout

Preface

Chapter 1: Why Study Information Security?

Introduction

The Growing Importance of IT Security and New Career Opportunities

An Increase in Demand by Government and Private Industry

Becoming an Information Security Specialist

Schools Are Responding to Demands

The Importance of a Multidisciplinary Approach

Contextualizing Information Security

Information Security Careers Meet the Needs of Business

Summary

Chapter 2: Information Security Principles of Success

Introduction

Principle 1: There Is No Such Thing As Absolute Security

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

Integrity Models

Availability Models

Principle 3: Defense in Depth as Strategy

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance

Principle 6: Security Through Obscurity Is Not an Answer

Principle 7: Security = Risk Management

Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive

Principle 9: Complexity Is the Enemy of Security

Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security

Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!

Summary

Chapter 3: Certification Programs and the Common Body of Knowledge

Introduction

Certification and Information Security

International Information Systems Security Certifications Consortium (ISC)2

The Information Security Common Body of Knowledge

Information Security Governance and Risk Management

Security Architecture and Design

Business Continuity and Disaster Recovery Planning

Legal Regulations, Investigations, and Compliance

Physical (Environmental) Security

Operations Security

Access Control

Cryptography

Telecommunications and Network Security

Software Development Security

Other Certificate Programs in the IT Security Industry

Certified Information Systems Auditor

Certified Information Security Manager

Certified in Risk and Information Systems Control

Global Information Assurance Certifications

(ISC)2 Specialization Certificates

CCFP: Certified Cyber Forensics Professional

HCISPP: HealthCare Information Security and Privacy Practitioner

Vendor-Specific and Other Certification Programs

Summary

Chapter 4: Governance and Risk Management

Introduction

Security Policies Set the Stage for Success

Understanding the Four Types of Policies

Programme-Level Policies

Programme-Framework Policies

Issue-Specific Policies

System-Specific Policies

Developing and Managing Security Policies

Security Objectives

Operational Security

Policy Implementation

Providing Policy Support Documents

Regulations

Standards and Baselines

Guidelines

Procedures

Suggested Standards Taxonomy

Asset and Data Classification

Separation of Duties

Employment Hiring Practices

Risk Analysis and Management

Education, Training, and Awareness

Who Is Responsible for Security?

Summary

Chapter 5: Security Architecture and Design

Introduction

Defining the Trusted Computing Base

Rings of Trust

Protection Mechanisms in a TCB

System Security Assurance Concepts

Goals of Security Testing

Formal Security Testing Models

The Trusted Computer Security Evaluation Criteria

Division D: Minimal Protection

Division C: Discretionary Protection

Division B: Mandatory Protection

Division A: Verified Protection

The Trusted Network Interpretation of the TCSEC

The Information Technology Security Evaluation Criteria

Comparing ITSEC to TCSEC

ITSEC Assurance Classes

The Canadian Trusted Computer Product Evaluation Criteria

The Federal Criteria for Information Technology Security

The Common Criteria

Protection Profile Organization

Security Functional Requirements

Evaluation Assurance Levels

The Common Evaluation Methodology

Confidentiality and Integrity Models

Bell-LaPadula Model

Biba Integrity Model

Advanced Models

Summary

Chapter 6: Business Continuity Planning and Disaster Recovery Planning

Introduction

Overview of the Business Continuity Plan and Disaster Recovery Plan

Why the BCP Is So Important

Types of Disruptive Events

Defining the Scope of the BCP

Creating the Business Impact Analysis

Disaster Recovery Planning

Identifying Recovery Strategies

Understanding Shared-Site Agreements

Using Alternate Sites

Making Additional Arrangements

Testing the DRP

Summary

Chapter 7: Law, Investigations, and Ethics

Introduction

Types of Computer Crime

How Cybercriminals Commit Crimes

The Computer and the Law

Legislative Branch of the Legal System

Administrative Branch of the Legal System

Judicial Branch of the Legal System

Intellectual Property Law

Patent Law

Trademarks

Trade Secrets

Privacy and the Law

International Privacy Issues

Privacy Laws in the United States

Computer Forensics

The Information Security Professional’s Code of Ethics

Other Ethics Standards

Computer Ethics Institute

Internet Activities Board: Ethics and the Internet

Code of Fair Information Practices

Summary

Chapter 8: Physical Security Control

Introduction

Understanding the Physical Security Domain

Physical Security Threats

Providing Physical Security

Summary

Chapter 9: Operations Security

Introduction

Operations Security Principles

Operations Security Process Controls

Operations Security Controls in Action

Software Support

Configuration and Change Management

Backups

Media Controls

Documentation

Maintenance

Interdependencies

Summary

Chapter 10: Access Control Systems and Methodology

Introduction

Terms and Concepts

Identification

Authentication

Least Privilege (Need to Know)

Information Owner

Discretionary Access Control

Access Control Lists

Mandatory Access Control

Role-Based Access Control

Principles of Authentication

The Problems with Passwords

Multifactor Authentication

Biometrics

Single Sign-On

Kerberos

Federated Identities

Remote User Access and Authentication

Remote Access Dial-In User Service

Virtual Private Networks

Summary

Chapter 11: Cryptography

Introduction

Applying Cryptography to Information Systems

Basic Terms and Concepts

Strength of Cryptosystems

Cryptosystems Answer the Needs of Today’s E-Commerce

The Role of Keys in Cryptosystems

Putting the Pieces to Work

Digesting Data

Digital Certificates

Examining Digital Cryptography

Hashing Functions

Block Ciphers

Implementations of PPK Cryptography

Summary

Chapter 12: Telecommunications, Network, and Internet Security

Introduction

An Overview of Network and Telecommunications Security

Network Security in Context

The Open Systems Interconnection Reference Model

The Protocol Stack

The OSI Reference Model and TCP/IP

The OSI Model and Security

Data Network Types

Local Area Networks

Wide Area Networks

Internet

Intranet

Extranet

Protecting TCP/IP Networks

Basic Security Infrastructures

Routers

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Virtual Private Networks

IPSec

Encapsulating Security Protocol

Security Association

Internet Security Association and Key Management Protocol

Security Policies

IPSec Key Management

Applied VPNs

Cloud Computing

Summary

Chapter 13: Software Development Security

Introduction

The Practice of Software Engineering

Software Development Life Cycles

Don’t Bolt Security On–Build It In

Catch Problems Sooner Rather Than Later

Requirements Gathering and Analysis

Systems Design and Detailed Design

Design Reviews

Development (Coding) Phase

Testing

Deployment

Security Training

Measuring the Secure Development Program

Open Software Assurance Maturity Model (OpenSAMM)

Building Security in Maturity Model (BSIMM)

Summary

Chapter 14: Securing the Future

Introduction

Operation Eligible Receiver

Carders, Account Takeover, and Identity Theft

Some Definitions

ZeuS Banking Trojan

Phishing and Spear Phishing

Other Trends in Internet (In)Security

The Year (Decade?) of the Breach

The Rosy Future for InfoSec Specialists

Summary

Appendix A: Common Body of Knowledge

Access Control

Telecommunications and Network Security

Information Security Governance and Risk Management

Software Development Security

Cryptography

Security Architecture and Design

Operations Security

Business Continuity and Disaster Recovery Planning

Legal Regulations, Investigations, and Compliance

Physical (Environmental) Security

Appendix B: Security Policy and Standards Taxonomy

Appendix C: Sample Policies

Sample Computer Acceptable Use Policy

1.0.0 Acceptable Use Policy

Sample Email Use Policy

1.0.0 Email Use Policy

Sample Password Policy

1.0.0 Password Policy

Sample Wireless (WiFi) Use Policy

1.0.0 Wireless Communication Policy

Appendix D: HIPAA Security Rule Standards

HIPAA Security Standards

Administrative Procedures

Physical Safeguards

Technical Security Services

Technical Security Mechanisms

9780789753250 TOC 5/7/2014

Fully updated for today’s technologies and best practices, Information Security: Principles and Practices, Second Edition thoroughly covers all 10 domains of today’s Information Security Common Body of Knowledge. Written by two of the world’s most experienced IT security practitioners, it brings together foundational knowledge that prepares readers for real-world environments, making it ideal for introductory courses in information security, and for anyone interested in entering the field. This edition addresses today’s newest trends, from cloud and mobile security to BYOD and the latest compliance requirements. The authors present updated real-life case studies, review questions, and exercises throughout.

Information Security: Principles and Practices, Second Edition

Everything You Need to Know About Modern Computer Security, in One Book

Clearly explains all facets of information security in all 10 domains of the latest Information Security Common Body of Knowledge [(ISC)2 CBK].

Thoroughly updated for today’s challenges, technologies, procedures, and best practices.

The perfect resource for anyone pursuing an IT security career.

Fully updated for the newest technologies and best practices, Information Security: Principles and Practices, Second Edition thoroughly covers all 10 domains of today’s Information Security Common Body of Knowledge.

Two highly experienced security practitioners have brought together all the foundational knowledge you need to succeed in today’s IT and business environments. They offer easy-to-understand, practical coverage of topics ranging from security management and physical security to cryptography and application development security.

This edition fully addresses new trends that are transforming security, from cloud services to mobile applications, “Bring Your Own Device” (BYOD) strategies to today’s increasingly rigorous compliance requirements. Throughout, you’ll find updated case studies, review questions, and exercises–all designed to reveal today’s real-world IT security challenges and help you overcome them.

Learn how to

— Recognize the evolving role of IT security

— Identify the best new opportunities in the field

— Discover today’s core information security principles of success

— Understand certification programs and the CBK

— Master today’s best practices for governance and risk management

— Architect and design systems to maximize security

— Plan for business continuity

— Understand the legal, investigatory, and ethical requirements associated with IT security

— Improve physical and operational security

— Implement effective access control systems

— Effectively utilize cryptography

— Improve network and Internet security

— Build more secure software

— Define more effective security policies and standards

— Preview the future of information security

Additional information

Dimensions	1.00 × 7.00 × 9.00 in
Imprint	Pearson IT Certification
Format	gen
ISBN-13	09780789753250
ISBN-10	0789753251
Author	Jim Breithaupt, Mark S. Merkow
Subjects	BYOD security, Internet security, IT operations security, access control systems, IT security ethics, HIPAA IT security, IT security compliance, DRP, Disaster Recovery Planning, BCP, Business Continuity Planning, Security Architecture and Models, Security Management, mobile security, cybersecurity, security best practices, Information Security Common Body of Knowledge, cloud security, ISC2, physical security, H-11 PEARSON IT CERTIFICATION, IT Professional, Employability, network security, higher education, certification, cryptography