Information Systems Security

This guide shows how to protect against accidental and malicious damage to information systems resources. It also serves as a review for those planning to take the Certified Information Systems Security Practitioner (CISSP) examination.

Topics are organized in the same manner as the International Information System Security Certification Consortium, Inc. (ISC)**2 Common Body of Knowledge. Policies that protects against computer theft through illicit hacker networks, the spread of computer virus codes, computer fraud, and other threats are explained in chapters in:

• Computer and System Security — Penetration methods, countermeasures, and how to design secure systems
• Application Program Security — Software controls, specification and verification, database systems security, integrity controls, accounting, and auditing
• Operations Security — Interface controls, media controls, personnel controls, documentation controls, and backup procedures
• Physical Security — Fire prevention, access control, water exposure problems, document libraries, waste disposal, and off-site storage concern

The authors explain Rainbow Series controls and non-government access controls. They provide guidelines on risk management, safeguards, computer access control software, cryptography, and contingency planning. Among the new areas explored are:

• Data integrity policy and theory
• ISO/OSI security architecture
• Telecommunications security issues
• Current trends in investigative work

Sections on legal and regulatory issues encompass federal and state computer crime laws, control of strategic materials, transborder data flow, guidelines on privacy of data, and ethical issues. Common "attacks" on information security are listed in the appendix and are cross-referenced to explanations of what happened and what action to take.

Information Systems Security meets the reference needs of information systems auditors, information systems managers, security officers, security analysts, and information security managers.

• Introduction
• Organization of this Book
• Background
• Existing Programs
• The Consortium Approach
• Groups that Formed the Consortium
• Code of Ethics
• Code of Good Practice
• The Body of Knowledge
• Information Background Knowledge
• Overview
1. Development of Security Program
2. Risk Analysis
3. Contingency Planning
4. Legal Issues for Managers
5. System Validation and Verification (Accreditation)
6. Information Systems Audit

1. Access Control
1. Ownership, Accountability, and Controls
2. User Authentication and Password Management
3. Access Control Administration
4. Computer Access Control Software
2. Cryptography
1. Definitions and Characteristics
2. Public Key and Private Key: Key Characteristics
3. Key Management
4. Link level, End-to-End
5. Block Mode, Cipher Block Chaining, Stream Ciphers (Synchronous and Self-synchronous)
6. Cryptanalysis and Strength of Ciphers (Theoretically Secure, Computationally Secure)
7. Error Detection and Correction Features of Encryption Methods
8. Implementation: DES, RSA
9. Applications: MAC, X9.9, Digital Signature, Cryptogrphic Checksum
10. Advantages and Disadvantages
3. Risk Management
1. Asset Identification and Valuation
2. Threat and Exposure Assessment
3. Safeguards and Countermeasures
4. Perception and Communication of Risk
4. Business Continuity Planning
1. Backups and Procedures
2. Catastrophe, Contingency, and Continuation
3. Contingency and Disaster Planning
4. Security and Controls in Off-site Backup and Facilities
5. Business and DP Insurance
6. Software Escrow Arrangements
5. Data Classification
1. Elements and Objectives of a Classification Scheme
2. Criteria for Classifying Data
3. Statistical Interference
4. Government Clearances and Data Sensitivities
5. Procedures and Management for a Classification Scheme
6. Security Awareness
1. Components of EDP Security: Administrative and Organizational Controls
2. Organizational and Administrative Controls
3. Personnel Considerations
7. Computer and Systems Security
1. Secure Operating Systems
2. Present Guidelines and Standards: Trusted computing base
3. Design Principles for Secure Systems
4. Common Flaws and Penetration Methods
5. Computer Virus Code
6. Countermeasures
8. Telecommunications Security
1. Telecommunications Fundamentals
2. Types of Attacks
3. Electronic Emissions and TEMPEST
4. Communications
5. Network Design
6. Locus of attack
9. Organization Architecture
1. Responsibility Areas, System Security Officer
2. Common Forms of Organizations
3. Organizational Considerations for Computer Security Incident Response
4. Management of Information Technology and Services
10. Legal/Regulatory
1. Introduction
2. Laws As Tools for Computer Security
3. Constitutional Structure
4. Broad Categories of Law
5. Federal Computer Crime Laws
6. State Computer Crime Laws
7. Model Computer Crime Bills
8. Introduction to Civil Law
9. Introduction to Criminal Law
10. Control of Strategic Materials
11. Transborder Data Flows
12. Privacy of Data — OECD Guidelines
11. Investigation
1. Evidence — Proof in Court
2. Authorized Use and a Computer Use Policy
3. Computer Abuse Checklist
4. Review of Documents
5. Review of the Abuser's Alleged Conduct
6. The Information Security Specialist's Role
12. Application Program Security
1. Software Controls: Development
2. Software Controls: Maintenance
3. Assurance
4. Formal Specification and Verification
5. Database Systems Security
6. Integrity Controls
7. Accounting and Auditing
8. Specific Controls
13. Physical Security
1. Site Location and Construction
2. Physical Access
3. Power
4. Air Conditioning
5. Water Exposures and Problems
6. Fire Prevention
7. Fire Protection
8. Tape and Media Libraries, Retention Policies
9. Document (Hard-Copy) Libraries
10. Waste Disposal
11. Off-site Storage
12. Physical Attack Parameters
14. Operations Security
1. Organization of Computer Operations
2. Separation of Duties
3. Controls at Interfaces
4. Media Controls
5. Backup Procedures
6. Console Capabilities
7. Personnel Controls
8. Documentation Controls
15. Information Ethics
1. Ethical Decision-Making
2. Professional Societies
3. Canadian System Security Centre
4. National Computer Security Center
5. National Institute of Standards and Technology
6. Professional Certifications
16. Policy Development
1. Formal Security Policy Consideration
2. Informal Security Policy
3. Publication and Staff Acknowledgement
4. Model Computer Security Policies

1. References
2. Attacks
1. General Definitions
2. Cryptography Attacks
3. Communication Attacks
4. Attacks on Data and Databases
5. Operating System Attacks
6. Malicious Code
7. Console and Operations Room Attacks
8. Physical Attacks
3. Security Videos

Extremely boring book, but it covers the subject OK. A bit dated now, though.