Introduction - Information Security Management Handbook, Sixth Edition (2012)



Halfway through 2011, the Wall Street Journal labeled it the “Year of the Security Breach.”

Victims ranged from small caps to multinationals, with two important things in common—a reliance on technology and vulnerable humans.

As we write this introduction, headlines such as the following declare the state of security:

Multi-national Electronics Firm Grapples with U.S. Lawsuits after PSN Hack

Heads Roll as Scandal Grows; Sr. Exec Arrested

Chief of Scotland Yard Resigns

LulzSec and Anonymous Vow to Hack On

One may very well question whether the man-years of investment in firewalls, malware fixes, policies, and awareness have made us more secure. A better question may be: will our reliance on technology always leave us less than 100 percent safe?

It seems that the ubiquity of computers and networks will always supply the means, motive, and opportunity to do harm. And once a threat is deployed, the good guys are behind the eight ball, scrambling to install fixes that may or may not resolve the situation. Case in point: the buffer overflow was identified as a security issue more than two decades ago, yet we still suffer from its effects today.

Moreover, current and future innovations such as cloud computing, mobile banking, digital wallets, and near-field communications—to name a few—provide opportunities for exploitation. Thus, we continue to hear: “it’s more a question of when, not if.”

So, vigilance is key; awareness and action are indisputably essential. And, useful, constructive information at the ready is critical.

Hence, we offer the 2012 Information Security Management Handbook, with topics aligned to the profession’s Common Body of Knowledge and encompassing all the requisite aspects of information security.

This edition addresses a range of topics including the following:

Access Control—Technologies and administration, including the most current requirements for the updated laws

Telecommunications and Network Security—Addressing the Internet, intranet, and extranet

Information Security and Risk Management—Organizational culture, preparing for a security audit and the risks of social media

Application Security—Ever-present malware threats and building security into the development process

Security Architecture and Design—Principles of design, including zones of trust

Cryptography—Elliptic curve cryptosystems, format-preserving encryption

Operations Security—Event analysis

Business Continuity and Disaster Recovery Planning—Business continuity in the cloud

Legal, Regulations, Compliance, and Investigation—Persistent threats, incident response in the virtual realm

Physical Security—Essential aspects of physical security

The Handbook’s uses are many—as study material for domain and professional certification, implementation of a new security technology, strategy for risk management, and/or just plain good reading.

As always, we are grateful to our authors who offer their “been there, done that” experience and expertise, and we wish our readers the very best of luck in their professional endeavors.