Information security management handbook. Volume 5
6th ed.
Publication Information:
Boca Raton : Auerbach Publications, 2012
Physical Description:
xiv, 544 p. : ill. ; 26 cm.


Item Barcode: 30000010320875
Call Number: QA76.9.A25 I544 2012
Material Type: Open Access Book
Item Category 1: Book

On Order



Updated annually to keep up with the increasingly fast pace of change in the field, the Information Security Management Handbook is the single most comprehensive and up-to-date resource on information security (IS) and assurance. Facilitating the up-to-date understanding required of all IS professionals, the Information Security Management Handbook, Sixth Edition, Volume 5 reflects the latest issues in information security and the CISSP® Common Body of Knowledge (CBK®).

This edition updates the benchmark Volume 1 with a wealth of new information to help IS professionals address the challenges created by complex technologies and escalating threats to information security. Topics covered include chapters related to access control, physical security, cryptography, application security, operations security, and business continuity and disaster recovery planning.

The updated edition of this bestselling reference provides cutting-edge reporting on mobile device security, adaptive threat defense, Web 2.0, virtualization, data leakage, governance, and compliance. Also available in a fully searchable CD-ROM format, it supplies you with the tools and understanding to stay one step ahead of evolving threats and ever-changing standards and regulations.

Author Notes

Harold F. Tipton is an independent consultant and past president of the International Information System Security Certification Consortium, and has been a director of computer security for Rockwell International Corporation, Seal Beach, California, for about 15 years. He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994.

Tipton has been a member of the Information Systems Security Association (ISSA) since 1982. He was the president of the Los Angeles chapter in 1984 and president of the national ISSA organization (1987-1989). He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000 and elected an ISSA Distinguished Fellow in 2009. Tipton was a member of the National Institute for Standards and Technology (NIST), the Computer and Telecommunications Security Council, and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He received his bachelor of science in engineering from the United States Naval Academy and his master of arts in personnel administration from George Washington University in Washington, D. C.; he also received his certificate in computer science from the University of California, Irvine, California. He is a Certified Information System Security Professional, an Information Systems Security Architecture Professional, and an Information Systems Security Management Professional.

He has published several papers on information security issues for Auerbach Publishers in the Handbook of Information Security Management and Data Security Management, and other publishers, in the Information Security Journal, the National Academy of Sciences' Computers at Risk, DataPro Reports, various Elsevier publications, and the ISSA Journal. He has been a speaker at all the major information security conferences, including the following: Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security & Audit Users' Conference, and Industrial Security Awareness Conference.

He has conducted/participated in information security seminars for International Information Systems Security Certification Consortium [(ISC)2®]; Frost & Sullivan; University of California, Irvine; California State University, Long Beach; System Exchange Seminars; and the Institute for International Research. He participated in the Ernst & Young video, "Protecting Information Assets." He is currently serving as the Editor of the Handbook of Information Security Management (Auerbach). He chairs the (ISC)2's CBK committees and QA committee. He received the Computer Security Institute's Lifetime Achievement Award in 1994 and the (ISC)2's Harold F. Tipton Lifetime Achievement Award in 2001.

Micki Krause Nozaki, MBA, CISSP, has held positions in the information security profession for the past 20 years. Nozaki was named one of the 25 most influential women in the field of information security by industry peers and Information Security magazine as part of their recognition of "Women of Vision" in the field of information technology security. She received the Harold F. Tipton Lifetime Achievement Award in recognition of sustained career excellence and outstanding contributions to the profession. She has held several leadership roles in industry-influential groups, including the ISSA and the (ISC)2, and is a passionate advocate for professional security leadership. She is also a reputed speaker, published author, and coeditor of the Information Security Management Handbook series.

Table of Contents

Contributors: Rob Shein; Sandy Bacik; Salahuddin Kamran; Georges J. Jahchan; Salahuddin Kamran; David O'berry; Foster Henderson; E. Eugene Schultz and Edward Ray; Rebecca Herold; Robert Pittman; Todd Fitzgerald; Sandy Bacik; Robert M. Slade; Chris Hare; Anne Shultz; James C. Murphy; Chris Hare; Sandy Bacik; Chris Hare; Pradnyesh Rane; Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estevez-Tapiador, and Arturo Ribagorda; Ralph Spencer Poore; Jeff Stapleton; Paul Henry; Samuel Chun; Sean M. Price; Sandy Bacik; Sandy Bacik; Carl Jackson; Seth Kinnett; Salahuddin Kamran; Salahuddin Kamran; Leo Kahng
Introduction, p. x
Editors, p. xi
Contributors, p. xiii
Domain 1 Access Control
Access Control Techniques
1 Whitelisting for Endpoint Defense, p. 3
2 Whitelisting, p. 15
Access Control Administration
3 RFID and Information Security, p. 21
4 Privileged User Management, p. 37
5 Privacy in the Age of Social Networking, p. 55
Domain 2 Telecommunications and Network Security
Communications and Network Security
6 IF-MAP as a Standard for Security Data Interchange, p. 69
Internet, Intranet, Extranet Security
7 Understanding the Ramifications of IPv6, p. 117
8 Managing Security in Virtual Environments, p. 137
Domain 3 Information Security and Risk Management
Security Management Concepts and Principles
9 Do Your Business Associate Security and Privacy Programs Live Up to HIPAA and HITECH Requirements?, p. 153
10 Organization Culture Awareness Will Cultivate Your Information Security Program, p. 163
Risk Management
11 Role-Based Information Security Governance: Avoiding the Company Oil Slick, p. 179
12 Social Networking Security Exposure, p. 193
13 Social Networking, Social Media, and Web 2.0 Security Risks, p. 199
14 Applying Adult Education Principles to Security Awareness Programs, p. 207
Security Management Planning
15 Controlling the Emerging Data Dilemma: Building Policy for Unstructured Data Access, p. 215
16 Governance and Risk Management within the Context of Information Security, p. 229
17 Improving Enterprise Security through Predictive Analysis, p. 267
Employment Policies and Practices
18 Security Outsourcing, p. 283
Domain 4 Application Development Security
System Development Controls
19 The Effectiveness of Access Management Reviews, p. 293
20 Securing SaaS Applications: A Cloud Security Perspective for Application Providers, p. 301
21 Attacking RFID Systems, p. 313
Domain 5 Cryptography
Cryptographic Concepts, Methodologies, and Practices
22 Cryptography: Mathematics vs. Engineering, p. 337
23 Cryptographic Message Syntax, p. 343
Domain 6 Security Architecture and Design
Principles of Computer and Network Organizations, Architectures, and Designs
24 An Introduction to Virtualization Security, p. 367
Domain 7 Operations Security
Operations Controls
25 Warfare and Security: Deterrence and Dissuasion in the Cyber Era, p. 391
26 Configuration, Change, and Release Management, p. 403
27 Tape Backup Considerations, p. 423
28 Productivity vs. Security, p. 429
29 Continuity Planning for Small- and Medium-Sized Organizations, p. 435
Domain 9 Legal, Regulations, Compliance, and Investigations
Information Law
30 The Cost of Risk: An Examination of Risk Assessment and Information Security in the Financial Industry, p. 447
31 Data Security and Privacy Legislation, p. 455
Incident Handling
32 Discovery of Electronically Stored Information, p. 473
Domain 10 Physical (Environmental) Security
Elements of Physical Security
33 The Layered Defense Model and Perimeter Intrusion Detection, p. 489
Index, p. 505
Information Security Management Handbook, Sixth Edition: Comprehensive Table of Contents, p. 521