IT Security Solutions

Visit us at www.crcpress.com to view more information and complete tables of contents for these and many other related books.

Sign up for email alerts. Stay up to date on our latest resources.

Want to maximize your buying power? Order directly from our online store and receive FREE Standard Shipping with every order, big or small.

MBITSE3 MC_3/1810gtr


Authoritative Resources for IT Professionals

Newly Updated!

Information Security Risk Analysis, Third Edition
Thomas R. Peltier, Thomas R. Peltier Associates, LLC, Wyandotte, Michigan, USA

Achieve a highly effective risk assessment in less than a week!

Successful security professionals have had to modify the process of responding to new threats in the high-profile, ultra-connected business environment. Just because a threat exists, it does not mean that your organization is at risk. Information Security Risk Analysis, Third Edition demonstrates how to separate the dangerous from the benign threats and then determine which pose a real risk to your organization. Providing access to more than 350 pages of helpful ancillary materials, much of it new, this volume effectively:

• Explains the key components of risk management
• Demonstrates how the components of risk management are absolutely necessary and how they should work in your organization and business situation
• Shows how a cost-benefit analysis is part of risk management and how this analysis is performed as part of risk mitigation
• Explains how to draw up an action plan to protect the assets of your organization when the risk assessment process concludes
• Examines the difference between a Gap Analysis and a Security or Controls Assessment
• Presents up-to-date case studies and examples of all risk management components

Authored by renowned security expert and certification instructor Thomas Peltier, this authoritative reference provides you with the latest knowledge and the skill sets needed to achieve a highly effective risk analysis assessment in a matter of days. Supplemented with online access to user-friendly checklists, forms, questionnaires, sample assessments, and other documents, this work is truly a one-stop, how-to resource for security professionals.

Contents: Risk Management. Risk Assessment Process. Quantitative versus Qualitative Risk Assessment. Other Forms of Qualitative Risk Assessment. Facilitated Risk Analysis and Assessment Process (FRAAP). Variations on the FRAAP. Mapping Controls. Business Impact Analysis (BIA).

Catalog no. K11810, March 2010, 456 pp., ISBN: 978-1-4398-3956-0, $79.95 / £49.99

For more information and complete contents, visit www.crcpress.com


New!

Information Security Management: Concepts and Practice
Bel G. Raggad, Pace University, Pleasantville, New York, USA

Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. And, although the international community has been aggressively engaged in developing security standards for network and information security, few books provide clear guidance on how to properly apply the new standards in conducting security audits and creating risk-driven information security programs. This authoritative and practical resource provides a general overview of security auditing before examining the various elements of the information security life cycle. It explains the ISO 17799 standard and walks readers through the steps of conducting a nominal security audit that conforms to the standard. The text also provides detailed guidance for conducting an in-depth technical security audit leading to certification against the 27001 standard. Topics addressed include cyber security, security risk assessments, privacy rights, HIPAA, SOX, intrusion detection systems, security testing activities, cyber terrorism, and vulnerability assessments. Filled with review questions, workshops, and real-world examples, the text illustrates effective implementation and security auditing methodologies. It also includes a detailed security auditing methodology readers can use to devise and implement effective risk-driven security programs that touch all phases of a computing environment—including the sequential stages needed to maintain IS management systems that conform to the latest ISO standards.

Catalog no. AU7854, January 2010, 871 pp. ISBN: 978-1-4200-7854-1, $79.95 / £49.99

New!

Official (ISC)2 Guide to the CISSP CBK, Second Edition
Edited by Harold F. Tipton, HFT Associates, Villa Park, California, USA

With each new advance in connectivity comes a new wave of threats to privacy and security capable of destroying a company’s reputation, violating a consumer’s privacy, and compromising intellectual property. This is why it is essential for information security professionals to stay up to date with the latest advances in technology and the new security threats they create. Recognized as one of the best tools available for the information security professional and especially for candidates studying for the (ISC)2 CISSP exam, the Official (ISC)2® Guide to the CISSP® CBK®, Second Edition has been updated and revised to reflect the latest developments in this ever-changing field. Endorsed by the (ISC)2, this book provides unrivaled preparation for the certification exam. Compiled and reviewed by CISSPs and (ISC)2 members, the text provides an exhaustive review of the 10 domains of the CBK and the high-level topics contained in each domain. Unique and exceptionally thorough, this edition includes a CD with over 200 sample questions, sample exams, and a full test simulator that provides the same number and types of questions with the same allotment of time allowed in the actual exam. It will even grade the exam, provide the correct answers, and identify areas where more study is needed.

Catalog no. K10480, January 2010, 1112 pp. ISBN: 978-1-4398-0959-4, $69.95 / £44.99

Get 15% off when you order online at www.crcpress.com


New!

The Executive MBA in Information Security
John J. Trinckes, Jr., Hampton, Florida, USA

As the primary sponsors and implementers of information security (IS) programs, it is essential for those in key leadership positions to possess a solid understanding of the constantly evolving concepts of IS management. However, developing this knowledge and keeping it current requires the time and energy that busy executives simply don’t have. Supplying a complete overview of key concepts, The Executive MBA in Information Security provides the tools to ensure your organization has an effective and up-to-date IS management program in place. This one-stop resource provides a ready-to-use security framework you can use to develop workable programs and includes proven tips for avoiding common pitfalls so you can get it right the first time. Allowing for quick and easy reference, this timesaving manual provides those in key leadership positions with a lucid understanding of:

• The difference between information security and IT security
• Corporate governance and how it relates to information security
• Steps and processes involved in hiring the right information security staff
• The different functional areas related to IS
• Roles and responsibilities of the chief information security officer (CISO)

Presenting difficult concepts in a straightforward manner, this guide allows you to get up to speed quickly and easily on what it takes to develop an information security management program that is as flexible as it is secure.

Catalog no. K10501, January 2010, c. 352 pp. ISBN: 978-1-4398-1007-1, $69.95 / £44.99

New!

Data Protection: Governance, Risk Management, and Compliance
David G. Hill, Mesabi Group LLC, Westwood, Massachusetts, USA

Failure to appreciate the full dimensions of data protection can lead to poor data protection management, costly resource allocation issues, and exposure to unnecessary risks. Explaining how to gain a handle on the vital aspects of data protection, Data Protection: Governance, Risk Management, and Compliance begins by building the foundation of data protection from a risk management perspective. The book then introduces the two other pillars in the governance, risk management, and compliance (GRC) framework. After exploring data retention and data security in depth, the author focuses on data protection technologies from a risk management viewpoint. He also discusses the special technology requirements for compliance, governance, and data security; the importance of eDiscovery for civil litigation; the impact of third-party services in conjunction with data protection; and data processing facets, such as the role of tiering and server and storage virtualization. The final chapter describes a model to help businesses get started in the planning process for improving their data security. By examining the relationships among the pieces of the data protection puzzle, this book offers a solid understanding of how data protection fits into various organizations. It allows readers to assess their overall strategy, identify security gaps, determine their unique requirements, and decide what technologies and tactics can best meet those requirements.

Catalog no. K10353, January 2010, 330 pp. ISBN: 978-1-4398-0692-0, $69.95 / £44.99


Cyber Fraud: Tactics, Techniques, and Procedures
Executive Editor: Rick Howard, Verisign iDefense Security Intelligence Services, Dulles, Virginia, USA

With millions lost each year, cyber crime has evolved from a minor nuisance to a major concern involving well-organized actors and highly sophisticated organizations. This volume explores the state of threats present in the cyber fraud underground. It discusses phishing/pharming, trojans/toolkits, direct threats, and pump-and-dump scams. By examining the operations of the cyber criminal, the book provides perspective into the general incentives, risks, and behavioral patterns of the fraudsters. Armed with this information, organizations and individuals are better able to develop countermeasures and craft tactics to disrupt the fraud underground and secure their systems.

Features:
• Provides a conceptual model with which to analyze the fraud underground
• Explores the “carding” phenomenon and other online threats
• Includes real-world examples of fraudulent email scams
• Helps organizations determine necessary expenditures on countermeasures

Selected Contents: Principles, Trends, and Mitigation Techniques. The Cyber Threat Landscape in Russia. Banking Trojans. The Russian Business Network: Rise and Fall of a Criminal ISP. IFrame Attacks: An Examination of the Business of IFrame Exploitation. Inside the World of Money Mules. Preventing Malicious Code from “Phoning Home”. Distributed Denial of Service (DDoS) Attacks. Mobile Malicious Code Trends. The Torpig Trojan Exposed. The Laqma Trojan.

Catalog no. AU9127, 2009, 520 pp. ISBN: 978-1-4200-9127-4, $79.95 / £48.99

Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks
Kenneth Brancik, Information Security Consultant, New York, USA

An organization’s employees often have access to sensitive information regarding the company and its customers. This makes greedy or disgruntled employees prime candidates for sabotaging a system or selling privileged information. This book presents methods, safeguards, and techniques to help protect an organization from insider computer fraud. Drawing on the author’s vast experience assessing the adequacy of IT security for the banking and securities industries, the text presents a practical framework for identifying, measuring, monitoring, and controlling the risks associated with insider threats. It not only provides an analysis of application or system-related risks, but also illustrates the interrelationships that exist between an application and the IT infrastructure components it uses to transmit, process, and store sensitive data. The author examines the symbiotic relationship between the risks, controls, threats, and action plans that should be deployed to enhance the overall information security governance processes.

Features:
• Establishes guidelines for determining when insider computer fraud is most likely to occur
• Demonstrates how IT architecture can be configured to increase the level of prevention
• Presents key fraud indicators and key fraud metrics as tools for the detection and prevention of insider computer fraud

Catalog no. AU4659, 2008, 504 pp. ISBN: 978-1-4200-4659-5, $87.95 / £56.69


New!

Vulnerability Management
Park Foreman, GroupM, New York, USA

Illustrated with examples drawn from more than two decades of the author’s multinational experience, Vulnerability Management demonstrates how it is much easier to manage potential weaknesses than to clean up after a violation. Covering the wide range of information that executive-level officers need to know as well as the specifics applicable to singular areas of departmental responsibility, this book provides the strategic vision and details the steps needed to prevent the exploitation of IT security gaps, especially those that are inherent in a larger organization. Providing a fundamental understanding of technology risks from an interloper’s perspective, this work:

• Provides a host of proven methods for assessing and reducing the potential for exploitation
• Includes helpful checklists and offers guidance on developing a complete VM program in a global company
• Provides an understanding of the technology risks and describes how to assess vulnerabilities in order to prepare for security incidents
• Covers areas often neglected and those that are much less secure than they might appear

Contents: Introduction. The Vulnerability Experience. Program and Organization. Technology. Selecting Technology. Process. Execution, Reporting, and Analysis. Planning. Strategic Vulnerabilities. Summary.

Catalog no. K10093, January 2010, 347 pp. ISBN: 978-1-4398-0150-5, $79.95 / £48.99

Information Security Management Handbook, 2009 CD-ROM Edition
Harold F. Tipton, HFT Associates, Villa Park, California, USA
Micki Krause, Pacific Life Insurance Company, Newport Beach, California, USA

The Most Comprehensive Resource Available on Information Security Management

Every year, in response to new technologies and new laws in different countries and regions, there are changes to the fundamental knowledge, skills, techniques, and tools required by all IT security professionals. In step with the lightning-quick pace of change in the technology field, the Information Security Management Handbook has become the standard on which all IT security programs and certifications are based. It reflects new updates to the Common Body of Knowledge (CBK®) that IT security professionals need to know.

An Authoritative and Portable Working Reference—Searchable By Keyword

The multi-volume set of this authoritative resource is now available on CD-ROM. Containing the complete contents of the set, you get a resource that is portable, searchable by keyword, and organized under the CISSP® Common Body of Knowledge (CBK) domains. It includes the latest developments in people, process, and technology identified by the CBK committee. The CD includes every chapter from the 3rd, 4th, 5th, and 6th editions of the handbook. In addition, it provides an extra volume’s worth of information—including chapters from other security and networking books that have never appeared in the print editions—that you simply won’t find anywhere else. Exportable text and hard copies are available at the click of a mouse.

Print version available online

Catalog no. AU0984, July 2009, 456 pp., CD-ROM ISBN: 978-1-4200-9098-7, $199.95 / £127.00


HOWTO Secure and Audit Oracle 10g and 11g
Ron Ben Natan, CTO, Guardium Inc., Waltham, Massachusetts, USA

Oracle has more security-related functions, products, and tools than almost any other database engine. Unfortunately, most users are familiar with less than twenty percent of its security mechanisms. Written by one of the most respected and knowledgeable database security experts in the world, this book shows readers how to navigate the options, select the right tools, and avoid common pitfalls. Structured as HOWTOs that address each security function in the context of Oracle 11g and Oracle 10g, this authoritative guide explains how to:

• Choose configuration settings to help prevent unauthorized access
• Understand when and how to encrypt data-at-rest and data-in-transit and how to implement strong authentication
• Use and manage audit trails and advanced techniques for auditing
• Make use of advanced tools and options, including Advanced Security Options, Virtual Private Database, Audit Vault, and Database Vault

The text provides an overview of cryptography, covering encryption and digital signatures, and shows how Oracle Wallet Manager and orapki can be used to generate and manage certificates. Providing succinct instructions highlighted by examples, this ultimate guide to security best practices for Oracle bridges the gap between those who install and configure security features and those who secure and audit them.

Catalog no. AU4127, 2009, 470 pp. ISBN: 978-1-4200-8412-2, $69.95 / £42.99

Oracle Identity Management: Governance, Risk, and Compliance Architecture, Third Edition
Marlin B. Pohlman, Oracle Corporation, Redwood Shores, California, USA

This book is the definitive guide for corporate stewards struggling to meet regulatory compliance pressures while embarking on the path of process and system remediation. It is written by a director of Oracle Corporation who is recognized as one of the primary educators on identity management, regulatory compliance, and corporate governance. In the book’s first chapters, Dr. Pohlman examines multinational regulations and delves into the nature of governance, risk, and compliance. He cites common standards and illustrates a number of well-known compliance frameworks. Next, he focuses on specific software components that enable secure business operations. To complete the picture, he discusses elements of the Oracle architecture, vaulting solutions, and data hubs, which collect, enforce, and store policy information. Examining case studies from the five most regulated business verticals—financial services, retail, pharma-life sciences, higher education, and the US public sector—this work explains how to:

• Attain and maintain high levels of integrity
• Eliminate redundancy and excessive expense in identity management
• Map solutions directly to region and legislation
• Hold providers accountable for contracted services

Identity management is the first line of defense in the corporate internal ecosystem. Reconciling theory and practicality, this volume makes sure that defense is workable, responsive, and effective.

Catalog no. AU7247, 2008, 552 pp., Soft Cover ISBN: 978-1-4200-7247-1, $74.95 / £46.99


Information Technology Control and Audit, Third Edition
Sandra Senft and Frederick Gallegos, California State Polytechnic University, Pomona, USA

Praise for the Previous Edition: “… very useful for beginners as well as practitioners … well written and presented. ... should provide resiliency to IT security in the emerging cyberworld.” — Information Systems Control Journal

Reflects the Latest Technological Advances

Updated and revised, Information Technology Control and Audit, Third Edition provides a fundamental understanding of IT governance, controls, auditing applications, systems development, and operations. This volume meets the increasing need for audit and control professionals to understand information technology and the controls required to manage this key resource.

A Powerful Primer for the CISA and CGEIT Exams

Supporting and analyzing the CobiT model, this text prepares IT professionals for the CISA and CGEIT exams. With summary sections, exercises, review questions, and references for further readings, it promotes the mastery of the concepts and practical implementation of controls needed to effectively manage information technology resources.

New in the Third Edition:
• Reorganized and expanded to align to the CobiT objectives
• Supports study for both the CISA and CGEIT exams
• Includes chapters on IT financial and sourcing management
• Adds a section on Delivery and Support control objectives
• Includes additional content on audit and control of outsourcing, change management, risk management, and compliance

Catalog no. AU6550, 2009, 774 pp. ISBN: 978-1-4200-6550-3, $89.95 / £59.99

Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI
Debra S. Herrmann, U.S. Nuclear Regulatory Commission, Washington, D.C., USA

“Provides valuable directions on how measurement works and what goes into producing a useful metric. … when faced with the necessity of developing a metrics program to measure the effectiveness of some aspect of your security efforts, this rather imposing tome is one I would recommend … . The master table in the introduction provides a quick guide to the particular section most relevant to the reader’s need …” — Richard Austin, in IEEE Cipher

This book defines more than 900 metrics for measuring compliance with current legislation, the resiliency of your security controls, and return on investment. It explains what needs to be measured, why and how to measure it, and how to tie security and privacy metrics to business goals and objectives. The metrics are scaled by information sensitivity, asset criticality, and risk; aligned to correspond with different lateral and hierarchical functions; designed with flexible measurement boundaries; and can be implemented individually or in combination. The text includes numerous examples and sample reports and stresses a complete assessment by evaluating physical, personnel, IT, and operational security controls.

Features:
• Provides a practical foundation for establishing an effective and efficient security metrics program
• Explains how to measure compliance with security and privacy laws and regulations
• Covers the operational resilience of a system or network, pre- or post-deployment

Catalog no. AU5402, 2007, 848 pp. ISBN: 978-0-8493-5402-1, $129.95 / £83.99


Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement
W. Krag Brotby, CISM, Enterprise Security Architect, Thousand Oaks, California, USA

You can’t manage what you can’t measure

The 20/20 hindsight of audits is no longer an effective solution to security weaknesses. This book offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk. This volume shows readers how to develop metrics that can be used across an organization to assure its information systems are functioning, secure, and supportive of the organization’s business objectives. It provides a comprehensive overview of security metrics, discusses the metrics in use today, and looks at promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response. With three decades of enterprise information security experience, author W. Krag Brotby presents a workable approach to developing and managing cost-effective enterprise information security. He provides readers with the understanding and the metrics required to ensure that every facet of security is linked to business objectives. Case studies effectively demonstrate specific ways that metrics can be implemented across an enterprise to maximize business benefit.

Catalog no. AU5285, 2009, 200 pp. ISBN: 978-1-4200-5285-5, $79.95 / £48.99

Information Assurance Architecture
Keith D. Willett, CTN Technologies, Millersville, Maryland, USA

Keith D. Willett draws on more than 25 years of technical, security, and business experience to provide a framework for organizations to align information assurance with the enterprise and their overall mission. This work provides the know-how to create a formal information assurance architecture that complements an enterprise architecture, systems engineering, and the enterprise life cycle management (ELCM). Information Assurance Architecture consists of a framework, a process, and many supporting tools, templates and methodologies. The framework provides a reference model for the consideration of security in many contexts and from various perspectives; the process provides direction on how to apply that framework. Mr. Willett teaches readers how to identify and use the right tools for the right job. Furthermore, he demonstrates a disciplined approach in thinking about, planning, implementing and managing security, emphasizing that solid solutions can be made impenetrable when they are seamlessly integrated with the whole of an enterprise. This book covers many information assurance subjects, including disaster recovery and firewalls. The objective is to present security services and security mechanisms in the context of information assurance architecture, and in an enterprise context of managing business risk.

Protect Your Secrets from Exposure

Features:
• Highlights the distinctions between security architecture, enterprise architecture, solutions architecture, and systems engineering
• Describes how the Zachman EA model and the Federal Enterprise Architecture (FEA) models can be used together effectively

Catalog no. AU8067, 2008, 624 pp. ISBN: 978-0-8493-8067-9, $79.95 / £52.99


The CISO Handbook: A Practical Guide to Securing Your Company
Michael Gentile and Ron Collette, CISOHandbook.com & Traxx Consulting Services, Newport Beach, California, USA
Thomas D. August, Sony Corporation of America, San Diego, California, USA

Providing unique insights and guidance into designing and implementing an effective information security program, The CISO Handbook presents several essential high-level concepts before building a robust framework that will enable you to map the concepts to your company’s environment. The book is presented in chapters that follow a consistent methodology: Assess, Plan, Design, Execute, and Report. Assess identifies the elements that drive the need for information security programs, enabling you to conduct an analysis of your business and regulatory requirements. Plan discusses how to build the foundation of your program, allowing you to develop an executive mandate, reporting metrics, and an organizational matrix with defined roles and responsibilities. Design demonstrates how to construct the policies and procedures to meet your identified business objectives, explaining how to perform a gap analysis between the existing environment and the desired end-state, define project requirements, and assemble a rough budget. Execute emphasizes the creation of a successful execution model for the implementation of security projects against the backdrop of common business constraints. Report focuses on communicating back to the external and internal stakeholders with information that fits the various audiences. Each chapter includes an overview, followed by foundation concepts, and a methodology section that details the steps necessary to achieve the goals for that particular chapter.

Catalog no. AU1952, 2006, 352 pp. ISBN: 978-0-8493-1952-5, $79.95 / £52.99

CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Ron Collette and Mike Gentile, CISOHandbook.com & Traxx Consulting Services, Newport Beach, California, USA
Skye Gentile, Cabrillo College, Aptos, California, USA

As organizations struggle to implement effective security measures, all too often they focus solely on the tangible elements. While these items are essential, they represent only half of the security equation. This companion volume to the highly touted CISO Handbook presents tools to empower security practitioners to identify the intangible negative influencers that plague most organizations—supplying techniques to identify, minimize, and overcome these pitfalls. The text begins by explaining how using the wrong criteria to measure security can result in a false claim of adequate security. Instead, the authors recommend that organizations measure the success of their efforts using a practical approach that illustrates both the tangible and intangible requirements of a healthy security effort. The middle section discusses the root causes that negatively influence a CISO’s and an organization’s ability to secure itself. It explains what a CISO can do about these security constraints and provides numerous exercises, tools, and techniques to identify, limit, and compensate for the influence of security constraints in any type of organization. The final chapters provide proactive techniques that CISOs can put to use to secure challenging work environments. Reflecting the experience and solutions of those that are in the trenches of modern organizations, this volume provides practical ideas that will make the jobs of security practitioners much easier.

Catalog no. AU9102, 2009, 288 pp. ISBN: 978-1-4200-8910-3, $69.95 / £46.99


The Effective CIO: How to Achieve Outstanding Success through Strategic Alignment, Financial Management, and IT Governance
Eric J. Brown, NCI Building Systems, The Woodlands, Texas, USA
William A. Yarberry, Jr., ICCM Consulting, Houston, Texas, USA

In a business world of uncertain budgets, relentless technology changes, and intense production demands, theory is good, but practice sells. This book is all about practice: successfully delivering the nuts-and-bolts for effective governance execution. It helps to dissolve the negative image many CIOs have as remote, purely rational decision machines, while demonstrating how to improve quality and throughput in your business. This complete resource includes governance checklists, sample IT controls, merger and acquisition recommendations, and a detailed framework for IT policies. Authored by two highly regarded IT management experts, the book provides a survey of existing strategies and also includes detailed problem-solving ideas, such as how to structure optimal IT and telecom contracts with suppliers, the implications of SOP-98, and accounting for software costs. The book seamlessly brings together two perspectives—that of a working CIO who must cope with day-to-day pressures for results, and that of an IT audit consultant with a special focus on governance and internal control. Unlike many other CIO-related books that merely discuss strategies, The Effective CIO includes easy-to-follow guidelines and governance principles that can be put to use right away.

Selected Contents: Core Skills and Career Development. Information Technology Governance. Information Technology Finance. Project Management. Creating Good Enough Code. Enterprise Architecture. Mergers and Acquisitions. Sourcing.

Catalog no. AU6460, 2009, 336 pp. ISBN: 978-1-4200-6460-5, $79.95 / £49.99

New!

Security Manager’s Guide to Disasters: Managing Through Emergencies, Violence, and Other Workplace Threats
Anthony D. Manley, Wantagh, New York, USA

Explores the Wide Range of Disasters That Can Jeopardize an Organization

Recent years have witnessed a dramatic increase in the number of natural disasters and manmade events that have threatened the livelihoods of businesses and organizations worldwide. This essential reference examines the most significant emergencies that may confront the security manager and provides comprehensive guidance on how to prepare for a potential crisis, what to do in the event of one, and how to mitigate the effects. The author discusses all types of disasters, covering a range of major occurrences that could threaten or harm any business or institutional entity. These include terrorism, industrial espionage and sabotage, workplace violence, strikes, natural disasters, fires and medical emergencies. The topics run the gamut of events that security directors, loss prevention professionals, and risk managers may confront in the course of their duties. The book provides strategies for preventing or reducing the severity of an incident and initiating immediate and professional responses to reduce the loss of life, injuries, property damage, and liability. It also provides instruction on adequate interaction and cooperation with public safety agencies, local government, and other public and private utility services. By focusing on response, recovery, and restoration, the author lays out a system for placing the business or institution back into operation as soon as possible.

Catalog no. K10448, January 2010, 408 pp. ISBN: 978-1-4398-0906-8, $99.95 / £60.99



Building an Effective Information Security Policy Architecture
Sandy Bacik, Consultant, Fuquay Varina, North Carolina, USA

Information security teams are charged with developing and maintaining a set of documents that will protect the assets of an enterprise from constant threats and risks. In order for these safeguards and controls to be effective, they must suit the particular business needs of the enterprise. A guide for security professionals, Building an Effective Information Security Policy Architecture explains how to review, develop, and implement effective security architectures for any enterprise. Through the use of questionnaires and interviews, the book demonstrates how to evaluate an organization’s culture and its ability to meet various security standards and requirements. Because the effectiveness of a policy is dependent on cooperation and compliance, the author also provides tips on how to communicate the policy and gain support for it. Suitable for any level of technical aptitude, this book is a valuable guide for evaluating the business needs and risks of an enterprise and incorporating this information into an effective security policy architecture.

Contents: Determining the Organization. What is a Policy Architecture? Getting Ready to Start. Communication Skills within the Organization. What Goes into the Architecture. Putting it Together. Crafting Communication for Maximum Effectiveness. Continuing to Mold your Style through Experience.

Catalog no. AU5905, 2008, 368 pp. ISBN: 978-1-4200-5905-2, $83.95 / £52.99

How to Develop and Implement a Security Master Plan
Timothy D. Giles, Newnan, Georgia, USA

“This practical guide details how to construct a customized, comprehensive, five-year corporate security plan that synchronizes with the strategies of any business or institution.” – In ASIS Dynamics, May/June 2009

This book explains how to develop a plan and implementation strategy that aligns with an organization’s particular philosophies, strategies, goals, programs, and processes. Readers learn how to outline risks and then formulate appropriate mitigation strategies. This guide provides tested, real-world solutions on how to:
• Conduct an effective, efficient assessment of the site and security personnel, meticulously addressing the particular needs of many different environments
• Make decisions about security philosophies, strategies, contract relationships, technology, and equipment replacement
• Interview executive and security management to determine their concerns, educate them, and ensure that they buy in to your plan
• Use all gathered data to construct and finalize the Security Master Plan and then implement it into the management of the business

Author Tim Giles worked at IBM for 31 years serving as Director of Security for the company’s operations in the United States and Canada, as well as Latin America and Asia-Pacific. His immeasurable experience and insight provide readers with an extraordinarily comprehensive understanding that they can use to design and execute a highly effective, tailored security program.

Catalog no. AU6251, 2009, 352 pp. ISBN: 978-1-4200-8625-6, $83.95 / £52.99


The Security Risk Assessment Handbook
A Complete Guide for Performing Security Risk Assessments
Douglas J. Landoll, En Pointe Technologies, Austin, Texas, USA

Complete with charts, checklists, examples, and templates to speed up data gathering, analysis, and document development, this complete guide provides detailed insight into precisely how to conduct an information security risk assessment. Designed for security professionals and their customers who want a more in-depth understanding of the risk assessment process, this volume contains real-world advice that promotes professional development. It also enables security consumers to better negotiate the scope and rigor of a security assessment, effectively interface with a security assessment team, deliver insightful comments on a draft report, and have a greater understanding of final report recommendations. This book will help you save time and money by eliminating guesswork as to what assessment steps to perform, and how to perform them. By improving the efficiency of the assessment process, security consultants will be able to deliver a higher-quality service with a larger profit margin. The text will also allow consumers to intelligently solicit and review proposals, positioning them to request affordable security risk assessments from quality vendors that meet the needs of their organizations.

Contents: Information Security Risk Assessment Basics. Project Definition. Security Risk Assessment Preparation. Data Gathering. Administrative Data Gathering. Technical Data Gathering. Physical Data Gathering. Security Risk Analysis. Security Risk Mitigation. Security Risk Assessment Reporting. Security Risk Assessment Project Management. Security Risk Assessment Approaches.

Catalog no. AU2998, 2006, 504 pp. ISBN: 978-0-8493-2998-2, $87.95 / £56.69

How to Complete a Risk Assessment in 5 Days or Less
Thomas R. Peltier, Thomas R. Peltier Associates, LLC, Wyandotte, Michigan, USA

Presents Case Studies and Examples of All Risk Management Components

Based on the seminars of Tom Peltier, this volume presents the various processes that an organization can employ in assessing risk, fully detailing the strengths and weaknesses of each. This information will allow managers to determine what processes best fit the needs of a given situation to mitigate risk levels. Always conscious of the bottom line, the author discusses the cost-benefit analysis of risk mitigation and looks at specific ways to manage costs. The conclusions presented are supported by numerous case studies and explained through diagrams that show how to apply risk management skills in an organization with regard to any business endeavor.

Features:
• Presents and explains the key components of risk management
• Demonstrates how the components of risk management work in any organization and business situation
• Explains how to draw up an action plan to protect the assets of the organization when the risk assessment process concludes
• Examines the difference between a Gap Analysis and a Security or Controls Assessment

Selected Contents: The Facilitated Risk Analysis and Assessment Process (FRAAP). Risk Analysis (Project Impact Analysis). Pre-Screening. Business Impact Analysis. Gap Analysis. Appendix A: Facilitator Skills. Appendix B: FRAAP Team Members. Appendix C: Project Scope Statement.

Catalog no. AU6275, 2009, 444 pp. ISBN: 978-1-4200-6275-5, $84.95 / £52.99


Mechanics of User Identification and Authentication
Fundamentals of Identity Management
Dobromir Todorov, Consultant, Buckinghamshire, UK

“By the authors providing a ‘hacker’ perspective, readers will more fully understand the ramifications of having an insecure computer, server, network, program, database and/or policy. … There are important discussions of the non-technical kind [of insecurity] like policy, which is too often overlooked in many organizations. … What is most impressive about the book is its outlines of specific exploits and attacks with prescribed defenses. … Coupled with good illustrations and detailed explanations, this is a great resource…” —E-Streams, Vol. 7, No. 9

“… a must-have book for those preparing for the CISSP exam and for any information security professional.” —Zentralblatt MATH 1054

Effective and fool-proof user identification and authentication are essential to modern security. Providing a hacker perspective, this text introduces the philosophy behind user authentication and access control and presents key concepts for practical applications. It outlines the process of controlled access to resources through authentication, authorization, and accounting and provides specific information on the user authentication process for both UNIX and Windows. Addressing more advanced applications and services, the author presents common security models such as GSSAPI and discusses authentication architecture. Each method is presented with a specific authentication scenario.

Catalog no. AU5219, 2007, 760 pp. ISBN: 978-1-4200-5219-0, $87.95 / £56.69

Official (ISC)2® Guide to the SSCP® CBK®
Edited by Harold F. Tipton, Diana-Lynn Contesti, Kevin Henry, Douglas Andre, Paul A. Henry, Bonnie A. Goins, and Eric Waxvik

Offers Guidance from World Leaders in IS Implementation

The SSCP® certification is the key to unlocking the upper ranks of security implementation at the world’s most prestigious organizations. If you’re serious about becoming a leading tactician at the front lines, the (ISC)²® Systems Security Certified Practitioner (SSCP) certification is an absolute necessity. Nowhere else are the seven domains of the CBK embodied more adeptly than in the Official (ISC)²® Guide to the SSCP® CBK®. In a milestone effort, five of the world’s leading tacticians in IT security discuss the critical role that policy, procedures, standards, and guidelines play within the overall information security management infrastructure. Through clear descriptions accompanied by numerous tables, bulleted lists, charts, easy-to-follow instructions, sample questions, and an entire chapter of self-assessment questions, this book builds a solid, product-independent understanding of information security fundamentals.

Contents: Access Controls. Security Operations and Administration. Analysis and Monitoring. Risk, Response, and Recovery. Cryptography. Networks and Telecommunications. Malicious Code.

Catalog no. AU2774, 2007, 608 pp. ISBN: 978-0-8493-2774-2, $64.95 / £41.99


Multimedia Content Encryption
Techniques and Applications
Shiguo Lian, France Telecom R&D, Beijing, China

To fully protect multimedia data from piracy or unauthorized use, it must be secured through encryption prior to its transmission or distribution. Multimedia Content Encryption: Techniques and Applications begins with the history of multimedia encryption and then examines general performance requirements of encryption and fundamental encrypting techniques. It discusses common techniques of complete, partial, and compression-combined encryption, as well as the more specialized forms, including perception, scalable, and commutative encryption. Shiguo Lian is the author or co-author of more than fifty peer-reviewed journal and conference articles. In this book, Lian reviews watermarking, joint fingerprint embedding and decryption, typical attacks on multimedia encryption, as well as the principles for designing secure algorithms and various applications. An exploration of open issues, up-and-coming topics, and areas for further research rounds out the coverage. By following the techniques outlined in this book, users will be better able to protect the integrity of their multimedia data and develop greater confidence that their data will not be misappropriated.

Contents: Performance Requirement of Multimedia Content Encryption. Fundamental Techniques. Complete Encryption. Partial Encryption. Compression-Combined Encryption. Perceptual Encryption. Scalable Encryption. Commutative Watermarking and Encryption. Joint Fingerprint Embedding and Decryption. Typical Attacks on Multimedia Encryption. Some Principles for Secure Multimedia Encryption. Multimedia Encryption in Typical Applications. Open Issues.

Catalog no. AU6527, 2009, 224 pp. ISBN: 978-1-4200-6527-5, $104.95 / £66.99

Understanding and Applying Cryptography and Data Security
Adam J. Elbirt, The Charles Stark Draper Laboratory, Cambridge, Massachusetts, USA

Provides the Foundation for Constructing Cryptographic Protocols

Addressing real-world implementation issues, Understanding and Applying Cryptography and Data Security emphasizes cryptographic algorithm and protocol implementation in hardware, software, and embedded systems. The first several chapters present various types of symmetric-key cryptographic algorithms. These chapters examine basic substitution ciphers, cryptanalysis, the Data Encryption Standard (DES), and the Advanced Encryption Standard (AES). Subsequent chapters on public-key cryptographic algorithms cover the underlying mathematics behind the computation of inverses, the use of fast exponentiation techniques, tradeoffs between public- and symmetric-key algorithms, and the minimum key lengths necessary to maintain acceptable levels of security. The final chapters present the components needed for the creation of cryptographic protocols and investigate different security services and their impact on the construction of cryptographic protocols. The author provides readers with C and VHDL frameworks and testing environments on a CD-ROM.

Features:
• Describes cryptography and data security from an implementation point of view, spanning hardware, software, and embedded systems
• Focuses on cryptographic algorithms before dealing with the construction of cryptographic protocols
• Includes many examples, problems, and a CD-ROM with C and VHDL frameworks for implementation of problems

Catalog no. AU6160, 2009, 416 pp. ISBN: 978-1-4200-6160-4, $79.95 / £44.99


New!

Security of Mobile Communications
Noureddine Boudriga, University of the 7th of November at Carthage, Tunisia

The explosive demand for mobile communications is driving the development of wireless technology at an unprecedented pace. Unfortunately, this exceptional growth is also giving rise to a myriad of security issues at all levels. Providing technicians and designers with a comprehensive resource, Security of Mobile Communications brings together the policies, practices, and guidelines needed to identify and address the security issues related to today’s wireless sensor networks, satellite services, mobile e-services, and inter-system roaming and interconnecting systems. It details the major mobile standards for securing mobile communications and examines the architectures able to provide data confidentiality, authentication, integrity, and privacy in various wireless environments. Professor Noureddine Boudriga, an internationally recognized authority, goes beyond analysis, standards, and guidelines to define the roles and responsibilities that network operators, service providers, and even customers need to fulfill to assure our mobile communications are as secure as they are prolific.

Features:
• Provides an up-to-date analysis of the types of attacks and viruses that must be protected against
• Reviews the new mechanisms and standards implemented by GSM, 3G, WLAN, and ad hoc networks
• Details architectures that provide access control, authentication, and authorization
• Explores security features related to IP mobility, mobile payments, multimedia applications, VoIP, and SIM-like cards

Catalog no. AU7941, January 2010, 630 pp. ISBN: 978-0-8493-7941-3, $99.95 / £60.99

Security Software Development
Assessing and Managing Security Risks
Douglas A. Ashbaugh, CISSP, Software Engineering Services, West Des Moines, Iowa, USA

Threats to application security continue to evolve just as quickly as the systems that protect against cyber-threats. In many instances, traditional firewalls and controls no longer get the job done. The latest line of defense is to build security features into software as it is being developed. Drawing on the author’s extensive experience, this book illustrates how to achieve cost-effective software application security by monitoring and regulating risks early on and integrating assessment and management into the development life cycle. It identifies the two primary reasons for inadequate security safeguards, as well as the problems that have plagued software security for more than a decade. Highlighting recent trends, this guide:
• Outlines and compares various techniques for assessing, identifying, and managing security risks and vulnerabilities—detailing how to execute each approach
• Explains the fundamental terms and concepts related to the security process
• Explains the pros and cons of each method, phase by phase—helping you select the one that best suits your needs
• Clearly illustrates how to analyze relevant threats to your applications and then implement time- and money-saving techniques to safeguard against those threats

Selected Contents: Current Trends in Application Security. Risk Assessment Methodologies. Identifying Threats. Identification of Vulnerabilities. Identification of Assets. Analyzing Risks. Managing Risks. Looking at Risk Assessment and Risk Management within the Phases of the Software Development Life Cycle.

Catalog no. AU6380, 2009, 321 pp. ISBN: 978-1-4200-6380-6, $83.95 / £52.99


New!

Building an Enterprise-Wide Business Continuity Program
Kelley Okolita, MBCP (Master Business Continuity Planner)

Provides Access to Online Resources

If you had to evacuate your building right now and couldn’t get back in for two weeks … would you know what to do to ensure your business continues to operate? Would your staff? Increasing threats to business make it essential for corporations and institutions to develop plans to ensure the preservation of business operations—and the technology that supports them—should risks become reality. Building an Enterprise-Wide Business Continuity Program goes beyond theory to provide planners with actual tools needed to build a continuity program in any enterprise. Drawing on over two decades of experience creating continuity plans and exercising them in actual recoveries, including 9/11 and Hurricane Katrina, Kelley Okolita, MBCP, provides authoritative guidance on each step of the process. Complete with a sample plan and helpful tips for getting started, the text explains how to:
• Validate your plan
• Keep it action-ready over the course of time
• Sell the continuity program to senior leadership

Disasters can happen anywhere, anytime, and for any number of reasons. By proactively planning for such events, smart leaders can prepare their organizations to minimize tragic consequences and restore order quickly.

Catalog no. AU8645, January 2010, 344 pp. ISBN: 978-1-4200-8864-9, $79.95 / £49.99

Second Edition of a Bestseller!

Business Resumption Planning, Second Edition
Edited by Leo A. Wrobel, TelLAWCom Labs, Inc., Ovilla, Texas, USA

Offering hundreds of tips, templates, checklists, and pointers to additional information, the second edition of this bestselling resource will help you create effective recovery plans for your organization. It provides the information needed to coordinate first responders to meet any disaster scenario head on. New to the Second Edition:
• The latest techniques for conducting an efficient Business Impact Analysis and an accurate Failure Mode Effects Analysis
• Advice on how to successfully recover from Ground Zero events, such as Oklahoma City, the World Trade Center, and Hurricane Katrina
• Tips on how to maintain command, control, communications, computers, and intelligence during a disaster
• An explanation of how the recently enacted Sarbanes-Oxley Act of 2002 impacts planning efforts
• Plans and templates for assessing vulnerability in WANs, Open Networks, physical facilities, environmentals, and enhanced services
• An examination of legal ramifications resulting from a failure to plan—including new liability issues

The book presents case studies and examples that illustrate the vulnerabilities of today’s mission critical systems. It details the steps you should take to assess your exposure and then explains how to reduce that exposure. It also includes a CD-ROM that contains time-saving worksheets, checklists, audit forms, work breakdown structures, and reports.

Catalog no. AU1459, 2009, 512 pp. ISBN: 978-0-8493-1459-9, $94.95 / £60.99


Critical Infrastructure
Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies
Tyson Macaulay, CISSP, CISA, ISSPCS, Ottawa, Ontario, Canada

Critical Infrastructure (CI) is fundamental to the functioning of a modern economy, and consequently, maintaining CI security is paramount. However, despite all the security technology available for threats and risks to CI, this crucial area often generates more fear than rational discussion. Apprehension unfortunately prompts many involved in CI policy to default to old-fashioned intuition rather than depend on modern concrete risk assessment as the basis for vital security decisions. Going beyond definitions, this book looks at the iron triangle within CI: power, telecom, and finance. It introduces the concept of CI as an industrial and enterprise risk conductor, highlighting the reality that a CI failure can propagate a crisis with far-reaching repercussions.

Focuses on Canada and the US Equally for a Useful Cross-Border Security Analysis

With $2.5 trillion at stake in United States’ CI alone, supreme standards and metrics are mandatory for solid protection of such a sophisticated and complex area. This powerful volume is dedicated to moving CI security into the 21st century, illustrating the danger in basing critical CI policy decisions on the existing legacy frames of reference. It represents one of the first complete departures from policy, planning, and response strategies based on intuition and anecdotal evidence.

Catalog no. AU6835, 2009, 344 pp. ISBN: 978-1-4200-6835-1, $83.95 / £52.99

Enterprise Systems Backup and Recovery
A Corporate Insurance Policy
Preston de Guise, IDATA Pty Ltd., Sydney, Australia

A well-designed backup system comes about only when several key factors coalesce—business involvement, IT acceptance, best practice designs, enterprise software, and reliable hardware. This book provides organizations with a comprehensive understanding of the principles and features involved in effective enterprise backups. The text recommends corporate procedures and policies that need to be established for comprehensive data protection. It provides information relevant to any organization, regardless of the operating system deployed, what backup system is in place, or what planning has been done for business continuity. It explains how to include backup into every phase of system planning, development, operation, and maintenance. It also provides proven techniques for improving current backup system performance. After reviewing the concepts in this book, organizations will be able to answer these questions:
• What features and functionality should be expected in a backup environment?
• What terminology and concepts are unique to backup software, and what can be related to other areas?
• How can a backup system be monitored successfully?
• How can the performance of a backup system be improved?

By utilizing the information in this book, organizations can take a big step toward improving the security of their data and preventing the devastating loss of data and business revenue that can occur with poorly constructed or inefficient systems.

Catalog no. AU6396, 2009, 308 pp., Soft Cover. ISBN: 978-1-4200-7639-4, $73.95 / £46.99


Digital Privacy
Theory, Technologies, and Practices
Edited by Alessandro Acquisti, Stefanos Gritzalis, Costos Lambrinoudakis, and Sabrina De Vimercati

According to recent surveys, privacy and anonymity are the fundamental issues of concern for most Internet users, ranked higher than ease-of-use, spam, cost, and even security. Digital Privacy: Theory, Techniques, and Practices covers recent technologies, best practices, and research results, as well as legal, regulatory, and ethical issues. Established researchers whose work enjoys worldwide recognition draw on contributions from experts in academia, industry, and government to delineate theoretical, technical, and practical aspects of digital privacy. They provide an up-to-date, integrated approach to privacy issues that spells out what digital privacy is and covers the threats, rights, and provisions of the legal framework in terms of technical countermeasures for the protection of an individual’s privacy. The work includes coverage of protocols, mechanisms, applications, architectures, systems, and experimental studies. Even though the utilization of personal information can improve customer services, increase revenues, and lower business costs, it can be easily misused and lead to violations of privacy. Currently there is no book available that combines such a wide range of privacy topics with such a stellar cast of contributors. Filling that void, Digital Privacy: Theory, Techniques, and Practices gives you the foundation for building effective and legal privacy protocols into your business processes.

Catalog no. AU5217, 2008, 496 pp. ISBN: 978-1-4200-5217-6, $77.95 / £49.99

Malicious Bots
An Inside Look into the Cyber-Criminal Underground of the Internet
Ken Dunham and Jim Melnick, iSIGHT Partners, Inc., Dallas, Texas, USA

“If you like to read about real life cases from the dark zone, the book will appeal to you . . .” – Berislav Kucan, Net Security, May 14, 2009

Originally designed as neutral entities, computerized bots are increasingly being used maliciously by online criminals in mass spamming events, fraud, extortion, identity theft, and software theft. This book explores the rise of dangerous bots and exposes the nefarious methods of “botmasters”. With sufficient technical detail to empower IT professionals, this volume provides in-depth coverage of the top bot attacks against financial and government networks over the last several years. The book presents exclusive details of the operation of the notorious Thr34t Krew, one of the most malicious bot herder groups in recent history. Largely unidentified by anti-virus companies, their bots spread globally for months, launching massive distributed denial of service (DDoS) attacks and warez (stolen software distributions). For the first time, this story is publicly revealed, showing how the botherders got arrested, along with details on other bots in the world today. The text also provides unique descriptions of the criminal marketplace—how criminals make money off of your computer. With unprecedented detail, the book goes on to explain step-by-step how a hacker launches a botnet attack, providing specifics that only those entrenched in the cyber-crime investigation world could possibly offer.

Catalog no. AU6903, 2009, 168 pp. ISBN: 978-1-4200-6903-7, $59.95 / £40.99


Intelligent Network Video
Understanding Modern Video Surveillance Systems
Fredrik Nilsson and Axis Communications Inc., Chelmsford, Massachusetts, USA

“… provides the first complete reference for developing, implementing, and maintaining the latest surveillance systems . . . guides readers through a well-organized tour of the building blocks of modern video surveillance systems, including network cameras, video encoders, storage, servers, sensors, and video management.” – ASIS Dynamics, May/June 2009

This resource provides detailed coverage of advanced digital networking and intelligent video capabilities and optimization. It addresses general concepts, explains why IP-based systems provide better image quality and more scalable and flexible systems at a lower cost, and provides current information on cameras and DVRs. It also discusses frame rate control, indoor/outdoor installations, and specifications on MPEG-4 and other digital video formats. The book is accompanied by a CD containing tools for deploying and optimizing an installation. It is an essential resource for security system designers, consultants, and installers, as well as business and security managers.

Contents: Introduction to Network Video. The Evolution of Video Surveillance Systems. Image Generation. Camera Considerations. IP Network Technologies. System Considerations. Video Management. Intelligent Video System. Quick Start: Checklist when Designing a Network Video System.

Catalog no. AU6156, 2009, 416 pp. ISBN: 978-1-4200-6156-7, $83.95 / £52.99

New!

Intelligent Video Surveillance
Systems and Technology
Edited by Yunqian Ma, Honeywell International, Inc., Minnesota, USA, and Gang Qian, Arizona State University, Tempe, USA

From the streets of London to subway stations in New York City, surveillance cameras ubiquitously collect hundreds of thousands of videos, often running 24/7. How can such vast volumes of video data be stored, analyzed, indexed, and searched? How can advanced video analysis and systems autonomously recognize people and detect targeted activities in real time? Collating and presenting the latest information, Intelligent Video Surveillance: Systems and Technology explores these issues, from fundamental principles to algorithmic design and system implementation. Written and edited by a collection of industry experts, the book presents state-of-the-art technologies and systems in intelligent video surveillance. The book integrates key research, design, and implementation themes of intelligent video surveillance systems and technology into one comprehensive reference. The chapters cover the computational principles behind the technologies and systems and include system implementation issues as well as examples of successful applications of these technologies. Fully illustrated with line art, tables, and photographs demonstrating the collected video and results obtained using the related algorithms, including a color plate section, the book provides a high-level blueprint for advances and insights into future directions of the field.

Catalog no. K10681, January 2010, 590 pp. ISBN: 978-1-4398-1328-7, $119.95 / £72.99


Information Security: Design, Implementation, Measurement, and Compliance
Timothy P. Layton
Grover, Missouri, USA

“I have had the pleasure of working with Tim on several large risk assessment projects and I have tremendous respect for his knowledge and experience as an information security practitioner. … I know you will benefit from Tim’s guidance on how to get the most from your risk assessment efforts. For today’s information security leaders, there is not a topic more important.”

—Gary Geddes, CISSP, Strategic Security Advisor, Microsoft Corporation

Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, systematically covering the 133 controls within the 39 control objectives. Tim Layton’s Information Security is a practical tool to help you understand the ISO/IEC 17799 standard and apply its principles within your organization’s unique context. Catalog no. AU7087, 2007, 264 pp. ISBN: 978-0-8493-7087-8, $98.95 / £62.99

IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement
Dimitris N. Chorafas
Consultant for Major Corporations, France & Switzerland

Written as a contribution to the accounting and auditing professions as well as to IT practitioners, IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement links two key strategies for business improvement: information technology auditing and Sarbanes-Oxley compliance. Both require ethical accounting practices, focused auditing activities, a functioning system of internal control, and a close watch by the board’s audit committee and CEO. Based on more than four decades of experience as a consultant to the boards of major corporations in manufacturing and banking, the author addresses the objectives, practices, and business opportunities expected from auditing information systems. Topics discussed include the concept of internal control, auditing functions, internal and external auditors, and the responsibilities of the board of directors. The book uses several case studies to illustrate and clarify the material. Its chapters analyze the underlying reasons for failures in IT projects and explain how they can be avoided, examine critical technical questions concerning information technology, discuss problems related to system reliability and response time, and explore issues of compliance. The book concludes by presenting readers with a “what if” scenario: if Sarbanes-Oxley legislation had passed the U.S. Congress in the late 1990s or even in 2000, how might this have influenced the financial statements of Enron and WorldCom? Catalog no. AU6170, 2009, 305 pp. ISBN: 978-1-4200-8617-1, $94.95 / £60.99



Our up-to-date, officially sanctioned study guides and resources put you at the top of your field. The breadth and depth of experience of the authors gives insight into the key issues in certification and accreditation, including roles and responsibilities, the Information Security life cycle, and pitfalls to avoid.

