Handbook of Information Security Management:Introduction


As predicted in our first edition of the Handbook of Information Security Management, published in 1993, the practice of information security has become much more complicated and the need for qualified information security professionals has become critical. During this time, the International Information Systems Security Certification Consortium (ISC2) has made significant progress in testing and certifying information security practitioners as Certified Information System Security Professionals (CISSPs). Currently, almost 1000 practitioners have achieved certification and several hundred sit for the examination annually.

Preparing for the examination is no trivial task because a thorough understanding of all of the items in the Common Body of Knowledge (CBK) for the field is necessary. The Handbook of Information Security Management has become one of the important references used by candidates during these intense preparation activities.

Certification Support

To make this and future editions of the handbook even more useful, we have mapped the table of contents to correspond to the 10 domains of the certification examination. This structure of the book's table of contents will enable reviewers to locate topics for special study more easily. One or more chapters of the book address specific topics in each domain. Since the scope of the field is so broad, no single volume can include all topics. Therefore, we intend to add about 30% new topics each year to ensure that the latest pertinent information becomes readily available.

Domain 1 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.

Domain 2 addresses communications security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

Domain 3 addresses risk management and business continuity planning. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.

Domain 4 addresses policy, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

Domain 5 addresses computer architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security while system security involves the mechanisms that are used to maintain the security of system programs. PC and LAN security issues, problems, and countermeasures are also in this domain.

Domain 6 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

Domain 7 addresses application program security. Application security involves the controls placed within the application program to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.

Domain 8 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

Domain 9 addresses (computer) operations security. Computer operations security involves the controls over hardware, media, and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.

Domain 10 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

Micki Krause

Hal Tipton

Fall 1997

The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old, and investing in the latest version would help you in your studies and also show your appreciation to Auerbach for letting me use their book on the site.