Information Security / Certification
OFFICIAL (ISC)2® GUIDE TO THE ISSMP® CBK®
As the recognized leader in the field of information security education and certification, the (ISC)2® promotes the development of information security professionals around the world. The Certified Information Systems Security Professional-Information Systems Security Management Professional (CISSP-ISSMP®) examination assesses individuals’ understanding of security management practices. Obtaining certification validates your ability to create and implement effective information security management programs that meet the security needs of today’s organizations.
Preparing professionals for certification and job readiness, the Official (ISC)2® Guide to the ISSMP® CBK® supplies a complete overview of the management topics related to information security. It provides for an expanded enterprise model of security and management that delves into project management, risk management, and continuity planning. Facilitating the mastery of the five ISSMP domains required for certification, the book includes authoritative coverage of enterprise security management, enterprise-wide system development, compliance of operations security, business continuity planning, and disaster recovery planning, as well as legal and ethical considerations.
• Presents a complete overview of the managerial elements related to information security
• Examines a larger enterprise model of security and management
• Provides an all-inclusive analysis of the five domains of the CISSP-ISSMP CBK—including sample questions for each domain
Representing over a century of combined experience working at the forefront of information security, the editor and distinguished team of contributors provide unprecedented coverage of the things you need to know to achieve certification. This book will not only help you prepare for the CISSP-ISSMP certification exam, but also provide you with a solid foundation to enhance your career path—whether you’re a seasoned security veteran or just starting out.
The most complete compendium of industry knowledge compiled by the foremost experts in global security. A must-have for those seeking to attain the Information Systems Security Management Professional (ISSMP)® credential.
Edited by Harold F. Tipton, CISSP-ISSAP, ISSMP
AU9443
6000 Broken Sound Parkway, NW, Suite 300, Boca Raton, FL 33487
270 Madison Avenue, New York, NY 10016
2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN, UK
www.crcpress.com
AN AUERBACH BOOK
an informa business
OFFICIAL (ISC)2® GUIDE TO THE ISSMP® CBK®
OTHER BOOKS IN THE (ISC)2® PRESS SERIES
Official (ISC)2® Guide to the ISSMP® CBK®
Harold F. Tipton, Editor
ISBN: 978-1-4200-9443-5
Official (ISC)2® Guide to the SSCP® CBK®, Second Edition
Harold F. Tipton, Editor
ISBN: 978-1-4398-0483-4
Official (ISC)2® Guide to the ISSAP® CBK®
Harold F. Tipton, Editor
ISBN: 978-1-4398-0093-5
Official (ISC)2® Guide to the CISSP® CBK®, Second Edition
Harold F. Tipton, Editor
ISBN: 978-1-4398-0959-3
CISO Leadership: Essential Principles for Success
Todd Fitzgerald and Micki Krause, Editors
ISBN: 978-0-8493-7943-X
Building and Implementing a Security Certification and Accreditation
Program: Official (ISC)2® Guide to the CAP® CBK®
Patrick D. Howard
ISBN: 978-0-8493-2062-3
Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®
Susan Hansche
ISBN: 978-0-8493-2341-X
Edited by
Harold F. Tipton, CISSP-ISSAP, ISSMP
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC
Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4200-9444-2 (Ebook-PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the Auerbach Web site at
http://www.auerbach-publications.com
Contents
Editor ... vii
Contributors ... ix
Foreword ... xi
Introduction ... xiii
1 Enterprise Security Management Practices ... 1
JAMES LITCHKO
2 Enterprise-Wide Systems Development Security ... 73
MAURA VAN DER LINDEN
3 Overseeing Compliance of Security Operations ... 129
KEITH D. WILLETT
4 Understanding Business Continuity Planning (BCP), Disaster Recovery Planning (DRP), and Continuity of Operations Planning (COOP) ... 257
CHERYL HENNELL
5 Law, Investigation, Forensics, and Ethics ... 339
CRAIG STEVEN WRIGHT
Appendix: Answers to Review Questions ... 407
© 2011 by Taylor & Francis Group, LLC
Editor
Hal Tipton, currently an independent consultant, is a past president of the International Information System Security Certification Consortium and was a director of computer security for Rockwell International Corporation for about 15 years. He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994.
Tipton has been a member of the Information Systems Security Association (ISSA) since 1982. He was the president of the Los Angeles chapter in 1984 and the president of the national organization of ISSA (1987–1989). He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000.
Tipton was a member of the National Institute for Standards and Technology (NIST), the Computer and Telecommunications Security Council, and the National Research Council Secure Systems Study Committee (for the National Academy of Sciences). He received his BS in engineering from the U.S. Naval Academy and his MA in personnel administration from George Washington University; he also received his certificate in computer science from the University of California at Irvine. He is a certified information system security professional (CISSP), ISSAP, and ISSMP.
He has published several papers on information security issues for Auerbach Publishers (Handbook of Information Security Management, Data Security Management); Information Security Journal; National Academy of Sciences (Computers at Risk); Data Pro Reports; and Elsevier ISSA Access magazine.
He has been a speaker at all the major information security conferences including the Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security & Audit Users Conference, and Industrial Security Awareness Conference.
He has conducted or participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for International Research. He participated in the Ernst & Young video “Protecting Information Assets.” He is currently the editor of the Handbook of Information Security Management (Auerbach Publications). He chairs the (ISC)2 CBK Committees and the QA Committee. He received the Computer Security Institute’s Lifetime Achievement Award in 1994, the (ISC)2’s Hal Tipton Award in 2001, and the (ISC)2 Founders Award in 2009.
Contributors
James Litchko, CISSP-ISSEP, CAP, MBCI, CMAS, is Senior Security Expert at Litchko & Associates. Mr. Litchko has worked as a security and management expert for over 30 years. He has been an executive with five organizations and supervised and supported the securing of over 200 military, government, and commercial IT systems. Since 2008, he has supported the securing of IT systems at DHS, DOE, VHA, NASA, EPA, USAF, DOJ, and FEMA. Jim created and taught the first graduate IT security course at Johns Hopkins University (JHU) and was a manager at NSA. Jim holds a master’s degree from JHU and has authored five books on security and management topics.
Craig S. Wright, CISSP-ISSAP, ISSMP, is a director with Information Defence in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous postgraduate degrees, including an LLM specializing in international commercial law and e-commerce law and a master’s degree in mathematical statistics from Newcastle, and is working on his fourth IT-focused master’s degree (in system development) at Charles Sturt University, Australia, where he lectures on subjects in digital forensics. He is writing his second doctorate on the quantification of information system risk at CSU.
Cheryl Hennell, EdD, MSc, CISSP, SBCI, has worked in the IT industry for 40 years. Her employment includes systems development for the Ministry of Defence, systems analysis for the Civil Service, European consultancy for a blue-chip organization, and 20 years as a senior university lecturer. She is currently head of IT and information assurance for Openreach, BT. She earned her master’s in information systems design from Kingston University, London, and her doctorate from the University of Southampton, UK, and is a specialist in the Business Continuity Institute, UK. She is also an ambassador for Childnet.
Cheryl was the course director for the first digital forensics degree in the UK, which she created and delivered for the University of Portsmouth. She has been an invited speaker at international conferences in Europe, the Middle East, and Africa.