ABSTRACT

Security .......... 51
Kenneth J. Knapp and Thomas E. Marshall

6 Managing Security by the Standards: An Overview and Primer .......... 59
Bonnie A. Goins

7 Information Security for Mergers and Acquisitions .......... 67
Craig A. Schiller

8 Information Security Governance .......... 89
Ralph Spencer Poore

9 Belts and Suspenders: Diversity in Information Technology Security .......... 95
Jeffrey Davis

10 Building Management Commitment through Security Councils, or Security Council Critical Success Factors .......... 105
Todd Fitzgerald

11 Validating Your Business Partners .......... 123
Jeff Misrahi

12 Measuring ROI on Security .......... 133
Carl F. Endorf

13 The Human Side of Information Security .......... 139
Kevin Henry

14 Security Management .......... 155
Ken Buszta

15 It Is All about Control .......... 165
Chris Hare

16 Patch Management 101: It Just Makes Good Sense! .......... 179
Lynda L. McGhie

17 Security Patch Management: The Process .......... 185
Felicia M. Nicastro

18 Configuration Management: Charting the Course for the Organization .......... 201
Mollie E. Krehnke and David C. Krehnke

19 Information Classification: A Corporate Implementation Guide .......... 221
Jim Appleyard

20 Ownership and Custody of Data .......... 233
William Hugh Murray

21 Information Security Risk Assessment .......... 243
Samantha Thomas Cruz

22 Developing and Conducting a Security Test and Evaluation .......... 251
Sean M. Price

23 Enterprise Security Management Program .......... 261
George G. McBride

24 Technology Convergence and Security: A Simplified Risk Management Model .......... 271
Ken M. Shaurette

25 The Role of Information Security in the Enterprise Risk Management Structure .......... 281
Carl B. Jackson and Mark Carey

26 A Matter of Trust .......... 295
Ray Kaplan

27 Trust Governance in a Web Services World .......... 311
Daniel D. Houser

28 Risk Management and Analysis .......... 321
Kevin Henry

29 New Trends in Information Risk Management .......... 331
Brett Regan Young

30 Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security .......... 339
Carol A. Siegel, Ty R. Sagalow, and Paul Serritella

31 Committee of Sponsoring Organizations (COSO) .......... 355
Mignona Cote

32 Toward Enforcing Security Policy: Encouraging Personal Accountability for Corporate Information Security Policy .......... 367
John O. Wylder

33 The Security Policy Life Cycle: Functions and Responsibilities .......... 377
Patrick D. Howard

34 People, Processes, and Technology: A Winning Combination .......... 389
Felicia M. Nicastro

35 Building an Effective Privacy Program .......... 401
Rebecca Herold

36 Establishing an E-Mail Retention Policy: Preventing Potential Legal Nightmares .......... 415
Stephen D. Fried

37 Ten Steps to Effective Web-Based Security Policy Development and Distribution .......... 427
Todd Fitzgerald

38 Roles and Responsibilities of the Information Systems Security Officer .......... 443
Carl Burney

39 Organizing for Success: Some Human Resources Issues in Information Security .......... 451
Jeffrey H. Fenton and James M. Wolfe

40 Information Security Policies from the Ground Up .......... 465
Brian Shorten

41 Policy Development .......... 475
Chris Hare

42 Training Your Employees to Identify Potential Fraud and How to Encourage Them to Come Forward .......... 499
Rebecca Herold

43 Change That Attitude: The ABCs of a Persuasive Security Awareness Program .......... 521
Samuel W. Chun

44 Maintaining Management’s Commitment .......... 531
William Tompkins

45 Making Security Awareness Happen .......... 541
Susan D. Hansche

46 Beyond Information Security Awareness Training: It Is Time To Change the Culture .......... 555
Stan Stahl

47 Overview of an IT Corporate Security Organization .......... 567
Jeff Davis

48 Make Security Part of Your Company’s DNA .......... 579
Ken M. Shaurette

49 Building an Effective and Winning Security Team .......... 591
Lynda L. McGhie

50 When Trust Goes Beyond the Border: Moving Your Development Work Offshore .......... 607
Stephen D. Fried

51 Maintaining Information Security during Downsizing .......... 619
Thomas J. Bray

52 The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products .......... 625
Sanford Sherizen

53 How to Work with a Managed Security Service Provider .......... 631
Laurie Hill McQuillan

54 Considerations for Outsourcing Security .......... 643
Michael J. Corby

55 The Ethical and Legal Concerns of Spyware .......... 659
Janice C. Sipior, Burke T. Ward, and Georgina R. Roselli

56 Ethics and the Internet .......... 673
Micki Krause

57 Computer Ethics .......... 685
Peter S. Tippett