Security  51
Kenneth J. Knapp and Thomas E. Marshall

6  Managing Security by the Standards: An Overview and Primer  59
Bonnie A. Goins

7  Information Security for Mergers and Acquisitions  67
Craig A. Schiller

8  Information Security Governance  89
Ralph Spencer Poore

9  Belts and Suspenders: Diversity in Information Technology Security  95
Jeffrey Davis

10  Building Management Commitment through Security Councils, or Security Council Critical Success Factors  105
Todd Fitzgerald

11  Validating Your Business Partners  123
Jeff Misrahi

12  Measuring ROI on Security  133
Carl F. Endorf

13  The Human Side of Information Security  139
Kevin Henry

14  Security Management  155
Ken Buszta

15  It Is All about Control  165
Chris Hare

16  Patch Management 101: It Just Makes Good Sense!  179
Lynda L. McGhie

17  Security Patch Management: The Process  185
Felicia M. Nicastro

18  Configuration Management: Charting the Course for the Organization  201
Mollie E. Krehnke and David C. Krehnke

19  Information Classification: A Corporate Implementation Guide  221
Jim Appleyard

20  Ownership and Custody of Data  233
William Hugh Murray

21  Information Security Risk Assessment  243
Samantha Thomas Cruz

22  Developing and Conducting a Security Test and Evaluation  251
Sean M. Price

23  Enterprise Security Management Program  261
George G. McBride

24  Technology Convergence and Security: A Simplified Risk Management Model  271
Ken M. Shaurette

25  The Role of Information Security in the Enterprise Risk Management Structure  281
Carl B. Jackson and Mark Carey

26  A Matter of Trust  295
Ray Kaplan

27  Trust Governance in a Web Services World  311
Daniel D. Houser

28  Risk Management and Analysis  321
Kevin Henry

29  New Trends in Information Risk Management  331
Brett Regan Young

30  Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security  339
Carol A. Siegel, Ty R. Sagalow, and Paul Serritella

31  Committee of Sponsoring Organizations (COSO)  355
Mignona Cote

32  Toward Enforcing Security Policy: Encouraging Personal Accountability for Corporate Information Security Policy  367
John O. Wylder

33  The Security Policy Life Cycle: Functions and Responsibilities  377
Patrick D. Howard

34  People, Processes, and Technology: A Winning Combination  389
Felicia M. Nicastro

35  Building an Effective Privacy Program  401
Rebecca Herold

36  Establishing an E-Mail Retention Policy: Preventing Potential Legal Nightmares  415
Stephen D. Fried

37  Ten Steps to Effective Web-Based Security Policy Development and Distribution  427
Todd Fitzgerald

38  Roles and Responsibilities of the Information Systems Security Officer  443
Carl Burney

39  Organizing for Success: Some Human Resources Issues in Information Security  451
Jeffrey H. Fenton and James M. Wolfe

40  Information Security Policies from the Ground Up  465
Brian Shorten

41  Policy Development  475
Chris Hare

42  Training Your Employees to Identify Potential Fraud and How to Encourage Them to Come Forward  499
Rebecca Herold

43  Change That Attitude: The ABCs of a Persuasive Security Awareness Program  521
Samuel W. Chun

44  Maintaining Management's Commitment  531
William Tompkins

45  Making Security Awareness Happen  541
Susan D. Hansche

46  Beyond Information Security Awareness Training: It Is Time To Change the Culture  555
Stan Stahl

47  Overview of an IT Corporate Security Organization  567
Jeff Davis

48  Make Security Part of Your Company's DNA  579
Ken M. Shaurette

49  Building an Effective and Winning Security Team  591
Lynda L. McGhie

50  When Trust Goes Beyond the Border: Moving Your Development Work Offshore  607
Stephen D. Fried

51  Maintaining Information Security during Downsizing  619
Thomas J. Bray

52  The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products  625
Sanford Sherizen

53  How to Work with a Managed Security Service Provider  631
Laurie Hill McQuillan

54  Considerations for Outsourcing Security  643
Michael J. Corby

55  The Ethical and Legal Concerns of Spyware  659
Janice C. Sipior, Burke T. Ward, and Georgina R. Roselli

56  Ethics and the Internet  673
Micki Krause

57  Computer Ethics  685
Peter S. Tippett