Document: Information Security Management Handbook - Pdf 90


Information Security
Management Handbook
Sixth Edition
VOLUME 2
CRC_AU6708_FM.indd i 1/29/2008 5:33:20 PM
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 Fax: 1-800-374-3401
E-mail:
802.1X Port-Based Authentication
Edwin Lyle Brown
ISBN: 1-4200-4464-8
Audit and Trace Log Management:
Consolidation and Analysis
Phillip Q. Maier
ISBN: 0-8493-2725-3
The CISO Handbook: A Practical Guide to
Securing Your Company
Michael Gentile, Ron Collette and Tom August
ISBN: 0-8493-7943-1
CISO Leadership: Essential Principles for Success
Todd Fitzgerald and Micki Krause
ISBN: 0-8493-1952-8
Complete Guide to CISM Certification
Thomas R. Peltier and Justin Peltier
ISBN: 0-8493-5356-4

Information Security: Design, Implementation,
Measurement, and Compliance
Timothy P. Layton
ISBN: 0-8493-7087-6
Information Security Architecture: An Integrated
Approach to Security in the Organization,
Second Edition
Jan Killmeyer
ISBN: 0-8493-1549-2
Information Security Cost Management
Ioana V. Bazavan and Ian Lim
ISBN: 0-8493-9275-6
Information Security Fundamentals
Thomas R. Peltier, Justin Peltier and John A. Blackley
ISBN: 0-8493-1957-9
Information Security Management Handbook,
Sixth Edition
Harold F. Tipton and Micki Krause
ISBN: 0-8493-7495-2
Information Security Risk Analysis,
Second Edition
Thomas R. Peltier
ISBN: 0-8493-3346-6
Insider Computer Fraud: An In-Depth Framework
for Detecting and Defending against Insider IT
Attacks
Kenneth Brancik
ISBN: 1-4200-4659-4
Investigations in the Workplace
Eugene F. Ferraro
ISBN: 0-8493-1648-0
Managing an Information Security and Privacy
Awareness and Training Program
Rebecca Herold

Taylor & Francis Group, an informa business
VOLUME 2
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2008 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4200-6708-8 (Hardcover)
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted
with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to
publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of
all materials or for the consequences of their use.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Tipton, Harold F.
Information security management handbook / Harold F. Tipton, Micki Krause. -- 6th ed.

Risk Management
4 Using Quasi-Intelligence Resources to Protect the Enterprise ... 47
CRAIG A. SCHILLER
5 Information Risk Management: A Process Approach to Risk Diagnosis and Treatment ... 71
NICK HALVORSON
6 Department-Level Transformation ... 83
R. SCOTT McCOY
7 Setting Priorities in Your Security Program ... 93
DEREK SCHATZ
8 Why and How Assessment of Organization Culture Shapes Security Strategies ... 109
DON SARACCO
9 A Look Ahead ... 135
SAMANTHA THOMAS
vi Ⅲ Contents
DOMAIN 2: ACCESS CONTROL
Access Control Techniques
10 Authentication Tokens ... 145
PAUL A. HENRY
11 Authentication and the Role of Tokens ... 153

19 ISO Standards Draft Content ... 245
SCOTT ERKONEN
20 Security Frameworks ... 253
ROBERT M. SLADE
DOMAIN 6: TELECOMMUNICATIONS AND NETWORK SECURITY
Communications and Network Security
21 Facsimile Security ... 273
BEN ROTHKE
Internet, Intranet, and Extranet Security
22 Network Content Filtering and Leak Prevention ... 289
GEORGE J. JAHCHAN
Network Attacks and Countermeasures
23 The Ocean Is Full of Phish ... 295
TODD FITZGERALD
DOMAIN 7: APPLICATION SECURITY
Application Issues
24 Neural Networks and Information Assurance Uses ... 307
SEAN M. PRICE
25 Information Technology Infrastructure Library and Security Management Overview ... 333
DAVID McPHEE

Information security is an interesting, many times frustrating discipline to institutionalize. The commonly accepted triad—people, process, technology—trips easily off the tongue. However, breaking down the threesome into its subcomponents gives one pause. Information security truly is a complex composite of many fields of study, including sociology, psychology, anthropology, virology, criminology, cryptology, etiology, and technology.
Thus, we give tribute here to those who willingly choose to slay the dragons, oftentimes finding themselves tilting at windmills instead.
Further, and importantly, we want to give tribute to, and underscore the contributions of, our authors.
We can only speculate on what compels an individual to take keyboard in hand in an effort to share information and experiences that will benefit others. And yet, year after year, we have a select community of practitioners and professionals who give their all for the good of the industry.
This volume of the handbook is no exception. The topics featured encompass a broad spectrum of areas, ranging from the fundamentals of access control, malicious software, and network security to more esoteric, but equally important, organizational culture and governance framework discussions. All of the chapters share a common property—they contain gems of information that afford the readers a leg up in their individual efforts to instill adequate and appropriate levels of security within their organizations.
To our readers, Don Quixotes that you are, we wish you good luck and good reading.
And to our authors, we sincerely thank you for your valuable and valued contributions.
Hal Tipton
Micki Krause
Editors
Harold F. Tipton, currently an independent consultant and past president of the (ISC)², was director of computer security for Rockwell International Corporation for about 15 years. He initi-

pated in the Ernst & Young video “Protecting Information Assets.” He is currently serving as editor of the Auerbach Handbook of Information Security publications. He received the Computer Security Institute Lifetime Achievement Award in 1994 and the (ISC)² Hal Tipton Award in 2001.
Micki Krause, M.B.A., CISSP, has held positions in the information security profession for the past 20 years. She is currently the chief information security officer at Pacific Life Insurance Company in Newport Beach, California, where she is accountable for directing the information protection and security program for the enterprise. Pacific Life is the 15th largest life insurance company in the nation and provides life and health insurance products, individual annuities, mutual funds, group employee benefits, and a variety of investment products and services.
Krause was named one of the 25 most influential women in the field of information security by industry peers and Information Security magazine as part of their recognition of Women of Vision in the information technology (IT) security field and received the Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to the profession.
Micki has held several leadership roles in industry-influential groups including the Information Systems Security Association (ISSA) and the International Information Systems Security Certification Consortium (ISC)²® and is a passionate advocate for professional security leadership. She is a renowned speaker, published author, and coeditor of the Information Security Management Handbook series.
Contributors
Dean R. Bushmiller has had fun for the past 20 years learning and teaching everything he can
in technology and security. His consulting experience in accounting systems, inventory control,

one of the first ISO 27001 certifications in the U.S.
Todd Fitzgerald, CISSP, CISA, CISM, serves as a Medicare systems security officer for National Government Services, LLC (NGS), Milwaukee, Wisconsin, which is the nation’s largest processor of Medicare claims and a subsidiary of WellPoint, Inc., the nation’s largest health insurer.
Todd was named as a finalist for the 2005 Midwest Information Security Executive (ISE) of the Year Award, nominee for the national award, and judge for the 2006 central region awards and has moderated several ISE Executive Roundtables in 2006. Todd is the co-author of CISO Leadership: Essential Principles for Success, and has authored articles on information security for The 2007 Official (ISC)² Guide to the CISSP Exam, Information Security Magazine, The Information Security Handbook, The HIPAA Program Reference Book, Managing an Information Security and Privacy Awareness and Training Program, and several other security-related publications. Todd is also a member of the editorial board for (ISC)² Journal, Information Systems Security Magazine, and the Darkreading.com security publication and is frequently called upon to present at international, national, and local conferences. Todd serves on the board of directors for the Health Insurance Portability and Accountability Act (HIPAA) Collaborative of Wisconsin and is an active leader, participant, and presenter in multiple industry associations such as ISSA, Blue Cross Blue Shield Information Security Advisory Group, CMS/Gartner Security Best Practices Group, Workgroup for Electronic Data Interchange, ISACA, Executive Alliance Information Security Executive Roundtables, and others.
Todd has 28 years of IT experience, including 20 years of management. Prior to joining NGS, Todd held various broad-based senior IT management positions for Fortune 500 organizations such as American Airlines, IMS Health, Zeneca (subsidiary of AstraZeneca Pharmaceuticals), and Syngenta as well as prior positions with Blue Cross Blue Shield of Wisconsin.
Todd holds a BS in business administration from the University of Wisconsin at LaCrosse and an MBA with highest honors from Oklahoma State University.

At Secure Computing®, Henry plays a key strategic role in launching new products and retooling existing product lines. In his role as vice president of technology evangelism, Henry also advises and consults on some of the world’s most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia; the U.S. Department of Defense’s Satellite Data Project; and both government and telecommunications projects throughout Japan.
Henry is frequently cited by major and trade print publications as an expert on both technical security topics and general security trends and serves as an expert commentator for network broadcast outlets such as NBC and CNBC. In addition, Henry regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications such as the Information Security Management Handbook, for which he is a regular contributor.
Paul serves as a featured and keynote speaker at network security seminars and conferences worldwide, delivering presentations on diverse topics including network access control, cybercrime, distributed denial-of-service attack risk mitigation, firewall architectures, computer and network forensics, enterprise security architectures, and managed security services.
Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI, is an information privacy, security and compliance consultant, author, and instructor with her own company since mid-2004, Rebecca Herold, LLC. She has over 16 years of privacy and information security experience, and assists organizations in various industries throughout the world with all aspects of their information privacy, security, and regulatory compliance programs. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was recognized as the 1998 CSI Information Security Program of the Year. In October 2007, Rebecca was named one of the “Best Privacy Advisers” in two of the three categories by Computerworld magazine. Rebecca was also named one of the “Top 59 Influencers in IT Security” for 2007 by IT Security magazine. Rebecca is an adjunct professor for the Norwich University master of science in information assurance program.
Rebecca has authored or coauthored many books and is currently authoring her eleventh.

As EMEA senior technical director at CipherOptics, Inc., he is responsible for driving to market the latest generation of data-protection solutions. Previously, as technical director at Fortinet, Inc., he was responsible for security products and solutions based on the modern perimeter security architecture, whereas at Cisco Systems, Inc., he was recognized as a trusted advisor throughout EMEA for the leading security projects. He achieved a CCIE certification from Cisco Systems, Inc., in 1995 and CISSP certification from (ISC)² in 2000. Franjo is also an external CISSP instructor at the (ISC)² international vendor-neutral nonprofit organization for certification of information security professionals and is a mentor and recognized lecturer of an ICT Audit and Security postgraduate study joint program between ULB, UCL, and Solvay Business School in Brussels, Belgium.
As a recognized security professional, Franjo is also a frequent speaker at worldwide conferences on network security topics. Most relevant so far were NetSec (New Orleans, 2001), IPSec Summit and IPv6 Global Summit (Paris, 2002), ISSE (Vienna, 2003), IEEE (Bonn, 2003), RSA Security (Paris, 2002; Amsterdam, 2003; Barcelona, 2004; San Francisco, 2005; San Jose, 2006; Nice, 2006), and IDC (London, 2004; Prague, 2005). For the RSA Security 2005 conference, he was invited as an independent judge for the Perimeter Defense Track paper selections.
George G. McBride, CISSP, CISM, is a senior manager in the Enterprise Risk Services group at Deloitte & Touche, LLP, in New York City and has worked in the network security industry for more than 14 years. Before joining Deloitte, George was with Aon Consulting, Lucent Technologies, and Global Integrity. George has focused on the financial and telecommunications industry and has supported risk management, secure network architecture development, technology risk assessments, and more. He has spoken at MIS, RSA, (ISC)², and other conferences worldwide on a wide variety of topics such as penetration testing, risk assessments, Voice-over-IP and telephony security, and mobile data security. He has contributed to The Black Book on Corporate Security and

Poore is an inventor, author, and frequent speaker on topics ranging from privacy in electronic commerce to transnational border data flows. Poore worked closely with the GLBA, HIPAA, and Sarbanes–Oxley rollouts for a Fortune 400 company.
Poore is a Certified Fraud Examiner, Certified Information Systems Auditor, CISSP, Qualified Security Assessor, and is certified in Homeland Security-Level III.
Sean M. Price, CISA, CISSP, is an independent information security consultant residing in Northern Virginia. He provides security consulting and architecture services to commercial and government entities. Price has more than 12 years of information security experience, which consists of system security administration, user information assurance training, policy and procedure development, security plan development, security testing and evaluation, and security architecture activities. His academic background includes a bachelor’s degree in accounting and business and a master’s degree in information systems; he is currently pursuing doctoral studies in computer information systems. He has previously contributed to the Information Security Management Handbook, the Official (ISC)² Guide to the CISSP CBK, and the IEEE Computer magazine. His areas of interest in security research include access control, information flow, insider threat, and machine learning.
Edward Ray is president of NetSec Design & Consulting, Inc., which specializes in computer, data, and network security and secure network design. Specific areas of expertise include implementation of defense-in-depth layered security solutions utilizing Cisco, Juniper, Tipping Point, Windows, UNIX, Linux, Free/OpenBSD, Novell, and Mac-based hardware and software; PKI/Kerberos/LDAP implementation on Windows 2003/XP/Linux; intrusion detection and analysis; wired and wireless penetration testing and vulnerability analysis; HIPAA security and privacy rule implementation; and wired and wireless PC & network security design (802.11 a/b/g/i). Ray has an MS in electrical engineering from the University of California at Los Angeles (1997) and a BS in electrical engineering from Rutgers University (1990) and holds the CISSP, GCIA, GCIH, and MCSE professional certifications.

Ben is also a frequent speaker at industry conferences such as the Computer Security Institute (CSI), RSA, MISTI, NetSec, and ISACA and is a CISSP and Certified Information Security Manager (CISM). He is a member of HTCIA, ISSA, ISACA, ASIS, CSI, and InfraGard.
Don Saracco, Ed.D., joined MLC & Associates, Inc., in 1997 with over 25 years’ experience in human resource and organizational development in manufacturing, health care, and government organizations as a manager and consultant. His background includes the design and delivery of corporate education and training as well as executive coaching, facilitation of organizational change, and process improvement. In addition, he has served as an adjunct faculty member for a state university and a private business school.
Don served for several years as a faculty member of the Business Recovery Managers Symposium presented by the MIS Institute. His speaking credits include Business Continuity Planning and Y2K Preparedness workshops for the International Quality & Productivity Center in Atlanta, Georgia; Orlando, Florida; and Las Vegas, Nevada; and the 4th International Conference on Corporate Earthquake Programs in Shizuoka, Japan, as well as the annual Contingency Planning and Management Magazine Conference and Exposition. In addition, Don has presented papers at national and international conferences sponsored by the International Society for Performance Improvement, the Association for Quality and Participation, RIMS, and Continuity Insights. He has also worked as an adjunct faculty member in graduate business programs at two accredited universities.
Derek Schatz, CISSP, is currently the lead security architect for network systems at Boeing Commercial Airplanes. He has been in information security for over 10 years in both enterprise and consulting roles, including a stint in the Big 5. He has spoken at a number of conferences in addition to teaching information security. He holds a bachelor’s degree in economics from the University of California at Irvine.
Craig A. Schiller, CISSP-ISSMP, ISSAP, serves as chief information security officer of Portland State University and as the president of Hawkeye Security Training, LLC. He has worked in the computer industry for the past 27 years. For 17 of those years, he worked as an information security professional.

tatives on various security-related issues and has served as an expert witness in legal cases.
Robert M. Slade is an information security and management consultant from North Vancouver, British Columbia, Canada.
His initial research into computer viral programs developed into the writing and reviewing of security books and eventually into conducting review seminars for CISSP candidates. He also promotes the Community Security Education project, attempting to promote security awareness for the general public as a means of reducing overall information security threats.
Samantha Thomas is the CSO at a $290-billion financial regulatory organization in the United States. Thomas is a founding board member of the University of California at Davis Network Security Certification Program, and she has developed curricula for universities, institutes, and private industries. She is a regularly requested international keynote speaker and think tank facilitator. Thomas has been a featured speaker in five European Union countries, South Africa, Australia, Mexico, and Papua New Guinea. Her writings, interviews, and quotations are published in international newspapers, magazines, and books. Thomas creates and provides “online safety” programs for K–8 children, parents, and school administrators. She is a U.S. Executive Alliance Information Security Executive of the Year (Western Region) nominee.
Guy Vancollie is the MD EMEA for CipherOptics, a leading provider of data protection solutions. Prior to joining CipherOptics, Guy was the CMO for Ubizen and an evangelist in the emerging space of managed security services. Earlier in his career, he managed both U.S. field marketing and international marketing for RSA Security, was director of EMEA marketing for AltaVista Internet Software, and held several positions with Digital Equipment Corp.
Vancollie has spoken on Internet and security topics at conferences such as IT Asia and CommunicAsia, EEMA, and IMC, as well as Gartner Sector 5, Infosecurity Europe, and the RSA Conference.
Vancollie earned an MS degree in electrical engineering magna cum laude from the State University of Ghent in Belgium, a degree in management from the Vlerick School of Management, and an MBA from the MIT Sloan School.
DOMAIN 1

4 Ⅲ Information Security Management Handbook
solution, this chapter provides you with a solid background to understand thoroughly and leverage this emerging technology in the future.
Integrated, unified, and universal threat management all have much the same implementations and goals; their names are different only because they were chosen by different vendors. For the sake of consistency within this chapter, we will use the phrase “integrated threat management.”
To start, let us examine the definition of ITM and what it brings to the enterprise. First, ITM is focused on threats that may affect an organization. A threat is defined as some entity that may be capable of attacking or affecting the organization’s infrastructure. When used in a quantitative manner, the threat component also includes likelihood and impact considerations. Perhaps it is a malicious payload carried via Hypertext Transfer Protocol or via e-mail, or perhaps it is a “0-day” virus not yet seen by an antivirus software manufacturer. It may be a phishing site and the accompanying e-mails inviting users to visit the site to verify their account information, or it may be a polymorphic worm that continuously morphs its signature so that signature-based firewalls and intrusion detection fail to recognize it as it attacks the next target.
An ITM platform should, by definition, protect an enterprise against all of these threats and provide a single console to monitor and manage those protections. To address these threats, the platform may include the following functions:
An intrusion detection system (IDS) or an intrusion prevention system (IPS)
Antivirus solution
Antispyware solution
Unsolicited commercial e-mail filtering
Content filtering that includes e-mail and instant messenger content management
Uniform resource locator (URL) filtering, which may include serving as a Web cache proxy
Firewalls
Virtual private network (VPN) connectivity
It is important to note that in the absence of a defined standard for ITM, almost any product with an integrated (unified) combination of the functions listed here can be, and likely has been, called an ITM

