Information Security

This is a complete, cover-to-cover revision of the most authoritative volume available on information security (the first edition of which was titled "Network Security: The Complete Reference"), and covers all of the most important tools and practices that concern any information security practitioner today, including the very latest information available on security standards and regulations. "Information Security: The Complete Reference, Second Edition" guides security practitioners through how to plan, implement, and maintain a secure data environment, protect confidential information, and ensure corporate networks are in compliance with the latest regulations. The book covers essential standards, such as ISO 27001, CoBIT, and SAS 70. Important legal regulations (and their context and relevance), such as Sarbanes-Oxley (SOX), SB 1386, SB 1841, FFIEC, Gramm-Leach-Bliley (GLB), and HIPAA are highlighted throughout where their relevance intersects with topics--enhancing this edition's value and practicality.

This authoritative volume includes contributions from 30+ technical experts and leaders in the security industry. New chapters have been added on VoIP security, controlling application behavior, and operational security. The chapters covering system security, planning and response, and standards compliance have been extensively revised.

The 35 chapters are divided into six parts. Part 1 covers the elements of network security foundations including policies, organization, and defense models. Part II covers access control, including security management, operational security, and data security. Part III gets into key network security aspects, including firewalls, virtual private networks, wireless security, VoIP security, and more. Part IV explains system security, focusing on security models, UNIX, Linux, and Windows Security. Part V covers application security, including J2EE, Windows .NET, database security, writing secure software, and more. Part VI explains planning and response, including disaster recovery, attacks and countermeasures, incident response, as well as legal, regulatory, and standards compliance.

The first edition of this book was titled "Network Security: The Complete Reference."

"Information Security: The Complete Reference, Second Edition" Now presents essential security standards and regulation information paired with related topics throughout the book, greatly enhancing ease-of-use and the ability to readily apply business recommendations Teaches end-to-end IT security concepts and techniques, complete with methodology, analysis, case examples, tips, and all the technical supporting details needed to suit an IT audience's requirements Spans from a beginner to advanced practitioner level Includes detailed updates on how to assure business compliance with IT standards and regulations, including ISO 27001, CoBIT, SAS 70, and SOX Offers completely updated coverage of Linux/UNIX, wireless, secure Windows, VPN, software development, and physical premises Contains comprehensive information on how to design an effective security defense model, develop and deploy computer, personnel, and physical security policies, design and manage authentication and authorization methods, and much more

Mark Rhodes-Ousley, CISSP, CISM, MCSE, has specialized in information security for nearly 20 years. He advised, designed, and installed security technologies and policies for dozens of companies beginning with California's first Internet firewall installation in Santa Clara County. Rhodes-Ousley's rich experience includes security management for companies such as SunPower, Merrill Lynch, National City Bank, Robert Half International, PG&E, Clorox, The Gap, Sun Microsystems, Hitachi Data Systems, and Aspect Communications. Mark was a co-author of the first edition of this book, titled Network Security The Complete Reference.

Part 1: Network Security Foundations
1 Overview
2 Risk Analysis and Defense Models
3 Security Policies
4 Security Organization

Part 2: Access Control
5 Security Management
6 Physical Security
7 Operational Security
8 Authentication and Authorization Controls
9 Data Security

Part 3: Network Security
10 Network Design Considerations
11 Network Device Security
12 Firewalls
13 Virtual Private Networks
14 Wireless Network Security
15 Intrusion Detection Systems
16 Integrity and Availability
17 Network Role-Based Security
18 Voice-Over-IP (VOIP) Security

Part 4: System Security
19 Operating System Security Models
20 Unix Security
21 Linux Security
22 Windows Security

Part 5: Application Security
23 Principles of Application Security
24 Controlling Application Behavior
25 Writing Secure Software
26 J2EE Security
27 Windows .NET Security
28 Database Security

Part 6: Planning and Response
29 Disaster Recovery and Business Continuity
30 Attacks and Countermeasures
31 Incident Response and Forensic Analysis
32 Legal, Regulatory, and Standards Compliance