Information Technology / Security & Auditing

Information Security Management Handbook, Sixth Edition, Volume 7
Edited by Richard O’Hanley • James S. Tiller

Updated annually, the Information Security Management Handbook, Sixth Edition, Volume 7 is the most comprehensive and up-to-date reference available on information security and assurance. Bringing together the knowledge, skills, techniques, and tools required of IT security professionals, it facilitates the up-to-date understanding required to stay one step ahead of evolving threats, standards, and regulations.

Reporting on the latest developments in information security and recent changes to the (ISC)2® CISSP® Common Body of Knowledge (CBK®), this volume features 27 new chapters on topics such as BYOD, IT consumerization, smart grids, security, and privacy.

• Covers the fundamental knowledge, skills, techniques, and tools required by IT security professionals
• Updates its bestselling predecessors with new developments in information security and the (ISC)2 CISSP CBK
• Provides valuable insights from leaders in the field on the theory and practice of computer security technology
• Facilitates the comprehensive and up-to-date understanding you need to stay fully informed

The ubiquitous nature of computers and networks will always provide the opportunity and means to do harm. This edition updates its popular predecessors with the information you need to address the vulnerabilities created by recent innovations such as cloud computing, mobile banking, digital wallets, and near-field communications.

This handbook is also available on CD.
Sixth Edition, Volume 7
K16337
ISBN: 978-1-4665-6749-8
© 2010 Taylor & Francis Group, LLC

OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Asset Protection through Security Awareness
Tyler Justin Speed
ISBN 978-1-4398-0982-2

Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks
Mohssen Mohammed and Al-Sakib Khan Pathan
ISBN 978-1-4665-5727-7

The Complete Book of Data Anonymization: From Planning to Implementation
Balaji Raghunathan
ISBN 978-1-4398-7730-2

The Complete Guide to Physical Security
Paul R. Baker and Daniel J. Benny
ISBN 978-1-4200-9963-8

Conflict and Cooperation in Cyberspace: The Challenge to National Security
Panayotis A. Yannakogeorgos and Adam B. Lowther (Editors)
ISBN 978-1-4665-9201-8

Cybersecurity: Public Sector Threats and Responses
Kim J. Andreasson
ISBN 978-1-4398-4663-6

The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules
John J. Trinckes, Jr.
ISBN 978-1-4665-0767-8

Digital Forensics Explained
Greg Gogolin
ISBN 978-1-4398-7495-0

Digital Forensics for Handheld Devices
Eamon P. Doherty
ISBN 978-1-4398-9877-2

Effective Surveillance for Homeland Security: Balancing Technology and Social Issues
Francesco Flammini, Roberto Setola, and Giorgio Franceschetti (Editors)
ISBN 978-1-4398-8324-2

Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval
David R. Matthews
ISBN 978-1-4398-7726-5

Enterprise Architecture and Information Assurance: Developing a Secure Foundation
James A. Scholz
ISBN 978-1-4398-4159-4

Guide to the De-Identification of Personal Health Information
Khaled El Emam
ISBN 978-1-4665-7906-4

Information Security Governance Simplified: From the Boardroom to the Keyboard
Todd Fitzgerald
ISBN 978-1-4398-1163-4

Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0
Barry L. Williams
ISBN 978-1-4665-8058-9

Information Technology Control and Audit, Fourth Edition
Sandra Senft, Frederick Gallegos, and Aleksandra Davis
ISBN 978-1-4398-9320-3

Iris Biometric Model for Secured Network Access
Franjieh El Khoury
ISBN 978-1-4665-0213-0

Managing the Insider Threat: No Dark Corners
Nick Catrantzos
ISBN 978-1-4398-7292-5

Network Attacks and Defenses: A Hands-on Approach
Zouheir Trabelsi, Kadhim Hayawi, Arwa Al Braiki, and Sujith Samuel Mathew
ISBN 978-1-4665-1794-3

Noiseless Steganography: The Key to Covert Communications
Abdelrahman Desoky
ISBN 978-1-4398-4621-6

PRAGMATIC Security Metrics: Applying Metametrics to Information Security
W. Krag Brotby and Gary Hinson
ISBN 978-1-4398-8152-1

Securing Cloud and Mobility: A Practitioner’s Guide
Ian Lim, E. Coleen Coolidge, and Paul Hourani
ISBN 978-1-4398-5055-8

Security and Privacy in Smart Grids
Yang Xiao (Editor)
ISBN 978-1-4398-7783-8

Security for Wireless Sensor Networks using Identity-Based Cryptography
Harsh Kupwade Patil and Stephen A. Szygenda
ISBN 978-1-4398-6901-7

The 7 Qualities of Highly Secure Software
Mano Paul
ISBN 978-1-4398-1446-8

AUERBACH PUBLICATIONS
www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: [email protected]

Information Security Management Handbook
Sixth Edition
Volume 7

Edited by
Richard O’Hanley • James S. Tiller

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Version Date: 20130723

International Standard Book Number-13: 978-1-4665-6752-8 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources.
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Introduction  ix
Contributors  xiii

DOMAIN 2: TELECOMMUNICATIONS AND NETWORK SECURITY

Communications and Network Security
1  Securing the Grid  3
   TERRY KOMPERDA

Network Attacks and Countermeasures
2  Attacks in Mobile Environments  23
   NOUREDDINE BOUDRIGA

DOMAIN 3: INFORMATION SECURITY AND RISK MANAGEMENT

Security Management Concepts and Principles
3  Security in the Cloud  35
   SANDY BACIK
4  Getting the Best Out of Information Security Projects  45
   TODD FITZGERALD
5  Mobility and Its Impact on Enterprise Security  57
   PRASHANTH VENKATESH AND BALAJI RAGHUNATHAN
6  An Introduction to Digital Rights Management  67
   ASHUTOSH SAXENA AND RAVI SANKAR VEERUBHOTLA
7  Information Security on the Cheap  81
   BEAU WOODS
8  Organizational Behavior (Including Institutions) Can Cultivate Your Information Security Program  101
   ROBERT K. PITTMAN, JR.
9  Metrics for Monitoring  121
   SANDY BACIK

Policies, Standards, Procedures, and Guidelines
10  Security Implications of Bring Your Own Device, IT Consumerization, and Managing User Choices  133
    SANDY BACIK
11  Information Assurance: Open Research Questions and Future Directions  143
    SETH J. KINNETT

Security Awareness Training
12  Protecting Us from Us: Human Firewall Vulnerability Assessments  151
    KEN M. SHAURETTE AND TOM SCHLEPPENBACH

DOMAIN 4: APPLICATION DEVELOPMENT SECURITY

Application Issues
13  Service-Oriented Architecture  161
    WALTER B. WILLIAMS

Systems Development Controls
14  Managing the Security Testing Process  179
    ANTHONY MEHOLIC
15  Security and Resilience in the Software Development Life Cycle  197
    MARK S. MERKOW AND LAKSHMIKANTH RAGHAVAN

DOMAIN 5: CRYPTOGRAPHY

Cryptographic Concepts, Methodologies, and Practices
16  Cloud Cryptography  209
    JEFF STAPLETON

DOMAIN 6: SECURITY ARCHITECTURE AND DESIGN

Principles of Security Models, Architectures, and Evaluation Criteria
17  Identity and Access Management Architecture  221
    JEFF CRUME
18  FedRAMP: Entry or Exit Ramp for Cloud Security?  239
    DEBRA S. HERRMANN

DOMAIN 7: OPERATIONS SECURITY

Concepts
19  Data Storage and Network Security  251
    GREG SCHULZ

DOMAIN 9: LEGAL, REGULATIONS, COMPLIANCE, AND INVESTIGATIONS

Information Law
20  National Patient Identifier and Patient Privacy in the Digital Era  259
    TIM GODLOVE AND ADRIAN BALL
21  Addressing Social Media Security and Privacy Challenges  267
    REBECCA HEROLD

Investigations
22  What Is Digital Forensics and What Should You Know about It?  279
    GREG GOGOLIN
23  eDiscovery  287
    DAVID G. HILL
24  Overview of the Steps of the Electronic Discovery Reference Model  293
    DAVID G. HILL
25  Cell Phone Protocols and Operating Systems  303
    EAMON P. DOHERTY

Major Categories of Computer Crime
26  Hacktivism: The Whats, Whys, and Wherefores  321
    CHRIS HARE

Compliance
27  PCI Compliance  345
    TYLER JUSTIN SPEED
28  HIPAA/HITECH Compliance Overview  357
    JOHN J. TRINCKES, JR.

Information Security Management Handbook: Comprehensive Table of Contents  387