Official (ISC)2 Guide to the SSCP CBK, 2nd Edition
Edited by Harold F. Tipton
Copyright 2011, Auerbach Publications
468 pages, 40 B/W illustrations

    The (ISC)²® Systems Security Certified Practitioner (SSCP®) certification is one of the most important credentials an information security practitioner can have. Having helped thousands of people around the world obtain this distinguished certification, the bestselling Official (ISC)2 Guide to the SSCP CBK® has quickly become the book that many of today’s security practitioners depend on to attain and maintain the required competence in the seven domains of the (ISC)² CBK.

    Picking up where the popular first edition left off, the Official (ISC)2 Guide to the SSCP CBK, Second Edition brings together leading IT security tacticians from around the world to discuss the critical role that policy, procedures, standards, and guidelines play within the overall information security management infrastructure. Offering step-by-step guidance through the seven domains of the SSCP CBK, the text:

    • Presents widely recognized best practices and techniques used by the world's most experienced administrators
    • Uses accessible language, bulleted lists, tables, charts, and diagrams to facilitate a clear understanding
    • Prepares you to join the thousands of practitioners worldwide who have obtained (ISC)² certification

    Through clear descriptions accompanied by easy-to-follow instructions and self-assessment questions, this book will help you establish the product-independent understanding of information security fundamentals required to attain SSCP certification. Following certification it will be a valuable guide to addressing real-world security implementation challenges.

    Access Controls; Paul Henry
    Access Control Concepts
    Architecture Models
    Identification, Authentication, Authorization, and Accountability
    Remote Access Methods
    Other Access Control Areas
    Sample Questions

    Cryptography; Christopher M. Nowell
    The Basics
    Symmetric Cryptography
    General Cryptography
    Specific Hashes
    Specific Protocols
    X.509
    Sample Questions

    Malicious Code; Ken Dunham
    Introduction to Windows Malcode Security Management
    Malcode Naming Conventions and Types
    Brief History of Malcode
    Vectors of Infection
    Payloads
    Identifying Infections
    Behavioral Analysis of Malcode
    Malcode Mitigation
    Sample Questions

    Monitoring and Analysis; Mike Mackrill
    Policy, Controls, and Enforcement
    Audit
    Monitoring
    Sample Questions

    Networks and Telecommunications; Eric Waxvik and Samuel Chun
    Introduction to Networks and Telecommunications
    Network Protocols and Security Characteristics
    Data Communications and Network Infrastructure Components and Security Characteristics
    Wireless Local Area Networking
    Sample Questions

    Security Operations and Administration; C. Karen Stopford
    Security Program Objectives: The C-I-A Triad
    Code of Ethics
    Security Best Practices
    Designing a Security Architecture
    Security Program Frameworks
    Aligning Business, IT, and Security
    Security Architecture and Models
    Access Control Models
    Identity and Access Management
    Managing Privileged User Accounts
    Outsourcing Security and Managed Security Service Providers
    Business Partner Security Controls
    Security Policies, Standards, Guidelines, and Procedures
    Considerations for Safeguarding Confidentiality
    Privacy and Monitoring
    Information Life Cycle
    Protecting Confidentiality and Information Classification
    Information Handling Policy
    Information Collection
    Secure Information Storage
    Secure Output
    Record Retention and Disposal
    Disclosure Controls: Data Leakage Prevention
    Secure Application Development
    Web Application Vulnerabilities and Secure Development Practices
    Implementation and Release Management
    Systems Assurance and Controls Validation
    Certification and Accreditation
    Security Assurance Rating: Common Criteria
    Change Control
    Configuration Management
    Patch Management
    Monitoring System Integrity
    Endpoint Protection
    Thin Client Implementations
    Metrics
    Security Awareness and Training
    Review Questions
    References

    Risk, Response, and Recovery; Chris Trautwein
    Introduction to Risk Management
    Incident Response
    Forensics
    Recovery

    Appendix: Questions and Answers
    Access Controls
    Cryptography
    Malicious Code
    Monitoring and Analysis
    Networks and Telecommunications
    Risk, Response, and Recovery
    Security Operations and Administration

    Index

    Biography

    Harold F. Tipton, currently an independent consultant, is a past president of the International Information System Security Certification Consortium and was director of computer security for Rockwell International Corporation for about 15 years. He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994.

    Tipton has been a member of the Information Systems Security Association (ISSA) since 1982. He was president of the Los Angeles chapter in 1984 and president of the national organization of ISSA (1987–1989). He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000.

    Tipton was a member of the National Institute for Standards and Technology (NIST), the Computer and Telecommunications Security Council, and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He received his BS in engineering from the U.S. Naval Academy and his MA in personnel administration from George Washington University; he also received a certificate in computer science from the University of California, Irvine. He holds the Certified Information Systems Security Professional (CISSP), ISSAP, and ISSMP certifications.

    He has published several papers on information security issues for Auerbach Publications (Handbook of Information Security Management, Data Security Management, and Information Security Journal), National Academy of Sciences (Computers at Risk), Data Pro Reports, Elsevier, and ISSA (Access).

    He has been a speaker at all the major information security conferences, including the Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, the DOE Computer Security Conference, the National Computer Security Conference, the IIA Security Conference, EDPAA, the UCCEL Security & Audit Users Conference, and the Industrial Security Awareness Conference.

    He has conducted or participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for International Research. He participated in the Ernst & Young video "Protecting Information Assets." He is currently serving as the editor of the Handbook of Information Security Management (Auerbach). He chairs the (ISC)2 CBK Committees and the QA Committee. He received the Computer Security Institute’s Lifetime Achievement Award in 1994, the (ISC)2 Hal Tipton Award in 2001, and the (ISC)2 Founders Award in 2009.