Official (ISC)2® Guide to the ISSMP® CBK®

About the Editor: Hal Tipton, currently an independent consultant, is a past president of the International Information System Security Certification Consortium and was a director of computer security for Rockwell International Corporation for about 15 years. He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994. Tipton has been a member of the Information Systems Security Association (ISSA) since 1982. He was the president of the Los Angeles chapter in 1984 and the president of the national organization of ISSA (1987–1989). He was added to the ISSA Hall of Fame and the ISSA Honor Role in 2000. Tipton was a member of the National Institute for Standards and Technology (NIST), the Computer and Telecommunications Security Council, and the National Research Council Secure Systems Study Committee (for the National Academy of Sciences). He received his BS in engineering from the U.S. Naval Academy and his MA in personnel administration from George Washington University; he also received his certificate in computer science from the University of California at Irvine. He is a certified information system security professional (CISSP), ISSAP, and ISSMP. He has been a speaker at all the major information security conferences including the following: Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security & Audit Users Conference, and Industrial Security Awareness Conference. He has conducted/participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for International Research. He participated in the Ernst & Young video "Protecting Information Assets." He is currently the editor of the Handbook of Information Security Management (Auerbach Publications). He chairs the (ISC)2 CBK Committees and the QA Committee. He received the Computer Security Institute’s Lifetime Achievement Award in 1994, the (ISC)2’s Hal Tipton Award in 2001, and the (ISC)2 Founders Award in 2009. About the Contributors: James Litchko, CISSP-ISSEP, CAP, MBCI, CMAS, Senior Security Expert, Litchko & Associates. Mr. Litchko has worked as a security and management expert for over 30 years. He has been an executive with five organizations and supervised and supported the securing of over 200 military, government, and commercial IT systems. Since 2008, he supported the securing of IT systems at DHS, DOE, VHA, NASA, EPA, USAF, DOJ, and FEMA. Jim created and taught the first graduate IT security course at Johns Hopkins University (JHU) and was a manager at NSA. Jim holds a masters degree from JHU and has authored five books on security and management topics. Craig S. Wright, CISSP-ISSAP, ISSMP, is a director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous postgraduate degrees including an LLM specializing in international commercial law and ecommerce law, a masters degree in mathematical statistics from Newcastle, and is working on his fourth IT-focused masters degree (in system development) at Charles Stuart University, Australia, where he lectures on subjects in digital forensics. He is writing his second doctorate on the quantification of information system risk at CSU. Cheryl Hennell, EdD, MSc, CISSP, SBCI, has worked in the IT industry for 40 years. Her employment includes systems development for the Ministry of Defence, systems analysis for the Civil Service, European Consultancy for a blue chip organization, and 20 years as a senior university lecturer. She is currently head of IT and information assurance for Openreach, BT. She earned her master’s in information systems design from Kingston University, London, and her doctorate from the University of Southampton, UK, and is a specialist in the Business Continuity Institute, UK. She is also an ambassador for Childnet. Cheryl was the course director for the first digital forensics degree in the UK, which she created and delivered for the University of Portsmouth. She has been an invited speaker at international conferences in Europe, the Middle East, and Africa. Her subjects include information assurance, audit, risk and governance, physical security, and business continuity and disaster recovery. Maura van der Linden spent over a decade in software testing at Microsoft Corporation with a specialization in security testing, including working in the Security Technology Unit on the Malware Response Team. After serving as a technical reviewer for MSDN Magazine, she wrote her first article on SQL injection testing for MSDN Magazine. She then wrote her first book, Testing Code Security, Auerbach, Boca Raton, FL, in order to teach other testers the need for and intricacy of security testing. Though now working as a programming writer, she maintains her close ties to the test and security communities. Keith Willet, CISSP-ISSAP, has over 25 years experience in information technology spanning academia and commercial, local, and national governments. Mr. Willett has a BS in computer science from Towson University, Maryland, an MS in business from the University of Baltimore, Maryland, and an MSIA from Norwich University, Vermont, and he holds the CISSP and ISSAP designations from (ISC)2. Willett is the author of Information Assurance Architecture and coauthor of How to Achieve 27001 Certification, both published by Auerbach. When not working, Mr. Willet enjoys world travel, cuisine, and wine, and has enjoyed all in over 125 cities across 30 countries.

Enterprise Security Management Practices; James Litchko
Enterprise-Wide Systems Development Security; Maura Van Der Linden
Overseeing Compliance of Security Operations; Keith D. Willett
Understanding Business Continuity Planning (BCP), Disaster Recovery Planning (DRP), and Continuity of Operations Planning (COOP); Cheryl Hennell
Law Investigation, Forensics, and Ethics; Craig Steven Wright
Appendix: Answers to Review Questions