The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, SECOND EDITION
by Dr. Gerald L. Kovacich, CFE, CPP, CISSP

* Six new chapters present the latest information and resources to counter information security threats
* Every chapter contains opening objectives and closing summaries to clarify key points
* Accessible, easy-to-read style for the busy professional

"Introductory books to the job of Information Systems Security Officer have been sorely needed for a long time. Dr. Gerald L. Kovacich has taken a significant step towards filling that need with his book Information Systems Security Officer's Guide. This is a small volume, only 172 pages long, which is easily read and to the point. It is suited for self-study as well as for introductory courses, in the private as well as in the public sector." - Information Security Bulletin, December 1999

"Information systems security continues to grow and change based on new technology and Internet usage trends. In order to protect your organization's confidential information, you need information on the latest trends and practical advice from an authority you can trust. The new ISSO Guide is just what you need.

"Information Systems Security Officer's Guide, Second Edition, from Gerald Kovacich has been updated with the latest information and guidance for information security officers. It includes more information on global changes and threats, managing an international information security program, and additional metrics to measure organization performance. It also includes six entirely new chapters on emerging trends such as high-tech fraud, investigative support for law enforcement, national security concerns, and information security consulting.

"This essential guide covers everything from effective communication to career guidance for the information security officer.
You'll turn to it again and again for practical information and advice on establishing and managing a successful information protection program."

The following statements are what others who have read the first edition of The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program have said:

"If you are looking to grow as a security professional, this book can definitely help you. Regardless of whether you're just getting started in the industry or have 20 years under your belt, you will learn something from this author. It discusses everything from marketing yourself, getting hired, planning, hiring staff, performing risk management, classifying your information, doing metrics analysis and of course how to deal with people and politics in your "ISSO" position. A definite must-have for anyone looking to manage an Information Security program for an organization." - Scott C. Sanchez, CISSP, New York, NY, USA

"I read this book for an Internet Security course and I was very intrigued with its handling of the subject matter. As the title suggests, it is a guide for an ISSO's job. It gives clear insight as to what you should be focusing on and how you should expect to handle your day-to-day job, and also how important it is to get the entire company involved in your efforts. I enjoyed this book very much." - Arthur E. Gousby III, Hoboken, NJ, USA

"This guide is a very comprehensive introduction to everything an information system security officer should know, plan and do. It contains valuable information for personal marketing. It is an easily understandable book with lots of factual information; my favourite tutorial of the year." - Lilian Hages, Germany

"I have found that the Information Systems Security Officer's Guide by Dr. Gerald Kovacich provides many gems of wisdom, not only valuable to me as a former ISSO, but also in my role as a business continuity planning (BCP) professional. For example, I've struggled with how to facilitate BCP communication and interaction among our mission-critical organizations. Making the BCP charter consistent with the company's Strategic, Tactical and Annual Plans, as Dr. Kovacich suggested, has provided the needed common thread of BCP motivation for rapid deployment. Most importantly from a personal perspective, the idea of the ISSO Portfolio in the chapter titled "How to Market Yourself as an ISSO" is worth its weight in gold! By following Dr. Kovacich's advice, I was able to effectively compete for and win my current global BCP management job." - Robert L. McCord, Senior Manager, Worldwide Business Continuity Programs, Ingram Micro Inc., California, USA

"Having both a law enforcement and private sector background, I appreciated the premise of Dr. Kovacich's book as it related to the Information Security Officer's duties and challenges. His approach will enable the reader to better understand the corporate environment concerning not only the management process involved in protecting information, but also the importance of communicating and interacting with the organization in a way that people feel motivated to develop and maintain a successful and effective InfoSec program. The book discusses important management tenets and procedures which demonstrate the author's insight and experience in dealing with "real world" InfoSec issues. This book is easy reading and provides a clear understanding of the information security functions by taking the reader through the business and management environment and at the same time stressing a very important point that is often overlooked, i.e., an awareness and expectation that change is constant. I've recommended this book to those who are currently in the information security business and anyone who is attempting to pursue a career in this field. This book would be an ideal supplement to a variety of college courses and/or seminars pertaining to business and information technology." - Jerry Swick, WorldCom Network Security Operations Center, Investigative Services, Los Angeles, California, USA

"Greater than I expected. Well thought-out and organized; written in simple, clear language; good advice and guidelines for the new ISSO; excellent examples of using management techniques and tools for establishing an effective InfoSec program; forward looking, especially the chapter on 21st Century Challenges for the ISSO. This is a one-of-a-kind book for the InfoSec professional and must reading for all people interested in an InfoSec career. Even the experienced ISSO can find great value in this book. If an ISSO followed the guidance offered, success is almost a certainty. A book that should be adopted for required study in business management, computer science, and information security courses." - Motomu Akashi, Security Manager and Software Engineer, Ford Aerospace Corporation, Western Development Labs (Retired), Palo Alto, California, USA

"Shows good research done prior to writing.
* Written in easy-to-understand terms.
* Very well organized.
* Contains highly factual information.
* Accurately portrays the ISSO position.
* A must for any person responsible for developing and maintaining corporate Information Systems security processes.
* This guide is the best on the market today." - J. Ervin, former Automated Information Systems Security Supervisor, Northrop Grumman Corporation, Palmdale, California, USA

"Companies are paying closer attention to information security management issues. Those who don't have policies and procedures are putting them together, and those that already have them know they need constant management. The world needs knowledgeable infosecurity managers, but experience is hard to come by. If you're one of those trying to get a foot in the door, even if you already have a nonmanagement InfoSec job, you can use all the advice you can get. Information Systems Security Officer's Guide may be just what you need to get started." - Information Security Magazine book review by David J. Bianco, October 2002

TABLE OF CONTENTS

Preface
Acknowledgments
About the Author
Introduction by William Boni, Edward Halibozek, Andy Jones, and Steve Lutz

SECTION I: THE WORKING ENVIRONMENT OF AN ISSO
1. Understanding the Information World Environment
2. Understanding the Business and Management Environment
3. Understanding Today's Threats to Information Assets
4. The International Widget Corporation (IWC)

SECTION II: THE DUTIES AND RESPONSIBILITIES OF AN ISSO
5. The ISSO's Position, Duties, and Responsibilities
6. The InfoSec Strategic, Tactical, and Annual Plans
7. Establishing a CIAPP and InfoSec Organization
8. Determining and Establishing InfoSec Functions
9. Establishing a Metrics Management System
10. Annual Reevaluation and Future Plans
11. High-Technology Crimes Investigative Support
12. InfoSec in the Interest of National Security

SECTION III: THE GLOBAL, PROFESSIONAL, AND PERSONAL CHALLENGES OF AN ISSO
13. The Related World of Information Warfare, Information Operations, and Information Assurance
14. The ISSO and Ethical Conduct
15. ISSO Career Development
16. How to Market Yourself as an ISSO
17. So, Are You Ready to Become an InfoSec Consultant?
18. 21st-Century Challenges for the ISSO

Index

EXCERPT FROM THE PREFACE

"Because of the popularity of the first edition of this "ISSO" book, the publishers asked me to do a Second Edition.
When I agreed to write a second edition, I wanted to be sure not only that it would be brought up to date, but that it would continue to be a useful reference for you, the reader. Over the years since the book was first published, I have received comments and recommendations as to the book's content and what should be included in any new editions. I also solicited numerous information systems security (InfoSec) professionals for their comments. Based on everyone's input, this new edition was written. The changes in this edition include:

- An update of all chapters;
- The rearrangement of the chapters based on InfoSec professionals' input into what they considered a more logical flow;
- The dividing up of the chapters of this book into three major sections: Section I: The Working Environment of an ISSO; Section II: The Duties and Responsibilities of an ISSO; and Section III: The Global, Professional, and Personal Challenges of an ISSO;
- Six new chapters: Chapter 3, Understanding Today's Threats to Information Assets; Chapter 11, High-Technology Crimes Investigative Support; Chapter 12, InfoSec in the Interest of National Security; Chapter 13, The Related World of Information Assurance, Information Operations, and Information Warfare; Chapter 14, The ISSO and Ethical Conduct; and Chapter 17, So, Are You Ready to Become an InfoSec Consultant?

"As with any book, sometimes the readers were critical of this book's first edition. That's fine if one can sit down and discuss InfoSec and ISSO responsibilities with the critics. After all, they have important points that could be considered when updating the book. However, that is usually not possible.

"So, with all that said, let me state for the record what this book is not:

- It is not a book that is the "end all and be all" of ISSO and InfoSec functions, duties, and responsibilities. The rapid changes in information environments, high technology, etc., make such a book impossible.
- It is not a technical book and does not purport to be; it will not tell you how to install a firewall. The rationale is that there are many good books on the market that cover specific aspects of InfoSec, narrowly focused and very technical. It is expected that the ISSO will read these books as needed based on the specific InfoSec needs of the ISSO.

"In short, this book's goal is to provide a basic overview of the InfoSec professional's (ISSO) world, duties, responsibilities and challenges in the 21st century. It is a primer. It is about an ISSO who must establish and manage an InfoSec program for an international corporation, although all of the material is applicable to various work environments, such as government agencies or charitable organizations.

"It was written because over the years many associates and I had to establish and manage such organizations and found no primer to guide us. So, over the past 40 years that I have been involved in various aspects of security, eventually focusing on InfoSec and its related functions in about 1980, I think I have developed a basic approach that has been successful. Others who have read this book, listened to my lectures based on what became this book, and whom I have mentored over the years have agreed with me.

"So, if you are an InfoSec techie, engineer, or the like looking for the Holy Grail of information protection, that is not what this book is about. However, if you want an ISSO career, want to know what the ISSO profession is all about, and want to be able to build a foundation for a successful InfoSec program and organization, then yes, this book is for you. This book was also written for non-InfoSec professionals in management positions, such as corporate security directors and business managers, who are responsible for overall government agency and business assets protection. These professionals should also know what the ISSO profession is all about and the basics of information assets protection.
"This book can also be used as a textbook or "recommended reading" for university courses related to security and information systems security. I hope you enjoy it."

CONTENTS

Foreword by John P. Kenney
Preface
Acknowledgments
Understanding the Information World Environment
Understanding the Business and Management Environment
The Corporation Incorporated
ISSO Career Development
How to Market Yourself as an ISSO
The ISSO's Position, Duties, and Responsibilities
The InfoSec Strategic, Tactical, and Annual Plans
Establishing an InfoSec Program and Organization
Determining and Establishing InfoSec Functions
Metrics Management
Annual Reevaluation and Future Plans
21st Century Challenges for the ISSO
Recommended Readings
About the Author
Index

ABOUT THE AUTHOR

"DR. GERALD L. KOVACICH graduated from the University of Maryland with a bachelor's degree in history and politics, with emphasis in Asia; the University of Northern Colorado with a master's degree in social science with emphasis in public administration; Golden Gate University with a master's degree in telecommunications management; the DOD Language Institute (Chinese Mandarin); and August Vollmer University with a doctorate degree in criminology. He was also a Certified Fraud Examiner, Certified Protection Professional, and a Certified Information Systems Security Professional.

"Dr. Kovacich has over 40 years of industrial security, investigations, information systems security, and information warfare experience in both the U.S. government as a special agent and business as a technologist and manager for numerous technology-based, international corporations as an ISSO, security, audit and investigations manager, and consultant to United States and foreign government agencies and corporations. He has also developed and managed several internationally based InfoSec programs for Fortune 500 corporations, and managed several information systems security organizations, including providing service and support for their information warfare products and services.

"Dr. Kovacich has taught both graduate and undergraduate courses in criminal justice, technology crimes investigations, and security for Los Angeles City College, DeAnza College, Golden Gate University, and August Vollmer University. He has also lectured internationally and presented workshops on these topics for national and international conferences, as well as writing numerous published articles on high-tech crime investigations, information systems security, and information warfare, both nationally and internationally. He has written more than 100 security-related articles that have been published in various international magazines.

"Dr. Kovacich currently spends his time on Whidbey Island, Washington. He continues to conduct research, write, consult, and lecture internationally on such topics as:

- Global and nation-state information systems security;
- Corporate information systems security;
- Corporate and government fraud;
- Corporate security;
- High-tech crime investigations;
- Information assurance;
- Proprietary information protection;
- Espionage, including Netspionage, economic, and industrial; and
- Information warfare, offensive and defensive.

"He is also the founder of ShockwaveWriters.Com, an informal association of writers, researchers, and lecturers who concentrate on these topics."

2004, 400 pages. Order #DR723.

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008