Table of Contents

Introduction 1 INFORMATION SECURITY AND RISK MANAGEMENT Section 1.1 Security Management Concepts and Principles Section 1.2 Change Control Management Section 1.3 Data Classification Section 1.4 Risk Management Section 1.5 Policies, Standards, Procedures and Guidelines Section 1.6 Security Awareness Training Section 1.7 Security Management Planning 2 ACCESS CONTROL Section 2.1 Access Control Techniques Section 2.2 Access Control Administration Section 2.3 Identification and Authentication Techniques Section 2.4 Access Control Methodologies and Implementation Section 2.5 Methods of Attack Section 2.6 Monitoring and Penetration Testing 3 CRYPTOGRAPHY Section 3.1 Use of Cryptography Section 3.2 Cryptographic Concepts, Methodologies, and Practices Section 3.4 Public Key Infrastructure (PKI) Section 3.5 System Architecture for Implementing Cryptographic Functions Section 3.6 Methods of Attack 4 PHYSICAL (ENVIRONMENTAL) SECURITY Section 4.1 Elements of Physical Security Section 4.2 Technical Controls Section 4.3 Environment and Life Safety 5 SECURITY ARCHITECTURE AND DESIGN Section 5.1 Principles of Computer and Network Organizations, Architectures, and Designs 6 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING Section 6.1 Business Continuity Planning Section 6.2 Disaster Recovery Planning 7 TELECOMMUNICATIONS AND NETWORK SECURITY Section 7.1 Communications and Network Security Section 7.2 Internet, Intranet, Extranet Security Section 7.3 E-mail Security Section 7.4 Secure Voice Communications Section 7.5 Network Attacks and Countermeasures 8 APPLICATION SECURITY Section 8.1 Application Issues Section 8.2 Databases and Data Warehousing Section 8.3 Systems Development Controls 9 OPERATIONS SECURITY Section 9.1 Concepts Section 9.2 Resource Protection Requirements 10 LAW, COMPLIANCE AND INVESTIGATIONS Section 10.1 Information Law Section 10.2 Investigations Section 10.3 Major Categories of Computer Crime Section 10.4 Incident Handling