Commonsense Computer Security

How important is your computer data?

How much would it matter if it were:

• lost by accident?
• tampered with maliciously?
• unavailable because of inefficient procedures?
• plagued by viruses?
• stolen by competitors?

Information is an essential but vulnerable corporate asset. Who is responsible for its safety= Computer specialists? Security staff? Auditors? Or is it a key management issues?

Computer security is a people problem not a machine problem, and ultimate responsibility lies with management. It need not be expensive, complicated or technical. The solutions are straightforward, for the greatest threat is not highly sophisticated attack, but low-tech insider crimes made possible by poor procedures and a lack of work discipline. Every organization can achieve satisfactory and economical computer security using a blend of traditional security techniques tailored to the computing environment.

Commonsense Computer Security contains all you need to know to review or refine your security arrangements — whether you usa a micro, mainframe or nationwide network. Each element of computer security is described in detail but in non-technical, readable terms. Aspects covered include:

• physical, document and personnel security
• hardware and software security
• communications (network) security
• compromising emanations
• disaster planning and insurance
• the security of small systems
• developing a computer security policy
• staff training and awareness

An essential book for senior managers, computer staff, security personnel, auditors — anyone with responsibility for, or working with, electronic data.

• Part One: The nature of the problem
1. The nature of computer security
• What is a computer?
• What is security?
• What is computer security?
2. Threats and vulnerabilities
• Qualities of information
• Vulnerabilities of computers
• Threats to computers
• Risk to computers
• Methods of exploitation
3. Countering the dangers
• The nature of the security features
• Defence in depth
4. Valuing data
• Types of data
• Classification
• Part Two: responsibilities for computer security
5. Computer versus security staffs?
• The interdisciplinary approach
• Mutual problems
• The problems with being a computer person
• The problems with being a security person
• The role of the auditor
6. Allocation of computer security duties
• Naming changes
• Who's in charge?
• Chain of command
• The allocation of computer security duties
• Installation security committees
7. Registration of computers
• Why register computers?
• Responsibility for registration
• Uses for the register of computers
• Updating the register
• Serial numbering of computers
• Contents of computer registration documents
• Part Three: The solution
8. Physical security
• Defence in depth — the fortress concept
• Aims of physical security
• The physical protection of computers
• The physical protection of computer installation services and utilities
• Fire protection
9. Document security
• What is a computer document?
• Handling computer documents
• Marking computer documents
• Accounting for magnetic media
• Accounting for associated documents
• Purging magnetic media
• Backing up magnetic media
• Destruction of computer documents
• Checks and musters of computer documents
10. Personnel security
• The elements of personnel security
• Fundamental principles of personnel security
• The threats from staff members
• The motivation crime
• Personnel security measures within a computer installation
11. Hardware security
• Securing hardware from tampering
• Hardware identification devices
• Hardware integrity checks
• Maintenance procedures
• Fault tolerance
• Contracts
12. Software security
• The aims of software security
• The limitations of software security
• Software security — general measures
• Software security — access control
• Software security — separation
• Software security — audit
• Software security — programming
• Cover Channels
• The 'Orange Book' — the US Department of Defense trusted computer system evaluation criteria
• Bugs and viruses
• Some final thoughts
13. Compromising emanations (TEMPEST)
• The nature of the problem
• The dangers from TEMPEST
• Simple precautions against TEMPEST
• TEMPEST-proofed equipment
14. Communications and network security
• Methods of data transmission
• Transmission characteristics
• Networks
• Aims of communications and network security
• Threats to communications and networks
• Methods of protection — cryptology
• Methods of protection — physical and procedural security
• Hacking
15. Disaster planning
• The need for a disaster recovery plan
• Developing a disaster recovery plan
• Stand-by facilities
• Contents of the plan
• Invoking the disaster recovery plan
16. Computer insurance
• Problems with insurance
• Risks that can be covered
• Types of cover
• Claims that can be made
• Where to buy your policy
• Do's and don'ts of computer insurance
17. Security of personal computers
• History of the personal computer
• Uses of the personal computer
• Weaknesses and vulnerabilities of personal computers
• Countermeasures to protect the personal computer
• Part Four: Plan of action
18. Developing a computer security policy
• Defining the computer security policy
• Risk analysis
• Format of the computer security policy
• Contents of the computer security policy
• Uses for the computer security policy
• Security operating procedures
19. Training and awareness
• The need for training and awareness
• Training for computer security
• Awareness of computer security
• Some final thoughts

One of the best books on IT security ever written!

Do you need more info?