For readers who know security engineering but not its standards and best practices, this book introduces the discipline of international standards and best practices and points to references for further knowledge. It supplies the background needed to recognize the topic that a reference covers and highlights the references likely to be of interest.
This book cannot, of course, enumerate the knowledge needed in all possible fields in which secure information systems are essential.
The period of human history in which we are living is often called the information era: an era in which the whole world has begun to communicate using information technology (IT), and during which information has become at least as valuable as other, more tangible, resources. Modern ways of life have brought major changes to the economy. It is not only the size of a company, or the money it possesses – it is information – that makes a company powerful.
Information is power: information is money: information is critical. Without proper information, any organization is vulnerable to failure – whether it is a production company, service enterprise, commercial vendor, or government agency.
For the past two decades, together with the enormous growth in the amount of information in everyday life, the problem of data and information security has emerged as a global concern. Because of the increasing value of information in our life, it is essential to provide an environment where it can be processed, stored, and transmitted correctly and securely.
Today, the growing concerns about cyberterrorism, cyberwarfare, cybercrime, and the erosion of personal privacy have governments and agencies around the world crafting legislation and seeking the right standards to implement in order to improve information security.
The need for a workforce more skilled in the engineering of a secure information systems environment is clear. The discovery – and potential exploitation – of vulnerabilities in information systems by unauthorized, unethical, or criminal individuals – as well as by the uneducated user – can have a serious impact upon an owner in terms of increased costs (recovery and remediation), and a negative impact on the organization’s reputation.
Increasingly, these incidents include the theft, destruction, or compromise of critical confidential data processed by the system, subjecting individuals to identity theft or causing organizations to suffer significant losses from fraud. Today, 35 US states have introduced legislation requiring certain data breaches to be made known to the public, particularly when personal data may have been compromised. Europe is considering following suit. Such publicity has damaged the reputations of even established firms, resulting in loss of business, and has also prompted a number of other states to enact similar data freeze and notification laws. Current listings of such states can be found at: www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
The problem is not only the result of attempted attacks and the insertion of malicious software from both inside and outside organizations; other issues contribute as well. Many security incidents can be traced back to vulnerabilities caused by inadequacies in software requirements, or by defects in software design, coding, or deployment configuration. The combination of attacks with defects often results in computer and software security problems that are frequent, widespread, and often serious.
This book is a necessary preliminary step towards giving readers adequate exposure to the benefits of using international standards and best practices to address the challenges of cyberwarfare, cyberterrorism, and cybercrime, as well as the unintended consequences created by information systems users. These challenges include addressing the skill shortages within government and industry and the curriculum needs of universities, colleges, and trade schools.
The ultimate goal for this book is to introduce readers to the practical use of standards and best practices to address significant problems, such as those presented by cyberwar, cyberterror, and cybercrime.
While the content of this document provides broad coverage, readers interested in gaining an even deeper knowledge in cyberwarfare, cyberterrorism, cybercrime, and international standards are encouraged to also read the references provided throughout this document.
 ‘Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.’ [NIST FIPS 200].
 A study of Information Security Breaches conducted in 2006 by PricewaterhouseCoopers on behalf of the UK Department of Trade and Industry (DTI) measured the results of security breaches in several ways. The results indicated that relying only on an analysis of the cash cost can be misleading; the impact on an organization's reputation can be even more devastating. Additional information on this study can be obtained at: www.pwc.co.uk/pdf/pwc_dti-identityandaccessmangement.pdf
 See IT Week article at www.itweek.co.uk/information-world-review/news/2189188/uk-internet-users-informed for more about this discussion.
 ChoicePoint's stock falling 20 percent in the period after an incident was disclosed illustrates another potential impact.