The 2011 (ISC)2 Security Congress

ISSUE NUMBER 16
An (ISC) 2 Digital Publication
www.isc2.org
BIG DATA
FORENSICS:
What’s in a Tool?
Incident response and
data recovery require a
solid plan, the right people,
and specifi c tools.

Annual
SECURITY CONGRESS
2 0 1 2
DRIVING SECURITY’S FUTURE
Where Traditional and Logical Security Meet
What You Can Expect:
• 200+ conference sessions available throughout 25 education tracks
• Keynote speakers (2011 included Jeb Bush, Vicente Fox, Janet Napolitano and Burt Rutan)
• Exclusive (ISC) 2 Town Hall and Member Reception
• A fun evening out for the President’s Reception
• Free 1/2 day credential clinics for CISSP ® , CSSLP ® , CAP ® and SSCP ®
• 2-day Intensive Education Programs
• Foundation Fundraising Event – watch for more details
Look for a call for speakers in December and registration opening in January.
SAVE THE DATE
(ISC) 2 Security Congress 2012
September 10-13, 2012 • Philadelphia, PA
www.isc2.org/congress2012
Collocated with ASIS 2012 58th Annual Seminar and Exhibits

COVER PHOTO BY CHRISTOPHER J. MORRIS/CORBIS; ABOVE PHOTO BY TIM FLACH
16
[ features ]
8 Big Data Forensics: All
data recovery tools are
not created equal.
Incident response and data
recovery require a solid plan, the
right people, and speci� c tools.
BY PETER FRETTY
12 Disaster Recovery Reality Check:
Are You Sure You’re Ready?
Disaster preparedness saves time
and money if the right skills and
plans are in place—and current.
BY CRYSTAL BEDELL
16 Delegation Done Right
Relinquishing control may be
di� cult at � rst, but the bene� ts for
management, sta� and the overall
company can be worthwhile.
BY COLLEEN FRYE
issue 16
2011 VOLUME 4
[ also inside ]
3 (ISC) 2 Makes a Strong Push
Executive Letter From the desk of (ISC) 2 ’s
Diana-Lynn Contesti.
4 Moderator’s Corner
Views and Reviews Highlights from (ISC) 2 ’s
event moderator.
6 FYI
Member News Read up on what (ISC) 2 members
worldwide and the organization itself are doing.
18 The (ISC) 2 Safe and Secure Online program
(ISC) 2 Foundation Call for volunteers.
20 Spreading Cyber Safety To All
Q&A Principal and an (ISC) 2 board member David Melnick
discusses Safe and Secure Online outreach in his community.
21 Chapter Passport
A step-by-step guide to building your own local
community of information security professionals.
22 (ISC) 2 Professional Associations and
Organizations Resource Guide
InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication
represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC) 2 on the issues discussed as of the date of publication. No part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written
permission of (ISC) 2 . (ISC) 2 , the (ISC) 2 digital logo and all other (ISC) 2 product, service or certifi cation names are registered marks or trademarks of the International Information Systems Security Certifi cation
Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription
information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information,
please email tgaron@isc2.org. © 2011 (ISC) 2 Incorporated. All rights reserved.
ISSUE NUMBER 16 INFOSECURITY PROFESSIONAL 1

Malware Data From Over
600 Million Systems Worldwide
ONE SECURITY REPORT
The Security Intelligence Report (SIR) is an analysis of the current threat landscape
based on data from internet services and over 600 million systems worldwide to
help you protect your organization, software, and people.
View the Security Intelligence Report at www.microsoft.com/SIR
| Security Intelligence Report

executive letter
from the deSk of (ISC) 2 'S ChaIrperSon
Calling All Members:
Shape the Next Generation
(ISC) 2 provIdeS multIple opportunItIeS for memberS to
InCreaSe theIr knowledge, work wIth peerS and Support
the next generatIon of profeSSIonalS.
As 2011 comes to A close, so
does my role as an (Isc)² Board
member. I began working with (Isc)²
as an exam item writing volunteer in
1998, after which time, I served on
a number of committees and finally,
the Board of Directors.
Being involved with this organization
has been a highly rewarding
experience for me, both personally
and professionally. During my tenure,
I have met very knowledgeable people
who have helped me grow. I’ve seen what once used
to be an unrecognized profession become one of the
most in-demand career fields of the day, thanks in
large part to the passion, volunteerism and innovations
of (Isc)² members.
With the need for qualified information security
professionals at an all-time high, I challenge everyone
to put your passion for our profession to work.
It’s critical not only for our growth as professionals,
but it’s essential to the future of society and our industry.
In a recent blog, I shared the many volunteer
avenues that are available to (Isc)² members. You
just have to find the one(s) that best suit your interests
and availability.
A few months ago, we expanded our scholarship
program to offer Us$140,000 — more than ever
before — and introduced programs for women and
undergraduate students.
We formed the new (Isc)² Foundation earlier this
year to sustain goodwill initiatives like the scholarship
program to help fill the pipeline of information
security professionals. (Isc)² members can play a
critical role here, either by making a financial donation
to the Foundation or volunteering their time to
the safe and secure online program, which is a pub-
lic service that places our members
in schools to teach kids how to protect
themselves online. to date, the
program has reached nearly 70,000
children worldwide, and the demand
from schools is growing daily. If you
have a passion for teaching and information
security, We NeeD YoU!
You can sign up here: https://cyber
exchange.isc2.org/safe-secure.aspx.
Another way members are
changing the profession is through
the (Isc)² chapter program. (Isc)² chapters provide
you with a great chance to build your local
network, connect with your peers to share knowledge,
exchange resources, collaborate on projects,
and earn cPe credits. communities like these are
critical to support the current and future generation
of professionals.
Finally, we will soon be introducing an online
resource for consumers and information security
professionals around the globe. called (Isc)² security
central, this portal will be a one-stop shop for a wide
range of security assets tagged and contributed by
(Isc)² members and anyone else who has a resource
to share. Watch for details in the coming months.
(Isc)² members, as the pre-eminent cyber security
experts in the world, you have the opportunity to
continue to shape this dynamic career field. You have
made it what it is today. You can make a difference,
and (Isc)² is here to help you do that. You will find
more rewards than you ever imagined possible.
sincerely,
Diana-lynn contesti
cIssP-IssAP, IssmP, csslP, sscP
chair, (Isc)² Board of Directors
ISSue number 16 INFosecUrItY ProFessIoNAl 3

moderator’s corner
vIews ANd revIews From (IsC) 2 's eveNT moderATor
Retrospective: The 2011
(ISC) 2 Security Congress
SePtember marked the fIrSt (ISc) 2 Security congress,
which kicked off in orlando, fla., u.S., in conjunction
with the 57th annual aSIS International conference & exhibits.
It was a big hit. for those of you not involved in physical security,
aSIS is the premier professional association for this discipline,
and their annual event rivals the rSa show for sheer number of
security pros under one roof.
The partnership between aSIS and (ISc) 2 enabled attendees
from both events to float between sessions on both sides of
the security universe. This created some very interesting discussions
in all of the sessions I either attended or moderated—
and were possibly upstaged by the hallway conversations generated
by bringing these two groups of risk management practitioners together.
While we have all talked about the possibility of a convergence between physical
and information security, this event showcased some of the best interaction I have
seen to date between these two groups, and sparked a number of conversations
that are still going on in the coming months after the event has concluded.
one of the most telling details of the cross-pollination we witnessed was when
I asked for a show of hands from the aSIS members in the room during (ISc) 2 ’s
sessions. more often than not, aSIS members accounted for 50 percent or more
of the attendees in the room. maybe that explains why we had to keep bringing in
chairs to standing-room only sessions.
The best part for me was having discussions with many of my heroes in the
security industry, talking and listening to people whose opinions I have read for
years, and having the opportunity to discuss their opinions in meaningful ways.
It seemed that anything mobile or cloud-related drew the largest crowds,
indicating that these topics are still hot throughout the community. Sessions on
wireless security and privacy were new, innovative and fresh.
to hear Security congress speakers Spencer Wilcox and Winn Schwartau talk
about the risks of mobile computing and employee privacy rights, tune into the
presentation archive, Ubiquitous Computing, Pervasive Risk. (https://isc2.bright
talk.com/node/902). This archive also qualifies for three cPe credits, so pass it
along to your colleagues.
(ISc) 2 will again co-locate Security congress with aSIS in 2012 in Philadelphia
(u.S.) and expand the array of educational and social programs offered. to stay upto-date
on the 2012 program, keep your eye on the (ISc) 2 Security congress 2012
page (www.isc2.org/congress2012).
I look forward to continuing the conversation,
brandon dunlap
managing director of research, brightfly
bsdunlap@brightfly.com
www.brightfly.com
4 InfoSecurIty ProfeSSIonal Issue Number 16
Management Team
Elise Yacobellis
Executive Publisher
727-683-0782 n eyacobellis@isc2.org
Timothy Garon
Publisher
508-529-6103 n tgaron@isc2.org
Marc G. Thompson
Associate Publisher
703-637-4408 n mthompson@isc2.org
Amanda D’Alessandro
Corporate Communications Specialist
727-785-0189 x242
adalessandro@isc2.org
Sarah Bohne
Senior Communications Manager
616-719-9113 n sbohne@isc2.org
Judy Livers
Senior Manager of Marketing Development
727-785-0189 x239 n jlivers@isc2.org
Sales Team
Christa Collins
Regional Sales Manager
U.S. Southeast and Midwest
352-563-5264 n ccollins@isc2.org
Jennifer Hunt
Events Sales Manager
781-685-4667 n jhunt@isc2.org
Lisa O'Connell
Regional Sales Manager
781-460-2105 n loconnell@isc2.org
IDG Media Team
Charles Lee
Vice President, Custom Solutions Group
Alison Lutes
Project Manager
Joyce Chutchian
Senior Managing Editor
508-628-4823
jchutchian@idgenterprise.com
Kim Han
Art Director
Lisa Stevenson
Production Manager
ADVERTiSER inDEx
CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . 5
Ieee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . 14
IsACA . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . 15
(IsC) 2 . . . . . . . . . . . . . . . . Inside Front Cover;
. . . . . . . . . . . Inside back Cover; back Cover
microsoft . . . . . . . . . . . . . . . . . . . . . . . . . .p . 2
Northeastern . . . . . . . . . . . . . . . . . . . . . . p . 19
rsA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . 10
For information about advertising in this
publication, please contact Tim Garon at
tgaron@isc2 .org .

cloud security.
can you see beyond the problem?
you can
The #1 issue for companies migrating to the cloud is identity and access management.
But for the agile business, know-ing users is always better than no-ing them.
In fact, agile businesses, using our Content-Aware Identity and Access Management solutions, have
been able to reduce security risk while improving productivity, access and efficiency. More effective
compliance, reduced IT risk, broader, more secure customer and partner relationships.
That’s what happens when no becomes know. And security turns into agility.
To see how we can help make your business more agile and secure, visit ca.com/cloudsecurity
Copyright © 2011 CA. All rights reserved.

6 InfoSecurIty ProfeSSIonal issue NuMber 16
fyı
(ISC) 2 Software Security
Certification milestone
o ver 1,000 profeSSIonaLS from 44 countries
now hold the certified Secure Software lifecycle
Professional (cSSlP®)! for details, visit https://isc2
.org/PressReleaseDetails.aspx?id=8014.
Don’t forget to take the quiz
and earn CPEs:
http://bit.ly/rTxcLf
For a list of
events (ISC) 2 is
either hosting or
sponsoring, visit
www.isc2.org/
events
(isc) 2 Named Finalist for
sc Magazine Awards 2012
(ISC) 2 ’ S C ertI f ICatI onS and eduCatI on program
continues to gain recognition from industry experts.
sc Magazine has named the cissP and cssLP as finalists for
its best Professional certification Program award, and (isc) 2 ’s
information security education and certification is a finalist for
its best Professional Training Program award.
The winners of the sc Magazine Awards 2012 will be
announced on February 28 , 2012.
(isc) 2
MeMber
News
americas ISla
Inaugural
recipients
(ISC) 2 InformatIon SeCurIty
LeaderShIp awardS (ISLa)
program expanded to central,
north and South america in 2011. (ISc) 2 is
proud to announce the inaugural winners:
Information Security Practitioner Category:
manoranjan (mano) paul, CSSLP, CISSP,
president and CEO, SecuRisk Solutions, U.S.
Managerial Professional for an Information
Security Project Category: matt Larson, vice
president, DNS research, VeriSign, U.S.
Senior Information Security Professional
Category: diego andrés Zuluaga urrea,
CISM, CGEIT, GCFA, COBIT Foundation and
chief information security officer, Isagen S.A.
E.S.P., Colombia
Up-and-Coming Information Security Professional
Category: pedro andres morales
Zamudio, CISSP, CEH, GPEN, GCIH, lead
auditor ISO 27001, OSCP, OSCWP, presales
engineer, Ximark Technologies, Peru
“expanding the ISla program to the americas
was a logical step for us, given the wealth
of information security innovation, leadership
and talent in this region,” said W. Hord
tipton, cISSP-ISSeP, caP, cISa, executive
director of (ISc)². “We were pleased with the
caliber of finalists for our inaugural year, and
we congratulate them on their pioneering
achievements.”
More information on the americas ISla
program is available at www.isc2.org/aisla.

eighth annual
GISla recipients
(ISC) 2 announCeS the wInnerS of its eighth annual U.S. Government
Information Security Leadership Awards (GISLA):
Category: technology Improvement
Individual Award: Dr. Emma Garrison-Alexander, assistant administrator
for IT at the Transportation Security Agency (TSA).
Team Award: The Information Assurance Program Management
Team, U.S. Army Combined Arms Center, led by Austin Pearson,
CISSP, PMP, ITIL V3, Server+, information assurance program manager,
supported by Mary Johnson, CISSP, GISF.
Category: federal Contractor
Individual Award: Mr. Shawn Wilson, senior manager of information
security, VeriSign, Inc.
Team Award: The NJVC Cyber Dashboard Team, led by Chris
Hughes, CISSP, CCNA, GCFW, chief engineer of cybersecurity,
and seven other CISSPs.
Special Recognition: The Joint Information Operations Warfare
Center (JIOWC) Vulnerability Assessment (JVAT) Computer
Network Security (CNS) Team, led by senior systems engineer
David Rohret, CEH, Security+, CHFI, ECSA/LPT, supported by
three other information security professionals.
Category: workforce Improvement
Team Award: Cyberspace 200/300 Professional Continuing
Education Team, Air Force Cyber Technical Center of Excellence,
led by Dr. Harold Arata III, associate director and his 28-person team.
Category: process/policy Improvement
Individual Award: Mr. Davin Knolton, CISSP, PMP, CKM, CKMP,
DAU CIO Cert, CIO/assistant chief of staff, G-6, U.S. Army
Combined Arms Center.
Team Award: Military Satellite Communications Systems
Directorate Information Assurance Manager Team, U.S. Air Force,
MILSATCOM Systems Directorate, led by Steven Martin, CISM,
and his 18-person team.
Category: Community awareness
Individual Award: Mr. Henry Yu, CISSP, CISM, chief information
security officer, NASA.
Team Award: Cybersecurity Communications Working Group
(CCWG) at the U.S. Department of Homeland Security OCISO,
led by cybersecurity strategy communications manager Joel Benge.
For more information about the winners, please visit:
https://www.isc2.org/PressReleaseDetails.aspx?id=7985.
For information about the GISLA program, visit: www.isc2.org/gisla.
multi-language
Exams Now
Available via CBT
(ISC) 2 IS expandI ng I t S
C omputer-baS ed teS t I ng
(cbT) program across Latin America,
and now offers the cissP exam in
spanish and Portuguese, and the
sscP exam in Portuguese. candidates
in Latin America may choose
to take these exams at any of the
Pearson Vue Professional or select
testing centers.
The cbT expansion began in April
2010 with the cssLP exam, with
plans to gradually transition all
credentials through 2012.
More information about cbT is
available at: www.isc2.org/cbt.
A Successful
First Congress
If you weren’t abL e to
join (isc) 2 for its first annual security
congress in 2011, be sure to save
the date for the next year’s event:
september 10 – 13, 2012 in
Philadelphia, Pa., u.s.
This year’s congress, held in conjunction
with the 57th annual Asis international
seminar and exhibits, bridged the gap
between traditional security and logical
security. Held in Orlando, Fla., u.s. in september,
the event included (isc) 2 ’s firstever
Town Hall Meeting and Americas
information security Leadership Awards,
as well as numerous educational sessions
and top-notch keynote speakers.
You can find more information about
(isc) 2 security congress at
www.isc2.org/congress2012.
issue NuMber 16 InfoSecurIty ProfeSSIonal 7

Big Data
Forensics:
What’s in a Tool?
In today’s ever-expanding world of big data, organizations are
not only taking on considerably more responsibility for protecting information assets, but
are also facing the likelihood of a continued rise in potential data incidents.
According to Dov Yoran, CEO at New York City-based
cyber security company ThreatGRID, security threats have
evolved so extensively in recent years that it is inevitable
that incidents will occur even at mid-sized businesses. “It’s
imperative to have a solid incident response process, which
should include data forensics capabilities and recovery methods
after the breach,” Yoran says. “Additionally, it is always
paramount to have a disaster recovery plan, which normally
includes recovery processes, procedures and solutions.”
All tools are not created equal
Fortunately, an array of forensic and recovery tools exists,
including data integrity tools provided with the operating
system, automated data recovery tools, and specialized
forensic data recovery tools. The most advanced tools allow
experts to recover significantly corrupted data or structural
damage, partially deleted files, and forensically reassemble
short fragments of files into their original form. The tools
even allow an expert to document the chain of events that
led to the data destruction. This all depends on the expert
using the tool having an intimate knowledge of how media
data structures operate, and good working knowledge of the
tool itself.
However, as Yoran explains, not all data recovery tools
are created equal. “Some tools are strictly for data recovery,
while others have other incident response practical features
such as case management,” he says. “The requirements for
recovering your data set should be carefully considered. It
8 INFOSECuRITY PROFESSIONAl ISSUE NUMBER 16
Incident response
and data recovery
require a solid
plan, the right
people, and
specific tools
by Peter Fretty
is often essential to budget for not just data recovery tools
but data extraction and analysis tools. These tools can aid the
investigator in determining the root cause of breaches. Technologies
such as sandboxing [a security tool for separating
running programs] and other malware analysis tools, which
can reveal compromises, should be considered as crucial as
the physical disk recovery.”
Some tools also fail to function in a forensically sound
manner, which is necessary for producing defensible electronically
stored information (ESI) in legal matters or regulatory
investigations, explains Jeff Fehrman, vice president
of forensics and consulting for global IT service provider,
Integreon. “Defensible collection demonstrates that the
appropriate procedures and chain of custody are maintained
throughout the process, in order for the ESI to be admissible
in court,” he says. “Even the best forensic tools in the hands of
untrained users can still present some serious issues for the
defensibility.”
Fehrman recommends looking for tools with a track
record of successful use in legal and compliance matters
and that have respected certification training for users.
“There are also expert consultants in the field that have
entire toolkits of software available for their use, and the
experience to know which ones are best suited for specific
types of storage media or environments,” he says. “Some
services also allow IT personnel to essentially perform the
work under an expert’s remote guidance as a cost-effective
approach to ensuring defensibility without the risk of data
spoliation.”
photo By ChRIStophER J. MoRRIS

ISSUE NUMBER 16 INFOSECURITY PROFESSIONAL 9

Selecting the Right RecoveRy tool
Selecting the best tool is often
the result of conducting sufficient
research and asking the
appropriate questions. With
this in mind, ThreatGRID’s
CEO Dov Yoran suggests the
following list of questions:
3 What type of data does the
organization need to recover?
3 What types of hardware
are involved?
3 Will we be recovering virtual machines?
3 How often will we be recovering data?
3 What is the average size of datasets we will
be recovering?
3 How do we incorporate the recovery solution into
a unified incident response process?
10 InfoSecurIty ProfeSSIonal ISSUE NUMBER 16
Legal must-dos
There are also legal concerns of key consideration as organizations
embark on a data forensics project, explains Peter laberee
of laberee law Pc. “When confidential information is
kept on the cloud, it is crucial to know, where are the servers?
This matters because the laws of the locality where the servers
are located may control your right to access the data, even to
recover lost information,” he says. laberee notes that people
ask where their data is partly because of the inherent diffuseness
of the cloud, plus the fact that legal and marketplace
remedies vary from country to country. “Despite the global
feel of the cloud, some countries’ laws will be involved when
it’s time to sue to get back data or to demonstrate compliance
with privacy rules.”
The obligation to provide secure data goes beyond just
good business. “enterprises have express legal duties relating
to data security financial information and protected health
information under HIPaa [the Health Insurance Portability
and accountability act of 1996], for example. and, we hear
much about Sarbanes-oxley [the Sarbanes-oxley act of 2002,
or SoX] in the corporate finance world,” laberee says. “under

Section 404 [of SoX], reporting companies are required to
assess their internal process and controls, and data security
and recovery are part of this. Privacy laws are also implicated
in data security concerns including Gramm-leach-Bliley [the
financial Services Modernization act of 1999, or GlB], the
fair and accurate credit transactions act [facta], and eu
[european union] rules.”
If the primary goal is to use the results in court, yoran
stresses the significance of forensically sound data recovery
software, including sandboxing solutions. “understanding
the fundamentals of the attack and how it affected one’s system
is at the core of every investigation,” he says. “Having the
Is the Data Gone?
Is the data really gone? In most instances, the answer
is a resounding no. When a user drags and drops
a file or directory into the recycle bin, or right-clicks
and selects “Move to Trash” or “Delete,” that data is
usually recoverable, explains Forensic Risk Alliance’s
Boisclair. “Even if the user empties the trash, it may
still be possible to access and view that deleted data.
However, data can be securely deleted without having
to physically destroy the device or media so as to
render it unusable,” he says. “There are a number of
software-based solutions that feature the ability to
sanitize or wipe media by erasing the data based on
recognized government and industry standards.”
Many data-wiping software applications developed
in the U.S. adhere to the standard outlined in Department
of Defense (DoD) 5220.22-M. At a high level,
secure erasure involves overwriting the location on
the disk where the data resided a number of times by
filling the media with zeros, random bytes, or a known
overwrite pattern. It is then possible to verify that the
data has been permanently erased by viewing the data
location on the media in an application that enables
the user to access and view the ones and zeros on
the physical disk—ensuring that the overwrite pattern
exists and the original data does not. A primary factor
in meeting industry standards is the number of times
the data is overwritten.
It’s important to note when using data wiping tools,
care must also be taken that any such actions are performed
in accordance with a company’s documented
data retention/destruction policies and schedule,
explains Integreon’s Fehrman. “Failure to do so could
pose issues during litigation, even if performed prior to
a lawsuit being filed. Enforcing data destruction policies
is particularly important if a legal hold has been
put in place at the start of an investigation or lawsuit,”
he says. “The deliberate destruction of potential evidence
can lead to serious legal sanctions.”
right tools on hand to do a deep analysis can not only aid in
this effort, but it’s also a requirement when considering the
myriad of potential attacks and large volumes of data each
organization owns. clearly these tools are most effective
when used by a skilled resource on the project, so in the end a
successful investigation is really the marriage between people
and technology.”
Seeking professional help
In some instances, it makes more sense for organizations to
turn to specialized partners capable of providing an array of
professional services including litigation consulting, compliance
and risk management, e-discovery, forensic data collection
as well as forensic examination and recovery exist to
assist with eSI.
one reason to do so is that for digital evidence to be valid—
and defensible in court—it must be preserved in either its original
form or a forensically defensible representation thereof,
explains Gerard Boisclair, senior manager at Providence, rI
(u.S.)-based forensic risk alliance. “In accordance with the
national Institute of Justice, examination is best conducted
on a copy of the original evidence,” he says. “Proper forensic
collection involves highly trained and certified professionals
using specialized tools such as hardware and software writeblockers
and forensic imaging tools. They also provide documentation
to prove data integrity and security via chain of
custody, media acquisition and access control, and a series of
detailed collection logs.”
according to fehrman, data forensic and recovery services
often vary based on the type of media or environment
involved, including hard drives, backup tapes, uSB pen
drives, network file shares, e-mail servers, mobile phones,
Web sites, social media networks, and cloud-based environments.
“related services include recovery of passwordprotected,
encrypted, corrupted, or deleted information,” he
says. “expert analysis or witness services are also available to
ensure the defensibility of the methods used, should they ever
be challenged during legal proceedings. This is why training
and certification through reputable providers is so important,
and when there is doubt, there is always the option to utilize
forensic experts that can provide strategic advice and provide
recommended best practices and methods.”
regardless of the preferred route, it’s crucial to select a
reputable company that practices and promotes industry
standards, explains Boisclair. “Whether recovering data at a
logical or physical level, it is likely that the data may be private,
sensitive or confidential and may even be subject to jurisdictional
requirements governing data protection,” he says.
“using a reputable tool or provider may prevent the media
from further, irreparable damage, and may also prevent
the data from being exposed to identity theft, unauthorized
download or use of confidential files as well as improper storage
or disposal of media.”
Peter Fretty is a freelance business and technology journalist
based in Michigan.
ISSUE NUMBER 16 InfoSecurIty ProfeSSIonal 11

DISASTER
RECOVERY
REALITY
CHECK:
ARE YOU
REALLY
READY?
12 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
DISASTER
PREPAREDNESS
saves time and
money if the right
skills and plans are in
place—and current.
BY CRYSTAL BEDELL
ILLUSTRATION BY KEN ORVIDAS

When was the last time your organization updated
its disaster recovery (Dr) plan or conducted a disaster recovery
test? chances are you’ve spent less time and money on Dr or
business continuity (Bc) efforts since the economic downturn.
But a slow economy is no excuse for neglecting Dr/Bc maintenance.
In fact, it’s more important than ever before, because when an incident
does occur—be it an earthquake, a fire in the data center or a poor management
decision—you need to be able to get your organization back up and running as
soon as possible.
In a 2010 study by forrester research and Disaster Recovery Journal, respondents
were asked to rate their ability to recover their data center in the event of a site failure
or a disaster. The vast majority said they felt “very prepared” or “prepared.” according
to a report co-written by forrester analyst rachel a. Dines, “The same study
found that disaster recovery spending has declined, testing has remained flat, plan
maintenance occurs less frequently, and actual recovery times have increased.”
Bottom line: organizations are disillusioned. allen Zuk, owner and managing
principle of Sierra Management consulting based in Parsippany, n.J., u.S.a., said
he sees a lot of organizations slacking off in the area of Dr. “There’s an attitude of
complacency, because nothing has happened in the last three or four years,” says
Zuk, referring to a disaster or incident.
This complacency can be costly. according to forrester, organizations took 18.5
hours to recover from an event in 2010. consider that the average reported cost of
downtime per hour was almost $145,000, and you’re looking at more than $2 million
per event.
Reality CheCk
Getting real about your organization’s disaster preparedness doesn’t have to be
costly. With a little foresight, you can actually save time and money. taking the
time to set realistic goals—even if it means hiring a consultant to help, is one tip
Zuk offers for cost-effective Dr testing. “Don’t try to boil the ocean every time,”
he says. Instead of testing every system and application, choose two or three to test
each quarter. for those unsure about which ones or how many to test, Zuk encourages
clients to reach out to a consultant. “Because we’ve done this so many times, we
know how long it will take. There are no surprises. If you plan a 24-hour test and you
come up with 52 apps, that’s just not going to happen. a consultant has the insight
to help you plan accordingly,” Zuk says.
a consultant can also help address skills gaps, which is a common problem for
organizations. Perhaps the resident Dr/Bc expert is no longer with the company,
and skills have not been replaced. “If we were to take technology out of the equation
and focus on your Dr plan, how do you ensure continuity of operations? That takes
a unique skill set. There’s a lack of talent being applied to the problem,” says Brandon
Dunlap, managing director of research at Brightfly. If the key people are not present
for whatever reason when disaster strikes, and if junior staff doesn’t have the appropriate
training, it’s going to become a prolonged and painful response.
a consultant can help you plan and execute a series of tests, for example, reducing
his or her role through each test until the organization feels confident in its ability
to execute a test. “your level of dependency is diminishing, and you’re showing
an improvement in your own internal staff and their ability,” says Zuk.
finally, Zuk recommends taking the opportunity to learn from the results of
each test and applying that knowledge to the next one. “Do a post mortem on your
tests, and be truthful about it. There’s no
failure in it; it’s about what can you learn
from what you did. Did you achieve your
goal and, if not, let’s understand what
went wrong, what didn’t work. Build in
that remediation and for the next test,
take that with you,” Zuk says.
Cloud Computing
and dR/BC
any Dr/Bc discussion would be remiss
if it failed to address the cost-saving role
of cloud computing services. Some providers
market their services specifically
for Dr purposes, but cloud services also
support Dr efforts. “The whole concept
of cloud computing addresses disaster
recovery because your services are independent
of your offices,” Dunlap says.
“The days of actually requiring a massive
data center to run your business are dwindling.
you can push everything up to the
cloud for just a few bucks a month.”
at that point, the Dr aspect becomes
a vendor problem, says Dunlap. But you
can’t move your services to the cloud
and wipe your hands clean of the issue.
“If the provider goes down and you don’t
have access, technically, you just had a
disaster.”
Dunlap advises companies to review
contracts with their legal department to
ensure that service outages and servicelevel
agreements are captured in contractual
language. “If your provider goes
down or loses your data, what recompense
do you have? Will they start paying
you $10,000 a day while you’re out of
business?” Dunlap says.
While many providers do not currently
provide the guarantees that organizations
require, Dunlap says this is
something organizations can look forward
to in the coming months and years
as it becomes a differentiator of cloud
service providers. In the meantime, have
an alternative plan for Dr/Bc.
BRing expeRienCe
to the taBle
technology is just one component of
Dr/Bc. People and processes also play a
significant role. “Business continuity and
disaster recovery go well beyond getting
your data or your apps back up. What
are you going to do about the people that
are displaced? What is your process for
ISSUE NUMBER 16 InfoSecurIty ProfeSSIonal 13

notifying customers about the outage?”
he says. � ese are examples of processes
and elements that technologists o� en fail
to consider.
“Disaster recovery has been narrowed
down to IT capabilities,” says Zuk.
“� ere is less and less involvement with
the business, which is discouraging. It
should be involved a lot more with DR
planning and testing.”
Addressing people and processes
doesn’t require a huge � nancial investment,
but it does require you to sit down
with the right people and plan for these
actualities. “It takes time and it takes
thought and it takes expertise. You have
to sit down and talk through some of this
stu� , and say ‘what if?’ � e people who
have gone through this problem before
or experienced a disaster are good people
to bring to the table,” Dunlap says.
“You can look at a manual to � gure out
how to back up to tape. But are you backing
up and restoring the right stu� ? What
gets restored � rst? Who in the organization
gets their stu� done � rst?” asks Dunlap.
“� at’s a hard conversation, but they’re
the ones that, as practitioners, we need to
come to the table prepared to have.”
MANAGING RISK
IN THE BOARD ROOM
There is another risk associated with
a company’s people that puts business
continuity in danger. It resides in conference
rooms of businesses everywhere:
potential executive or corporate risk
behavior. “Businesses run the risk of
being knocked out by bad business decisions,
but they don’t take that into consideration,”
says Dunlap.
According to Chris Kaufman, president
of Agovia Consulting, companies
lose millions of dollars every day because
of poor business decisions. Managing this
business risk is an essential part of business
continuity, and it’s vital in today’s
environment. Moreover, “It’s a low-cost
way to manage risk,” Kaufman says.
Kaufman cites a number of examples
of risky business decisions that should be
a red � ag to systems security professionals.
One of these is when management
pushes to release a product on time even
if it’s not ready. “Nobody will remember a
year from now if we’re three months late;
everyone will remember if we lose 10
14 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
percent of our business,” says Kaufman.
Another risky behavior is the purchase
of systems, products and consulting services
based on hype from trade shows
or industry conferences; or continuing
a rollout that is costing the organization
millions of dollars and is clearly doomed
to fail.
Luckily, it doesn’t cost much to mitigate
risky behavior to ensure business
continuity. It’s simply a new way to
approach decision making. “It’s common
sense,” he says, “getting people to think
along the lines of applying the decisions
they’re making today to the place they
want to be two, or � ve, or even 10 years
from now.” In other words, think about
Become an
the long-term impact of the decisions
you’re making.
� is approach also o� ers a bene� t to
CISOs. “Organizations are holistic, and
to be successful, they should operate as
a uni� ed entity. � ese concepts overarch
and tie the various pieces of the organization
together. � e ideas of risk evaluation,
risk management, and business
continuity have begun to mature. � is
should give a natural entre to partnering
with and being a part of the business, as
opposed to being an order taker,” Kaufman
says.
Crystal Bedell is a freelance writer specializing
in technology.
IEEE Certified Biometrics
®
Professional
Why CBP?
The IEEE Certified Biometrics Professional ® (CBP)
program has two major components: Certification and
Training. Professionals and organizations can
both benefit from the IEEE CBP program.
Key advantages are:
n Prove your knowledge
n Increase your credibility
n Learn a baseline of industry
knowledge
n Train employees
n Gain a competitive advantage
Learn more and register today!
www.IEEEBiometricsCertification.org

Get recognized —
our members do.
www.isaca.org/benefits-infosec
In a sea of IT professionals,
ISACA members get noticed.
Many IT and information systems professionals worldwide consider
membership in ISACA ®
essential to their career advancement.
As a nonprofit, global association, ISACA connects exceptional
people with exceptional knowledge to provide members with a
robust offering of professional resources.

DELEGATION
DONE RIGHT
16 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
Relinquishing control may be diffi cult
at fi rst, but the benefi ts for management,
staff, and the overall company
can be worthwhile. BY COLLEEN FRYE
WHILE HIS CO-FOUNDER (AND BEST FRIEND) WAS AWAY ON VACATION,
“MANAGERS
MANAGE
THINGS;
LEADERS
DEVELOP
PEOPLE.”
—HEATHER ROSENFIELD
PRESIDENT
ROSEWOOD ASSOCIATES
the co-founder of a server and storage
company took the opportunity to delegate
some purchasing responsibilities
that his partner had refused to loosen
the reins on. The employees charged
with the tasks had proven purchasing
experience. Their decisions saved
the company eight percent, and their
research surfaced a new vendor that
delivered product more quickly.
“I used that opportunity to delegate
that authority to them in his absence,
under the ruse that I couldn’t handle
it,” says Pat Taylor, founder of Atypical
Business, a channel sales and marketing
consultancy in Dallas and author
of Sales Savvy (2011). “� ey were fearful,
but I made it clear I’d take full
responsibility.”
Taylor’s partner was not happy,
of course, but after he reviewed what
transpired, he never took back the purchasing
responsibilities.
Like Taylor’s partner, many people
� nd giving up control di� cult. Yet when
delegation is done right, the employees,
management and company all bene� t.
Future leaders are groomed, new ideas
are surfaced and executive management
is freed up to focus strategically.
“Managers manage things; leaders
develop people,” says Heather Rosen-
� eld, president of Boston-based Rosewood
Associates, a licensee of the Crestcom
corporate training program. � ere
are emotional barriers to delegating,
PHOTO BY TIM FLACH

she explains, ranging “from lack of confidence
or trust in lower-level employees,
to fear of being called lazy, to lack
of control.”
for most, delegating is a learned
skill, says Seth levenson, an independent
executive coach in Brookline,
Mass. “you went into your profession—
whether it’s technology, finance, whatever—because
you liked the specialty,
not because you wanted to manage
people in that specialty. But the more
successful and higher up you go, the
more you are required to delegate.”
Success, he says, is not defined by what
a leader personally accomplishes, “but
what they can enable the organization
to accomplish, and what they can help
their people to do.”
Many of what John Baldoni, leadership
consultant, speaker, and author of
Lead with Purpose (2011), calls “super
achievers” are not predisposed to delegating
responsibilities and grooming
staff. “The perception is I should do it
myself. When you’re an individual contributor,
you’re recognized and compensated
for that individual contribution.
That doesn’t work in management. But if
you’ve always been recognized for a lot of
work individually, it’s hard to let go.”
Finding the Right Level
of Delegation
So just how much should you let go?
rosenfield says the level of delegation
depends on the personnel and the
team, how long an individual has been
with a company, and how much experience
that person has. for instance, she
explains, you might ask your employee
to be the information-gatherer, while
you make the decisions. as the individual
gains experience, you might add
responsibility by asking them to provide
options in addition to the research.
Then at a higher level of responsibility,
ask them to provide a recommendation
based on their research.
also, she adds, a leader “should delegate
results that have to be achieved
rather than a task that has to happen.”
levenson agrees: “let them know
what you want to accomplish, but not
how.”
Before that, though, levenson says
When to be Hands-On
One of the biggest barriers to delegation is micromanagement, according
to executive coach Seth Levenson. That said, he tries to steer clear of that
term, “because it has a pejorative meaning. I call it hands-on, which makes
it neutral and appropriate in certain situations,” he says.
There are typically three situations in which a hands-on style is both required
and acceptable, according to Levenson:
1. You have an employee with a performance issue.
2. You’re a new manager and you want to better understand your role and
the roles of your direct reports, so a hands-on style is appropriate—in
the beginning.
3. If your company has the spotlight on a particular project or issue,
“you would be foolish not to be all over it,” he advises.
a leader should ask if the direct report
feels ready to handle the responsibility,
and what level of advice they want to
receive. and at the outset, “agree on the
communication during the completion
of the task—is it daily, which on highly
critical tasks with a lower skill person it
may be, weekly, or when certain milestones
are reached.” If the communication
is ongoing, he says, “there should be
no surprises.”
once the responsibility is outlined
and parameters defined, Baldoni says
you need to let everyone else know, and
that you expect them to give this person
their full support.
“It’s also important to define scope,”
Baldoni says. “It’s easy to delegate on
paper, but when projects take longer or
grow in scope, if I’m supervisor do I need
to become more involved?” He adds that
the supervisor needs to let the employee
know it’s oK to ask for help.
rosenfield says that defining performance
standards and using metrics
and regular reports are key. She also
adds, “follow up and follow through.
If you give someone something and let
them run with it, and they come back
with something that’s nothing like you
expected, then you haven’t inspected
along the way and followed through
with them.”
Some Common Missteps
There are wrong ways to delegate as well.
“The most egregious error is to delegate
without authority,” Baldoni says. other
mistakes, he says, include giving someone
a mandate but no resources to carry
it out, giving someone a job but not telling
their peers, or not giving someone
decision-making authority but still holding
them accountable if things go south.
Still, if you’ve done delegation right
and it’s just not working out, you may
have to take action. But first, says levenson,
try to understand what’s not
working, and what your contribution to
that may or may not be. “It’s easy to say
another person can’t handle it,” he says.
However, if you do need to take
back responsibility, there are different
ways to do so, levenson says. If the
issue becomes an emergency all previous
agreements are off, he says, or if you
think it will never work vs. it’s just not
working now, that may affect how you
deal with the issue.
other options are to decrease the
level or scope of responsibility rather
than remove it entirely, levenson says.
or, he adds, “Maybe you spend more
time with them, or maybe you have
another direct report who’s more experienced
be a peer advisor or coach to
that person.”
above all, says rosenfield, “you have
to have balance. So many managers
today are working managers. they’re
not just managing people; they’re
responsible for a job as well. you have to
balance—my individual contribution
with my team contribution.”
Colleen Frye is a freelance technology editor
and writer based in Massachusetts.
ISSUE NUMBER 16 InfoSecurIty ProfeSSIonal 17

Giving corner
Fostering goodwill, education, and research initiatives
Help wanted: the (ISC) 2 Safe and Secure
Online program needs volunteers
Join up and help train parents, teachers and children
about cybersaFety.
a teen commItS SuIcIde In the u.S. after
having been cyberbullied. In the u.K., a parent
is arrested for roughing up a middle school boy
because he was bested on an online game. celebrities
and politicians are sexting. headlines like
these are real-life reasons that schools everywhere
are in need of the (ISc) 2 Safe and Secure online
program.
The (ISc) 2 Safe and Secure online program
is an easy-to-use training program that helps
security professionals like you get involved with
a community to show parents, teachers and children
ages seven to 14 how to be safe and secure
online—whether it is identity theft, personal safety
or securing hardware and software from malicious
attacks. The program trains (ISc) 2 certified members
to volunteer to deliver a cutting-edge, interactive
multimedia presentation at schools in their
own local community.
(ISc) 2 member surveys showed members’ desire
to make an impact on the world using their unique
cyber security skills, especially with those most
vulnerable in society….youth. educating your community
about one of today’s most serious issues and
helping to protect children online can be very satisfying.
as u.S. volunteer lynda morrison-rader
notes, “The Safe and Secure online program has
given me a chance to share security best practices
with children, teachers and parents. It has given
them a forum to begin discussions on topics that
some had not thought about, or known about.”
Parents and teachers learn a lot, too. “as a parent,
I value (ISc) 2 ’s Safe and Secure online so
highly because it talks straight to the concerns our
kids deal with every day,” notes Blair campbell,
the lead volunteer mentor in canada. “It’s very
empowering for them, and puts them in charge—
18 InfoSecurIty ProfeSSIonal issue number 16
they get to become responsible computer users and
learn how to protect themselves. I see a change following
each presentation, and it’s impressive.”
There are many more volunteers like lynda and
Blair (see page 20) who can attest to this gratifying
experience.
as need for these programs rapidly increases,
so does the need for more volunteers in canada,
hong Kong, the u.K., and the u.S. That’s where
you can help.
Become a volunteer by clicking on the Safe and
Secure online logo on the ISc2.org website. you
can also attend one of our face-to-face orientations
like the one at the rSa uSa 2012 conference in
San francisco on february 29.
to get started, just complete these easy steps:
1. check out the Safe and Secure online section
on ISc2.org and sign-up as a volunteer.
2. Successfully pass a criminal background check
(if you have had one done within the past year
or have had security clearance this will be
sufficient).
3. complete the online volunteer preparation video
and pass the short quiz afterwards or attend
an in-person volunteer orientation (available at
select industry conferences in certain locations).
4. Sign a waiver.

How to Set up Safe and Secure Online in Your Country:
(ISC) 2 certifi ed information security professionals are
intensely focused on using their skills to help secure their
own local community. In order to start a Safe and Secure
Online program in your country:
1. Develop a core group of (ISC) 2 volunteers to act as
lead volunteer mentors and volunteer organizers in their
country; (ISC) 2 Foundation staff will train them and
provide support materials, however the volunteers will
need to coordinate activities in their country.
2. Core volunteer group works to determine if any
government agencies need to give permission for SSO
volunteers to be in the schools; core volunteers and
(ISC) 2 Foundation staff work to gain permission.
3. Core group works with (ISC) 2 Foundation staff to
raise funds to support local programs. Initial launch
costs approximately $40,000 for permissions, legal
fees, presentation materials, student hand outs and
marketing materials, and the public launch (PR and
marketing to raise awareness). Ongoing maintenance
costs approximately $10,000 annually for updates
to the presentation and volunteer training materials,
students handouts and ongoing marketing to parents
and teachers. This may come from a government agency
COMBAT
Cyber Attacks
with a
Master of Science in
Information Assurance
The current need for trained information assurance professionals in
government and industry is significant and will continue to increase.
Northeastern’s MSIA program will help you become a trained IA leader.
Complete your degree in as few as four semesters—
100% online, on campus, or by mixing the formats.
Now accepting applications.
Learn more at
www.northeastern.edu/online/ia
1.877.634.6865
or may come from one or more corporate sponsors.
4. Determine if criminal background checks are available
(and fi nancially accessible) in the country (without a
background check process we are unable to assure the
school system regarding student safety).
5. Develop a legal waiver form customized to local laws.
This will be done via (ISC) 2 ’s legal department.
6. Work with educators and volunteers to customize the
standard Safe and Secure Online presentation for
the specifi c needs of a particular culture, including
language translation. For instance, in some countries,
cyber bullying is the predominant issue, while in others
child exploitation is the premier issue. This step is led by
(ISC) 2 Foundation staff with support and input from the
core volunteers.
7. Recruit and train volunteers, led by (ISC) 2 Foundation
staff with support and input from the core volunteers.
8. Plan a launch event for press, educators and (ISC) 2
members.
9. Launch!
10. Core local volunteers are responsible for reporting key
data back to (ISC) 2 Foundation staff including numbers of
presentations and students reached, on a monthly basis.
ISSUE NUMBER 16 INFOSECURITY PROFESSIONAL 19

20 InfoSecurIty ProfeSSIonal issue number 16
Q&a
experts address trending security topics
Spreading Cyber Safety To All
DaviD Melnick, principal, audit and enterprise risk services at
deloitte, and an (isc) 2 board member, recently spoke to us about
the safe and secure online outreach in his los angeles, calif.
community.
Q: How did you get started with (ISC) 2 ’s
Safe and Secure Online program?
I had the privilege of being on the
(ISc) 2 Board of Directors, which was
regularly briefed as (ISc) 2 started
their rollout of the Safe and Secure
online program in the u.S. I was
immediately taken with the obvious
fit for our professionals who have
often expressed interest in community
service.
at the same time, I had been very
involved in Deloitte’s IMPact Day program where
the entire u.S. firm mobilizes on a single day, and
approximately 50,000 professionals engage in an
array of community projects. We’d go into schools
and repaint buildings, landscape yards, and perform
academic programs. The Safe and Secure
online program was an obvious complement to
Deloitte’s efforts, so I offered up the idea of leveraging
Deloitte’s efforts over 1,100 cISSPs to deliver
this program on IMPact Day.
Q: How did you get into the school program?
I started working locally in l.a. three years
ago at John leighty Middle School where Deloitte
had an established trusted relationship with the
administration. We first presented to the principal
and administration, who loved it. from there,
we worked with the entire eighth-grade class with
more than 600 kids on the first IMPact Day.
The program provided an interactive multimedia
experience to keep the kids’ interest as we covered
major topic areas including ethics and cyber
behavior, downloading music, understanding the
laws and rules, antivirus and more.
Q: What impact has this had?
The program was a big success in the l.a. area.
The following year, we decided to roll the pro-
gram out nationally with Deloitte’s
IMPact Day. We established security
leaders regionally across the country
to develop city- and school-level
volunteer teams. It’s been a great
experience for security professionals.
Q: How does a new volunteer get
started?
(ISc) 2 can get you started. all
you need to do is sign-up online,
complete (or show proof of) a recent
criminal background check, sign a waiver form
and get introduced to the presentation materials
through a one-hour online orientation followed by
a short quiz. If you have a child or know a child in
a school, you might be able to talk to an administrator
or teacher about getting involved. once you
are introduced, then you go in and deliver the presentation.
The prepackaged content is very structured
with music and multimedia so you can just
run with it. The level of commitment is minimal,
and you get cPe credit for it as well.
Q: What have you learned from your experience?
I was caught off guard with how vulnerable
[students are], and how real this [security] problem
was.
also, most of these kids have never had this cyber
security conversation before with an adult. The kids
all are using social media and the technology, and
yet, no one is talking to them about the topic.
Q: Do you have any advice for (ISC) 2 members?
Get involved. It’s easy to register, easy to deliver,
and you will feel good when you deliver it. The first
step is to go through the process with (ISc) 2 and
put yourself out there. We’re all here to help, if you
are interested, so get online dialogues going and
things might happen.

chapter passport
MEMBERS CONNECT AND COLLABORATE
How to Build a Local (ISC) 2 Chapter
A STEP-BY-STEP GUIDE TO BUILDING YOUR OWN LOCAL
COMMUNITY OF INFORMATION SECURITY PROFESSIONALS
AS ANY INFORMATION SECURITY PROFES-
SIONAL WELL KNOWS, the value of peer networking
cannot be overstated. (ISC)² Chapters
provide members with the opportunity to network
with peers, brainstorm, exchange resources, share
knowledge, and let’s not forget, create new ways to
earn CPE credits.
4. Process legal documents: Once the application is
approved, (ISC)² will send you an information
packet containing legal paperwork necessary to
establish your chapter.
5. Receive an (ISC)² Chapter Welcome Kit: Once the
paperwork has been processed and � nalized,
you will receive a welcome kit containing your
chapter materials. You will then be an o� cial
(ISC)² Chapter!
6. New chapter announcement: (ISC)² will send an
email noti� cation on your behalf to announce
your chapter to all local (ISC)² members within
your geographic boundaries.
2 � e ( I S C Chapter ) Program was launched in
September 2011 at the (ISC) 2 Security Congress
in Orlando, Fla., U.S.A. Since September, we’ve
received more than 30 petitions from members
worldwide who are interested in starting a local
chapter for a variety of reasons: to collaborate
with other professionals with common interests;
to create awareness of the profession throughout
society; and to share information to advance the
knowledge of others, just to name a few.
� ose who have already formed or joined a chapter
can attest to the numerous bene� ts. Here are
some step-by-step guidelines for forming an (ISC) 2
Chapter in your local community:
1. Review the (ISC)² Chapter Guidelines online: � i s
document provides details on the chapter
structure and requirements needed to get your
chapter started. Visit https://www.isc2.org/CHstart/default.aspx.
2. Petition to form an (ISC)² Chapter: Complete and
submit an (ISC)² Chapter Charter Petition form.
Upon approval, (ISC) 2 For more details about the (ISC)
will reserve your right to
form a chapter in your requested territory.
3. Submit an (ISC)² Chapter Charter Application:
Complete and return the chapter application
with a minimum of 15 (ISC)² members’ signatures
to start the application process.
2 Chapter Program,
visit www.isc2.org/chapters.
(ISC) 2 CHAPTERS FORMING WORLDWIDE
Since the launch of the (ISC) 2 Chapter Program, we’ve
received numerous petitions to start chapters worldwide.
Below is a list of chartering and existing chapters. For
an updated listing or contact information, visit the (ISC) 2
Chapter Directory at www.isc2.org/ch-directory.
AMERICAS
Canada - Winnipeg, Manitoba
Mexico
U.S.A. - California - Los Angeles
U.S.A. - D.C. - National Capitol Region
U.S.A. - Florida – Orlando
ASIA-PACIFIC
India - Chennai
India - Mumbai
Indonesia
Japan
Korea
U.S.A. - Florida - Panhandle
Pakistan
U.S.A. - Florida - South Florida
Sri Lanka – Colombo
U.S.A. - Florida - Southwest Florida
U.S.A. - Florida - Tampa Bay
EMEA
U.S.A. - Georgia - Middle Georgia
U.S.A. - Indiana - Indianapolis
U.S.A. - Minnesota - Twin Cities
U.S.A. - NE Florida / S Georgia
U.S.A. - Nebraska – Omaha
U.S.A. - New York - New York Metro
U.S.A. - Ohio - Central Ohio
U.S.A. - Pennsylvania - Lehigh Valley
Germany
Ghana
Israel
Kenya
Romania
Saudi Arabia
Spain
Switzerland
U.S.A. - Texas - Lackland AFB
Tunisia
ISSUE NUMBER 16 INFOSECURITY PROFESSIONAL 21

The Information Security Associations and Organizations listed in this section represent the vast array of professional
groups that support the international information security community. These associations and organizations offer
information security education, opportunities for networking, reference materials, as well as periodic meetings and
publications. Many are membership organizations that provide access to special events, research and other resources
for information security practitioners.
Visit http://resourceguide.isc2.org for additional resource Spotlights from (ISC) 2 .
Online Resources
A host of helpful resources listed by region and category. Please note
that most sites offer English content in whole or in part.
Organizational Security
Resources Online
NORTH AND SOUTH AMERICA
Alta Associates, Inc., Executive
Recruitment
www.altaassociates.com
Brazilian Computer Emergency
Response Team (NBSO)
www.nbso.nic.br/index-en.html
Brazilian Computer Security and Incident
Response Teams (CSIRTs)
www.nbso.nic.br/contact-br.html
Brazilian Honeypots Alliance
Distributed Honeypots Project
www.honeypots-alliance.org.br
Business Software Alliance
www.bsa.org
Center for Internet Security
www.cisecurity.org
Common Criteria Portal
www.commoncriteriaportal.org
Common Vulnerabilities and
Exposures (CVE)
http://cve.mitre.org
CyberLawEnforcement.org
www.wiredcops.org
Electronic Privacy Information Center
www.epic.org
Executive Women’s Forum
www.infosecuritywomen.com
Forum of Incident Response and
Security Teams (FIRST)
www.fi rst.org
Grupo de Trabalho em SeguranÁa
(GTS) de Redes
(Network Security Working Group)
http://gts.nic.br
High-Tech Crime Network
www.htcn.org
The Honeynet.BR Project
www.honeynet.org.br
IEEE Computer Society’s Technical
Committee on Security and Privacy
www.ieee-security.org
Information Assurance Technical
Framework Forum (IATFF)
http://www.javvin.com/networksecurity/
IATTF.html
Information Security Forum
www.securityforum.org
22 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
Spotlight on 2011
Professional Associations and Organizations
ISACA
www.isaca.org
Information Systems Security
Association (ISSA)
www.issa.org
Information Technology Association of
America, Information Security (ITAA)
www.itaa.org
InfoSecurity Task Force
www.istf.com.br
Insecure.org
www.insecure.org
The International Association for
Cryptologic Research (IACR)
www.iacr.org
(ISC) 2
www.isc2.org
The Internet Engineering Task Force
www.ietf.org
Internet Storm Center, The SANS Institute
http://isc.sans.edu
Multi-State Information Sharing and
Analysis Center (MS-ISAC)
www.msisac.org
Network Information Center (NIC)
Brazil Security Office-Security Related
Links
www.nbso.nic.br/links
Network Reliability and Interoperability
Council
www.nric.org
OASIS
www.oasis-open.org
Organisation for Economic Cooperation
and Development (OECD)
Guidelines for Security of Information
Systems and Networks
www.oecd.org
Open Vulnerability Assessment Language
(OVAL)
http://oval.mitre.org
SANS Glossary of Terms Used in Security
and Intrusion Detection
www.sans.org/resources/glossary.php
The SANS Institute
www.sans.org
TechTarget Security Glossary of Terms
TechWeb Tech Encyclopedia
www.techweb.com/encyclopedia
World Wide Web Consortium,
W3C Security Resources
www.w3.org/Security
ASIA-PACIFIC
Asia PKI Consortium
http://www.apkic.org
Center for Information on Security Trade
Control, Japan
www.cistec.or.jp
China PKI Forum
Conformity Assessment Scheme
for Information Security Management
Systems (ISMS)
www.isms.jipdec.jp/en
CSEC: Computer Security Group
Information Processing Society
of Japan (IPSJ)
www.sdl.hitachi.co.jp/csec/en
Electronics and Telecommunications
Research Institute
Hong Kong PKI Forum (HKPKIF)
www.hkpkiforum.org.hk
Information and Communication Security
(Taiwan)
http://ics.stpi.org.tw
Information Processing Society of Japan
Information Technology Standard Commission
of Japan (ITSCJ)
www.itscj.ipsj.or.jp/eg
The Institute of Electronics, Information
and Communication Engineers
www.ieice.org/eng
Internet Association Japan
www.iajapan.org
National Cyber Security Awareness
Month (NCSA)
www.staysafeonline.info
ISEC Security Center, Information Technology
Promotion Agency (IPA), Japan
www.ipa.go.jp/security/jisec/jisec_e/
index.html
Japan Information Processing Development
Corporation
www.jipdec.jp/eng
Japan Information Technology
Services Industry Association
www.jisa.or.jp/security
Japan Electronics and Information
Technology Industries Association
Information Technology Security Center
http://www.jeita.or.jp/english
Korea Early Warning Information
Security (EWIS) Forum
Korea Institute of Science and
Technology Information
www.kisti.re.kr

Korean Linux Documentation
Project (KLDP)
http://kldp.org
Macao Post eSignTrust Certification
Services, Pilot Project Information
http://www.esigntrust.com/en
New Media Development Association
(NMDA)
www.nmda.or.jp/index-en.html
Taiwan Information Security Center
www.twisc.org
The Telecommunication Technology
Committee
www.ttc.or.jp/e/index.html
EUROPE, MIDDLE EAST, AFRICA
Alliance Against IP Theft
www.allianceagainstiptheft.co.uk
Associazione Nazionale Specialisti per la
Sicurezza in Aziende di Intermediazione
Finanziaria (ANSSAIF)
www.anssaif.it
CERT Renater
www.renater.fr/Securite/CERT_Renater.htm
CERT-IST
www.cert-ist.com
Competence Center for Applied Security
Technology (CAST) Forum
www.en.cast-forum.de/home
Fraud Advisory Panel
www.fraudadvisorypanel.org
Intellect
ITEK
www.itek.dk
tScheme
www.tscheme.org
Educational Resources Online
NORTH AND SOUTH AMERICA
SC Scholars
Online learning program for application security
education www.scscholars.com
American Association of Community
Colleges
www.aacc.nche.edu
Association of Universities and
Colleges of Canada
www.aucc.ca
CERT Coordination Center OCTAVE
Information, (Operationally Critical Threat,
Asset and Vulnerability Evaluation)
www.cert.org/octave
Common Event Enumeration (CEE)
A Standard Log Language for Event
Interoperability in Electronic Systems
http://cee.mitre.org
Common Weakness Enumeration (CWE)
A Community-Developed Dictionary of Software
Weakness Types
http://cwe.mitre.org
Common Configuration Enumeration
(CCE), Unique Identifi ers for Common
System Confi guration Issues
http://cce.mitre.org
Common Attack Pattern Enumeration
and Classification (CAPEC)
A Community Knowledge Resource for Building
Security Software
http://capec.mitre.org
International Association of Privacy
Professionals
The World’s Largest Organization Representing
the Privacy Profession
www.privacyassociation.org
Computer Emergency Response Team
(CERT) Coordination Center
Carnegie Mellon University, Software
Engineering Institute
www.cert.org
Privacy Tracker
The Online Resource for U.S. and State
Privacy Legislation
www.privacytracker.org
Making Security Measurable (MSM)
A Collection of Information Security Community
Standardization Activities and Initiatives
http://makingsecuritymeasurable.mitre.org
Insecure.Org — Security News and Updates
http://insecure.org
George Mason University, Center for
Secure Information Systems
Computer Security Related Links
http://csis.gmu.edu
Idaho State University, National
Information Assurance Training and
Education Center (NIATEC)
http://niatec.info/orglinks.htm
Learning Tree International
www.learningtree.com
National Academic Consortium for
Homeland Security
National Information Assurance
Training and Education Center
http://niatec.info
National Science Foundation, Federal Cyber
Service: Scholarship for Service (SFS)
www.nsf.gov/funding/pgm_summ.
jsp?pims_id=5228&org=OCI
Purdue University, The Center for
Education and Research in Information
Assurance and Security (CERIAS)
Tools and Resources
www.cerias.purdue.edu/tools_and_resources
University of Dallas, Center for
Information Assurance, IA Recommended
Links and Information Sources
University of Tulsa, Center for Information
Security
www.cis.utulsa.edu
ASIA-PACIFIC
Australian Education Network
University and College Guide
Center for Information Security and
Cryptography (CISC)
www.cs.hku.hk/cisc
China Education and Research Network
www.edu.cn/HomePage/english
Joint University Programmes Admissions
System
http://web.jupas.edu.hk/jupas/jupasFront.htm
EUROPE, MIDDLE EAST, AFRICA
Politecnico di Milano e CEFRIEL
Corso die alta formazione in Information
Security Management
www.securman.it
For Consumers, Families
and Educators
NORTH AND SOUTH AMERICA
Association for Computer Security Day
www.computersecurityday.org
Childnet International
www.childnet-int.org
The Cyber Citizen Partnership
http://cybercitizenship.org
Cyberethics for Kids
www.cybercrime.gov/rules/kidinternet.htm
CyberSmart! School Program
www.cybersmart.org
Educational Technology Clearinghouse-
Internet Safety Student Sites
http://etc.usf.edu/security
GetNetWise-About Security
http://security.getnetwise.org
Home Network Security
CERT Coordination Center
www.cert.org/tech_tips/home_networks.html
i-SAFE America
www.isafe.org
Keeping Internet Kids Safe
www.kiks.org
KidSafe.com
www.kidsafe.com
Net Family News: Online Safe Resources
for Kids and Families
http://netfamilynews.org
NetSafe Kids
www.nap.edu/netsafekids
The NetSmartz Workshop
www.netsmartz.org
Online Safety Project: Family Guide
to the Internet and Technology
www.safekids.com
Ready Kids
http://www.ready.gov/kids
Stay Safe Online, sponsored by the
National Cyber Security Alliance
(Public and private sector sponsors)
www.staysafeonline.info
U.S. Department of Education Internet
Safety Page
www.ed.gov/about/offi ces/list/os/
technology/safety.html
U.S. Secret Service Safe School Initiative
National Threat Assessment Center
www.secretservice.gov/ntac_ssi.shtml
WiredSafety
ASIA-PACIFIC
China Times
Security Information for Children
http://news.chinatimes.com/Chinatimes/
index2004/Compontent/inc-index2004-
Compontent-00top-01-safe/0,4163,,00.html
Cyber Ethics for Students and Youth
Education and Manpower Bureau, Hong Kong
http://cesy.qed.hkedcity.net
e-Security Malaysia
http://esecurity.org.my
The Hong Kong Association of Banks
http://www.hkab.org.hk/index.jsp
Hong Kong Ethics Development Centre
www.icac.org.hk/hkedc/eng/library2.asp
Hong Kong Monetary Authority
www.info.gov.hk/hkma/eng/consumer/
internet_banking_index.htm
ISSUE NUMBER 16 INFOSECURITY PROFESSIONAL 23

NetSafe: The Internet Safety Group
www.netsafe.org.nz
SingCert
Young New Zealanders’ Foundation
Internet Safety
www.4safetytoday.com/internet-safety.php
EUROPE, MIDDLE EAST, AFRICA
Safe Surfing with Doug
www.disney.co.uk/DisneyOnline/Safesurfi ng
Bank Safe Online UK
www.banksafeonline.org.uk
BSI für Bürger
www.bsi-fuer-buerger.de
Chatdanger
www.chatdanger.com
Action for Children
www.actionforchildren.org.uk
ComReg-The Consumer Website of the
Commission for Communications Regulation
www.askcomreg.ie
e-handelsfonden
www.forbrugersikkerhed.dk
makeITsecure.ie
www.makeitsecure.ie
secure-it.nrw
www.secure-it.nrw.de
think U know
www.thinkuknow.co.uk
Industry Portals —
Resources Online
NORTH AND SOUTH AMERICA
Alta Associates
www.altaassociates.com
Help Net Security
http://www.net-security.org
GovernmentSecurity.org
www.GovernmentSecurity.org
The Association for Computing
Machinery Portal
http://portal.acm.org/portal.cfm
The Biometric Consortium
www.biometrics.org
Biometric Industry Resource Guide
www.fi ndbiometrics.com
Dictionary of Computer Security Terms
www.itsecurity.com
eSecurityPlanet.com
www.esecurityplanet.com
The Ethical Hacker Network
www.ethicalhacker.net
Federal News Radio
www.FederalNewsRadio.com
Firewall.com
www.fi rewall.com
Identity Management Solutions Information
www.insideid.com
IT Toolbox-Knowledge Portal for Security
Professionals
http://security.ittoolbox.com
Linux Security Information
www.linuxsecurity.com
Modulo Security
(Portal of Information Security)
www.modulo.com.br
Neil’s Security and Privacy Resources
www.jjtc.com/Security
24 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
SearchSecurity.com
http://searchsecurity.techtarget.com
SecurityFocus News and Information
www.securityfocus.com
Security News Portal for Information
Systems Security Professionals
www.securitynewsportal.com
SRI International Computer Science
Laboratory
www.csl.sri.com
InfoSysSec.com
www.InfoSysSec.com
SecurityForumX.com
www.SecurityForumX.com
SecurityChatX.com
www.SecurityChatX.com
Windows Security.com-Network
Security Library
http://www.windowsecurity.com/whitepapers
The Open Web Application Security Project
www.owasp.org
ASIA-PACIFIC
Australian Security Industry
Association Limited
www.asial.com.au
eSafety Channel
http://security.zol.com.cn
InfoSec Hong Kong
www.infosechk.org
EUROPE, MIDDLE EAST, AFRICA
Biometrie-Online
http://www.biometrie-online.net
ICT Ireland
www.ictireland.ie
ICT Switzerland
www.ictswitzerland.ch/de
Internet Services Providers’ Association
(ISPA)
www.ispa.org.uk
Internet Watch Foundation
www.iwf.org.uk
Irish Information Security Forum
www.iisf.ie
Nigerian Computer Society
www.nigeriancomputersociety.com
.SE (The Internet Infrastructure Foundation)
www.iis.se
Securitymanager.de
www.securitymanager.de
Secuser.com
www.secuser.com
SecurityVibes.com
http://www.securityvibes.com/fr
Government Online Resources
NORTH AND SOUTH AMERICA
DoD IA Policy Chart
http://iac.dtic.mil/iatac/ia_policychart.html
Federal Republic of Brazil
www.brasil.gov.br
Ministry of Communications
www.mc.gov.br
Ministry of Justice
www.mj.gov.br
Ministry of Science and Technology
www.mct.gov.br
National Institute of Technology
www.int.gov.br
Canadian Security and Intelligence Service
www.csis-scrs.gc.ca
Communications Security Establishment
Canada’s National Cryptologic Agency
www.cse-cst.gc.ca
Office of the Privacy Commissioner
of Canada
www.privcom.gc.ca/index_e.asp
Public Safety and Emergency
Preparedness Canada
www.psepc-sppcc.gc.ca
Banco de México (Central Bank)
www.banxico.gob.mx
Mexican Secretariat of Communications
and Transportation
www.sct.gob.mx
MEXOnline.com Guide to México
(Government Sites)
www.mexonline.com/mexagncy.htm
Servicio de Administracion Tributaria (SAT)
www.sat.gob.mx
U.S. DEPARTMENT OF COMMERCE
Computer Security Resource Center
http://csrc.nist.gov
The Common Criteria Evaluation and
Validation Scheme (CCEVS)
www.niap-ccevs.org/cc-scheme
Computer Security Division, Information
Technology Laboratory
http://csrc.nist.gov
Cyber Security Tips-Small Business
Corner, Computer Security Resource
Center, National Institute of Standards
and Technology
http://csrc.nist.gov/groups/SMA/sbc/
index.html
National Institute of Standards and
Technology, Computer Security Portal
www.nist.gov/computer-security-portal.cfm
Public/Private Security Practices
www.csrc.nist.gov/pcig/ppsp.html
Federal Computer Security Program
Managers Forum, Computer Security
Resource Center
http://csrc.nist.gov/organizations/cspmf.html
National Information Assurance Training
and Education Center
http://niatec.info/ViewPage.aspx?id=0
Awareness, Training and Education,
National Institute of Standards and
Technology
http://csrc.nist.gov/groups/SMA/ate/
index.html
U.S. DEPARTMENT OF DEFENSE
Central Security Service, Information
Assurance
www.nsa.gov/ia
Information Assurance Technical
Framework Forum (IATFF), National
Security Agency-sponsored public/
private/academic forum
www.iatf.net
National IA Education & Training Program
http://www.nsa.gov/ia/academic_outreach/
iace_program/niaetp.shtml
National Security Agency
www.nsa.gov/ia
Center for High Assurance Computing Systems
(CHACS), Information Technology
Division, Naval Research Laboratory
http://www.nrl.navy.mil/chacs
Defense Information Systems Agency
(DISA), Information Assurance Support
Environment (IASE), The DOD IA Portal
http://iase.disa.mil

Department of Defense
www.defenselink.mil
Department of Defense Information
Assurance Working Groups
http://iase.disa.mil/ia-working-groups.html
U.S. Marine Corps C4II Information
Assurance Division
The Information Assurance Technology
Analysis Center (IATAC), Defense Technical
Information Center (DTIC), Defense
Information Systems Agency (DISA)
http://iac.dtic.mil/iatac
EXECUTIVE OFFICE OF THE PRESIDENT
Homeland Security Information
www.whitehouse.gov/issues/homeland-security
National Commission on Terrorist Attacks
Upon the United States
www.9-11commission.gov
Office of Management and Budget
Guidance on FISMA
www.whitehouse.gov/omb/memoranda/
m03-19.pdf
U.S. DEPARTMENT OF ENERGY
Offi ce of the CIO, CyberSecurity Page
http://cio.energy.gov/cybersecurity.htm
Information Security Resource Center
(ISRC), Pacific Northwest, National
Laboratory (PNNL)
National Nuclear Security Administration
www.nnsa.doe.gov
U.S. DEPARTMENT OF
HOMELAND SECURITY
National Strategy to Secure Cyberspace
www.dhs.gov/fi les/publications/editorial_
0329.shtm
Build Security In Home
https://buildsecurityin.us-cert.gov/daisy/
bsi/home.html
Emergency Preparedness Guidance
(Ready.gov), Specific Threats and
Responses
www.ready.gov
Homeland Security Advanced Research
Projects Agency (HSARPA)
http://www.dhs.gov/fi les/grants/scitech.shtm
Homeland Security Advisory System
www.dhs.gov/dhspublic/display?theme=29
National Infrastructure Advisory Council,
Vulnerability Disclosure Framework
www.dhs.gov/xlibrary/assets/vdwgreport.pdf
National Infrastructure Protection Plan
www.dhs.gov/dhspublic/interapp/editorial/
editorial_0827.xml
Protected Critical Infrastructure
Information (PCII) Program
http://www.dhs.gov/fi les/programs/
editorial_0404.shtm
State Homeland Security Contacts
www.dhs.gov/xgovt/editorial_0291.shtm
U.S. Department of Homeland Security
www.dhs.gov
The U.S. Computer Emergency
Readiness Team, The National
Cyber Security Response System
www.us-cert.gov
U.S. DEPARTMENT OF JUSTICE
Federal Bureau of Investigation,
Cyber Crime Portal
www.fbi.gov/about-us/investigate/cyber/cyber
Computer Crime and Intellectual Property
Section (CCIPS) of the Criminal Division,
National Computer Crime Center
www.cybercrime.gov
InfraGard, Federal Bureau of Investigation
www.infragard.net
Internet Crime Complaint Center (IC3)
www.ic3.gov
U.S. GENERAL SERVICES
ADMINISTRATION
Privacy Program
www.gsa.gov/portal/category/21419
OTHER U.S. GOVERNMENT
AGENCY RESOURCES
Biometrics.gov
www.biometrics.gov
Central Intelligence Agency
https://www.cia.gov
Committee on National Security Systems
www.cnss.gov
Federal Chief Information Officers Council
www.cio.gov
Federal Trade Commission, FTC Identity
Theft Guidelines
www.consumer.gov/idtheft
Federal Trade Commission, Online
Security-Related Resources
www.onguardonline.gov
U.S. General Services Administration
Information Security Program
www.gsa.gov/portal/content/104257
Interagency OPSEC Support Staff
www.ioss.gov
National Communications System
www.ncs.gov
National Coordinating Center for
Telecommunications (NCC)
www.ncs.gov/ncc
National Science Foundation, Digital
Government Research Program
www.digitalgovernment.org
National Science Foundation, Office of
Cyberinfrastructure (OCI)
www.nsf.gov/div/index.jsp?div=OCI
Office of the Director of National
Intelligence
www.dni.gov
Office of the National Counterintelligence
Executive (ONCIX)
ASIA-PACIFIC
State Information Center
www.sic.gov.cn
Commerce, Industry and Technology
Bureau, Anti-Spam
www.antispam.gov.hk
Commerce and Industry Branch
Intellectual Property Protection
www.citb.gov.hk/cib/ehtml/intell.html
Department of Justice
Bilingual Laws Information System
www.legislation.gov.hk
Other U.S. Government Agency Resources
Office of Personnel Management, Scholarship
for Service, Cyber Corps-Defending
America’s Cyberspace
www.sfs.opm.gov
Other U.S. Government Agency Resources
OnGuard Online
http://onguardonline.gov/index.html
Attorney-General’s Department
Crime Prevention
www.ag.gov.au/agd/WWW/ncphome.nsf/
Page/Information_Kits
Australian Federal Police
Australian High Tech Crime Centre
www.afp.gov.au/policing/e-crime.aspx
Australian Government Information
Management Office (AGIMO)
www.agimo.gov.au/infrastructure
Australian National Audit Office
www.anao.gov.au
Australian National Security
www.ag.gov.au/agd/www/NationalSecurity.nsf
Department of Defence
Information Security Page, Defence Signals
Directorate www.dsd.gov.au/infosec/index.htm#
Department of Defence
Cyber Security Operations Centre, Defence
Signals Directorate
www.dsd.gov.au/infosec/csoc.htm
Department of Finance and Administration
www.fi nance.gov.au
Department of Foreign Affairs and Trade
www.dfat.gov.au
National Archives of Australia
www.naa.gov.au
The Office of the Federal Privacy
Commissioner
www.privacy.gov.au
OnSecure
Online Security Resources and Incident Reporting
System for Australian Government Agencies
www.onsecure.gov.au
Protective Security Coordination Centre
http://www.ag.gov.au/www/agd/agd.nsf/
Page/Securitytraining_PSCCTrainingCentre
China Information Technology Security
Certification Center
www.itsec.gov.cn/webportal/portal.po
The Ministry of Industry and Information
Technology of the People’s Republic of
China
www.mii.gov.cn
The Ministry of Public Security of the
People’s Republic of China
www.mps.gov.cn
National Information Security Standard
Technical Committee (China)
www.tc260.org.cn
Standardization Administration of China
www.sac.gov.cn
State Council of the People’s Republic of
China
China Legislative Information Network System
http://english.people.com.cn/data/organs/
statecouncil.shtml
Digital 21 Strategy
www.info.gov.hk/digital21
Hong Kong Monetary Authority
www.info.gov.hk/hkma/index.htm
The Independent Commission Against
Corruption (ICAC)
Corruption Prevention Department,
Information Systems Security Checklist
www.icac.org.hk
Office of Government Chief Information
Officer
www.ogcio.gov.hk
Security Bureau
www.sb.gov.hk
Security Bureau
Hong Kong Police Force, Commercial Crime
Bureau-Technology Crime Division
www.info.gov.hk/police/hkp-home/english/tcd
Government PKI
Independent Administrative Agency
National Institute of Advanced Industrial
Science and Technology- SecureIT
http://www.aist.go.jp/index_en.html
ISSUE NUMBER 16 INFOSECURITY PROFESSIONAL 25

National Institute of Information and
Communications Technology
http://www.nict.go.jp/index.html
National Institute of Technology and
Evaluation, International Accreditation Japan
http://www.iajapan.nite.go.jp/iajapan/en/
index.html
Office of IT Security Policy
www.meti.go.jp/policy/netsecurity/index.html
Agency for Defense Development (Korea)
www.add.re.kr
Cyber Terror Response Center (CTRC)
www.ctrc.go.kr
Defense Security Command
www.dsc.or.kr
Korean National Police Agency (KNPA)
www.police.go.kr/eng
Ministry of Government Administration
and Home Affairs, National Emergency
Management Agency (NEMA)
www.nema.go.kr/eng
Ministry of National Defense
www.mnd.go.kr
Ministry of Science, Technology and
Innovation
www.mosti.gov.my
Ministry of Science, Technology and
Innovation, CyberSecurity Malaysia
(formerly known as NISER)
www.cybersecurity.org.my/en
Prime Minister’s Department
Chief Government Security Offi ce
www.cgso.jpm.my
Centre for Critical Infrastructure Protection
www.ccip.govt.nz
The Department of Internal Affairs
Internet Safety
www.dia.govt.nz/diawebsite.nsf
Government Communications Security
Bureau
www.gcsb.govt.nz
New Zealand Customs Service
www.customs.govt.nz
New Zealand Police, eCrime Lab
www.police.govt.nz/ecrime
The Privacy Commissioner
www.privacy.org.nz
Trust and Security
www.e.govt.nz/policy/trust-security
National Computer Center
www.ncc.gov.ph
Philippines National Police, Computer Crimes
www.pnp.gov.ph
Agency for Science, Technology and
Research (A*STAR)
Institute for Infocomm Research, Cryptography
& Security Department (CAS)
www.i2r.a-star.edu.sg/icsd
Centre for Strategic Infocomm Technologies
www.csit.gov.sg
Defence and Security eCitizen
http://ds.ecitizen.gov.sg
Defence Science and Technology Agency
(DSTA)
www.dsta.gov.sg
Defence Science Organisation National
Laboratories (DSO)
www.dso.org.sg
Infocomm Development Authority (IDA)
www.ida.gov.sg
Intellectual Property Office of Singapore
(IPOS)
www.ipos.gov.sg
26 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
Internal Security Department
Information Security Department
www.mha.gov.sg/isd/is.htm
Ministry of Home Affairs
www.mha.gov.sg/index.aspx
Ministry of Information, Communications
and the Arts (MICA)
www.mica.gov.sg
Singapore Police Force (SPF)
www.spf.gov.sg
EUROPE, MIDDLE EAST, AFRICA
Ministry of Science, Technology and
Innovation
http://vtu.dk/
CERTA
www.certa.ssi.gouv.fr
Serveur thématique sur la sécurité des
systèmes d’information
www.ssi.gouv.fr/fr/index.html
BSI-Bundesamt für Sicherheit in der
Informationstechnik
(Federal Offi ce for Information Security)
www.bsi.de
Bundesministerium für Bildung und
Forschung, IT-Sicherheit
www.bmbf.de/de/73.php
Bund.de IT-Sicherheit
www.bund.de
Data Protection Commissioner
www.dataprotection.ie
National Centre for Technology in Education
www.ncte.ie
Centro Nazionale per I’Informatica nella
Pubblica Amministrazione (CNIPA)
www.cnipa.gov.it
Garante per la Protezione dei Dati Personali
www.garanteprivacy.it
Istituto Superiore delle Comunicazioni
e delle Tecnologie dell’Informazione
(ISCOM)
www.isticom.it
Ministero delle Comunicazione
www.comunicazioni.it
Ministro per le Riforme e le Innovazioni
nella P.A.
www.innovazione.gov.it
National Information Technology
Development Agency (NITDA)
www.nitda.gov.ng
Federal Security Service
www.fsb.ru
State Information Technology Agency
www.sita.co.za
Centre for the Protection of National
Infrastructure (CPNI)
www.cpni.gov.uk
Centre for the Protection of National
Infrastructure (CPNI)
Warning, Advice and Reporting Point (WARP)
www.warp.gov.uk
Information Commissioner’s Office
www.informationcommissioner.gov.uk
The Information Warfare Site
Computer and Information Security
www.iwar.org.uk/comsec/index.htm
Publications
The professional publications included in this section focus on current and emerging
information security trends, tools and leadership, as well as the overall information
security and technology markets. Listings include the print and online editions, a well
as newsletters and professional journals. Collectively, these media resources provide
a wealth of information about information security issues, strategies, case studies
and technologies.
NORTH AND SOUTH AMERICA
(IN)SECURE Magazine
http://www.net-security.org/insecuremag.php
(ISC)² Journal
www.isc2.org/journal
Access Control and Security Systems
www.securitysolutions.com
ACM Transactions on Computer Systems
www.acm.org/tocs
ACM Transactions on Information and
System Security (TISSEC)
www.acm.org/pubs/tissec
ACM Transactions on Information Systems
www.acm.org/pubs/tois
b:Secure
Information Security News Website
www.bsecure.com.mx
Baguete
IT News Website
www.baguete.com.br
Biometric Digest
www.biodigest.com
Biometric Technology Today
http://www.elsevierscitech.com/nl/btt/
home.asp
Biometrics
A Journal of the International Biometric Society
http://www.biometrics.tibs.org
Canadian Security Magazine
www.canadiansecuritymag.com
CIO (Brazil)
Magazine and Website for IT and IS Managers
http://cio.uol.com.br
CIO Canada
http://www.itworldcanada.com/publication/cio
CIO Insight
www.cioinsight.com
CIO Magazine
www.cio.com
Cipher
Electronic Newsletter of the Technical
Committee on Security and Privacy, IEEE
www.ieee-security.org/cipher.html
CLEI Electronic Journal
[Latin American Center for Informatics Studies]
www.clei.cl/cleiej
CM Bulletin
[Published by National Classifi cation
Management Society]
www.classmgmt.com/publications

Communications and Networking
www.itbusiness.ca/it/client/en/Comm_
Network/Home.asp
Computer Fraud and Security
http://www.elsevierscitech.com/nl/cfs/
home.asp
Computer Law and Security Review
www.elsevier.com/locate/clsr
Computer Security Alert
[For CSI Members only]
www.gocsi.com
Computer World
IT Technical Magazine and Website
http://computerworld.uol.com.br
Computers and Security
www.elsevier.com/locate/cose
ComputerUser.com
www.computeruser.com
ComputerWorld
www.computerworld.com
ComputerWorld Canada
http://www.itworldcanada.com/publication/
computerworld
Computing Canada
www.itbusiness.ca/it/client/en/
ComputerCanada/Home.asp
Contingency Planning and Recovery
Journal (CPR-J)
www.masp.com/publications/CPR-J.html
Crypto-Gram
www.counterpane.com/crypto-gram.html
Cryptologia
www.dean.usma.edu/math/pubs/cryptologia
CSO Magazine
www.csoonline.com
Decision and Risk Report
IT, IS and Management Magazines and Websites
http://www.decisionreport.com.br/publique/
cgi/cgilua.exe/sys/start.htm?tpl=home
Disaster Recovery Journal
www.drj.com
Edge
www.itbusiness.ca/it/client/en/EDGE/
Home.asp
EDP Audit, Control and Security (EDPACS)
www.auerbach-publications.com/ejournals/
product_info/product_detail.asp?id=146
Evidencia Digital Magazine
www.guiatecnico.com.br/EvidenciaDigital
eWeek
www.eweek.com
Federal Computer Week
www.fcw.com
Federal Times
www.federaltimes.com
Government Computer News
www.gcn.com
Government Executive
www.govexec.com
Government Security News
www.gsnmagazine.com
Government Technology
http://www.govtech.com
Homeland Defense Journal
http://homelanddefense.epubxpress.com
HSToday Magazine
www.HSToday.us
IEEE Communications Society
www.comsoc.org
IEEE Computer Society
www.computer.org/computer
IEEE Internet Computing
www.computer.org/internet
IEEE Security & Privacy
www.computer.org/security
Information Management and Computer
Security
www.emeraldinsight.com/imcs.htm
Information Security
http://searchsecurity.techtarget.com
Information Security Management
Handbook
2009 CD-ROM Edition
http://www.crcpress.com/product/
isbn/9781420090987
Information Security Technical Report
http://www.elsevier.com/wps/fi nd/journal
description.cws_home/31185/description
Information Security Today
www.infosectoday.com
Information Technology Argentina
IT News Website
http://www.infotechnology.com/interior/
index.php
Information Week
www.informationweek.com
Information Week Brasil
IT and IS News Website
www.informationweek.com.br
Information Week Chile
IT News Website and Magazine
www.infoweek.biz/la
Information Week México
IT and IS News Website
www.informationweek.com.mx
Infosecurity Magazine Online
www.infosecurity-magazine.com
InfoSecurity Professional
[for (ISC) 2 Members Only]
www.isc2.org/infosecurity_professional/
default.aspx
InfoWorld
www.infoworld.com
International Journal of Information
Technology and Decision Making
www.worldscinet.com/ijitdm/ijitdm.shtml
ISACA Journal
Bimonthly
www.isaca.org
ISSA Journal
www.issa.org/current-ij-toc.html
IT Business Report
www.itbusiness.ca/it/client/en/
BusinessReport/Home.asp
IT Web
Information Technology News Website
www.itweb.com.br
ITworld.com
www.itworld.com
Journal of Cryptology
www.iacr.org/jofc/jofc.html
Journal of Information Technology
www.palgrave-journals.com/jit
Journal of Information, Law & Technology
http://elj.warwick.ac.uk/jilt
Journal of Management Information
Systems
http://www.jmis-web.org
Linux Magazine
IT magazine for professionals
http://www.linuxmagazine.com.br/
LinuxSecurity.com
www.linuxsecurity.com
Magazine Scitum
IT and IS Online Magazine
www.magazcitum.com.mx
National Defense
www.nationaldefensemagazine.org
Network Computing
www.networkcomputing.com
Network Security
http://www.elsevierscitech.com/nl/ns/
home.asp
Network World
www.networkworld.com
NetworkWorld Canada
NewsFactor Magazine Online
www.newsfactor.com
PC Magazine
www.pcmag.com
PCWorld
www.pcworld.com
Privacy and Security Law Report
www.bna.com/products/corplaw/pvln.htm
Privacy Journal
www.privacyjournal.net
Public CIO
www.public-cio.com
Revista Gerencia
IT News Magazine and Website for Managers
www.gerencia.cl
Revista IT Now
IT and IS News Magazine and Website
http://www.revistaitnow.com
Revista Security
SC Magazine
www.scmagazine.com
Secure Enterprise
http://www.networkcomputing.com/se/
SecureID News
www.secureidnews.com
Security
www.securitymagazine.com
Security Director News
www.securitydirectornews.com
Security Management
www.securitymanagement.com
Security News Portal
www.securitynewsportal.com
Security Port Newsletters
www.security-port.com/securitynewsletters.htm
Security Products and Technology News
www.sptnews.ca
SecurityInfoWatch.com
www.securityinfowatch.com
SIAM Journal on Computing
www.siam.org/journals/sicomp.php
Technology in Government
www.itbusiness.ca/it/client/en/TechGovernment/Home.asp
TechWeb: The Business Technology
Network
www.techweb.com
The IAPP Privacy Advisor
The Monthly Newsletter for Global Data
Protection Professionals
https://www.privacyassociation.org/
publications/privacy_advisor
The IAPP Privacy Tracker
A Suite of Publications for Tracking U.S. and
State Privacy Legislation
www.privacytracker.org
The Journal of Computer Security
http://jcs.stanford.edu
ISSUE NUMBER 16 INFOSECURITY PROFESSIONAL 27

Virus Bulletin
www.virusbtn.com
Windows IT Pro
www.winnetmag.com/WindowsSecurity
WServer News
www.wservernews.com
ZDNet: Tech News and White Papers
for IT Professionals
www.zdnet.com
ASIA-PACIFIC
BenefIT (India)
www.benefi tmag.com
Boannews
www.boannews.com
China Computerworld
www.ccw.com.cn
China Information Security
www.cismag.com.cn
China Network World
www.cnw.com.cn/security
CIO Asia
www.mis-asia.com/magazines/cio_asia
CIO Australia
www.cio.com.au
CIO Government Australia
www.cio.com.au/index.php/secid;21
CIO Japan
www.ciojp.com
CIO New Zealand
http://cio.co.nz
CNET Taiwan
http://taiwan.cnet.com/enterprise
Computerworld Australia
www.computerworld.com.au
Computerworld Hong Kong
www.cw.com.hk
Computerworld Japan
www.computerworld.jp
Computerworld Malaysia
www.mis-asia.com/magazines/
computerworld_malaysia
Computerworld Philippines
www.computerworld.com.ph
Computerworld Singapore
www.mis-asia.com/magazines/
computerworld_singapore
CSO (Australia)
www.csoonline.com.au
CSO InfoSec Magazine (China)
http://cso.ccw.com.cn
Dataquest (India)
www.dqindia.com
DigitalDaily
http://www.ddaily.co.kr/main/index.php
DigiTimes (Taiwan)
www.digitimes.com.tw
Electronics For You (India)
www.efymag.com
Express Computer (India)
www.express-computer.com
Information Age (Australia)
www.infoage.idg.com.au
Information Security Magazine (Taiwan)
www.informationsecurity.com.tw
Information Technology Magazine (India)
www.itmagz.com
28 INFOSECURITY PROFESSIONAL ISSUE NUMBER 16
Information Week China
www.informationweek.com.cn
IT Daily (Korea)
www.itdaily.kr
IT Home Online (Taiwan)
www.ithome.com.tw
MIS Asia
www.mis-asia.com
NetWork & Computer Security (China)
www.nsc.org.cn
Network Computing India
Network Magazine India
www.networkmagazineindia.com
Network Times (Korea)
www.datanet.co.kr
Nikkei BP Government Technology
http://bpstore.nikkeibp.co.jp/mag/ngt.html
Nikkei Communications
http://itpro.nikkeibp.co.jp/NCC/index.html
Nikkei Computer
http://itpro.nikkeibp.co.jp/NC/index.html
Nikkei IT Professional
http://itpro.nikkeibp.co.jp/NIP/index.html
Nikkei Network
http://itpro.nikkeibp.co.jp/NNW/index.html
Nikkei Software
http://itpro.nikkeibp.co.jp/NSW/index.html
Nikkei Solution Business
http://itpro.nikkeibp.co.jp/WAT/index.html
Nikkei System Kouchiku
http://itpro.nikkeibp.co.jp/SYS/index.html
PC Quest (India)
www.pcquest.com
PC World Australia
www.pcworld.idg.com.au
PC World China
www.pcworld.com.cn
PC World New Zealand
http://pcworld.co.nz
PC World Philippines
www.pcworld.com.ph
PC World Vietnam
www.pcworld.com.vn
SC Magazine Australia
www.securecomputing.net.au
Security World Magazine
www.securityworldmag.co.kr
ZDNet Asia
http://www.zdnetasia.com
ZDNet Australia
www.zdnet.com.au
ZDNet China
www.zdnet.com.cn
ZDNet Korea
www.zdnet.co.kr
EUROPE, MIDDLE EAST, AFRICA
Biometric Technology Today
www.biometrics-today.com
BugTraq
http://bugtraq.ru
ComOn
www.comon.dk
Computerworld Denmark
www.computerworld.dk
Computerworld Romania
www.computerworld.ro
Digital Investigation
The International Journal of Digital
Forensics & Incident Response
www.elsevier.com/wps/fi nd/journaldescription.
cws_home/702130/description#description
Direction Informatique
Government Business
www.governmentbusinessuk.com
Government Technology
http://www.governmenttechnology.co.uk
heise online
www.heise.de
ICT Security
www.tecnaeditrice.com
Information Security Bulletin
www.chi-publishing.com
InformationSecurity
www.itsec.ru
Infosecurity
www.infosecurity-magazine.com
InfoWeek Online
www.infoweek.ch
IT SecCity
www.itseccity.de/index.html
it-daily
http://www.it-daily.net
IT-Sicherheit
www.datakontext-press.de/it-sicherheit/
sich_hauptframe.htm
ITviikko
www.itviikko.fi
ITWeb Brainstorm
www.brainstormmag.co.za
iTWeb-The Technology News Site
iWeek
www.iweek.co.za
kes online
www.kes.info/index.html
La revue Sécurité Informatique
Les Nouvelles.net
www.lesnouvelles.net/index.html
Mag.Securs
www.mag-securs.com
Market Watch
www.marketwatch.ro
Network Security
www.elsevier.com/wps/product/
cws_home/30358
Réseaux-Télécoms
www.reseaux-telecoms.com/CSO
Search Security
www.searchsecurity.de
Security Lab (by Positive Technologies)
www.securitylab.ru
SecurityManager.de
www.securitymanager.de
SiC-Seguridad en Inform·tica y
Comunicaciones
www.revistasic.com
The Information Security Journal
www.kes.info
ZATAZ Magazine
www.zataz.com

Slam the door on would-be attackers by
learning best practices for securing each phase
of the software lifecycle. Watch these 10-15
minute webcasts, which will show you what
security measures need to take place at the
beginning in the requirements phase, how security
must be built in the design phase, and how to test
if the application is resilient enough to withstand
attacks in the testing phase.
Is your software
open to attacks?
FREE
CSSLP ®
Webcast Series:
Securing each phase
of the SDLC
www.isc2.org/csslppreview.aspx
Also, this series will feature a webcast on the value
of the CSSLP and how to study for the exam. Connect with us:
www.isc2intersec.com
www.twitter.com/isc2
www.facebook.com/csslp

Want to be the best at what you do?
Just Concentrate.
Take your career to the next level with a CISSP ® Concentration.
CISSPs with two years of professional experience in one of the
functional areas of architecture, engineering or management
may seek a CISSP Concentration to open up new opportunities
for them, including more demanding roles in larger enterprises,
more education opportunities and specialized certifications to
recognize their talents. Consider continuing your career path
with a CISSP-ISSAP, ® CISSP-ISSEP ® or CISSP-ISSMP ® .
Visit www.isc2.org/concentrations for more information.
Connect with us!
www.isc2intersec.com
https://twitter.com/isc2
www.facebook.com/isc2fb