THE MAGAZINE

How to Avoid Hiring Hazards
February 2005
COVER STORY

Privacy

Malaysia and Japan use video surveillance to oversee public places. Italy uses the technology to monitor transportation. And Germany uses it to collect tolls. That's just a small sample of countries adopting public-area surveillance, notes an annual report by watchdog group Privacy International. SM Online takes you to the report.

FEATURES

20-20 Spy Sight

By Marta Roberts

Will intelligence reform help spies see terror threats before it's too late?

Safe and Secure

Chemical companies are leading the way in integrating safety and security functions to achieve synergies.

PRINT EDITION ONLY

The Best Laid Plans

By Michael Stroberger, CPP

The best laid emergency plans can go awry if they fail to incorporate certain critical steps and principles.

Who's the Safest Bet for the Job?

By Douglas E. Haaland

Find out why the fun guy in the next cubicle may be the next accident waiting to happen.

Adapting to Automated Fraud

By Elazar Katz

Fraudsters are using technology to automate the fraud process, and financial institutions must prepare for these challenges.

Legal Reporter

By Teresa Anderson

A court considers a company's ban on facial piercing. Also, new rules clarify cargo and port security issues, and Maryland and Florida pass security legislation.

Jargon Watch: Systems integration

By Michael A. Gips

The systems integration process refers to bringing together subsystems such as CCTV, access control, time and attendance, and intrusion detection in a way in which data is captured only once and is stored in a central repository accessible to all the subsystems.

Jargon Watch: Shrinkage

By Michael A. Gips

The difference, in inventory, between what a retailer's records indicate should be in a store, a distribution center, or the entire inventory system, and what is actually located in physical counting or through sampling and estimations.

Terrorists in the Driver's Seat?

By Michael A. Gips

Included in the intelligence-reform law is a provision that requires standardization of driver's licenses, including security features. But a final rule to propose the new standards won't be issued until 18 months from the date the bill became law, or June 2006.

Managing Marginal Workers

By Vincent C. Wincelowicz

Some employees just try to skate by. Here's how to reenergize them and make them more productive.

EDITOR'S NOTE

Sweetheart Deal

By Sherry L. Harowitz

Please take ten minutes to fill out the 24-question survey, by going to www.securitymanagement.com and clicking on the Salary Survey icon. (Members who have given their e-mail address to ASIS may have already received an e-mail with this link.) All information submitted is confidential. Results are only reported in the aggregate of industries and regions. The deadline for responses is February 28.

TECHNOFILE

New in Plaintext

By Peter Piazza

Despite its title, Cyber Terrorism: A Guide for Facility Managers is not about terrorism at all. Instead, it is a somewhat dated primer on how computers and networks function and how to create business continuity and recovery plans that take these high-tech backbones into consideration.

DHS Cybersecurity

The Department of Homeland Security (DHS) has made many improvements in its information security program, according to the agency's Inspector General (IG). However, he notes in a new report that the agency still lacks "an accurate and complete system inventory."

Quick Bytes: DVD deterioration

By Peter Piazza

CDs and DVDs give businesses a space-saving way to archive data and an easy way to retrieve it. But what standards must these media storage formats meet? The Government Information Preservation Working Group, made up of experts from the National Institute of Standards and Technology (NIST) and the DVD Association, is devising requirements for archival-quality CD and DVD media and making specifications for meeting these requirements. NIST is also developing a test for media manufacturers to determine whether their products meet these criteria.

@ Link to the project and a research paper from NIST via SM Online.

Spyware Bill Reintroduced

By Peter Piazza

Rep. Mary Bono (R-CA) has reintroduced a bill that would require that consumers receive "a clear and conspicuous notice" prior to software being loaded onto their computers. H.R. 29, titled the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), is cosponsored by lawmakers from both sides of the aisle. It was first introduced in 2004 and passed the House in October. However, the bill was not passed by the Senate before the end of the 108th Congress.

A Site to See

By Peter Piazza

rather than the factual elements of an anecdote. How to separate the truthful from the fanciful? Noted IT security guru Mich Kabay, associate professor of information assurance at Norwich University, has created a database of more than 5,000 "interesting or significant events" related to IT security going back to 1995. The events, cataloged both in PDF format and MS Access, are classified using a taxonomy of hundreds of keywords on topics ranging from identity theft to virus hoaxes.

You'll probably find the perfect IT story to illustrate your next presentation. @ Just point your browser to SM Online to link to the database, this month's A Site to See.

Worth a Look

By Peter Piazza

The problem is that reusable passwords do not provide true security. Biometrics offers a more secure option, and new products are making it a more viable one as well. For example, Silex Technology, Inc., recently released its Combo-Mini, a small plastic device that connects to a computer's USB port. The three-inch-long Mini features a sliding plastic cover over a small fingerprint sensor. The system software comes on a CD and installs in about ten minutes; a USB extension cable is included in the package.

Quick Bytes: Government-eye view.

By Peter Piazza

Government IT managers spend three hours each day completing information security compliance reports, according to research from Intelligent Decisions, a systems integrator that interviewed more than two dozen government security professionals. But patch management tops their list of concerns. @ More from Federal Information Security Officer Survey Results is at SM Online.

Financial Firms Face Infosec Perils

By Peter Piazza

A British financial services firm discovered that a fake Web site bearing its name had been set up, presumably to "phish" for customer passwords and account information. Unfortunately, it took ten days before the firm could find a way to have the site taken down. (They ultimately went to the U.S. Secret Service for help in getting the American Internet service provider to take down the site.)

Cyberpros on the March

By Peter Piazza

The number of security professionals will nearly double, rising to 2.1 million by 2008, predicts the International Information Systems Security Certification Consortium, or (ISC)². The rate of growth will vary by region, however, according to the group's Global Information Security Workforce Study. For example, growth of about 12 percent annually is anticipated in the Americas, while growth of about 18.3 percent is expected in the Asia/Pacific region.

Keystroke Loggers Catch a Break

By Peter Piazza

Key logging gets its day in court, a portable fingerprint device protects corporate networks, the rising tide of infosec professionals, plus more.

Quick Bytes: Spam, phishing stats

By Peter Piazza

According to statistics released by MessageLabs, a managed e-mail security services provider that scans e-mail for its clients, 73.2 percent of the messages it scanned in 2004 were spam. Of the 147 billion e-mails it scanned, it found that 1 in 16 contained a virus (MyDoom ranked first). And more than 18 million phishing e-mails were intercepted, from a low of 337,050 in January to 4,522,495 in November, jumping nearly tenfold between June and July.

@ MessageLabs Intelligence Annual E-mail Security Report 2004 is available through SM Online.

Open Debate on Open Source

By Peter Piazza

What are the benefits of using free and open-source software (FOSS) rather than a proprietary software product? And what are the risks? These questions are examined by the Federal Deposit Insurance Corporation (FDIC) in a guidance letter to financial institutions.

INDUSTRY NEWS

Industry Focus

ASIS offers Global Terror Conference in Arlington, Virginia, in March, European conference in Copenhagen, Denmark, in April.

CASE STUDY

Problems Passé in Passaic Valley

By Marta Roberts

Stickers that say, "Hello my name is..." may be fine for modern mingling. They are not, however, a firm framework for access control. But for the guards at the Passaic Valley Water Commission, in Northeast, New Jersey, such stickers had become a quick and easy option for registering the more than 50 visitors and temporary contractors entering the treatment facility on a daily basis.

GPS Tracks Journey

By Marta Roberts

When Journey Security Services security guards witnessed a car accident while on patrol, they didn't have time to verify their coordinates and call 911. Instead the guards made a phone call to their supervisor, who tracked their precise location in seconds using the GPS tracking device in one guard's cell phone. The supervisor was able to call for an ambulance while the guards focused on helping the victims.

BOOK REVIEWS

The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, Second Edition.

By Ben Rothke, CISSP

In June 2004, the International Organization for Standardization (known as the ISO) granted certification in the area of information security for the Certified Information Systems Security Professional (CISSP) designation. With ISO certification, the CISSP is gaining in prominence, making The CISSP Prep Guide a timely and informative resource.

The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program.

By David O. Best, CPP, CBM

Regardless of where you are in the security hierarchy, this is the definitive text for learning what it takes to be an effective information systems security officer (ISSO). The book paints an excellent portrait of an ISSO's duties, challenges, and working environments. It includes everything from how to handle new technologies and threats to how to perform information-security duties in a national-security environment.

The Terrorist Recognition Handbook.

By Derek Knights, CPP, CISSP

The book contains 18 chapters sectioned into four parts: Know the Terrorist, Identifying Cells, Detection of Activities, and Predicting Attacks. When the author discusses the detection of terrorist cells and activities, he is at his best. He explores surveillance, supply chains, cell integration and dis-integration, and various other pertinent topics, both from a high-level intel perspective and a street-level cop-on-the-beat viewpoint.

Smoking Guns and Paper Trails: How Your Words and Actions in the Workplace Backfire: What You Need to Know to Protect Yourself

By Kevin Cassidy

Along the book's 12 chapters, Tapper offers 126 "tips." They include ideas on protecting companies from internal fraud, external fraud, opposing attorneys, and disgruntled employees. One emphasis is on having a document-retention policy, which establishes a holding period for different kinds of information and requires the removal of outdated notes and related materials to eliminate paper trails.

Advanced Surveillance

By Pat Klootwyk, CPP,

This title, Advanced Surveillance, is for private investigators and others whose primary focus is conducting surveillance. Author Peter Jenkins clearly knows his subject well and offers a broad range of information about the topic. While word usage and spelling are obviously British, the issues Jenkins raises, including the difficulties and frustrations of surveillance, are universal.

Beyond Print

See all the latest links and resources that supplement the current issue of Security Management magazine.