Information Security Management Handbook, Harold F. Tipton and Micki Krause (editors). ISBN 9780849374951, 9781439833032, 0849374952, 1439833036

AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.
Table of Contents

Introduction . . . xxiii
Editors . . . xxv
Contributors . . . xxvii

1 INFORMATION SECURITY AND RISK MANAGEMENT . . . 1

Section 1.1 Security Management Concepts and Principles

1 Bits to Bytes to Boardroom (Micki Krause) . . . 9
2 Information Security Governance (Todd Fitzgerald) . . . 15
3 Corporate Governance (David C. Krehnke) . . . 35
4 IT Governance Institute (ITGI) Overview (Mollie E. Krehnke) . . . 45
5 Top Management Support Essential for Effective Information Security (Kenneth J. Knapp and Thomas E. Marshall) . . . 51
6 Managing Security by the Standards: An Overview and Primer (Bonnie A. Goins) . . . 59
7 Information Security for Mergers and Acquisitions (Craig A. Schiller) . . . 67
8 Information Security Governance (Ralph Spencer Poore) . . . 89
9 Belts and Suspenders: Diversity in Information Technology Security (Jeffrey Davis) . . . 95
10 Building Management Commitment through Security Councils, or Security Council Critical Success Factors (Todd Fitzgerald) . . . 105
11 Validating Your Business Partners (Jeff Misrahi) . . . 123
12 Measuring ROI on Security (Carl F. Endorf) . . . 133
13 The Human Side of Information Security (Kevin Henry) . . . 139
14 Security Management (Ken Buszta) . . . 155
15 It Is All about Control (Chris Hare) . . . 165

Section 1.2 Change Control Management

16 Patch Management 101: It Just Makes Good Sense! (Lynda L. McGhie) . . . 179
17 Security Patch Management: The Process (Felicia M. Nicastro) . . . 185
18 Configuration Management: Charting the Course for the Organization (Mollie E. Krehnke and David C. Krehnke) . . . 201

Section 1.3 Data Classification

19 Information Classification: A Corporate Implementation Guide (Jim Appleyard) . . . 221
20 Ownership and Custody of Data (William Hugh Murray) . . . 233

Section 1.4 Risk Management

21 Information Security Risk Assessment (Samantha Thomas Cruz) . . . 243
22 Developing and Conducting a Security Test and Evaluation (Sean M. Price) . . . 251
23 Enterprise Security Management Program (George G. McBride) . . . 261
24 Technology Convergence and Security: A Simplified Risk Management Model (Ken M. Shaurette) . . . 271
25 The Role of Information Security in the Enterprise Risk Management Structure (Carl B. Jackson and Mark Carey) . . . 281
26 A Matter of Trust (Ray Kaplan) . . . 295
27 Trust Governance in a Web Services World (Daniel D. Houser) . . . 311
28 Risk Management and Analysis (Kevin Henry) . . . 321
29 New Trends in Information Risk Management (Brett Regan Young) . . . 331
30 Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security (Carol A. Siegel, Ty R. Sagalow, and Paul Serritella) . . . 339

Section 1.5 Policies, Standards, Procedures and Guidelines

31 Committee of Sponsoring Organizations (COSO) (Mignona Cote) . . . 355
32 Toward Enforcing Security Policy: Encouraging Personal Accountability for Corporate Information Security Policy (John O. Wylder) . . . 367
33 The Security Policy Life Cycle: Functions and Responsibilities (Patrick D. Howard) . . . 377
34 People, Processes, and Technology: A Winning Combination (Felicia M. Nicastro) . . . 389
35 Building an Effective Privacy Program (Rebecca Herold) . . . 401
36 Establishing an E-Mail Retention Policy: Preventing Potential Legal Nightmares (Stephen D. Fried) . . . 415
37 Ten Steps to Effective Web-Based Security Policy Development and Distribution (Todd Fitzgerald) . . . 427
38 Roles and Responsibilities of the Information Systems Security Officer (Carl Burney) . . . 443
39 Organizing for Success: Some Human Resources Issues in Information Security (Jeffrey H. Fenton and James M. Wolfe) . . . 451
40 Information Security Policies from the Ground Up (Brian Shorten) . . . 465
41 Policy Development (Chris Hare) . . . 475
42 Training Your Employees to Identify Potential Fraud and How to Encourage Them to Come Forward (Rebecca Herold) . . . 499

Section 1.6 Security Awareness Training

43 Change That Attitude: The ABCs of a Persuasive Security Awareness Program (Samuel W. Chun) . . . 521
44 Maintaining Management’s Commitment (William Tompkins) . . . 531
45 Making Security Awareness Happen (Susan D. Hansche) . . . 541
46 Beyond Information Security Awareness Training: It Is Time To Change the Culture (Stan Stahl) . . . 555

Section 1.7 Security Management Planning

47 Overview of an IT Corporate Security Organization (Jeffrey Davis) . . . 567
48 Make Security Part of Your Company’s DNA (Ken M. Shaurette) . . . 579
49 Building an Effective and Winning Security Team (Lynda L. McGhie) . . . 591
50 When Trust Goes Beyond the Border: Moving Your Development Work Offshore (Stephen D. Fried) . . . 607
51 Maintaining Information Security during Downsizing (Thomas J. Bray) . . . 619
52 The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products (Sanford Sherizen) . . . 625
53 How to Work with a Managed Security Service Provider (Laurie Hill McQuillan) . . . 631
54 Considerations for Outsourcing Security (Michael J. Corby) . . . 643
55 The Ethical and Legal Concerns of Spyware (Janice C. Sipior, Burke T. Ward, and Georgina R. Roselli) . . . 659

Section 1.8 Ethics

56 Ethics and the Internet (Micki Krause) . . . 673
57 Computer Ethics (Peter S. Tippett) . . . 685

2 ACCESS CONTROL . . . 697

Section 2.1 Access Control Techniques

58 A Look at RFID Security (Ben Rothke) . . . 701
59 New Emerging Information Security Technologies and Solutions (Tara Chand) . . . 707
60 Sensitive or Critical Data Access Controls (Mollie E. Krehnke and David C. Krehnke) . . . 739
61 An Introduction to Role-Based Access Control (Ian Clark) . . . 751
62 Smart Cards (James S. Tiller) . . . 765
63 A Guide to Evaluating Tokens (Joseph T. Hootman) . . . 775
64 Controlling FTP: Providing Secured Data Transfers (Chris Hare) . . . 785

Section 2.2 Access Control Administration

65 End Node Security and Network Access Management: Deciding Among Different Strategies (Franjo Majstor) . . . 803
66 Identity Management: Benefits and Challenges (Lynda L. McGhie) . . . 823
67 Blended Threat Analysis: Passwords and Policy (Daniel D. Houser) . . . 843

Section 2.3 Identification and Authentication Techniques

68 Enhancing Security through Biometric Technology (Stephen D. Fried) . . . 869
69 Single Sign-On for the Enterprise (Ross A. Leo) . . . 887

Section 2.4 Access Control Methodologies and Implementation

70 Centralized Authentication Services (RADIUS, TACACS, DIAMETER) (Bill Stackpole) . . . 909
71 An Introduction to Secure Remote Access (Christina M. Bird) . . . 923

Section 2.5 Methods of Attack

72 Hacker Tools and Techniques (Ed Skoudis) . . . 935
73 A New Breed of Hacker Tools and Defenses (Ed Skoudis) . . . 951
74 Hacker Attacks and Defenses (Ed Skoudis) . . . 965
75 Counter-Economic Espionage (Craig A. Schiller) . . . 977

Section 2.6 Monitoring and Penetration Testing

76 Insight into Intrusion Prevention Systems (Gildas Deograt-Lumy and Roy Naldo) . . . 993
77 Penetration Testing (Stephen D. Fried) . . . 1005

3 CRYPTOGRAPHY . . . 1019

Section 3.1 Use of Cryptography

78 Auditing Cryptography: Assessing System Security (Steve Stanek) . . . 1023

Section 3.2 Cryptographic Concepts, Methodologies, and Practices

79 Cryptographic Transitions (Ralph Spencer Poore) . . . 1029
80 Blind Detection of Steganographic Content in Digital Images Using Cellular Automata (Sasan Hamidi) . . . 1039
81 An Overview of Quantum Cryptography (Ben Rothke) . . . 1045
82 Elliptic Curve Cryptography: Delivering High-Performance Security for E-Commerce and Communications (Paul Lambert) . . . 1059
83 Cryptographic Key Management Concepts (Ralph Spencer Poore) . . . 1067
84 Message Authentication (James S. Tiller) . . . 1079
85 Fundamentals of Cryptography and Encryption (Ronald A. Gove) . . . 1095
86 Steganography: The Art of Hiding Messages (Mark Edmead) . . . 1115
87 An Introduction to Cryptography (Javek Ikbal) . . . 1121
88 Hash Algorithms: From Message Digests to Signatures (Keith Pasley) . . . 1141
89 A Look at the Advanced Encryption Standard (AES) (Ben Rothke) . . . 1151

Section 3.3 Private Key Algorithms

90 Principles and Applications of Cryptographic Key Management (William Hugh Murray) . . . 1159

Section 3.4 Public Key Infrastructure (PKI)

91 Preserving Public Key Hierarchy (Geoffrey C. Grabow) . . . 1175
92 PKI Registration (Alex Golod) . . . 1183

Section 3.5 System Architecture for Implementing Cryptographic Functions

93 Implementing Kerberos in Distributed Systems (Joe Kovara and Ray Kaplan) . . . 1197

Section 3.6 Methods of Attack

94 Methods of Attacking and Defending Cryptosystems (Joost Houwen) . . . 1255

4 PHYSICAL (ENVIRONMENTAL) SECURITY . . . 1271

Section 4.1 Elements of Physical Security

95 Perimeter Security (R. Scott McCoy) . . . 1275
96 Melding Physical Security and Traditional Information Systems Security (Kevin Henry) . . . 1289
97 Physical Security for Mission-Critical Facilities and Data Centers (Gerald Bowman) . . . 1293
98 Physical Security: A Foundation for Information Security (Christopher Steinke) . . . 1317
99 Physical Security: Controlled Access and Layered Defense (Bruce R. Matthews) . . . 1327
100 Computing Facility Physical Security (Alan Brusewitz) . . . 1339
101 Closed-Circuit Television and Video Surveillance (David A. Litzau) . . . 1349

Section 4.2 Technical Controls

102 Types of Information Security Controls (Harold F. Tipton) . . . 1357

Section 4.3 Environment and Life Safety

103 Workplace Violence: Event Characteristics and Prevention (George Richards) . . . 1367
104 Physical Security: The Threat after September 11, 2001 (Jaymes Williams) . . . 1373

5 SECURITY ARCHITECTURE AND DESIGN . . . 1393

Section 5.1 Principles of Computer and Network Organizations, Architectures, and Designs

105 Enterprise Assurance: A Framework Explored (Bonnie A. Goins) . . . 1397
106 Creating a Secure Architecture (Christopher A. Pilewski and Bonnie A. Goins) . . . 1403
107 Common Models for Architecting an Enterprise Security Capability (Matthew J. Decker) . . . 1413
108 The Reality of Virtual Computing (Chris Hare) . . . 1431

Section 5.2 Principles of Security Models, Architectures and Evaluation Criteria

109 Formulating an Enterprise Information Security Architecture (Mollie E. Krehnke and David C. Krehnke) . . . 1451
110 Security Architecture and Models (Foster J. Henderson and Kellina M. Craig-Henderson) . . . 1469
111 The Common Criteria for IT Security Evaluation (Debra S. Herrmann) . . . 1487

Section 5.3 Common Flaws and Security Issues: System Architecture and Design

112 Common System Design Flaws and Security Issues (William Hugh Murray) . . . 1501

6 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING . . . 1511

Section 6.1 Business Continuity Planning

113 Developing Realistic Continuity Planning Process Metrics (Carl B. Jackson) . . . 1515
114 Building Maintenance Processes for Business Continuity Plans (Ken Doughty) . . . 1529
115 Identifying Critical Business Functions (Bonnie A. Goins) . . . 1541
116 Selecting the Right Business Continuity Strategy (Ken Doughty) . . . 1549
117 Contingency Planning Best Practices and Program Maturity (Timothy R. Stacey) . . . 1557
118 Reengineering the Business Continuity Planning Process (Carl B. Jackson) . . . 1573
119 The Role of Continuity Planning in the Enterprise Risk Management Structure (Carl B. Jackson) . . . 1587

Section 6.2 Disaster Recovery Planning

120 Contingency at a Glance (Ken M. Shaurette and Thomas J. Schleppenbach) . . . 1601
121 The Business Impact Assessment Process and the Importance of Using Business Process Mapping (Carl B. Jackson) . . . 1611
122 Testing Business Continuity and Disaster Recovery Plans (James S. Mitts) . . . 1629
123 Restoration Component of Business Continuity Planning (John Dorf and Martin Johnson) . . . 1645
124 Business Resumption Planning and Disaster Recovery: A Case History (Kevin Henry) . . . 1655
125 Business Continuity Planning: A Collaborative Approach (Kevin Henry) . . . 1665

Section 6.3 Elements of Business Continuity Planning

126 The Business Impact Assessment Process (Carl B. Jackson) . . . 1675

7 TELECOMMUNICATIONS AND NETWORK SECURITY . . . 1693

Section 7.1 Communications and Network Security

127 Network Security Utilizing an Adaptable Protocol Framework (Robby Fussell) . . . 1699
128 The Five W’s and Designing a Secure, Identity-Based, Self-Defending Network (5W Network) (Samuel W. Chun) . . . 1709
129 Maintaining Network Security: Availability via Intelligent Agents (Robby Fussell) . . . 1721
130 PBX Firewalls: Closing the Back Door (William A. Yarberry, Jr.) . . . 1731
131 Network Security Overview (Bonnie A. Goins and Christopher A. Pilewski) . . . 1739
132 Putting Security in the Transport: TLS (Chris Hare) . . . 1751
133 WLAN Security Update (Franjo Majstor) . . . 1761
134 Understanding SSL (Chris Hare) . . . 1777
135 Packet Sniffers and Network Monitors (James S. Tiller and Bryan D. Fish) . . . 1791
136 Secured Connections to External Networks (Steven F. Blanding) . . . 1811
137 Security and Network Technologies (Chris Hare) . . . 1827
138 Wired and Wireless Physical Layer Security Issues (James Trulove) . . . 1847
139 Network Router Security (Steven F. Blanding) . . . 1855
140 What’s Not So Simple about SNMP? (Chris Hare) . . . 1867
141 Network and Telecommunications Media: Security from the Ground Up (Samuel W. Chun) . . . 1879
142 Security and the Physical Network Layer (Matthew J. Decker) . . . 1895
143 Wireless LAN Security Challenge (Frandinata Halim and Gildas Deograt-Lumy) . . . 1903
144 ISO/OSI and TCP/IP Network Model Characteristics (George G. McBride) . . . 1917

Section 7.2 Internet, Intranet, Extranet Security

145 VoIP Security Issues (Anthony Bruno) . . . 1929
146 An Examination of Firewall Architectures (Paul A. Henry) . . . 1941
147 Voice over WLAN (Bill Lipiczky) . . . 1997
148 Spam Wars: How To Deal with Junk E-Mail (Al Bredenberg) . . . 2007
149 Secure Web Services: Holes and Fillers (Lynda L. McGhie) . . . 2013
150 IPSec Virtual Private Networks (James S. Tiller) . . . 2025
151 Internet Security: Securing the Perimeter (Douglas G. Conorich) . . . 2051
152 Application-Layer Security Protocols for Networks (Bill Stackpole) . . . 2061
153 Application Layer: Next Level of Security (Keith Pasley) . . . 2073
AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.


154 Security of Communication Protocols and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 2083
William Hugh Murray

155 An Introduction to IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2093


Bill Stackpole

156 VPN Deployment and Evaluation Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2103


Keith Pasley

157 Comparing Firewall Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2123


Per Thorsheim

158 Cookies and Web Bugs: What They Are and How They Work
Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2133
William T. Harding, Anita J. Reed, and Robert L. Gray

159 Security for Broadband Internet Access Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2143


James Trulove

Section 7.3 E-mail Security


160 Instant Messaging Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2151
William Hugh Murray

Section 7.4 Secure Voice Communications


161 Voice Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2169
Chris Hare

162 Secure Voice Communications (VoI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2181


Valene Skerpac

Section 7.5 Network Attacks and Countermeasures


163 Deep Packet Inspection Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2195
Anderson Ramos

164 Wireless Penetration Testing: Case Study and Countermeasures . . . . . . . . . . . . . . . 2203


Christopher A. Pilewski

165 Auditing the Telephony System: Defenses against Communications


Security Breaches and Toll Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2213
William A. Yarberry, Jr.

166 Insecurity by Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2229


Micah Silverman

167 Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2233


Charles R. Hudson, Jr. and Chris R. Cunningham

xvii

AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.


168 Packet Sniffers: Use and Misuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2243
Steve A. Rodgers

169 ISPs and Denial-of-Service Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2253


K. Narayanaswamy

8 APPLICATION SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2263

Section 8.1 Application Issues


170 Application Service Provider Security: Ensuring a Secure
Relationship for the Client and the ASP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2267
Stephen D. Fried

171 Stack-Based Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2289


Jonathan S. Held

172 Web Application Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2301


Mandy Andress

173 Security for XML and Other Metadata Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2311


William Hugh Murray

174 XML and Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2319


Samuel C. McClintock

175 Application Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2327


Walter S. Kobus, Jr.

176 Covert Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2335


Anton Chuvakin

177 Security as a Value Enhancer in Application Systems


Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2343
Lowell Bruce McCulley

178 Open Source versus Closed Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2361


Ed Skoudis

179 A Look at Java Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2381


Ben Rothke

Section 8.2 Databases and Data Warehousing


180 Reflections on Database Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2387
William Hugh Murray

181 Digital Signatures in Relational Database Applications . . . . . . . . . . . . . . . . . . . . . . . . 2395


Mike R. Prevost

xviii

AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.


182 Security and Privacy for Data Warehouses: Opportunity or Threat? . . . . . . . . . . . 2405
David Bonewell, Karen Gibbs, and Adriaan Veldhuisen

Section 8.3 Systems Development Controls


183 Building and Assessing Security in the Software Development
Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2425
George G. McBride

184 Avoiding Buffer Overflow Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2437


Sean M. Price

185 Secure Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2449


Kevin Henry

186 System Development Security Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2457


Ian Lim and Ioana V. Bazavan

187 Software Engineering Institute Capability Maturity Model . . . . . . . . . . . . . . . . . . . . 2475


Matt Nelson

188 Enterprise Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2491


William Hugh Murray

189 Certification and Accreditation Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2503


Mollie E. Krehnke and David C. Krehnke

190 System Development Security Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2521


Ian Lim and Ioana V. Bazavan

191 Methods of Auditing Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2537


David C. Rice and Graham Bucholz

Section 8.4 Methods of Attack


192 Hacking Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2547
Georges J. Jahchan

193 Enabling Safer Deployment of Internet Mobile Code


Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2557
Ron Moritz

9 OPERATIONS SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2569

Section 9.1 Concepts


194 Security Considerations in Distributed Computing: A Grid
Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2573
Sasan Hamidi

xix

AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.


195 Managing Unmanaged Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2579
Bill Stackpole and Man Nguyen

196 Storage Area Networks Security Protocols and Mechanisms . . . . . . . . . . . . . . . . . . . 2597


Franjo Majstor

197 Operations: The Center of Support and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2615


Kevin Henry

198 Why Today’s Security Technologies Are So Inadequate: History,


Implications, and New Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2623
Steven Hofmeyr

199 Operations Security and Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2629


Patricia A.P. Fisher

Section 9.2 Resource Protection Requirements


200 The Nebulous Zero Day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2641
Robert M. Slade

201 Understanding Service Level Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2645


Gilbert Held

202 Physical Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2651


Dan M. Bowers

Section 9.3 Auditing


203 Auditing the Electronic Commerce Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2669
Chris Hare

10 LAW, COMPLIANCE AND INVESTIGATIONS . . . . . . . . . . . . . . 2689

Section 10.1 Information Law


204 Sarbanes–Oxley Compliance: A Technology Practitioner’s
Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2693
Bonnie A. Goins

205 Health Insurance Portability and Accountability


Act Security Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2703
Lynda L. McGhie

206 Jurisdictional Issues in Global Transmissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2717


Ralph Spencer Poore

xx

AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.


207 An Emerging Information Security Minimum Standard
of Due Care . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2725
Robert Braun and Stan Stahl

208 ISPs and Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2745


Lee Imrey

209 The Case for Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2761


Michael J. Corby

210 Liability for Lax Computer Security in DDoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . 2767


Dorsey Morrow

Section 10.2 Investigations


211 Operational Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2773
Michael J. Corby

212 Computer Crime Investigation and Computer Forensics . . . . . . . . . . . . . . . . . . . . . . 2781


Thomas Welch

213 What Happened? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2813


Kelly J. Kuchta

Section 10.3 Major Categories of Computer Crime


214 Potential Cyber Terrorist Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2817
Chris Hare

215 The Evolution of the Sploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2831


Ed Skoudis

216 Computer Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2845


Christopher A. Pilewski

217 Phishing: A New Twist to an Old Game . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2853


Stephen D. Fried

218 It’s All About Power:Information Warfare Tactics by Terrorists,


Activists, and Miscreants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2873
Gerald L. Kovacich, Andy Jones, and Perry G. Luzwick

Section 10.4 Incident Handling


219 Social Engineering: The Human Factor in Information
Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2897
Marcus K. Rogers

xxi

AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.


220 Privacy Breach Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2911
Rebecca Herold

221 Security Event Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2929


Glenn Cater

222 DCSA: A Practical Approach to Digital Crime Scene


Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2945
Marcus K. Rogers

223 What a Computer Security Professional Needs to Know about


E-Discovery and Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2961
Larry R. Leibrock

224 How To Begin A Non-Liturgical Forensic


Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2967
Carol Stucki

225 Honeypot Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2983


Anton Chuvakin

226 Managing the Response to a Computer Security


Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2989
Michael Vangelos

227 Cyber-Crime: Response, Investigation, and


Prosecution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3001
Thomas Akin

228 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3009

229 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3151

xxii

AU7495—Prelims—6/2/2007—18:01—VELU—14657—XML MODEL CRC12a – pp. 1–46.


Introduction

As this book goes to galley, a federal jury has found former Enron Corporation executives Kenneth L.
Lay and Jeffrey K. Skilling guilty of conspiracy and fraud in connection with the 2001 collapse of the
onetime energy trading giant.
However, long before the guilty verdicts against Lay and Skilling, the “Enron Effect” was already
impacting the behavior of some corporations.
Houston oil service company Dresser-Rand Group Inc. responded to the public outrage that followed
Enron Corp.’s 2001 collapse by pointing to its more stringent ethics policy and announcing its dogma of
corporate good behavior on the company’s Web site. Engineering giant Fluor Corp.’s new code of conduct
has a one-word description under the Exceptions section: “None.”
Moreover, new laws and regulations have forced companies to develop stronger ethics policies. More
so than ever before, shareholders are holding publicly traded companies more accountable for their
practices.
What does this have to do with Information Security? In a word, everything.
An organization’s information security program is a direct result of its management ethics and values.
Principles such as “we comply with applicable laws and regulations” and “we protect our customers’
privacy” lead directly to the technical, physical, and administrative controls that should be implemented.
US federal and state legislators continue to make certain that information security is a board-level
conversation through the enactment of regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, the
Payment Card Industry Standard (PCI), the Health Insurance Portability and Accountability Act
(HIPAA) and the Federal Information Security Management Act (FISMA).
Current EU privacy legislation and evolving US privacy laws, such as California’s Senate Bill 1386,
demonstrate the concerns that consumers continue to voice about the privacy of their personal
information. These laws ensure that the topic of information security remains on the board of directors’
agenda.
Is this good news for those who are tasked with securing information assets? Or are these new rules
contending for valuable resources that would otherwise be deployed for other priorities?
At some point, security and compliance efforts should converge. One way or the other, private
or public organizations must deal with protecting the sensitive information with which they are entrusted.
So where do we turn for practical, viable solutions? Clearly, there are more options available than at
any other time: trade magazines, internet websites, technical compositions, practitioner classes,
certificate courses, industry associations and this handbook. All sources are worth a look-see.
Many of these sources are worth placing in a spot that is easily accessible, at arm’s reach, so they can be
pulled off the shelf when a question must be answered or a solution sought.
I submit that this handbook is one of those references that should be “close at hand.”
The handbook is a compilation of treatises that address risk assessments, metrics, security
governance, emerging threats, standards, physical security and business continuity, and a plethora of
technology issues including application controls, network security, virus controls and hacking.


As always, this volume balances contemporary articles with relevant articles from past editions. And as
always, we offer this information to empower you, the reader, with valuable knowledge supplied by fellow
practitioners and authorities in their fields.

Best of luck,
Hal Tipton and Micki Krause



Editors

Harold F. Tipton, CISSP, currently an independent consultant and past president of the International
Information System Security Certification Consortium (ISC)2, was Director of Computer Security for
Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security
program in 1977, and he continued to administer, develop, enhance, and expand the program to
accommodate the control needs produced by technological advances until his retirement from Rockwell
in 1994. He became a member of the Information Systems Security Association (ISSA) in 1982, and he
served as president of the Los Angeles Chapter in 1984. From 1987 to 1989, he served as president of the
national organization of ISSA. He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000.
He received the Computer Security Institute “Lifetime Achievement Award” in 1994 and the (ISC)2 “Hal
Tipton Award” in 2001.
He was a member of the National Institute for Standards and Technology (NIST) Computer and
Telecommunications Security Council and the National Research Council Secure Systems Study
Committee (for the National Academy of Sciences). He has a B.S. in engineering from the U.S. Naval
Academy, an M.P.A. from George Washington University, and a certificate in computer science from the
University of California, Irvine. He has published several papers on information security issues in the
Information Security Management Handbook, Data Security Management, Information Systems Security,
and the National Academy of Sciences report Computers at Risk.
He has been a speaker at all of the major information security conferences, including the Computer
Security Institute, ISSA Annual Working Conference, Computer Security Workshop, MIS Conferences,
AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security
Conference, IIA Security Conference, EDPAA, UCCEL Security and Audit Users Conference, and
Industrial Security Awareness Conference. He has conducted and participated in information security
seminars for (ISC)2, Frost and Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for
International Research.

Micki Krause, CISSP, has held positions in the information security profession for the past 20 years. She
currently serves as the Chief Information Security Officer at Pacific Life Insurance Company in Newport
Beach, California, where she is accountable for directing its information protection and security program
enterprise-wide. She has held several leadership roles in industry-influential groups, including the
Information Systems Security Association (ISSA) and the International Information System Security
Certification Consortium. She is a long-term advocate for professional security education and
certification. In 2003, she received industry recognition as a recipient of the “Women of Vision”
award given by Information Security magazine. In 2002, she was honored as the second recipient of the
Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to
the profession. She is a reputed speaker, published author, and co-editor of the Information Security
Management Handbook series.

Contributors

Thomas Akin, CISSP, has worked in information security for almost a decade. He is the founding
director of the Southeast Cybercrime Institute where he also serves as chairman for the Institute’s Board
of Advisors. He is an active member of the Georgia Cybercrime Task Force where he heads up the task
force’s education committee. He also works with Atlanta’s ISSA, InfraGard, and HTCIA professional
organizations. He has published several articles on information security, and he is the author of
Hardening Cisco Routers. He developed Kennesaw State University’s highly successful UNIX and Cisco
training programs and, in addition to his security certifications, is also certified in Solaris, Linux, and
AIX; is a Cisco Certified Academic Instructor (CCAI); and is a Certified Network Expert (CNX).

Mandy Andress, CISSP, SSCP, CPA, CISA, is founder and president of ArcSec Technologies, a security
consulting firm specializing in product/technology analysis. Before starting ArcSec Technologies, she
worked for Exxon, USA, and several Big 5 accounting firms, including Deloitte & Touche and Ernst &
Young. After leaving the Big 5, she became the director of security for Privada, Inc., a privacy start-up in
San Jose. At Privada, she helped develop security policies, design a secure network, build Firewall/VPN
solutions, increase physical security, secure product design, and perform periodic network vulnerability testing.
She has written numerous security product and technology reviews for various computer trade
publications. A member of the Network World Global Test Alliance, she is also a frequent presenter at
conferences, including Networld+Interop, Black Hat, and TISC. She is the author of Surviving Security,
2nd Edition (Auerbach Publications, 2003).

Jim Appleyard is a senior security consultant with the IBM Security and Privacy Services consulting
practice. With 33 years of technical and management experience in information technology, he
specializes in enterprise-wide information security policies and security architecture design. He has
specific expertise in developing information security policies, procedures, and standards; conducting
business impact analysis; performing enterprise-wide security assessments; and designing data
classification and security awareness programs.

Ioana V. Bazavan, CISSP, is a manager with Accenture’s global security consulting practice. She has
written security policies, standards, and processes for clients in a range of industries, including financial
services, high-tech, resources, and government.

Chuck Bianco, FTTR, CISA, CISSP, is an IT examination manager for the Office of Thrift Supervision in
Dallas, Texas. He has represented his agency on the IT subcommittee of the FFIEC. He has experienced
more than 600 IT examinations, participated in six IT symposia, written OTS’ original Disaster Recovery
Bulletin, and led the Interagency Symposium, resulting in SP-5. He was awarded the FFIEC Outstanding
Examiner Award for significant contributions, and he received two Department of the Treasury Awards
for Outstanding Performance.



Christina M. Bird, PhD, CISSP, was responsible for technical review and implementation of Internet
firewalls, virtual private networks, and authentication systems at Cerner Corporation in Kansas City, and,
subsequently, for Secure Network Group in Lawrence, Kansas; she was the director of network
intelligence at Counterpane Internet Security and a computer security officer for Stanford University.
Her responsibilities have included assessment of threats to corporate assets and current security practices,
technical evaluation of available products, planning for long-term growth of Internet and extranet
infrastructure, and network configuration and management in accordance with security policy. She is the
moderator of the Virtual Private Networks mailing list and the owner of VPN Resources on the World
Wide Web, a vendor neutral source of information about VPN technology.

Steven F. Blanding, CIA, CISA, CSP, CFE, CQA, was, when his contributions were written, the regional
director of technology for Arthur Andersen based in Houston, Texas. He has 25 years of experience in the
areas of financial auditing, systems auditing, quality assurance, information security, and business
resumption planning for large corporations in the consulting services, financial services, manufacturing,
retail electronics, and defense contract industries.

David Bonewell, CISSP, CISSP/EP, is the president of Accomac Consulting LLC, Cincinnati, Ohio. He
was a chief security architect with Teradata, Cincinnati, Ohio.

Dan M. Bowers, CISSP, is a consulting engineer, author, and inventor in the field of security engineering.

Gerald Bowman is currently the North American director of ACE and advanced technologies for
SYSTIMAX® Solutions for the design of the professional community and advanced technology in the
corporate enterprise. He joined the SYSTIMAX team from Superior Systems Technologies where he
was COO. Prior to that appointment, he was vice president of engineering for Riser Management
Systems, a telecommunications design, engineering, management, and consulting firm responsible for
consulting engineering projects for 78 of the tallest buildings in the United States, including 12
Carrier Hotels, numerous data centers for ISPs, high-end telecom real estate, and other corporate
enterprises.

Robert Braun, a partner in the Corporate Department of Jeffer, Mangles, Butler, & Marmaro LLP,
specializes in corporate, finance, and securities law with an emphasis on technology-oriented firms. His
practice includes the establishment and development of strategies to implement computer software,
computer hardware, communications, and e-commerce solutions as well as public and private securities
offerings; mergers and acquisitions; venture capital financing; and joint ventures. He counsels a variety of
firms on software development and licensing; formation, maintenance, and linking of websites;
electronic commerce transactions and related matters; and acquisitions, divestitures, and corporate
and strategic functions. He is a member of the American, California, and Los Angeles County Bar
Associations and is an active participant in a variety of business and technology committees and task
forces.

Thomas J. Bray, CISSP, is a principal security consultant with SecureImpact. He has more than 13 years
of information security experience in banking, information technology, and consulting. SecureImpact is
a company dedicated to providing premier security consulting expertise and advice. SecureImpact has
created its information and network service offerings to address the growing proliferation of security
risks experienced by small to mid-sized companies.

Al Bredenberg is a writer, web developer, and Internet marketing consultant. He is author of The Small
Business Guide to Internet Marketing and the editor of The NET Results News Service, both of which are
electronic publications available over the Internet.



Anthony Bruno, CCIE #2738, CISSP, CIPTSS, CCDP, is a senior principal consultant for INS, an
international professional services company, with over 16 years of experience in data networks and
telecommunications. Prior to consulting, he was an Air Force captain in charge of the operation and
maintenance of a large metropolitan area network. He is author of the CCDA Exam Certification Guide,
2nd Edition and the CCIE Routing & Switching Certification Exam Guide.

Alan Brusewitz, CISSP, CBCP, has more than 30 years of experience in computing in various capacities,
including system development, EDP auditing, computer operations, and information security. He has
continued his professional career leading consulting teams in cyber security services with an emphasis on
e-commerce security. He also participates in business continuity planning projects, and he is charged
with developing that practice with his current company for delivery to commercial organizations.

Graham Bucholz is a computer security research analyst for the United States government in Baltimore,
Maryland.

Carl Burney, CISSP, is a senior Internet security analyst with IBM in Salt Lake City, Utah.

Ken Buszta, CISSP, is the chief information security officer for the City of Cincinnati, Ohio, and he has
more than ten years of IT experience and six years of InfoSec experience. He served in the U.S. Navy’s
intelligence community before entering the consulting field in 1994.

Mark Carey is the CEO of DelCreo Inc., an enterprise risk management company. He directs DelCreo
operations and consulting services, including enterprise-wide risk management, business continuity and
disaster recovery planning, incident management, information security, and e-business risk management
programs in the technology industry. Prior to starting DelCreo, he managed Ernst & Young’s western U.S.
region of the business risk solutions practice. He coordinated the relationship and managed delivery of all
risk management related services, including program management, business continuity planning,
enterprise risk assessments, information security, incident management, and privacy advisory services.

Glenn Cater, CISSP, has more than 11 combined years of experience in information security, IT
management, and application development. He currently holds the position of director of IT risk
consulting at Aon Consulting, Inc. In this role, he supports Aon’s electronic discovery services, high-tech
investigations, and IT security consulting practices. He joined Aon from Lucent Technologies where he
held the position of technical manager within the IT security organization. At Lucent, he supervised the
Computer Security Incident Response Team, supporting the intrusion prevention and security event
management systems. He also worked as managing principal of the reliability and security consulting
practice at Lucent Worldwide Services, leading and supporting security consulting engagements for LWS
clients. Before that, he worked as a senior network security manager at Lucent Technologies where he
managed a development team and supported internal security solutions. Prior to joining Lucent, he
began his career as a software engineer at British Aerospace working on military systems.

Tara Chand, Esq., CISSP, is the founder of Internet Promise Group LLC.

Samuel W. Chun, CISSP, is the director of information and risk assurance services with TechTeam Global
Government Solutions Inc. He has over fifteen years of experience in technical architecture and network
engineering with an emphasis on secure network environments. He is currently leading his company’s
technical compliance effort to the Sarbanes-Oxley Act of 2002.

Anton Chuvakin, PhD, GCIA, GCIH, GCFA, is a recognized security expert and book author. In his
current role as a director of product management with LogLogic, he is involved with defining and
executing on a product vision and strategy, driving the product roadmap, conducting research, and

xxix

AU7495—Prelims—6/2/2007—18:02—VELU—14657—XML MODEL CRC12a – pp. 1–46.


assisting key customers with its LogLogic implementations. He was previously a chief security strategist
with netForensics, a security information management company. A frequent conference speaker, he is an
author of Security Warrior and a contributor to Know Your Enemy II, Information Security Management
Handbook, and the upcoming Hacker’s Challenge 3. He also published numerous papers on a broad range
of security subjects. In his spare time, he maintains his security portal http://www.info-secure.org,
http://www.chuvakin.org, and several blogs.

Ian Clark is the security portfolio manager for Nokia’s business infrastructure where he has been working
on global security projects for the past five years. Prior to Nokia, he worked for EDS and spent 11 years in
the British army specializing in secure communications. He is a member of the BCS.

Douglas G. Conorich is the global solutions manager for IBM Global Service’s Managed Security
Services with over 30 years of experience with computer security through his holding a variety of
technical and management positions. He is responsible for developing new security offerings, ensuring
that the current offerings are standardized globally, and overseeing the training of new members of the
MSS team worldwide. He teaches people how to use the latest vulnerability testing tools to monitor
Internet and intranet connections and how to develop vulnerability assessments by suggesting security-
related improvements. He is also actively engaged in the research of bugs and vulnerabilities in computer
operating systems and Internet protocols, and he is involved in the development of customized alerts,
notifying clients of new potential risks to security. He has presented papers at over 400 conferences,
published numerous computer security-related articles on information security in various magazines and
periodicals, and held associate professor positions at several colleges and universities.

Michael J. Corby, CCP, CISSP, the senior director of Risk Management at Gartner Consulting, has over
35 years of experience in IT strategy, operations, development, and security. He has successfully managed
large projects and developed flexible IT infrastructures and sound security organizations for hundreds of
the world’s most successful organizations. He is also the founder of (ISC)2 Inc., the organization that
established the CISSP credential. In 1992, he was named the first recipient of the Computer Security
Institute’s Lifetime Achievement Award. A frequent global speaker and author, he formerly held executive
positions with several global consulting organizations, including Netigy Corporation and QinetiQ prior
to joining Gartner Group Consulting through the acquisition of Meta Group, and he was formerly CIO
for a division of Ashland Oil and for Bain & Company. A business owner for over 15 years (M Corby &
Associates, Inc.) and a community supporter, he has established a reputation for creativity and excellence
in technology and its application to business needs. He is based in the Lowell, Massachusetts office.

Mignona Cote, CISA, CISM, has over 15 years of management-level experience securing and improving
technical operations for companies like PepsiCo, Nortel Networks, and Verizon. She recently joined a
large financial institution to leverage her expertise in the security and auditing field into the financial
control environment. Her experience spans across multiple technologies and disciplines, ranging from
running incident response teams and vulnerability management initiatives to leading hardening programs to
secure networks and large scale application environments. She maintains hands-on experience with the
growing malware concerns while ensuring proactive and detective controls such as IPS/IDS solutions are
protecting enterprises. She is a member of the North Dallas chapter of the Institute of Internal Auditors
and a member of ISACA.

Kellina M. Craig-Henderson, PhD, is an associate professor of social psychology at Howard University
in Washington, D.C. Her work has been supported by grants from the National Science Foundation and
the Center for Human Resource Management at the University of Illinois.

Chris R. Cunningham, CISSP, is an Internet security engineer at Wilmington Trust Corporation. His
responsibilities include the security architecture and management of policies and technologies that

xxx

AU7495—Prelims—6/2/2007—18:02—VELU—14657—XML MODEL CRC12a – pp. 1–46.


contribute to the security of the Wilmington Trust Corporation and its affiliates in the United States and
abroad. His experience is in both cyber and physical security for financial institutions.

Jeffrey Davis, CISSP, has been working in information security for over ten years. He is currently a senior
manager at Lucent Technologies, and he is involved with intrusion detection, anti-virus, and threat
assessment.

Matthew J. Decker, CISSP, CISA, CISM, CBCP, is a principal with Agile Risk Management, specializing
in information security consulting and computer forensics services. During his career, he has been a
senior manager with a Big 4 accounting firm, provided security consulting services for Lucent
Technologies and International Network Services, devoted engineering and security consulting
support to the United States Special Operations Command (USSOCOM) with Booz Allen Hamilton,
and served nine years with the National Security Agency (NSA). He is a member of the ISSA, ISACA, and
DRII, and he served as president to the Tampa Bay Chapter of ISSA from 1999 to 2003.

Gildas Deograt-Lumy, CISSP, is a CISSP CBK seminar instructor. He has been working in the IT field for
more than eleven years with a focus over the past six years on information security. His experience
includes development and implementation of physical access control, security policy, architecture, and
awareness programs. Presently, he is an information system security officer for Total E&P Headquarters,
implementing policy, conducting audits, and responsible for various projects such as implementing
network-based IDS/IPS across worldwide corporate networks and creating enclave systems to deal with
high-grade attacks. Before working in France, he was the chief information security officer at TotalFinaElf
E&P Indonesia, a board member of the Information System Security Association Indonesia, and a board
member of Kampus Diakoneia Modern, a non-government organization in Indonesia that serves
homeless people and street children.

John Dorf, ARM, is a senior manager in the Actuarial Services Group of Ernst & Young. Specializing in
insurance underwriting and risk management consulting, he earned his 19 years of experience as a risk
manager at several Fortune 500 financial service and manufacturing firms. Before joining Ernst & Young,
he was a senior risk manager at General Electric Capital Corporation. He has also held risk management
positions at Witco Corporation, National Westminster Bank, and the American Bureau of Shipping.
Prior to becoming a risk manager, he spent seven years as an underwriting manager and senior marine
insurance underwriter at AIG and Atlantic Mutual.

Ken Doughty has over 25 years of experience in IS auditing and business continuity in both the public and
private sectors. He holds an Accounting Degree and a Graduate Diploma in Internal Auditing from the
University of Technology, Sydney (UTS). In September 2000, he had his first book published, “Business
Continuity: Protecting Your Organization’s Life” (Auerbach Publications, 2000). In 2002 he received the
ISACA’s Best Speaker & Conference Contributor Award. A former TAB Limited (NSW) CIO and lecturer
at UTS, Ken was one of the standout presenters at both the 2003 and 2004 itSMFA National Conferences.

Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software, Inc., and he has more than 25 years of
experience in software development, product development, and network/information systems security.
Fortune 500 companies have often turned to him to help them with projects related to Internet and
computer security. He previously worked for KPMG Information Risk Management Group and IBM’s
Privacy and Security Group where he performed network security assessments, security system reviews,
development of security recommendations, and ethical hacking. Other projects include helping
companies develop secure and reliable network system architecture for their Web-enabled businesses.
He was managing editor of the SANS Digest and contributing editor to the SANS Step-by-Step Windows
NT Security Guide. He is co-author of Windows NT: Performance, Monitoring and Tuning, and he
developed the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.

Carl F. Endorf, CISSP, is a senior security analyst for one of the largest insurance and banking companies
in the United States. He has practical experience in forensics, corporate investigations, and Internet
security.

Jeffrey H. Fenton, CBCP, CISSP, is the corporate IT crisis assurance/mitigation manager and technical
lead for IT risk management and a senior staff computer system security analyst in the corporate
information security office at Lockheed Martin Corporation. He joined Lockheed Missiles and Space
Company in Sunnyvale, California, as a system engineer in 1982, and he transferred into its
telecommunications group in 1985. Fenton completed a succession of increasingly complex assignments,
including project manager for the construction and activation of an earthquake resistant network center
on the Sunnyvale campus in 1992 and group leader for network design and operations from 1993
through 1996.

Bryan D. Fish, CISSP, is a security consultant for Lucent Technologies in Dallas, Texas. He holds a BS in
computer engineering and an MCS with a focus on internetworking and computer system security, both
of which are from Texas A&M University. His professional interests include security programs and
policies and applications of cryptography in network security.

Patricia A.P. Fisher is president of Janus Associates, a company that specializes in computer security.

Todd Fitzgerald, CISSP, CISA, CISM, is the director of systems security and systems security officer for
United Government Services LLC. He has over 25 years of broad-based information technology
experience, holding senior IT management positions with Fortune 500 and Global Fortune 250
companies. He is a member of the Board of Directors and Security Taskforce co-chair for the HIPAA
Collaborative of Wisconsin (HIPAA COW), a participant in the CMS/Gartner Security Best Practices
Group, Blue Cross Blue Shield Association Information Security Advisory Group; he is a previous board
member for several Information Systems Security Associations (ISSA), and he is a frequent speaker and
writer on security issues. He largely focuses on issues related to security management, risk assessments,
policy development, organizing security, security assessments, regulatory compliance (HIPAA, CAST,
NIST, ISO 17799), security awareness, and developing security programs.

Stephen D. Fried, CISSP, is the vice president for information security and privacy at Metavante
Corporation. He is a seasoned information security professional with over 20 years experience in
information technology. For the past ten years, he has concentrated his efforts on providing effective
information security management to large organizations. He has led the creation of security programs for
two Fortune 500 companies, and he has extensive background in such diverse security issues as risk
assessment and management, security policy development, security architecture, infrastructure and
perimeter security design, outsource relationship security, offshore development, intellectual property
protection, security technology development, business continuity, secure e-business design, and
information technology auditing. A frequent speaker at conferences in the United States as well as
international locations, he is active in many security industry organizations.

Robby Fussell, CISSP, NSA IAM, GSEC, is an information security/assurance manager for a government
contracting company. He is currently performing academic research in the area of preventing cascading
failures in scale-free networks using artificial intelligence techniques.

Karen Gibbs is a senior data warehouse architect with Teradata in Dayton, Ohio.

Bonnie A. Goins, MSIS, CISSP, NSA IAM, ISS, is a senior security strategist at Isthmus Group, Inc. where
she is the co-practice leader for IGI’s Security Practice. She has over 15 years experience in the areas of
information security; secure network design and implementation; risk, business impact, and security

xxxii

AU7495—Prelims—6/2/2007—18:02—VELU—14657—XML MODEL CRC12a – pp. 1–46.


assessment methods; project management; executive strategy and management consulting; and
information technology. She has extensive working experience in regulated industries. She has
functioned as a National Security Practice competency leader for multiple companies, and she has
also established premier partnerships with Novell and Microsoft across the business continuity/disaster
recovery and security disciplines. She is a co-author of the Digital Crime Prevention Lab and a
contributing reviewer for SANS’ HIPAA Step-by-Step.

Alex Golod, CISSP, is an infrastructure specialist for EDS in Troy, Michigan.

Ronald A. Gove, PhD, is a vice president at Science Applications International Corp. in Columbia, Maryland.

Robert L. Gray, PhD, is currently chair of the Quantitative Methods and Computer Information Systems
Department at Western New England College, and he has more than 20 years of academic and
management experience in the IT field.

Geoffrey C. Grabow, CISSP, was chief technology officer of beTRUSTED and leader of the
PricewaterhouseCoopers Cryptographic Centre of Excellence.

Frandinata Halim, CISSP, MCSE, is a senior security consultant at ITPro Citra Indonesia PT. He has
ample experience and qualifications in providing clients with managed security services, information
system security consulting, secure network deployment, and other services. In addition, he is competent
and knowledgeable in the use and hardening of the Windows environment, Cisco security devices, a
number of IDSs, firewalls, and other devices, and he currently holds certifications from (ISC)2, Cisco Systems,
and Microsoft.

Sasan Hamidi, PhD, is the chief security officer at Interval International, Inc.

Susan D. Hansche, CISSP-ISSEP, is a senior manager for information system security awareness and
training at PEC Solutions based in Fairfax, Virginia. She has designed numerous training courses on
information technology and information systems security for both private-sector and government
clients. She is co-author of the Official (ISC)2 Guide to the CISSP Exam.

William T. Harding, PhD, is the dean of the College of Business Administration and an associate
professor at Texas A&M University in Corpus Christi.

Chris Hare, CISSP, CISA, CISM, is employed with a large U.S. financial institution as the information
systems auditor. He has taught information security at Algonquin College (Ottawa, Canada), and he sat
on the advisory council for this program. He frequently speaks on Unix, specialized technology and
applications, security, and audit at conferences.

Gilbert Held is an award-winning author and lecturer. He is the author of over 40 books and 450
technical articles. Some of his recent book titles include Building a Wireless Office and The ABCs of IP
Addressing, published by Auerbach Publications.

Jonathan S. Held graduated from the University of Pennsylvania with a B.A. in mathematics and
proceeded to serve seven years in the U.S. Navy as a cryptologic officer. Awarded an M.S. in computer
science from the Naval Postgraduate School, he is currently a software design engineer for Microsoft in
Seattle, Washington. He has been involved in the design and testing of a variety of Microsoft product
offerings, including Commerce Server 2002, BizTalk Accelerator for Suppliers, Solution for Internet
Business, and BizTalk Accelerator for Financial Services. He co-authored the books Data Encryption

xxxiii

AU7495—Prelims—6/2/2007—18:02—VELU—14657—XML MODEL CRC12a – pp. 1–46.


Techniques with Basic and C++ as well as Securing E-Business Applications and Communications
(Auerbach Publications).

Foster J. Henderson, CISSP, MCSE, CRP, CNA, is an information assurance analyst for Analytic Services,
Inc. (ANSER). He is currently a member of the Network Operations and Security Branch within the
federal government, covering a wide range of IA matters.

Kevin Henry, CISA, CISSP, is the director of program development for (ISC)2 Institute, and he is a
regular speaker at conferences and training seminars worldwide with frequent requests to provide in-
depth training, foundational and advanced information systems security and audit courses, and detailed
presentations and workshops on key issues surrounding the latest issues in the information systems
security field. He combines over twenty years experience in telecom and consulting engagements
for major government and corporate clients with an interesting and comfortable learning style that
enhances the understanding, relevance, and practical applications of the subject matter. He has also had
several articles published in leading trade journals and in the Handbook of Information Security
Management.

Paul A. Henry, CISSP, is the senior vice president of CyberGuard Corporation. He has more than 20 years
experience with security and safety controls for high-risk environments such as nuclear power plants and
industrial boiler sites. In addition, he has developed and managed security projects for major government
and commercial organizations worldwide. He has written technical papers on port scanning basics, buffer
over-runs, firewall architectures and burner management and process controls for nuclear power plants
as well as white papers on covert channel attacks, distributed denial of service (DDoS) attacks, common
mode noise and common mode rejection, PLC programming, and buffer over-runs. He also frequently
serves as a featured and keynote speaker at network security seminars and conferences worldwide,
presenting white papers on diverse topics, including DDoS attack risk mitigation, firewall architectures,
intrusion methodology, enterprise security, and managed security services. In addition to his CISSP
certification, he holds many other security certifications such as MCPCI, MCSE, CCSA, CCSE, CFSA,
CFSO, CISM, and CISA.

Rebecca Herold, CISM, CISA, CISSP, FLMI, is an information privacy, security, and compliance
consultant, author, and instructor. She has over 15 years of information privacy, security, and regulatory
compliance experience, and she assists organizations of all sizes with their information privacy, security,
and regulatory compliance programs. Prior to owning her own business, she was the vice president of
privacy services and chief procurement officer at DelCreo for two years. She was also the senior systems
security consultant at Principal Financial Group where she was instrumental in building an information
security and privacy program that was awarded the 1998 CSI Information Security Program of the Year.
She is the author of The Privacy Papers (Auerbach, 2001) and Managing an Information Security and
Privacy Training and Awareness Program (Auerbach, 2005), and she is coauthor of The Practical Guide to
HIPAA Privacy and Security Compliance (Auerbach, 2003) and The Business Executive Practical Guides to
Compliance and Security Risks book series in 2004.

Debra S. Herrmann is the technical advisor for information security and software safety in the FAA
Office of the Chief Scientist. In this capacity, she is leading four major collaborative research
initiatives: security metrics, adaptive quarantine, FAA protection profile library, and integration of
common criteria and security certification and accreditation (C&A) evaluations. Previously, she was
the manager of security engineering for the $1.7B FAA Telecommunications Infrastructure (FTI)
program, one of the first programs to apply the common criteria to a nation-wide safety-critical
WAN. Prior to that position, she worked for a number of years in the defense/intelligence
community. She has published several papers and three books, including Using the Common Criteria
for IT Security Evaluation (Auerbach, 2003); A Practical Guide to Security Engineering and Information

xxxiv

AU7495—Prelims—6/2/2007—18:02—VELU—14657—XML MODEL CRC12a – pp. 1–46.


Assurance (Auerbach, 2001); and Software Safety and Reliability—Techniques, Approaches and
Standards of Key Industrial Sectors (IEEE Computer Society, 1999). She has also been active in the
international standards community for many years, serving as the U.S. government representative to
International Electrotechnical Commission (IEC) software safety engineering standards committees,
chair of the Society of Aerospace Engineers (SAE) subcommittee that issued the JA 1003 software
reliability engineering standard, and a member of the IEEE Software Engineering Standards balloting
pool.

Steven Hofmeyr, PhD, is chief scientist and founder of Sana Security, Inc. Hofmeyr has authored and
coauthored many articles published in conference proceedings and peer-reviewed journals on
computer security, immunology, and adaptive computation. He has served on the program
committee for the ACM’s New Security Paradigms Workshop, and he is currently on the program
committee for the Artificial Immune Systems workshop at the IEEE World Congress on Computational
Intelligence.

Joseph T. Hootman is the president of Computer Security Systems, Inc., a computer and information
security consulting and product sales firm based in Northern California.

Daniel D. Houser, CISSP, MBA, e-BizC, is a senior security engineer with Nationwide Mutual Insurance
Company.

Joost Houwen, CISSP, CISA, is the security manager for Network Computing Services at BCHydro. He
has a diverse range of IT and information security experience.

Patrick D. Howard, CISSP, is a senior information security consultant for the Titan Corporation, and he
has over 31 years experience in security management and law enforcement. He has been performing
security certification and accreditation tasks for over 14 years as both a security manager and a consultant
from both government and commercial industry perspectives. He has experience with implementing
security C&A with numerous federal departments and agencies, and he has been charged with developing
C&A and risk management guidance for a wide variety of organizations. He has extensive practical
experience in implementing programs and processes based on NIST guidance, OMB Circular A-130,
Appendix III, and BS 7799/ISO 17799. He has direct working experience in security plan development for
complex systems, sensitivity definition, use of minimum security baselines, risk analysis, vulnerability
assessment, controls validation, risk mitigation, and documenting certification and accreditation
decisions. He has also developed and presented training on all of these processes. He is the author of
Building and Implementing a Security Certification and Accreditation Program (Auerbach Publications,
2005).

Charles R. Hudson, Jr., CISSP, CISM, is an information security manager and assistant vice president at
Wilmington Trust Company. He is a regular speaker at national conferences, speaking at more than
fifteen conferences in the past five years as a subject matter expert. He has been involved in writing
magazine articles for Computer World, Security Watch, and Information Security.

Lee Imrey, CISSP, CISA, CPP, is an information security specialist with the U.S. Department of Justice
where he writes policies to secure critical and classified information, and he works with various
government organizations to implement practices and technological procedures consistent with those
policies. Previously, he was a senior communications manager with (ISC)2 and a lead instructor for the
CISSP CBK Review Seminar. He has worked for telecommunications, retail, and consulting
organizations, and he continues to contribute to the profession in several volunteer capacities, including as

xxxv

AU7495—Prelims—6/2/2007—18:02—VELU—14657—XML MODEL CRC12a – pp. 1–46.


a member of the ASIS Information Technology Security Council and as chair of the ISSA Committee on
Professional Ethics.

Carl B. Jackson, CISSP, CBCP, is the business continuity program director with Pacific Life Insurance.
He has more than 25 years experience in the areas of continuity planning, information security, and
information technology internal control and quality assurance reviews and audits. Prior to joining Pacific
Life, he worked with several information security consulting companies and as a partner with Ernst &
Young where he was the firm’s BCP line leader. He has extensive consulting experience with numerous
major organizations in multiple industries, including manufacturing, financial services, transportation,
healthcare, technology, pharmaceutical, retail, aerospace, insurance, and professional sports
management. He also has extensive industry business information security experience as an information security
practitioner and manager in the field of information security and business continuity planning. He has
written extensively, and he is a frequent public speaker on all aspects of information security and business
continuity planning.

Georges J. Jahchan, CISA, CISM, BS7799 Lead Auditor, has been in various personal computer-related
positions for over twenty-five years, six of which were spent addressing gateway security and three as a security
officer in a university. He currently works as a senior security consultant in the Levant with Computer
Associates.

Martin Johnson is senior manager of information systems assurance and advisory services with Ernst &
Young LLP.

Andy Jones, PhD, MBE, is a research group leader, Security Research Centre, BT Group Chief Technology
Office. An experienced military intelligence analyst and information technology security specialist, he
moved into research in information warfare and information security after completing 25 years service
with the British Army’s Intelligence Corps. He has experience as a project manager within the U.K.
Defense Evaluation and Research Agency (DERA) for security aspects of digitization of the battlefield
initiative, and he has gained considerable expertise on the criminal and terrorist aspects of information
security.

Ray Kaplan, CISSP, CISA, CISM, Qualified BS7799 Auditor, and CHSP (Certified HIPAA
Security Professional), is an information security consultant with Ray Kaplan and Associates in
Minneapolis, Minnesota. He has been a consultant and a frequent writer and speaker in information
security for over two decades.

Kenneth J. Knapp, PhD, is an assistant professor of management at the U.S. Air Force Academy,
Colorado. In 2005, he earned his doctorate in Management Information Systems at Auburn University,
Alabama. He has over 15 years of information technology and security experience in the Air Force. His
publications include Communications of the Association for Information Systems, Information Systems
Management, Information Systems Security, and Information Management & Computer Security.

Walter S. Kobus, Jr., CISSP, is the vice president of security consulting services with Total Enterprise
Security Solutions LLC. He has over 35 years experience in information systems with 15 years experience
in security, and he is a subject matter expert in several areas of information security, including
application security, security management practice, certification and accreditation, secure infrastructure,
and risk and compliance assessments. As a consultant, he has an extensive background in implementing
information security programs in large environments. He has been credited with the development of
several commercial software programs in accounting, military deployment, budgeting, marketing, and
several IT methodologies currently in practice in security and application development.

Gerald L. Kovacich, PhD, CISSP, CFE, CPP, has over 37 years of industrial security, investigations,
information systems security, and information warfare experience in the U.S. government as a special
agent; in business as a technologist and manager for numerous technology-based, international
corporations as an ISSO, security, audit, and investigations manager; and as a consultant to U.S. and
foreign government agencies and corporations. He has also developed and managed several
internationally based InfoSec programs for Fortune 500 corporations, and he managed several information
systems security organizations, including providing service and support for their information warfare
products and services.

Joe Kovara is CTO and the principal consultant of Certified Security Solutions Inc. He has more than 25
years in the security and IT industries with extensive experience in all aspects of information security and
operating systems and networks as well as in the development and practical application of new
technologies to a wide variety of applications and markets. He holds patents on self-configuring
computer systems and networks. Prior to joining CSS in 2001, he was CTO of CyberSafe Corporation.
He was a key contributor to CyberSafe’s growth and in bringing several enterprise-security products to
market and deploying them in mission-critical Fortune 100 environments. Prior to CyberSafe, he was a
principal with the security-consulting firm of Kaplan, Kovara, & Associates.

David C. Krehnke, CISSP, CISM, IAM, is a principal information security analyst for Northrop
Grumman Information Technology in Raleigh, North Carolina. He has more than 30 years experience
in assessment and implementation of information security technology, policy, practices, procedures, and
protection mechanisms in support of organizational objectives for various federal agencies and
government contractors. He has also served the (ISC)2 organization as a board member, vice president,
president, and program director responsible for test development.

Mollie E. Krehnke, CISSP, CHS-II, IAM, is a senior information security consultant for Insight Global,
Inc. in Raleigh, North Carolina. She and her husband, David Krehnke, are members of the inventor team
for the Workstation Lock and Alarm System (U.S. Patent Number 6,014,746). She has served as an
information security consultant for more than 15 years.

Kelly J. “KJ” Kuchta, CPP, CFE, is the president of Forensics Consulting Solutions in Phoenix, Arizona.
He is formerly an area leader for Meta Security Group and Ernst & Young’s Computer Forensics Services
Group in Phoenix, Arizona. He is an active member of the High Technology Crime Investigation
Association (HTCIA), Association of Certified Fraud Examiners (ACFE), the International Association
of Financial Crime Investigators (IAFCI), and the American Society of Industrial Security (ASIS). He
currently serves on the board of the ASIS Information Technology Security Council.

Paul Lambert is responsible for the development and implementation of Certicom’s product
strategy to meet and exceed current market demands, trends, and forecasts for cryptographic
security technologies. He is currently a government appointee to a technical advisory committee for
federal information processing and an active contributor to technical standards for such security
technologies as digital signatures and network, e-mail, and LAN security. He was previously at
Motorola where he served as a top security architect, designing the security architecture for a family
of products to protect Internet communications. Prior to Motorola, he was director of security
products at Oracle where he was responsible for the development and product management of core
security technologies for all Oracle products. He has published numerous papers on key management
and communication security, and he is the founder and co-chair of the IP security working
group in the Internet Engineering Task Force.

Larry R. Leibrock, PhD, is with eForensics Inc.

xxxvii

AU7495—Prelims—6/2/2007—18:02—VELU—14657—XML MODEL CRC12a – pp. 1–46.


Ross A. Leo, CISSP, has been an information security professional for over 23 years with experience in a broad
range of enterprises. He is currently the director of information systems and the chief information
security officer at the University of Texas Medical Branch/Correctional Managed Care Division in
Galveston, Texas. He has worked internationally as a systems analyst and engineer, IT auditor, educator,
and security consultant for companies, including IBM, St. Luke’s Episcopal Hospital, Computer Sciences
Corporation, Coopers & Lybrand, and Rockwell International. Recently, he was the director of IT security
engineering and the chief security architect for Mission Control at the Johnson Space Centre. His
professional affiliations include (ISC)2, ASIS and HCCO, and he is a member of the IT Security
Curriculum Development and Advisory Board for Texas State Technical College. He is the editor of the
HIPAA Program Reference Handbook (Auerbach Publications, 2004).

Ian Lim, CISSP, is a senior consultant in Accenture’s global security consulting practice who has defined
and deployed security architectures for Fortune 100 companies as well as contributed to Accenture’s
global privacy and policy framework.

Bill Lipiczky has practiced in the information technology and security arena for over two decades,
beginning his career as a mainframe operator. As information technology and security evolved, he
evolved as well. His experience includes networking numerous operating systems (*NIX, NetWare, and
Windows) and networking hardware platforms. He is currently a principal in a security consulting and
management firm as well as a lead CISSP instructor for the (ISC)2.

David A. Litzau, CISSP, with a foundation in electronics and audio/visual, moved into the
computer sciences in 1994. He has been teaching information security in San Diego for the past
six years.

Perry G. Luzwick is the director of information assurance architectures at Northrop Grumman
Information Technology for information warfare, information assurance, critical infrastructure protection,
and knowledge management. He served as a lieutenant colonel in the U.S. Air Force, and he was
Military Assistant to the Principal Deputy Assistant Secretary of Defense for Command, Control,
Communications, and Intelligence; Deputy Director for Defensive IO, IO Strategy, and Integration
Directorate; Chief, Information Assurance Architecture, Directorate for Engineering and Interoperability,
Defense Information Systems Agency (DISA); Deputy Chief, Current Operations and Chief,
Operations and Information Warfare Integration, Operations Directorate, DISA; Information Assurance
Action Officer, Information Assurance Division (J6K), the Joint Staff; and Chief, JCS, CINC, and Defense
Agency Communications-Computer Security Support, National Security Agency.

Franjo Majstor, CISSP, CCIE, is the EMEA senior technical director at CipherOptics Inc. where he is
responsible for driving to market the latest generation of data protection solutions. Previously, as
technical director EMEA at Fortinet, Inc., he was responsible for security products and solutions based
on the modern perimeter security architecture. He is also an external CISSP instructor at (ISC)2, and he
is a mentor and recognized lecturer of an ICT audit and security postgraduate study, joint program
between ULB, UCL, and Solvay Business School in Brussels, Belgium. As a member of several
professional associations, he is a frequently invited speaker at worldwide technical conferences on
network security topics. References to his public work can be found on his private home page at
www.employees.org/wfranjo.

Thomas E. Marshall, PhD, is an associate professor of MIS, Department of Management, Auburn
University, Alabama. He is a CPA, and he has been a consultant in the area of accounting information
systems for over 20 years. His work has been published in Information & Management, Information Systems
Security, Information Management & Computer Security, Journal of Computer Information Systems, Journal
of End User Computing, Information Resource Management, and Journal of Database Management.

Bruce R. Matthews, CISSP, has been managing embassy technical security programs for U.S. government
facilities worldwide for over 15 years. He is a security engineering officer with the U.S. Department of
State, Bureau of Diplomatic Security. With the British, he is examining a wide range of technical security
issues and how they impact IT security. As part of his work, he also conducts vulnerability assessments, IT
security investigations, and forensic analysis. In previous assignments, he was head of the Department of
State IT security training program and the chairman of the Security Standards Revision Committee for
the Overseas Security Policy Board (OSPB). He has been published in magazines such as Information
Security and State, and he is the author of Video Surveillance and Security Applications: A Manager’s Guide
to CCTV (Auerbach Publications, 2007).

George G. McBride, CISSP, CISM, is a director at Aon Consulting IT Risk Management organization in
Eatontown, New Jersey, and he has worked in the network security industry for more than twelve years.
He has spoken at conferences worldwide on topics such as penetration testing, risk assessments, and open
source security tools. He has consulted numerous Fortune 100 companies on projects, including network
architecture, application vulnerability assessments, and security organization and program development.
He has contributed to The Black Book on Corporate Security, hosted several Webcasts, and contributed to
several previous editions of the Information Security Management Handbook.

R. Scott McCoy, CPP, CISSP, CBCP, is the director of enterprise security for Xcel Energy where he is
responsible for corporate security, IT security, and business continuity. He has 22 years of security
experience, starting in 1984 in the U.S. Army, including four years on active duty as an explosive
ordnance disposal technician, and 10 years of security management experience, the last eight of them in the
electric and gas utility industry.

Samuel C. McClintock is a principal security consultant with Litton PRC, Raleigh, North Carolina.

Lowell Bruce McCulley, CISSP, has more than 30 years of professional experience in the information
systems industry. His security credentials are complemented by an extensive background in systems
development engineering that is primarily focused on critical systems along with experience in
production operations, training, and support roles.

Lynda L. McGhie, CISSP, CISM, is the information security officer (ISO)/risk manager for Wells Fargo
Bank, Private Client Services (PCS). She has over 25 years of information technology and information
security experience, specializing in risk management and compliance, security engineering and design,
business continuity planning (BCP) and crisis management, network security and identity management.
She is formerly the CISO for Delta Dental and Lockheed Martin Corporation. In her current role, she is
responsible for risk management and security for PCS within the Wells Fargo Corporation, and she has a
dotted line responsibility to the corporate CISO/IT security governance. She regularly publishes articles
on state of the art security topics/issues, and she is also a regular speaker for MISTI, ISSA, ISACA, and
other IT security venues.

Laurie Hill McQuillan, CISSP, has been a technology consultant for 25 years, providing IT support
services to commercial and federal government organizations. She is the vice president of KeyCrest
Enterprises, a national security consulting company. She teaches graduate-level classes on the uses of
technology for research and the impact of technology on culture. She is treasurer of the Northern
Virginia chapter of the Information Systems Security Association (ISSA) and a founding member of
CASPR, an international project that plans to publish Commonly Accepted Security Practices and
Recommendations.

Jeff Misrahi, CISSP, is an information security manager at a large data and news organization in
New York, where, among other tasks, he has responded to a plethora of client questionnaires and audit
requests. His experience includes managing information security and risk at both large and small
companies, as well as consulting. He is on the board of the New York Metro Chapter of the ISSA and can
be reached at [email protected].

James S. Mitts, CISSP, is a principal consultant with Vigilant Services Group who has over 18 years of
demonstrated ability in managing, planning, implementing, and controlling complex projects
involving numerous aspects of business continuity, disaster recovery, and information technology
and security.

Ron Moritz, CISSP, is director of the Technology Office at Finjan Software, where he serves as primary
technology visionary. As a key member of the senior management team interfacing between sales,
marketing, product management, and product development, he helps establish and maintain the
company’s technological standards and preserve the company’s leadership role as a developer of advanced
Internet security solutions. He was instrumental in the organization of Finjan’s Java Security Alliance,
and he established and currently chairs Finjan’s Technical Advisory Board. He has served in various
capacities, including president, with both the North Coast chapter of the ISSA and the Northeast Ohio
chapter of ISACA. He has lectured on Web security, mobile code security, computer ethics, intellectual
property rights, and business continuity and resumption planning. Over the past year, his presentations
on mobile code security have been well received at the European Security Forum (London), the FBI’s
InfraGard Conference (Cleveland), CSI’s NetSec (San Antonio), MISTI’s Web-Sec Europe (London),
and RSA Data Security (San Francisco).

Dorsey Morrow, JD, CISSP, is operations manager and general counsel for the International Information
Systems Security Certification Consortium, Inc. (ISC)2. He has served as general counsel to numerous
information technology companies, and he also served as a judge. He is licensed to practice in Alabama,
Massachusetts, the 11th Federal Circuit, and the U.S. Supreme Court.

William Hugh Murray, CISSP, is an executive consultant for TruSecure Corporation and a senior lecturer
at the Naval Postgraduate School; he has more than fifty years' experience in information technology and
more than thirty years in security. During more than twenty-five years with IBM, his management
responsibilities included development of access control programs, advising IBM customers on security,
and the articulation of the IBM security product plan. He is the author of the IBM publication,
Information System Security Controls and Procedures. He has made significant contributions to the
literature and the practice of information security. He is a popular speaker on such topics as
network security architecture, encryption, PKI, and secure electronic commerce. He is a founding
member of the International Committee to establish the Generally Accepted System Security Principles
(GASSP) as called for in the National Research Council’s Report, Computers at Risk. He is a founder and
board member of the Colloquium on Information System Security Education (CISSE). He has been
recognized as a founder of the systems audit field and by Information Security as a Pioneer in Computer
Security. In 1987, he received the Fitzgerald Memorial Award for leadership in data security. In 1989, he
received the Joseph J. Wasserman Award for contributions to security, audit, and control. In 1995, he
received a Lifetime Achievement Award from the Computer Security Institute. In 1999, he was enrolled in
the ISSA Hall of Fame in recognition of his outstanding contribution to the information security
community.

K. Narayanaswamy, PhD, is the chief technology officer and co-founder, Cs3, Inc. He is an accomplished
technologist who has successfully led the company’s research division since inception. He was the
principal investigator of several DARPA and NSF research projects that have resulted in the company’s
initial software product suite, and he leads the company’s current venture into DDoS and Internet
infrastructure technology.

Matt Nelson, CISSP, PMP, ITIL Foundation, has spent several years as a programmer, network manager,
and information technology director. He now does information security and business process consulting
for International Network Services.

Man Nguyen, CISSP, is a security consultant at Microsoft Corporation.

Felicia M. Nicastro, CISSP, CHSP, is a principal consultant with International Network Services (INS).
She has worked with various Fortune 500 companies during the more than four years she has been with INS. Her
areas of expertise include security policies and procedures, security assessments and security architecture
planning, design, implementation, and operation. Prior to joining INS, she was a systems administrator
for the Associated Press, and she was responsible for UNIX and security administration.

Keith Pasley, CISSP, is a security professional with over 20 years' experience designing and building
security architectures for both commercial and federal government. He has authored papers and taught
security classes, and he is currently working as a regional security practice director.

Christopher A. Pilewski, BS 7799 Lead Auditor, NSA IAM/IEM, CCSA, GIAC, CPA/E, FSWCE, FSLCE,
MCP, is a senior consultant for the international consulting and professional services firm Ajilon. He has
over sixteen years of professional experience in consulting, audit, security, networking technology, and
engineering. This experience spans compliance, audit, security, risk assessment and mitigation, business
process, technical controls, business continuity, technical project leadership, design, and integration of
network and information systems. Before joining Ajilon, he worked for consulting and audit firms as well
as flagship communications companies where he led a wide variety of projects ranging from compliance
efforts (Sarbanes-Oxley, HIPAA, VISA CISP, and others), audits, security assessments, implementation of
security systems, secure network architecture, network management systems, quality control/assurance,
protocol analysis, and technical marketing.

Ralph Spencer Poore, CFE, CISA, CISSP, CHS-III, CTM/CL, is the chief scientist at Innové LLC where he
provides security, privacy, and compliance consulting services, continuing a 30-plus year distinguished
career in information security as an inventor, author, consultant, CISO, CTO, educator, and
entrepreneur.

Mike R. Prevost is the DBsign product manager at Gradkell Systems, Inc., in Huntsville, Alabama.

Sean M. Price, CISSP, is an independent information security consultant located in the Washington,
D.C., area. He provides security consulting and engineering support for commercial and government
entities. His experience includes nine years as an electronics technician in metrology for the U.S. Air
Force. He is continually immersed in research and development activities for secure systems.

Anderson Ramos, CISSP, is an educational coordinator for Modulo Security, a leading information
security and risk management company in Latin America. He is recognized as one of the most important
professionals in Brazil and a key instructor for the country, having been responsible for training
hundreds of security officers. Since 1998, he has been involved with dozens of projects for the public and
private sectors. A lead instructor for (ISC)2 since 2001, he has presented official CISSP Review Seminars in
several countries around the world. He served as a director of the Brazilian ISSA Chapter from 2004 to
2006. He possesses more than 20 certifications in the IT and security field, including the CISSP, CISA,
SSCP, CCSI/EC, MCSE and CNE.

Anita J. Reed, CPA, is currently an accounting doctoral student at the University of South Florida,
Tampa, and she has 19 years of public accounting experience.

David C. Rice, CISSP, recognized by the Department of Defense and industry as an information security
expert, has spent seven years working on highly sensitive national information security issues and
projects. He has held numerous professional certifications; developed and authored several configuration
guides, including Guide to Securing Microsoft Windows 2000 Active Directory, Guide to Securing Microsoft
Windows 2000 Schema, and Microsoft Windows 2000 Group Policy Reference; and won Government
Executive Magazine’s Technical Leadership Award. He is the founder and senior partner of
TantricSecurity, LLC, an information security consultancy for government and private industry. In
addition to his consultancy, research, and publications, he is an adjunct professor for the Information
Security Graduate Curriculum at James Madison University, Harrisonburg, Virginia.

George Richards, CPP, is an assistant professor of criminal justice at Edinboro University of
Pennsylvania. In addition to teaching criminal justice courses to undergraduates, he has an active
research agenda that focuses primarily on crime prevention and security-related issues. He has published
in several peer-reviewed and popular publications, among these being The Journal of Contemporary
Criminal Justice, Journal of Security Administration, and The American School Board Journal.

Steve A. Rodgers, CISSP, the co-founder of Security Professional Services, has been assisting clients in
securing their information assets for more than six years. He specializes in attack and penetration testing,
security policy and standards development, and security architecture design.

Marcus K. Rogers, PhD, CISSP, CCCI, is the chair of the Cyber Forensics Program in the Department of
Computer and Information Technology at Purdue University. He is an associate professor and also a
research faculty member at the Center for Education and Research in Information Assurance and
Security (CERIAS). He was a senior instructor for (ISC)2, the international body that certifies
information system security professionals (CISSP), is a member of the quality assurance board for
(ISC)2’s SSCP designation, and is chair of the Law, Compliance, and Investigation Domain of the
International Common Body of Knowledge (CBK) committee. He is a former police detective who
worked in the area of fraud and computer crime investigations. He sits on the editorial board for several
professional journals, and he is a member of various national and international committees focusing on
digital forensic science and digital evidence. He is the author of numerous book chapters and journal
publications in the field of digital forensics and applied psychological analysis. His research interests
include applied cyber forensics, psychological digital crime scene analysis, and cyber terrorism.

Georgina R. Roselli is a member of the faculty at the College of Commerce and Finance at Villanova
University.

Ben Rothke, CISSP, CISM, is the director of Security Technology Implementation for AXA Technology
Services. He has over 15 years of industry experience in the area of information systems security and
privacy, and his areas of expertise are in risk management and mitigation, PKI, security and
privacy regulation, design and implementation of systems security, encryption, and security policy
development. Prior to joining AXA, he was with ThruPoint, Baltimore Technologies, Ernst & Young, and
Citicorp, and he has provided security solutions to many Fortune 500 companies. He is the author of
Computer Security—20 Things Every Employee Should Know (McGraw-Hill 2006), and a contributing
author to Network Security: The Complete Reference (Osborne) and the Information Security Management
Handbook (Auerbach). He writes a monthly security book review for Security Management, and he is a
former columnist for Information Security, Unix Review, and Solutions Integrator magazines. He is
co-chairman (along with Warren Axelrod of Pershing) of the Information Security Policy Principles
Working Group for the GAISP Project, and he is on the Experts Panel for Information Shield and an
editorial board member for Information Systems Security. He is a member of ISSA, ISACA, ASIS, CSI and
InfraGard.

Ty R. Sagalow is executive vice president and chief operating officer of American International Group
eBusiness Risk Solutions, the largest Internet risk insurance organization. Over the past 18 years, he
has held several executive and legal positions within AIG.

Craig A. Schiller, CISSP-ISSMP, ISSAP, is the president of Hawkeye Security Training, LLC. He is the
primary author of the first Generally Accepted System Security Principles (GASSP). He has been a
contributing author to several editions of the Handbook of Information Security Management and a
contributing author to Data Security Management. He co-founded two ISSA U.S. regional chapters: the
Central Plains Chapter and the Texas Gulf Coast Chapter. He is a volunteer with the Police Reserve
Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business
High-Tech speakers’ initiative and assists with Internet forensics.

Thomas J. Schleppenbach is a senior information security advisor and security solutions and product
manager for Inacom Information Systems in Madison, Wisconsin. With more than 16 years of IT
experience, he provides information security and secure infrastructure design, and he acts in a strategic
role helping organizations plan and build information security programs. He also sits on the Western
Wisconsin Chapter of InfraGard planning committee, and he is the co-chair for the Wisconsin Kids
Improving Security (KIS) poster contest, working with schools and school districts to educate kids on
how to stay safe online.

Paul Serritella is a security architect at American International Group. He has worked extensively in the
areas of secure application design, encryption, and network security.

Ken M. Shaurette, CISSP, CISA, CISM, IAM, is an engagement manager in Technology Risk Manager
Services at Jefferson Wells, Inc. in Madison, Wisconsin. With over 25 years of IT experience in total, he has
provided information security and audit advice and vision for companies building information security
programs for over 18 of those years. He is a founding member and past president of the Western
Wisconsin Chapter of InfraGard, past president and current vice president of the ISSA-Milwaukee Chapter
(International Systems Security Association), and current president and founding member of the ISSA-Madison
Chapter. He chairs the Milwaukee Area Technical College’s Security Specialist Curriculum Advisory
Committee, is an active committee member on Herzing College Madison’s Department of Homeland
Security Degree Program, a member of the Wisconsin Association of Computer Crime Investigators
(WACCI), a former chair of the HIPAA-COW (Collaborative of Wisconsin) Security Workgroup, and
past co-chair of the Wisconsin InfraGard KIS (Kids Improving Security) Poster Contest. In addition to all
that, he actually finds time to work.

Sanford Sherizen, PhD, CISSP, is president of Data Security Systems, Inc. in Natick, Massachusetts.

Brian Shorten, CISSP, CISA, has been involved in information security since 1986, working in financial
institutions and telecommunications companies. He has held positions as data protection officer and
business continuity manager. A member of the ISACA, the British Computer Society, and the Business
Continuity Institute, he writes and presents on various aspects of information security and business
continuity.

Carol A. Siegel, CISA, is the chief security officer of American International Group. Siegel is a well-
known expert in the field of information security, and she has been in the field for more than ten
years.

Micah Silverman, CISSP and a Sun Certified Java programmer, is president of M*Power Internet
Services, Inc. With over 13 years of experience, he has written numerous articles for industry journals,
including Information Security Magazine, Dr. Dobbs Journal, Java Developers Journal, and Linux Journal.
He consults for corporations to architect software using agile development methods, to ensure that good
security practices and policies are in place, and to train employees in the areas of information security
and software development.

Janice C. Sipior, PhD, is a member of the faculty at the College of Commerce and Finance at Villanova
University.

Valene Skerpac, CISSP, is past chairman of the IEEE Communications Society. Over the past 20 years,
she has held positions at IBM and entrepreneurial security companies. She is currently president of
iBiometrics, Inc.

Ed Skoudis, CISSP, is a senior security consultant with Intelguardians Network Intelligence. His expertise
includes hacker attacks and defenses, the information security industry, and computer privacy issues. He
has performed numerous security assessments, designed secure network architectures, and responded to
computer attacks for clients in the financial, high-technology, healthcare, and other industries. He is a
frequent speaker on issues associated with hacker tools and defenses, and he has published several articles
on these topics as well as the books Malware and Counter Hack. He is also the author of the popular Crack the Hacker
Challenge series that challenges information security professionals to learn from others’ mistakes.
Additionally, he conducted a demonstration of hacker techniques against financial institutions for the
U.S. Senate. His prior work experience includes Bell Communications Research (Bellcore), SAIC, Global
Integrity, and Predictive Systems.

Robert M. Slade, CISSP, is a data communications and security specialist from North Vancouver, British
Columbia, Canada. He has both formal training in data communications and exploration with the BBS
and network community, and he has done communications training for a number of international
commercial seminar firms. He is the author of Robert Slade’s Guide to Computer Viruses. He is the founder
of the DECUS Canada Education and Training SIG.

Timothy R. Stacey, CISSP, CISA, CISM, CBCP, PMP, is an independent senior consultant with over twenty
years of managerial and technical experience in system engineering and software development in a wide
range of real-time and scientific applications. His primary area of focus for the last twelve years has been in
the area of information security. His focus areas include IS audit, disaster recovery/business continuity
planning, security risk analysis, and business impact assessment. Prior to becoming an independent
consultant, he was a senior consultant with KPMG in its information risk management practice, a senior
information security consultant in the Shell Services International’s Global Information Security Team,
and a senior software engineer with Science Application International Corporation supporting NASA/JSC.

Bill Stackpole, CISSP, is the regional engagement manager of Trustworthy Computing Services for
Microsoft Corporation. He was a senior security consultant with Olympic Resource Management.

Stan Stahl, PhD, is the president of Citadel Information Group, an information security management
consultancy. An information security pioneer, his career began nearly 25 years ago on a wide range of
advanced projects for the White House, various military branches, the National Security Agency, and
NASA. He serves as vice president of the Los Angeles Chapter of the Information System Security
Association, and he is on the Editorial Advisory Board of Continuity Insights, for whom he writes a
bimonthly information security column.

Steve Stanek is a Chicago-based writer specializing in technology issues.

Christopher Steinke, CISSP, is an information security consulting staff member at Lucent World Wide
Services, Dallas, Texas.

Neath performance must, therefore, be regarded as an exceptional
locomotive feat. These engines were numbered 13, 14, and 15, and
not being provided with compensating beams between the wheels, it
is stated that one axle frequently carried 20 tons of the total weight.
During 1860 these three locomotives were, under the advice of Mr.
Harrison, rebuilt as tender engines, to reduce the weight on the
wheels, the excessive amount of which had been very destructive to
the permanent-way. The cost of the alterations to the engines and
the addition of the tenders was £700 each engine. About the same
time some of the other Vale of Neath six-wheels-coupled engines
were converted into four-wheels-coupled bogie locomotives.
The locomotive now to be described had but a very shadowy
existence; it was rather a tentative essay to produce a steam
locomotive without the aid of a fire. The idea when proposed by Sir
John Fowler was not new, for more or less successful essays had
already been made on a small scale, with engines, the steam for
propelling which was generated in the same manner as in Fowler’s
locomotive.
In 1853 a railway was incorporated as the North Metropolitan;
the next year a new Act was obtained, and the title changed to the
Metropolitan. This authorised the construction of a railway from the
Great Western Railway at Paddington to the General Post Office;
powers were afterwards obtained to allow the City terminus to be in
Farringdon Street instead of at the Post Office. The Great Western
Railway subscribed £175,000 of the capital, and for the convenience
of that Company’s through traffic the Metropolitan was laid out on
the mixed-gauge, and when it was first opened it was worked on the
broad-gauge only, by the Great Western Railway—a most sensible
arrangement, and one which ought never to have been relinquished,
seeing how well adapted the wider vehicles were for conveying the
immense crowds that travel by every train on this line.
The Act of Incorporation specially provided that the line was to
be worked without annoyance from steam or fire. At first it was
proposed to convert the water into steam by means of red-hot bricks
placed around the boiler, and Mr. (afterwards Sir) John Fowler
designed such a locomotive, which was built by a Newcastle firm,
and tried on the Metropolitan Railway between Bishop’s Road and
Edgware Road Stations before the line was opened. The first trial
took place on Thursday, November 28th, 1861. The following is an
account of the trip:—“The engine was of considerable size, and it
was stated that it could run on the railway from the Great Western
at Paddington to Finsbury Pavement without allowing the escape of
steam from the engine or smoke from the fire. A few open trucks
were provided with seats, and when the gentlemen were seated, the
new engine propelled them under the covered way of the
Metropolitan Railway to the first station at the eastern side of the
Edgware Road, and back again to the Great Western Station, the
steam and smoke being shut off. The tunnel, or covered way, was
perfectly fresh and free from vapour or smoke. On the signal being
given to work the engine in the ordinary way, a cloud of smoke,
dust, and steam soon covered the train, and continued until it
emerged from the tunnel into the open air. The experiment was
perfectly successful, but it was understood that engines so
constructed would be rather more expensive to work than those
running in the ordinary way.” To work the Metropolitan Railway on
this system would have required the erection of immense boilers at
both ends of the line to heat the water for the locomotive, and also
furnaces for making the bricks red-hot, whilst the charging of the
locomotive boilers with hot water and the fire-boxes with hot bricks
would have occupied some considerable time at the end of each trip.
It is, of course, well known that the experiment was very far
from being “perfectly successful.” Indeed, “failure” would be a much
better definition of the hot-brick engine, since the proposed method
of working was not carried out. We understand the engine was sold
to Mr. Isaac Watt Boulton, the well-known purchaser of second-hand
locomotives, and for some time remained in his “railway museum”
before being finally scrapped. The Metropolitan Railway had,
consequently, upon the failure of the hot-brick engine, to fall back
upon the Great Western Railway for working the underground line,
until Sir John Fowler’s later design of engines, constructed by Beyer,
Peacock, and Co., were ready to work the traffic.
In 1862 Fletcher, Jennings, and Co., of Whitehaven, designed a
handy type of saddle tank engine for shunting purposes, etc. The
engine ran on four wheels, 3ft. 4in. diameter, the wheel base being
6ft. The cylinders were 10in. diameter, with 20in. stroke. Allan’s
straight link motion was employed, and was worked off the leading
axle (it will be understood that the four wheels were coupled). This
method of actuating the valves was not conducive to good working,
as, of course, if the coupling-rods worked slack the valve gear
motion became disorganised.
Fig. 81 is a photograph of engine No. 75, of the Taff Vale Railway,
built at the Company’s Cardiff Works in 1860. The six-coupled
wheels were 4ft. 8in. diameter, the cylinders were 16in. diameter,
and the stroke was 24in. No. 75 weighed 32 tons in working order;
the steam pressure was 130 lbs. per sq. in. She was employed in the
heavy mineral traffic of the Taff Vale Railway, and from her design
well calculated to work over the heavy gradient of that system.

Fig. 81.—SIX-COUPLED MINERAL ENGINE, TAFF VALE RWY., BUILT 1860
In 1862 the L. and S.W. Railway purchased some second-hand
engines from a contractor. They were built by Manning, Wardle, and
Co., Leeds, and comprised six-wheels-coupled saddle tank engines.
The wheels were 3ft. diameter; cylinders, 12in. by 18in. stroke;
wheel base, 10ft. 3in.; length over buffers, 21ft. 6in.; weight, empty,
14 tons 8 cwt., loaded, 16 tons 4 cwt. The fire-box was surmounted
by a safety valve enclosed within a high fluted pillar. The steam
pressure was 120lb. One of these engines is leased to the Lee-on-
the-Solent (Light) Railway, and may be seen working the traffic on
this little line, which, by the way, spends over twopence to earn each
penny of its gross income.
Before leaving the London and South Western Railway and its
goods locomotives, it is as well to record the dimensions of the
“Meteor,” No. 57, constructed at Nine Elms in 1863 from the designs
of Mr. Beattie. The cylinders were 16½in. diameter, 22in. stroke; the
leading wheels were 3ft. 3in., and the coupled (D. and T.) wheels
5ft. diameter; the wheel base was 14ft., of which 8ft. 2½in. was
between the coupled wheels. The leading wheels were under the
boiler, and the front buffer beam was about 6ft. in advance of the
centre of this axle. An immense dome was fixed on the raised fire-
box; the safety valve was within an inverted urn-shaped case on the
boiler barrel. The weather-board had slight side-wings, and was
curved upwards at the top, and so formed an incipient cab. The fire-
box sloped from the tube-plate towards the foot-plate. The total
weight, in working order, was 32 tons 18 cwt., of which 11 tons 9
cwt. was on the leading, 11½ tons on the driving, and 9 tons 18
cwt. on the trailing axle. The tender was supported on six wheels,
3ft. 9¾in. diameter, and had a tank capacity of 1,950 gallons.
By a marvellous addition of a big head and a bigger tail (to say
nothing of various legs), the diminutive body of the East Kent
Railway had, in August, 1859, blossomed into the London, Chatham
and Dover Railway; and for this railway 24 locomotives were
supplied by various firms from Crampton’s designs. They were
numbered 3 to 26. The design was peculiar—a leading bogie having
wheels 3ft. 6in. diameter, and a base of 4ft., and four-coupled
wheels 5ft. 6in. diameter. The cylinders were outside, and had a
stroke of 22in., the diameter being 16in. As in the “London” and
other Crampton engines, the cylinders were placed about midway
between the smoke and fire-boxes, whilst the connecting-rods
actuated the rear pair of coupled wheels, so that in describing the
position of the wheels of these engines we should have to
enumerate them as “leading bogie,” “centre,” and “driving.” A
compensation lever connected the centre and driving wheels.
Gooch’s valve gear was used. Like other engines of Crampton’s
design, this class was a failure, and within three or four years they
were rebuilt as six-wheel engines, with inside cylinders and outside
frames; some of them, as reconstructed without a bogie, are still in
active service on the London, Chatham and Dover Railway.
Before the grave faults inherent in the previously described class
of engines had been fully appreciated, the London, Chatham, and
Dover Railway had arranged for a second batch of engines from
another of Crampton’s designs. These consisted of five engines
constructed by R. Stephenson and Co. in 1862. The locomotives in
question were worked on the principle patented by W. Bridges
Adams, and previously described in an earlier chapter—viz., an
intermediate driving shaft, coupled by outside rods to the driving
wheels, situated behind the fire-box. The cylinders were 16in.
diameter by 22in. stroke, and within the frames. The driving wheels
were 6ft. 6½in. diameter, and bogie wheels 4ft. 0½in. diameter.
Cudworth’s sloping fire-box, fitted with a longitudinal mid-feather,
was employed. The heating surface amounted to 1,200 sq. ft., made
up of 130 sq. ft. fire-box and 1,070 sq. ft. tubes, which were 2in.
diameter, 10ft. 10in. long, and 189 in number. The grate area was 26
sq. ft.
The engines in question were named, etc., as follows:—
Company’s No.    Name.         Builder’s No.
27               “Echo”        1381
28               “Coquette”    1382
29               “Flirt”       1383
30               “Flora”       1384
31               “Sylph”       1385
As remarked in describing the previous class, Crampton’s engines
were in this case also found to be unsuitable, so that the London,
Chatham and Dover Railway rebuilt the five engines, when the
intermediate driving shaft was provided with a pair of wheels, and
the engines became “four-coupled bogies.” The diameter of the
cylinders was increased to 17in.; the Cudworth fire-box was
dispensed with, and the heating surface reduced, the present
dimensions being—fire-box, 100 sq. ft.; tubes, 987 sq. ft.; grate
area, 16¼ sq. ft.; weight in working order: on bogie, 14 tons 12
cwt.; driving wheels, 14 tons 12 cwt.; and on trailing wheels, 10
tons; total, 38 tons 16 cwt.
CHAPTER XII.
“Brougham,” Stockton and Darlington Railway—L. & N.W.R. engines at the 1862 Exhibition—Sinclair’s “Single”
engines for the G.E.R.—French locomotives on the G.E.R.—L. & S.W.R. tank engines, afterward converted to
tender engines—Conner’s 8ft. 2in. “Single” engine on the Caledonian Railway—The lilliputian “Tiny,” the
Crewe Works locomotive—“Dignity and Impudence”—Bridges Adams’ radial axle tank engines—His
spring tyres—Account of the St. Helens Railway locomotive with these innovations—Broad-gauge engines for
the Metropolitan Railway—Rupture between the Great Western and Metropolitan—Sturrock to the rescue—
G.N. tender engines on the Metropolitan—Delivery of the Underground Company’s own engines—Great
Northern “condensing” locomotives—The Bissell bogie truck well advertised—End of the “hot-brick” engine—
Sturrock’s steam-tender engines on the G.N.R.—Sinclair’s tank engine with Bissell trucks—Fell’s system of
locomotive traction—Tried on the Cromford and High Peak line—Adopted on the Mount Cenis Railway—
Spooner’s locomotives for the Festiniog Railway—Fairlie’s double-bogie engines—The “Welsh Pony” and “Little
Wonder”—Fairlie’s combined trains and engines—Cudworth’s trailing bogie North London engines, a model
for tank locomotive constructors—Pryce’s designs for the North London Railway.
Fig. 82 illustrates the “Brougham,” No. 160, of the Stockton and Darlington Railway. This engine was
designed for hauling passenger trains. She was a bogie engine, as will be noticed by reference to the
illustration, and had four-coupled wheels 6ft. in diameter. The cylinders, placed outside, were 16in. in
diameter, with a stroke of 24in. The tender was on six wheels, and the tank was capable of carrying
1,400 gallons. No. 160 was constructed in 1860, not a very long time prior to the amalgamation with
the North Eastern Railway Company, by R. Stephenson and Co., of Newcastle, at a cost of £2,500.
The London and North Western Railway exhibited at the London International Exhibition of 1862 a
locomotive constructed at Wolverton from the designs of Mr. McConnell; the engine was built the
previous year, was numbered 373, and named “Caithness.” The cylinders were 18in. by 24in.; driving
wheels, 7ft. 7⅛in. diameter; L. and T., 4ft. 7½in.; steam pressure, 150lb.; wheel base, 18ft.; heating
surface (14 tubes 1⅞in. diameter, 9ft. 4in. long), 980.319 sq. ft.; fire-box, 242.339 sq. ft.; weight in
working order (engine and tender) 59 tons 14 cwt. A combustion chamber 2ft. 8in. long was provided.
Two other engines of this design were built, No. 372 “Delamere” and No. 272 “Maberley.” Apparently
these engines were not very successful, as we do not find accounts of their later performances.
In 1862 Fairbairn and Co. constructed for the Great Eastern Railway a class of “single” engines
designed by Mr. R. Sinclair. These locomotives had outside cylinders, 16 ft. by 24 in.; driving wheels, 7
ft. 3 in., and leading and trailing wheels, 3 ft. 9 in. diameter; heating surface, tubes (203, 1¾ in.
diameter), 957.6 sq. ft.; fire-box, 94.9 sq. ft.; grate area, 15.27 sq. ft.; weight, 32 tons, of which 13
tons 13 cwt. 1 qr. was on the driving axle. Gooch’s link motion was employed.

Fig. 82.—“BROUGHAM,” No. 160, STOCKTON AND DARLINGTON RAILWAY


The design in question was of rather attractive appearance, the open splasher being an attractive
feature, as was also the cab—somewhat of an innovation 35 years ago. Mr. S. W. Johnson succeeded
Mr. Sinclair at the end of 1865 as Great Eastern Railway locomotive superintendent, and under the
régime of the former some of these engines were rebuilt with a leading bogie, and the diameter of the
cylinders was increased to 18 in. Another form of cab was introduced, the Salter safety valve on the
dome was removed, and one of Ramsbottom design placed on the flush top fire-box, which had
superseded the raised pattern as employed in this class of engine by Mr. Sinclair. One of the engines of
this class (No. 0295) was in active service as recently as July, 1894. In connection with this class of
engine a special circumstance needs mention—viz., that 16 of these locomotives were made—not “in
Germany,” but in the country of her foe; the French engineering firm with the German name of
Schneider, in 1865, contracting to supply the 16 locomotives at a less price than any English maker. This
event was certainly a curiosity in the economic history of this country’s trade. We import many articles;
let us hope, however, that foreign locomotives will not again be seen on English railways. There is some
consolation to be found in the statement that all the British locomotive builders were so full of orders at
the time that they practically refused to accept orders for the engines in question by tendering for them
at outside prices, so that consequently the order had to be given to a foreign firm.
In 1863 Beyer, Peacock and Co. commenced to construct a class of tank engines for the London and
South Western Railway from the designs of Mr. J. Beattie. The locomotives in question had outside
cylinders 16½in. by 20in. stroke; four coupled wheels, 5ft. 7in. diameter; and a pair of leading wheels,
3ft. 7¾in. diameter. The boiler contained 186 tubes, 1⅝in. diameter. The heating surface was made up
of tubes 715.17 sq. ft., and fire-box 80 sq. ft. The grate area was 14.2 sq. ft.
A lock-up safety valve was placed on the front ring of the boiler barrel, and two of Salter’s pattern on
the immense dome which surmounted the raised fire-box. The steam pressure was 130lb. The engine
weighed in working order 29 tons 17 cwt., of which 10½ tons was on the driving axle. We have already
stated that the engines were built as tanks, but Mr. W. Adams, who had succeeded Mr. J. Beattie as
locomotive superintendent of the London and South Western Railway, added tenders to some of their
engines in 1883. It is a common practice to rebuild tender engines as “tanks,” but the opposite practice
is somewhat of a novelty. The tenders were supported on six wheels, 3ft. 9¾in. diameter, and weighed
20¾ tons in working order, the water capacity being 1,950 gallons.
An engine that attracted considerable attention at the 1862 Exhibition was one built by Neilson and
Co. from the designs of Mr. B. Conner, locomotive superintendent of the Caledonian Railway (Fig. 83).
The engine in question had outside cylinders, 17¼in. diameter, with a stroke of 24in.; driving 8ft. 2in. in
diameter, with inside bearings and underhung springs. The trailing and leading wheels had outside
bearings. The engine had 1,172 sq. ft. of heating surface; the grate area was 13.9 sq. ft.; wheel base,
15ft. 8in.; weight, empty, 27¼ tons; in working order, 30 tons 13 cwt., of which 14 tons 11 cwt. was on
the driving axle.

Fig. 83.—CONNER’S 8ft. 2in. “SINGLE” ENGINE, CALEDONIAN RAILWAY (REBUILT)


Colburn describes the locomotive as a “fine, well-constructed engine, standing gracefully on its
wheels, large, yet compact, and qualified to run at any speed with ease and steadiness.” Nor can this
description be in any measure contradicted. For, until Stirling built his famous 8ft. 1in. “singles” for the
Great Northern Railway, Conner’s 8ft. 2in. Caledonian engines were far and away the most graceful
locomotives ever placed on the 4ft. 8½in. gauge. In general design, the engine was a modification of
the old Crewe pattern engine. The dome was, however, of rather a peculiar shape: it was placed on the
top of the raised fire-box. The driving axle was of cast steel, and the tyres of Krupp steel. The large
number of spokes in the driving wheels was noticeable, being at only 10in. centres at the rim of the
wheels. The slide-valves were provided with 1½in. lap. A great improvement was the provision of a cab,
and that of not disproportionate dimensions, considering the “year of grace” in which the engine was
constructed. Trains of nine carriages were hauled at an average speed of 40 miles an hour, with a coal
consumption of 2½lb. per mile; 14 loaded carriages were frequently taken up the terrible Beattock
bank, 10 miles in length, at 30 miles an hour.
The late Khedive of Egypt was so taken with the appearance of this engine when it was at the
Exhibition that he immediately ordered one for his own railway. He was searching for a locomotive to
convey him at 70 miles an hour, and Conner’s 8ft. 2in. single appeared to be the one most likely to fulfil
his requirements. Nor do we hear that he was in any way disappointed with his purchase.
It is interesting to know that the Caledonian Railway has still a specimen of this notable design
unscrapped—may it ever remain so. To prevent our appetite becoming vitiated with a galaxy of
Brobdingnagian locomotives, we will descend to the other end of the scale, and detail the Lilliputian
“Tiny,” as used in the Crewe locomotive works. The railway is of 18in. gauge, and was opened in May,
1862, for a length of three-eighths of a mile. In its course the engine traverses curves of 15ft. radius
each, no difficulty being found in going round these curves with loads of 12 to 15 tons, or in taking 7ft.
6in. wheel forgings or tyres on edge by means of trucks specially adapted for the purpose. This engine
has four-wheels-coupled; inside cylinders, 4¼in. diameter, and 6in. stroke; the wheels are 15in. in
diameter, on a base of 3ft. The total heating surface is about 42 sq. ft. A No. 2 Giffard’s injector
supplied the boiler with water; this precious liquid is stored in a saddle tank, with a capacity of 28
gallons. “Tiny,” when “right and tight and ready for action,” weighs only 2½ tons.
The duties of the Lilliputian engines consist in hauling materials to and from different parts of the
works, and as the 18in. rails are in most places laid parallel with the standard gauge lines, “Tiny” is also
called upon to fly shunt the trucks, etc., when necessary.
An engine of this type, the “Nipper,” forms with the giant “Cornwall” that well-known photographic
picture—the railway “Dignity and Impudence.”
Fig. 84 represents Sharp, Stewart, and Co.’s standard design of passenger engine of this period. The
“Albion” was delivered to the Cambrian Railway in May, 1863. She was an inside cylinder engine, with a
pair of leading wheels, and an enclosed Salter safety valve. Altogether, the “Albion” is a fair example of
locomotive practice 36 years ago.
We have on previous occasions referred to the improvements in locomotive construction introduced
by Mr. W. Bridges Adams, and we now have again to record a successful employment of his design. In
the first week of November, 1863, Mr. James Cross, locomotive engineer of the St. Helens Railway,
completed a tank locomotive, supported on eight wheels, the leading and trailing pairs of which were
fitted with the radial axle-boxes patented by Mr. W. B. Adams; whilst the four coupled wheels were
fitted with spring tyres, which were another invention of the same engineer.
Fig. 84.—“ALBION,” CAMBRIAN RAILWAYS, 1863

The St. Helens Railway was famous—or, from an engineer’s point of view, we should say, perhaps,
infamous—for the severe gradients, sharp curves, and numerous points, crossings, and junctions. The
inclines were as steep as 1 in 35, 1 in 70, and 1 in 85, whilst the curves were constructed with radii of
300ft. and 500ft., and reverse or S curves were also more frequent than pleasant. The St. Helens
Railway was only 30 miles long, but within two miles of the St. Helens Station no less than 12 miles of
sidings were located. We do not mean to suggest that the whole line of railway was so thickly covered
with siding connections, but such were distributed over the remaining mileage of the railway in too
plentiful profusion. Here, then, was a length of railway containing the three great hindrances to smooth
and quick running, but the locomotive about to be described was so constructed as to successfully
overcome these impediments.
This engine had inside cylinders, 15in. diameter and 20in. stroke. The coupled wheels were 5ft. 1in.
in diameter, the rigid wheel base being 8ft., but as these wheels had spring tyres, each pair of wheels
was practically as free to traverse the curves as uncoupled wheels. Other dimensions were:—Heating
surface, 687 sq. ft.; grate area, 16.25 sq. ft.; total wheel base, 22ft.; weight in working order, on
leading wheels, 7 tons 15 cwt.; on driving, 11¾ tons; on rear coupled, 11¼ tons; on trailing, 10 tons,
including 4¼ tons water and 1¼ tons coal. Total weight, 40¾ tons.
The boiler contained 121 tubes, 10ft. 11in. long, and 1⅞in. diameter; steam pressure, 140lb.; water
capacity of tank, 950 gallons. The fire-grate was 5ft. long, and sloped from the door to the tube-plate.
The springs of the coupled wheels were connected by means of a compensation lever. The dome was
placed on the raised fire-box, and fitted with a screw-down safety valve; a second valve of the same
pattern was fixed on the boiler barrel. A roomy and well-enclosed cab, fitted with side windows,
thoroughly protected the enginemen.
Adams’ radial axle-boxes are, of course, still in use on the Great Northern Railway, London,
Chatham, and Dover Railway, and other lines, so that a detailed account here is not necessary, the
salient feature being that they are made with a radius, having its centre in the centre of the adjoining
axle, the axle-box guide-boxes being curved to fit. In the engine we are now describing the radius of
the boxes was 7ft., and the lateral play of the boxes was 4½in. on each side. The spring-pins were not
fixed on the top of the boxes, but were each fitted with a small roller to allow the boxes to freely
traverse. The axle-boxes weighed 3½ cwt. each.
It will be understood that when an engine fitted with these boxes enters a right-hand curve the
flanges of the leading wheels draw the boxes to the right, so that the engine itself remains a tangent to
the curve, whilst, since the axle-boxes are themselves curved, the effect is that the right-hand side
axles are brought nearer the rigid wheels, and consequently the radial wheels on the opposite side of
the engine further from the fixed wheels, the whole effect of the radial axle-boxes being that the trailing
and leading axles actually become radii of the curves being traversed, although the flanges continue
parallel to the rails.
Adams’ spring tyres require a more precise description, and before we describe them, readers may
perhaps be reminded that Adams had strong views on the subject of railway rolling stock wheels. He
enters rather fully into the matter in his book, “Roads and Rails,” especially in the chapter dealing with
“the mechanical causes of accidents.” In this, Adams maintains that the usual forms of wheels are in
reality rollers, and not wheels.
The spring tyres had been tried on the North London Railway, Eastern Counties, and on another
locomotive on the St. Helens Railway, before the engine now under review was constructed. Upon the
coupled wheels of the new locomotive for the latter railway, double spring hoops were employed, the
single form having been used in the three previously mentioned engines. The plan adopted was as
follows:—
“The tyres chosen were constructed with a deep rib in front; this was bored out, internally, to a
depth of ¾in., and to a conical section, and, of course, parallel to the tread. A flat edge, ⅜in. wide, was
thus left on either side.
“The springs, formed of tempered hoop steel, were placed on the inner surface of the tyres.
Corresponding curves were turned across the outer circumference of the wheels. The wheels were
forced into the cones containing the springs, and retained by three 1in. bolts, and a flat ring in the
groove at the back of the tyre, the effort of the spring tyres being to allow of a slight lateral motion in
running round curves and also to give a better grip of the rails, as the tyres, by reason of the weight
upon them being transmitted through the tyre springs, slightly flattened upon the rails, and so
presented a larger surface for adhesion between the tyres and rails.”
The following interesting account of the working of the radial axle and spring tyre locomotive on the
St. Helens Railway is extracted from a paper by Mr. J. Cross, the designer of the locomotive, and read
before the Institution of Civil Engineers. Mr. Cross stated that “the engine was completed in the first
week of November, 1863, and has since been running very regularly, taking its turn of duty with
passenger trains or coal trains, or as a shunting engine; and about the numerous works connected by
sharp curves with the St. Helens line. The motion round curves is free from all jerking, and on straight
lines the speed is more than 60 miles an hour; either end of the engine being first, without any train
behind to give steadiness; and the motion is so smooth that it has only been by taking the actual time
that the engineers have convinced themselves of the fact of the speed exceeding 40 miles an hour. It
was built to traverse curves of 200ft. radius. This it does with the greatest facility, and it has regularly
worked the passenger trains round a curve of 1,000ft. radius, going directly off the straight line by a
pair of facing points at a speed of more than 30 miles an hour, and it has gone round curves of 132ft.
radius. It has also run a train of 12 passenger carriages, weighted up to 100 tons, exclusive of its own
weight, at 60 miles an hour on the level. From the advantages it possesses over the ordinary mixed
engines for weighting the trailing coupled wheel, it, without difficulty, on a wet, slippery day, started,
and took this load up a gradient of 1 in 70, drawing seven of the carriages with a load weighing 72 tons
5 cwt., up a gradient of 1 in 36, round a curve of 440ft. radius; and coal trains of 250 tons are worked
over long gradients of 1 in 200 with the greatest ease.
“It is evident, then, that engines on this principle, affording facilities for the use of high power in
hilly countries, are peculiarly adapted for Metropolitan lines, where sharp curves are a necessity (being
equally safe whichever end is foremost), and are also well suited for light lines in India and the
Colonies. It may likewise be remarked that carriages and wagons on this principle would carry heavier
freights, with a saving in the proportion of dead weight, while their friction round curves would be less
than at present.”
The improvements adopted in the construction of this locomotive for the St. Helens Railway were so
successful that, as usual, other claimants, who appropriated the radial axle-boxes as their invention,
were soon contending with Adams and Cross as to who was entitled to the honour of introducing the
improvement.
The first portion of the Metropolitan Railway was opened on January 18th, 1863, and the line was
then worked on the broad-gauge by the Great Western Railway for a percentage of the receipts. The
Great Western Railway provided the stations, staff, locomotives, and rolling stock.
Mr. D. Gooch, in 1862, designed a special class of tank engines for working the Metropolitan Railway.
They were six-wheel engines, the driving and trailing wheels being 6ft. diameter and coupled. The
cylinders were outside. A special form of fire-box and baffle-plate was employed, and tanks were
provided beneath the boiler barrel, into which the exhaust steam was discharged by means of a
reversing valve fitted to the bottom of the blast pipe. When in the open air, the waste steam escaped up
the chimney in the usual manner.
The first of these engines were named: Bee, Hornet, Locust, Gnat, Wasp, Mosquito, Bug, Khan,
Kaiser, Mogul, Shah, and Czar. Later ones were named after flowers and Great Western Railway officers.
A dispute arose between the two companies at the beginning of August, 1863, and immediately
developed into a complete rupture. The smaller quasi vassal railway, through the energy displayed by its
chief officers, successfully overcame the apparently insurmountable obstacles that beset it, and
consequently the Metropolitan Railway asserted its complete independence of the Great Western
Railway, and has since maintained it.
It was indeed a nine days’ wonder that the Metropolitan Railway was called upon to perform, for it
had to obtain from somewhere locomotives and carriages to work the underground line, commencing
on the morning of August 10th, 1863.
Mr. Sturrock, the locomotive superintendent of the Great Northern Railway, had at this time under
construction a class of condensing-tank engines that he had designed to work the Great Northern
Railway traffic over the Metropolitan Railway. The directors of the Metropolitan Railway in this
emergency applied to Mr. Sturrock for assistance, and by working day and night he managed to fit up
some Great Northern tender engines with a temporary condensing apparatus.
The difficulty was to provide some kind of condensing apparatus on the Great Northern tender
engines, it being necessary to use flexible connecting pipes between the engine and tender strong
enough to withstand the steam pressure, but Mr. Sturrock was successful enough to contrive the
necessary flexible pipes by which the exhaust steam was conveyed from the engine to the water-tank of
the tender, but these pipes very frequently burst, and all concerned were far from sorry when the
proper engines were delivered.
An order for eighteen engines had already been placed by the Metropolitan Railway with Beyer,
Peacock, and Co., the well-known Manchester firm of locomotive builders, who built them from the
designs of the late Mr. (afterwards Sir) John Fowler.
The type is well known to London readers, the engines having side tanks, a leading bogie, the
wheels of which were 3ft. diameter, with a base of 4ft. The driving and trailing wheels (coupled) were
5ft 9in. diameter, their base being 8ft. 10in.; the total wheel base being 20ft. 9in., or to centre of bogie,
18ft. 9in. The cylinders were outside, slightly inclined from the horizontal, 17in. diameter, and 24in.
stroke. The grate area was 19 sq. ft. The fire-boxes had sloping grates, which were 6in. deeper at the
front than the back. The boiler barrel was 4ft. in diameter, and 10ft. 3in. long; it contained 166 tubes,
2in. diameter, the total heating surface being 1,014 sq. ft. The working pressure was nominally 130lb.
per sq. in., but when working through the tunnels, condensing the steam, and with the dampers closed,
a very much lower pressure resulted. The frames were inside, the dome (fitted with a Salter valve) was
on the boiler barrel, close to the smoke-box, a sand-box being also fixed on the boiler barrel at the back
of the dome.
The bogie truck was built of plate frames, and was on the Bissell system, turning on a centre-pin
fixed to the engine frame, at a radial distance of 6ft. 8in. from the centre of the truck. “Locomotive
Engineering” says that “this radial length ensures a nearly correct radiality of the bogie to curves of all
radii, the proper length of the radius to ensure exact radiality of the centre of the bogie for all curves
being 7ft. 2in., or 6in. more than the actual length—a difference which is, perhaps, of no great
importance in practice.”
For the purpose of effectually condensing the exhaust steam the side tanks were only filled with
water to within 6in. of the top, and the steam was discharged upon the surface of the water, from a 7in.
pipe on each side—one to each tank. Into the mouth of these 7in. pipes a 4in. pipe was projected a
short distance, and the other end of the 4in. pipe was below the surface of the water, so that a portion
of the steam was discharged right into the water in the tanks, and agitated the water sufficiently to
prevent the surface of the water from becoming too hot, as would have been the case if the same
portion of the water had always been presented to the waste steam. The tanks held 1,000 gallons, and
at the end of a journey the water had become too warm to properly condense the exhaust, and it
therefore became necessary to quickly empty the tanks and to take in a fresh supply of cold water.
To expeditiously perform the former operation, each tank was provided with a pipe 7in. in diameter;
this led to a cast-iron valve-box being placed below the foot-plate. By means of a screw, worked from
the foot-plate, a 10in. valve was operated, and the water in the tanks could be discharged into the pits
below the engine in the course of some 60 seconds.
The following list gives the names and builders’ numbers of the first locomotives constructed for the
Metropolitan Railway:

Engine No.  Name.       Builder’s No.    Engine No.  Name.       Builder’s No.
    1       Jupiter.        412              10       Cerberus.       421
    2       Mars.           413              11       Latona.         422
    3       Juno.           414              12       Cyclops.        423
    4       Mercury.        415              13       Daphne.         424
    5       Apollo.         416              14       Dido.           425
    6       Medusa.         417              15       Aurora.         426
    7       Orion.          418              16       Achilles.       427
    8       Pluto.          419              17       Ixion.          428
    9       Minerva.        420              18       Hercules.       429

These engines were fitted with a very small coal bunker, only 18in. wide. Weight of engine in
working order: on bogie, 11 tons 3½ cwt.; driving, 15 tons 9½ cwt.; and trailing, 15 tons 10 cwt. Total
weight, 42 tons 3 cwt.
Mr. Sturrock’s engines for working the Great Northern trains over the Metropolitan Railway were
numbered 241 to 250, their leading dimensions being:—Cylinders (inside), 16½in. diameter, 22in.
stroke; leading and driving wheels (coupled), 5ft. 6in.; trailing wheels, 4ft. diameter; wheel base, L. to
D., 7ft. 6in.; D. to T., 11ft. 9in.; total, 19ft. 3in. Weight, empty, 32 tons 4 cwt. 1 qr.; in working order, 39
tons 12 cwt. 2 qrs.
These Great Northern Railway locomotives were fitted with Adams’ radial axle-boxes to the trailing
wheels, and commenced working at the end of October, 1865.
The patentee of the Bissell bogie truck did not intend to hide the light of his invention under a
bushel, for he advertised the improvement in a truly American style. The following advertisement was to
be found in the columns of the sober railway newspapers soon after the Metropolitan locomotives were
at work:—
“Important to Railway Directors, Engineers, and the Travelling public.
“No more accidents from engines running off the line (see Queen’s letter to Railway Directors
copied in the railway papers January 28th, 1866).
“The Bissell bogie, or safety truck, for locomotive engines, so much prized on American and
foreign railroads for the great safety and economy it affords on curved roadways, after
years of probationary trial in England, has at length been adopted by John Fowler, Esq.,
C.E., F.G.S., upon all the new engines, eighteen in number, now working on the
Metropolitan Railway, and by Robert Sinclair, Esq., C.E., upon twenty new eight-wheeled
engines on the Great Eastern Railway, which may be seen daily. The royalty for the use of
the Bissell Patents has been reduced to £10 per engine, so that every engine requiring a
bogie underframe should be provided with the Bissell safety truck. Apply to——.”
Whilst on the subject of railway advertisements we take the opportunity to record the obituary
announcement of the tentative “hot-brick” engine, previously referred to, designed to work on the
Metropolitan Railway. It appeared in the railway newspapers during the early months of 1865, and was
to the following effect: “Metropolitan Railway. One locomotive engine for sale, either entire or in parts.
For particulars apply to the Locomotive Superintendent, Bishop’s Road, Paddington.”
Reference must here be made to Mr. Sturrock’s system of steam tenders, as adopted by him to work
the heavy coal and goods trains on the Great Northern Railway. In addition to the usual engine, the
pistons of a pair of cylinders, 12in. diameter with a stroke of 17in., actuated the centre axle of the
tender, and the six tender wheels were coupled by outside rods. The tender wheels were 4ft. 6in.
diameter. The steam tenders weighed about 35 tons, with water and coal, and of this weight over 13
tons was on the driving wheels. After use in the tender cylinders, the exhaust steam was condensed in
the tender tank. Forty-six of these steam tenders were constructed, and some are still running, but as
simple tenders, the propelling apparatus having been done away with many years ago. Fig. 85a
represents a Great Northern engine fitted with one of Sturrock’s patent steam tenders.
Mr. Robert Sinclair, whilst locomotive superintendent of the Great Eastern Railway, only designed one
type of tank engine, and Neilson and Co. constructed the first of this class in 1864. Twenty of the class
were built, being originally intended to work the Enfield Town Branch, but in later years these engines
were used on the North Woolwich line. The engines (Fig. 86a) were supported by eight wheels, the
leading and trailing being 3ft. 7in. diameter, and the driving and back coupled 5ft. 6in. diameter. The
cylinders were outside, 15in. diameter, and 22in. stroke. The leading and trailing wheels were fitted with
the Bissell truck, referred to in the advertisement just quoted. So that although the whole wheel base
was 17ft. 4in., the rigid base—that of the coupled wheels—was only 6ft. The boiler was 13ft. 6in. long,
and the water was carried in the tanks beneath the boiler and between the frames. An enclosed cab
with front and rear spectacle plates was provided.

Fig. 85a.—A GREAT NORTHERN RAILWAY ENGINE, FITTED WITH ONE OF STURROCK’S PATENT STEAM TENDERS.
This improvement so delighted the Great Eastern Railway drivers that they presented a testimonial
to Mr. R. Sinclair in May, 1864, in which they described him as the “inventor” of the weather-board or
“cab,” as fitted to locomotives. The tank engines in question weighed 38 tons 6 cwt. 3 qrs., of which
weight 20 tons 5 cwt. 2 qrs. was on the coupled wheels.
Fig. 86a.—SINCLAIR’S DESIGN OF TANK ENGINE FOR THE EASTERN COUNTIES RAILWAY
In January, 1863, Mr. J. B. Fell patented a locomotive designed for working over extremely steep
gradients. At that time there was a break 47 miles long in the continuity of the iron road communication
between France and Italy by the Mount Cenis route. This break has in later years been abolished by the
construction and working of the famous Mount Cenis tunnel. Brassey and Co. in 1863 proposed that
during the construction of the tunnel a temporary mountain railway worked on Fell’s system should be
built over the mountain. An experimental locomotive was, therefore, constructed at the Canada Works,
Birkenhead. This engine weighed 14½ tons loaded. The boiler was 2ft. 9in. diameter, and 7ft. 9½in.
long, and contained 100 tubes of 1½in. external diameter. The heating surface was 420 sq. ft., and the
grate area 6½ sq. ft. The engine had two sets of machinery—one for working the vertical wheels,
acting on the ordinary carrying rails, and the other actuated the special horizontal clutch wheels, which
were pressed against the centre rail. The outside cylinders which worked the four-coupled vertical
wheels, of 2ft. 3in. diameter, were 11¾in. diameter, the stroke being 18in. The horizontal coupled
wheels were 16in. diameter, with a base of 19in.; these were driven by inside cylinders 11in. diameter
and 10in. stroke. A pressure of 12 tons, actuated by means of a screw apparatus, could be applied to
the horizontal wheels.
By permission of the London and North Western Railway, an experimental railway, 800 yards long,
was laid down upon the Whaley Bridge Incline of the Cromford and High Peak Railway.
The gauge was 3ft. 7⅝in., and there were 180 yards of straight line on a gradient of 1 in 13.5, and
150 yards of curves, with radii of 2½ and 3½ chains, on a gradient of 1 in 12. The third rail upon this
line, to be clipped between the horizontal driving wheels of the engine, was laid on its side, 7½in.
above the other rails.
In the course of a series of experiments carried on from September, 1863, to February, 1864, the
engine, working up to a pressure of 120lb. to the square inch, never failed, with a maximum load of 30
tons, to take a load of 24 tons up the above inclines and round the curves. The outer cylinders working
on the four vertical wheels could only draw up, besides the weight of the engine, a loaded wagon
weighing seven tons; while the inside cylinders, acting upon the horizontal wheels, which pressed with
12 tons against the middle rail, enabled the engine to take up 24 tons on the same day and under the
same conditions. The inside cylinders alone were able to carry up the engine itself, round the curves,
and exhibited the power of taking up altogether 17 tons.
The results of the experiments on the High Peak Railway were considered so satisfactory that the
line up Mount Cenis was commenced without delay. The engine was not properly adapted for working
the mountain traffic, in consequence of the crowded and complicated nature of the machinery, and also
because the feed-oil dropped on to the horizontal wheels and lessened the bite on the centre rail. The
weight on the horizontal wheels was increased to 16 tons, and an additional pair of guide wheels acting
on the centre rail was provided at the trailing end of the engine, after the High Peak experiments.
The Board of Trade was at that time so far interested in railway matters as to send out Captain Tyler,
one of its inspectors, to report on the Mount Cenis Railway. We extract from his report the following
account of the working of this engine on the mountain railway:—
“In the course of two days I took six trips with this engine up and down the experimental line,
carrying each time a load of 16 tons, in three wagons, including the weight of the wagons, and it
performed in the ascent 1,800 metres in 8⅛min., with a loss of 14lb. of steam and of 5⅓in. of water in
the gauge-glass, at steam pressure, varying between 92 and 125lb. to the square inch in the boiler, as
the average of all those experiments.
“The speed attained was in every case greater than that which it is proposed to run with the same
load with the express trains; and the average speed, as above given, was at the rate of 13⅓ kilometres
(or 8⅓ English miles) per hour, instead of 12 kilometres (or 7½ English miles) per hour, which is the
highest running speed allowed in the programme given to the French Government for this part of the
line.
“The weather was fine and calm, and the bearing rails were in first-rate order; but the middle rail, as
well as the horizontal wheels, were oily, and, therefore, in a condition very unfavourable for good
adhesion.”
A second engine was built on Fell’s system specially for working over the steep Mount Cenis Railway,
and in its construction several improvements, suggested by the shortcomings of the first engine, were
introduced.
The second engine was built partly of steel, and weighed 13 tons empty, and 16 tons 17 cwt. fully
loaded, afterwards increased to 17 tons 2 cwt. The boiler was 8ft. 4½in. long, and 3ft. 2in. in diameter,
and contained 158 tubes of 1½in. external diameter. Fire-box and tubes contained altogether 600
superficial feet of heating surface, and the fire-grate area was 10 sq. ft. There were only two
cylinders, with a diameter of 15in. and stroke of 16in., which worked both the four-coupled horizontal
and four-coupled vertical wheels, which were all 27in. in diameter. The wheel base of the vertical
wheels was 6ft 10in., and that of the horizontal wheels, 2ft. 4in. The maximum pressure in the boiler
was 120lb., and the effective pressure on the piston was 75lb. to the square inch.
Besides possessing a greater amount of boiler power, this engine travelled more steadily than No. 1,
its machinery was more easily attended to, and the pressure upon its horizontal wheels could be
regulated by the engine-driver at pleasure from the foot-plate. This pressure was applied through an
iron rod connected by means of right and left-handed screws, with a beam on each side of the middle
rail, and these beams acted upon volute springs which pressed the horizontal wheels against that rail.
The pressure employed during the experiments was 2½ tons on each horizontal wheel, or 10 tons
altogether; but the pressure actually provided for, and which when necessary was employed, was 6 tons
upon each, or 24 tons upon the four horizontal wheels.
The vertical wheels were worked indirectly by piston-rods from the front, and the horizontal wheels
directly by piston-rods from the back of the cylinders.
Having already given Captain Tyler’s account of his experiments with the first engine, we cannot do
better than reproduce his statement concerning the second of the Fell engines, built for the Mount Cenis
Railway.
Captain Tyler stated that with the new engine he “was able to take up 1,800 metres of the
experimental line with the same load as before, of 16 tons in three wagons, in 6¼ minutes, or at a
speed of 17¾ kilometres per hour, as against 12 kilometres per hour which it is proposed to run with
the express trains. The steam pressure in the boiler fell from 112lb. to 102½lb., and 3in. of water were
lost in the gauge-glass, the feed having been turned on during the latter period only of this experiment.
“The engine exerted in this instance, omitting the extra resistance from curves, about 177 horse-
power; or, adding 10 per cent. for the resistance from curves, 195 horse-power, or more than 12 horse-
power to each ton of its own weight, and nearly 60 horse-power in excess of what was required to take
the same load up the same gradient and curves at 12 kilometres per hour, as proposed in the
programme. I observed on the following day that 40lb. of steam-pressure in the boiler, or one-third of
the maximum pressure employed, was sufficient to move the engine alone up a gradient of 1 in 12½;
and the friction of carriages or wagons being proportionately much less than that of an engine, the
same engine ought, à fortiori, to be able to move a gross load of three times its own weight, or 48 tons,
at its greatest working pressure, up the same gradient.”
Having now given some details of locomotives constructed for working on a foreign steep grade
railway, it will not be out of place to describe the special forms of engines designed for the Welsh
narrow-gauge line, usually called the Festiniog Railway. The line has been open for a great number of
years, but up to June, 1863, had only been used for conveying slates from the quarries to the shipping
port. Horses were employed to haul the empty trucks up to the quarries, the loaded wagons running
down to Portmadoc by gravity.
The average gradient for 12½ miles was 1 in 92, the steepest 1 in 60. The radii of the curves ranged
between two and four chains. Unlike the Mount Cenis line just reviewed, the Festiniog Railway was
worked with locomotives depending solely on the adhesion of the carrying wheels, no central rail being
provided. The gauge was 1ft. 11½in.
The engines were designed by Mr. C. E. Spooner, the engineer of the railway. At first two were
constructed, England and Co. being the builders. These miniature iron horses (one was more correctly
called the “Welsh Pony”) had two pairs of coupled wheels, with a wheel base of 5ft. The cylinders,
which were outside the framing, were 8½in. in diameter, with a length of stroke of 12in., and they were
only 6in. above the rails.
The maximum working pressure of the steam was 200lb. to the square inch. Water was carried in
tanks surrounding the boilers, and coal in small four-wheel tenders.
The heaviest of these engines weighed 7½ tons in working order, and they cost £900 each. They
could take up, at 10 miles an hour, about 50 tons, including the weight of the carriages and trucks, but
exclusive of that of the engine and tender. They actually conveyed daily on the up journey an average
of 50 tons of goods and 100 passengers, besides parcels. Two hundred and sixty tons of slates were
taken down to Portmadoc daily. The engines were well adapted for convenience in starting and in
working at slow speeds, but their short wheel base and the weight overhanging the trailing wheels gave
them more or less of a jumping motion when running.
Safety guards, similar in form to snow ploughs, were afterwards added in front of the engines,
behind the tenders, and under the platforms of the brake-vans, in consequence of their being so near to
the rails.
After a few years’ experience of these four-wheel locomotives, the directors of the Festiniog Railway
determined to experiment with an engine constructed on Fairlie’s double-bogie system, and the “Little
Wonder” was constructed. In February, 1870, several trials were made with this engine, when a train of
72 wagons, of a total length of 648ft., and of a gross weight, including the engine, of 206 tons 2 qrs.,
was drawn up an incline of 1 in 85 at a speed of five miles an hour, the steam pressure being 200lb. per
square inch. The “Welsh Pony’s” best performance in these trials upon the same gradient, but with a
pressure of 150lb., consisted in drawing 26 wagons, the gross load of which, with engine, amounted to
73 tons 16 cwt. Tabulated, the results of these trials were as follows:—

                                    Total resistance.     Gravity.        Frictional resistance.
                                    lbs. per ton gross.   lbs. per ton.   lbs. per ton.
“Little Wonder”                           40                26.3               13.7
“Welsh Pony” with 150lbs. steam           51.4              26.3               25.1
    ”    ”   with 130lbs. steam           44.5              26.3               18.2

The general arrangements of the “Little Wonder” may be described as follows. The boiler was
double, having two fire-boxes united back to back with two distinct barrels and sets of flue-tubes, and
consequently a chimney at each end. A bogie was placed under each barrel, and each bogie had two
pairs of wheels coupled together, worked independently by a pair of steam-cylinders to each bogie.
Thus a total wheel base of 19ft. 1in. in length was covered by the bogies; each bogie had a 5ft. wheel
base, and the distance between the centres of the bogies was 14ft. 1in. The four cylinders were
8³⁄₁₆in. in diameter, and had a stroke of 13in.; the wheels were 2ft. 4in. in diameter. The combined grate
area was 11 sq. ft., and the heating surface 730 sq. ft. Fairlie’s system of double engines soon came
into repute for working steep gradients, and many very powerful engines were and are still constructed
on his system for use on foreign railways. Fairlie, in conjunction with Samuels, adapted his system to a
species of combined locomotive and carriage, and, in 1869, one was constructed for working on the
London, Chatham, and Dover Railway between Swanley Junction and Sevenoaks. Seven passenger
compartments were provided in this vehicle, accommodation comprising seats for 16 first-class and 50
second-class passengers; its total length was 43ft., and weight, empty, 13½ tons. The leading end was
supported by the engine bogie, and the trailing end by an ordinary bogie truck. Curves of only 50ft.
radius were easily passed over by the combination vehicle.
Leaving Fairlie and his combinations, both of locomotives and carriages, and also of double
locomotives, we now glance at a class of tank engines designed by Cudworth for working the trains
between Cannon Street and Charing Cross upon the opening of the former terminus in 1866. These
engines were seven in number, and were constructed at the Canada Works. They were of the “coupled
in front” pattern, with a trailing bogie. The cylinders were inside, 15in. diameter and 20in. stroke. The
coupled wheels were 5ft. 6in. diameter. Outside frames were employed, and also compensation beams
both to the coupled and bogie wheels. The coal bunker, with water-tank under, was of exceptional
length. It was always a puzzle to the writer as to how a stout driver could manage to squeeze through
the narrow entrances to the foot-plate, especially as these apertures were situate at the side of the fire-
box; but evidently the “trick was done” by following the axiom, “Where there’s a will there’s a way,” and
doubtless the drivers, if asked, would have replied, “It’s very easy if you only know the way.” These
South Eastern Railway locomotives were numbered 235 to 241.
Mr. Wm. Cowan, locomotive superintendent of the Great North of Scotland Railway, designed a class
of engine, which Neilson and Co. constructed. The design was stated to be that of a “goods”
locomotive, but upon examination we find the engines in question to be no other than the popular four-
coupled behind, with a leading bogie and outside cylinders. The latter were arranged in a horizontal
position immediately below the frames. The coupled wheels were 5ft. 6½in. diameter, with underhung
springs connected by means of an equalising lever-beam. The bogie wheels were 3ft. in diameter, with
a base of 6ft. Inside bearings were supplied to the bogie axles. The boiler barrel measured 10ft. 10⅛in.
between the tube-plates, its external diameter was 4ft. 1in., and it contained 206 tubes of 1¾in.
diameter. The engine was fitted with D. K. Clarke’s system of smoke-consuming apparatus, previously
described. The fire-box was of the raised pattern, and the steam dome was placed on it. The engine
weighed 39 tons 13 cwt., and the tender 27 tons, in working order.
In general appearance this “goods” engine resembled in a remarkable degree the London and South
Western Railway express passenger engines as built by Mr. Adams. The tender was carried on six
wheels.
Fig. 85b represents Beattie’s standard design of goods engine for the L. and S.W.R. in 1866. The
wheels were 5ft. 1in. diameter, the cylinders being inside, 17in. diameter and 24in. stroke. Beyer,
Peacock and Co. were the builders. Fig. 86b represents an engine of this class as rebuilt some years
later at Nine Elms Works.
In 1868 Mr. W. Adams placed upon the North London Railway the first locomotive constructed from a
design which has, in its broad features and general outline, ever since been a model of simplicity,
attractiveness, and utility, showing, as the design does, what engines constructed to work important
local traffic should be like.
Fig. 85b.—BEATTIE’S STANDARD GOODS ENGINE, L. & S.W.R., 1866
In its original form there were some points that need alteration, as they certainly spoilt the general
symmetrical effect of an otherwise artistic appearance. We may as well allude to these defects at once,
and then proceed to detail the locomotive.
The first of such blots on the design was the placing of a cylindrical sand-box on the top of the boiler
barrel, between the chimney and the dome. To show that such a position for this useful appendage was
not necessary, we mention that only the driving wheels were supplied with sand from this unsightly
excrescence, the supply of sand for the trailing wheels (for use when running bunker in front) being
placed in an unobtrusive position. If the latter sand-boxes could thus be located, why was it necessary
to place that for the leading wheels in so conspicuous a position? This example of awkward location of
so useful an adjunct is further emphasised when we remember that these engines run just as frequently
bunker first as chimney first. Further, in consequence of the position of this sand-box, the rod for
working the sand valves was carried along the top of the boiler barrel, several inches above its surface,
thus still more detracting from the symmetry of the design. The other feature we wish to allude to, is
the shape of the dome cover, the whole of which was of a needlessly ugly contour. Then, again, in later
years an enclosed cab was added, the back and front of which, being of sheet-iron, extending to the
extreme of the coal bunker, and with no return sides, has given a rather toy-like appearance to these
otherwise fine locomotives. We are glad to be able to mention that when these engines were rebuilt,
the objectionable sand-box was removed, and a more pleasing form of steam dome provided, but this
improvement was in a great measure negatived by the black enamelled iron which is now used for the
cover in place of the bright brass formerly employed for the purpose.

Fig. 86b.—BEATTIE’S GOODS ENGINE, L. & S.W.R., REBUILT


Having thus mentioned the defects in appearance, rather than utility, of the North London Railway
passenger tanks (Fig. 87), we can proceed to do justice to this really fine class of engines designed by
Mr. Adams.
The outside cylinders were 17in. diameter, and the stroke was 24in. The driving and trailing wheels
(coupled) were 5ft. 3in. diameter, the bogie wheels being 2ft. 9in. diameter. The heating surface was
1,015 sq. feet. The boiler was 4ft. 1in. diameter, and contained 200 tubes of 1¾in. diameter. A good
feature in the design was the high steam pressure employed—viz., 160lb. per sq. in.—and there can be
no doubt that much of the success of this class of engine can be traced to the use of so high a pressure
of steam at a time—29 years ago—when other lines were using a much lower pressure. Indeed, to-day
it is only necessary to watch a North London and any of several other railway companies’ trains starting
side by side, and it will be observed that the North London generally gets away first; these engines are,
in fact, capital at starting, and soon attain a high rate of speed.

Fig. 87.—ADAMS’S PASSENGER TANK ENGINE, N.L.R., AS REBUILT BY MR. PRYCE


The weight was as follows:—

                          Empty.          Loaded.
                        tons  cwt.      tons  cwt.
On bogie wheels          15    14        14    14½
On driving wheels        11    11        14     5
On trailing wheels       11     7        14    12½
Total                    38    12        43    12

Fig. 88.—PRYCE’S 6-COUPLED TANK GOODS ENGINE, NORTH LONDON RAILWAY


It will be observed that, when empty, the bogie axles supported 19½ cwt. more of the gross weight
than when the engine was in working order.
The wheel base of the bogie was 5ft. 8in. The coupled wheels have underhung springs connected by
a compensation beam. India-rubber springs are used in connection with the hanging of the springs, and
also to guide the bogie, etc., and it was found that such springs answered the use to which they were
put in a most admirable manner.
In all the new engines that have lately been built, and when rebuilding old engines of this type, the
cylinders have been increased to 17½in. diameter, and other things considerably modified in detail.

Fig. 89.—LOCOMOTIVE AND TRAVELLING CRANE, N.L.R.


Mr. Pryce has also built 24 powerful six-wheel tank engines (Fig. 88) for dealing with the N.L.R.
goods traffic. These engines are very efficient. They have outside cylinders 17in. diameter, 24in. stroke,
and 4ft. 4in. coupled wheels. Boiler pressure, 160lb. per sq. in. Weight in working order, 45 tons 9 cwt.,
all available for adhesion. The total wheel base is 11ft. 4in.; consequently, they take curves easily.
The coal consumption of these engines was very satisfactory. The trains of the North London Railway
consist of twelve vehicles, weighing, empty, 90 tons 14 cwt., and loaded 112 tons 6 cwt., but the coal
consumption, with very frequent stoppages, only averaged 30.28lb. per mile.
Fig. 89 represents the combined saddle-tank locomotive and crane belonging to the North London
Railway, as recently rebuilt by Mr. Pryce.
CHAPTER XIII.
Beattie’s express engines—Kendall’s three-cylinder engine for the Blyth
and Tyne Railway—Heavy engines for the Metropolitan and St. John’s
Wood Railway—Sold to the Taff Vale Railway—“The most powerful
locomotive in the world” for sale—“Jinks’s Babies”—The “Aero-steam”
locomotive on the Lancashire and Yorkshire Railway—Tank engines on
the Furness Railway—Patrick Stirling’s world-famous “8ft. singles” for
the G.N.R.—Webb’s “Precedents” for the L. and N.W.R.—The “John
Ramsbottom” —“The Firefly,” an engine that has “played many parts”—
J. Stirling’s 7ft. coupled engines on the G. and S.W.R.—Stirling’s
reversing apparatus—Watkin’s express engines for the S.E.R.—
Stroudley’s “Grosvenor,” L.B. and S.C.R.—The era of “compounds”—W.
F. Webb’s first compound locomotive—Bowen-Cooke’s views on the
subject—The “Experiment”—7ft. 1in. compounds—“Queen
Empress”—“Black Prince”—Worsdell compounds—Midland coupled
expresses—Stroudley’s “Gladstone” class—The “General Managers” on
the North Eastern—N.B.R. locomotive, “No. 592”—Holmes’s “633” class
—Great Eastern 7ft. coupled—Holden’s liquid fuel locomotives—Serve
tubes in locomotives—Sacre’s 7ft. 6in. “Singles.”
Fig. 90 represents the “Python,” one of J. Beattie’s four-coupled
express engines, constructed for the L. and S.W.R. The cylinders
were outside, 17in. diameter by 22in. stroke. The coupled wheels
were 7ft. 1in. diameter, and the leading wheels 4ft. diameter. The
heating surface was 1,102 sq. ft. Weight of engine in working order,
35 tons 11 cwt. For some years this class of engine was the
favourite express engine on the L. and S.W.R.
Fig. 90.—“PYTHON,” A 7ft. 1in. COUPLED EXPRESS
ENGINE, LONDON AND SOUTH WESTERN
RAILWAY
Locomotive engineers have always one great difficulty to provide
for—viz., the extra power required to start locomotives, especially on
steep inclines, and as such grades are particularly en évidence on
the mineral lines, it is not surprising to find Mr. W. Kendall, of Percy
Main, Northumberland, patenting a locomotive designed to
overcome the defects just indicated. The patent is dated October
26th, 1867. The engine was of the three-cylinder type, with one
inside and two outside cylinders. When running on a level road only
the inside cylinder was used, but for starting or ascending inclines
the power of all three was brought into use, the whole arrangement
of the power being actuated by the reversing gear apparatus. By a
peculiar adaptation of the lap of the valves, a small quantity of
steam was admitted to the valves of the outside cylinders when
these cylinders were not working, for the purpose of lubrication. The
engine in question was built at the Percy Main Works of the Blythe
and Tyne Railway. She was of the “four-coupled behind” type, with a
single pair of leading wheels. The inside cylinder was connected in
the usual manner to the cranked axle of the centre wheels, the
outside cylinders actuating the trailing pairs of wheels. Without
diagrams it is rather difficult to explain the method employed to
prevent the pistons, etc., of the outside cylinders from reciprocating,
but shortly it may be stated that the connecting-rod was divided into
two pieces, and at the joint each end fitted into an enclosed link.
When disconnected, that portion of the rod coupled to the wheels
which was in the link merely travelled up and down the link, whilst
the part connected with the piston, etc., was at rest. By means of a
screw gear this latter portion of the connecting-rod was lowered in
the link, and engaged with the other part of the rod, which was
coupled to the wheels, and so the outside cylinders were brought
into action. If required, the outside cylinders could be used
independently of the one inside cylinder, so that the engine could be
a one, two, or three cylinder locomotive. Separate regulators were
provided for the inside and outside cylinders, but the handles were
coupled together, so that, if required, one movement actuated the
admission of steam to all the cylinders. To prevent too strong a
blast, the driver could, by the operation of a ball valve, discharge the
exhaust steam from the outside cylinders into the atmosphere by
means of a pipe in front of the engine. On the other hand, the whole
of the exhaust from the three cylinders could be discharged up the
chimney in the usual manner if preferred.
Upon April 13th, 1868, the Metropolitan and St. John’s Wood
Railway was opened for traffic. The line branches from the
Metropolitan Railway at Baker Street, and was worked by the
Metropolitan Company. The gradients on the short line are very
severe, and it was not considered advisable to attempt to work the
railway by the usual type of engine employed on the underground
line; so Mr. Burnett, the then locomotive superintendent of the
Metropolitan Railway, designed a special class of engine for the St.
John’s Wood Railway. These were constructed by the Worcester
Engine Company, and were numbered 34 to 38. They were provided
with six coupled wheels of 4ft. diameter, with outside bearings; the
cylinders were 20in. diameter, with a 24in. stroke; they were placed
within the frames at 2ft. 2in. centres. The wheel base of these
powerful locomotives was divided as follows:—L. to D., 6ft. 10in.; D.
to T., 7ft. 2in. The boiler was 11ft. long, and 4ft. 3in. diameter, and
contained 176 tubes of 2in. diameter.
The fire-boxes were exceptionally large, the measurements
being: Length, outside 7ft. 1in., inside 6ft. 6in.; width, outside 4ft.,
inside 3ft. 6in. The depth was 5ft. 5in. in front, sloping to 3ft. 11in.
at back. The steam pressure was 140lb.; heating surface, 1,165 sq.
ft.; grate area, 22½ sq. ft. The water capacity of the tanks was
1,000 gallons.
These mammoth engines weighed 46 tons in working order, and
it was soon discovered that they were far too powerful for working
the light traffic over the St. John’s Wood line, the ordinary type of
Metropolitan locomotives being quite capable of successfully working
the trains over these inclines. So, in 1873, when the Taff Vale
Railway was in urgent need of some powerful engines for hauling
the heavy coal trains over the Penarth Dock lines, the Metropolitan
Railway succeeded in disposing of these five engines to the South
Wales Company, and they can still be seen employed on work more
adapted to their construction than was that of hauling light
passenger trains on the St. John’s Wood Railway.
It is evident that both the patentee and builders of the “double-
bogie” locomotives had a very exalted opinion of the capabilities of
these peculiar engines. In December, 1870, G. England and Co. were
advertising for sale by private tender to the best bidder “the most
powerful locomotive at present known upon any railway in the
United Kingdom, irrespective of gauge.”
This “most powerful” locomotive was constructed for the 4ft.
8½in. gauge on Fairlie’s double-bogie system. She had four
cylinders, 15in. diameter and 22in. stroke, eight wheels, all drivers of
4ft. 6in. diameter, and with steel tyres.
Amongst other useful features claimed for this “most powerful”
locomotive, we read that she “would take a load up an incline at a
speed exceeding that of any other engine at present known, and
would round the sharpest curves with ease.”
“Jinks’s Babies” consisted of a batch of ten engines constructed
towards the end of 1871, and early in 1872. They had outside
cylinders, 17in. diameter and 30in. stroke, with a leading bogie and
four coupled wheels of 7ft. diameter; they had, perhaps, as good a
right to the title “most powerful” as the Fairlie engine just
mentioned.
Be this as it may, however, “Jinks’s Babies” were not successful.
They were built at the Stockton and Darlington Locomotive Works,
at Darlington, and originally numbered 238 to 240, etc., and upon
the consolidation of the North Eastern Railway were renumbered
1238 to 1240, etc. They were rebuilt by Mr. Fletcher as six-wheel
engines, the bogie giving place to a single pair of leading wheels,
and the stroke of the pistons was reduced from 30in. to 26in. Even
after this metamorphosis, “Jinks’s Babies” could not be truthfully
described as successful locomotives. Amongst other peculiarities the
circular valves should be enumerated. The steam pressure was
140lb. per sq. in.
In 1871 the Lancashire and Yorkshire Railway fitted up an engine
with an apparatus said to have been invented by Mr. Richard Eaton,
but called “Warsop’s Aero-Steam system,” by means of which a
continuous supply of heated air was forced into the bottom of the
boiler, so causing the water to be continually agitated, and thereby
preventing incrustation of the metal, as well as more quickly
generating steam, and last—but far from least—economising the
fuel. The engine experimented upon was a six-coupled goods, No.
369, with cylinders 15in. by 24in., 5ft. wheels, and working at a
pressure of 130lb. per sq. in. An air pump, single acting, 6in.
diameter by 2ft. stroke, with piston and metallic rings, driven from
one of the main cross-heads, was secured to the framework of the
engine in the place originally occupied by the feed-pump. The
compressed air passed along a pipe 1½in. in diameter, 6ft. long, to a
coil of 1½in. lap-welded iron pipe, within the smoke-box, 61ft. in
length, so arranged as to avoid contact with the blast pipe or the
ashes deposited in the smoke-box by the action of the blast. After
traversing the coil, the expanded air became heated to a
temperature nearly as high as that of the waste gases, and thus
ranging between 500 degrees and 800 degrees, or 850 degrees
Fahr., lifted the self-acting valve, and entered the perforated
distributing pipe within the boiler, and was constantly passing in jets
through the water to the steam space, whence the combined powers
of steam and air proceeded to the cylinders to carry out their duty. A
very simple apparatus was used when desirable to stop compression,
by keeping the inlet valve open when steam was shut off; otherwise
an undue proportion of air would enter the boiler, and impede the
feed-water injectors.
At the same time, occasions arose where a judicious use of the
air injection was made with great advantage, even with steam shut
off. It is stated that “on March 21st, 1872, there was a heavy fall of
snow, and the driver of No. 369 had to make the most of his
resources. In coming down Rainford bank he had but 100lb. of
steam at Balcarres siding, with steam shut off. He allowed the air
pump to continue work, and in 400 yards his gauge rose to 140,
when he opened his regulator again to mount the incline with his
heavy load, and so successfully gained the summit.” The annexed
table shows the working of engine No. 369, with and without the
apparatus, and also of an exactly similar engine, No. 38, employed
on the same length of line, and hauling the same trains. No. 38 was
not fitted with the apparatus.
Engine.                    Miles run.   Coal consumed.   Average lbs.
                                        Tons.   cwt.     per mile.
369 (without apparatus)    21,948       403      6       42.92
369 (with apparatus)       27,934       472     10       37.89
38 (without apparatus)     28,053       550     10       43.95
Although the above glowing statement is made about this
invention, which was fitted to no less than six engines, and tried for
a period of about five years, it was not found to be commercially
successful, the power consumed in working the pump, and the cost
of repairs running away with the economy supposed to have been
gained in the original experiment.
About this time the Furness Railway introduced a powerful design
of six-coupled tank engines. The cylinders were: Inside, 18in.
diameter and 24in. stroke; heating surface tubes, 1,048 sq. ft.; fire-
box, 96 sq. ft.; grate area, 15 sq. ft. The frames were “inside.” The
side tanks were capable of containing 1,000 gallons of water.
Weight in working order: L., 13 tons 13 cwt.; D., 16 tons 6 cwt.;
T., 14 tons 15 cwt.; total, 44 tons 14 cwt. On the level this class of
engine hauled 372 tons at 20 miles an hour, and up an incline of 1 in
80 a load of 367 tons was drawn at 11¾ miles an hour. The steam
pressure was 145lb., and the coal consumption 40.16lb. per mile.
The name of Patrick Stirling, the late locomotive superintendent
of the Great Northern Railway, will long be remembered and held in
high honour amongst those of his confrères, consequent upon his
successful design of 1870, in which year he built the first of his now
world-famous 8ft. 1in. singles, a type of locomotive which
immediately leaped into public favour, which for elegance and
simplicity of design it is not saying too much in stating that no
modern engine has surpassed or is likely to surpass. These engines
soon showed the travelling public that really express speed could be
safely indulged in for continuous runs of great length without fear of
accident or failure. Indeed, modern express speed can date its
foundation from the introduction of these engines. The Great
Northern Railway undoubtedly owes its popularity and fame as the
“express” route to the successful running of Patrick Stirling’s 8ft. 1in.
outside cylinder “single” engines.
The following may be accepted as a correct description of the
earlier type of this locomotive design. Later engines of the same
class have, in common with the development of locomotive design,