About Charles Cresson Wood

About Charles Cresson Wood

Recipient of Computer Security Institute’s Lifetime Achievement Award

Charles Cresson Wood, Esq. JD, MBA, MSE, CISSP, CISM, CISA, CGEIT, CIPP/US is an author, researcher, attorney, and management consultant based in Mendocino, California (www.infosecurityinfrastructure.com). In the information security and privacy field on a full-time basis since 1979, he has worked as an information security management consultant at SRI International (formerly Stanford Research Institute), as well as lead network security consultant at Bank of America. He has done information security consulting work with over 125 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.

He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-jurisdictional, multi-disciplinary, multi-departmental, and multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in information security architectures, information security requirement statements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.

Charles has published over 375 articles and six books in the information security and privacy field. His latest book is entitled Corporate Directors & Officers Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process (www.dutiesaudit.com). He is best known for his book entitled Information Security Policies Made Easy (which is now in its 14th edition), which is available on this web site. He is also the author of the book entitled Information Security Roles and Responsibilities Made Easy, which is additionally available on this same site. He has been undertaking a variety of integrative efforts, such furthering the conversation about harmonized information security and privacy laws and regulations across all countries. For example, he was a coauthor of an article appearing in the American Bar Association’s journal entitled Sci-Tech Lawyer, entitled “Why It’s Now Time for an Internationally-Harmonized Regime for Information Security and Privacy” (April 2018).

He is a licensed California attorney, and has a JD degree (in law) from St. Francis School of Law. He holds an MBA in financial information systems and a BSE in accounting from the Wharton School of Business at the University of Pennsylvania. He also holds an MSE in computer science from the Moore School of Engineering at the University of Pennsylvania. He has also passed the Certified Public Accountant (CPA) examination in California, but is not certified to practice as a CPA, nor does he hold himself out as a CPA. He is a Certified Information Security Manager (CISM), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). He is also Certified in the Governance of Enterprise Information Technology (CGEIT) and is a Certified Information Privacy Professional (CIPP/US).  He has additionally received the Lifetime Achievement Award from the Computer Security Institute for his “sincere dedication to the computer security profession.”

Here is a sampling of the over 375 security related articles by Charles Cresson Wood:

“Researchers Must Disclose All Sponsors And Potential Conflicts,”
Computer Security Alert, No. 197, March 2000; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.220]
“Integrated Approach Includes Information Security,”
Security, pp. 43-44,February 2000; Publisher: Cahners, Des Plains, IL. [pub. no.219]

“Get Data Safety Policies In Place,” American Banker, 11 February 2000, p. 7;Publisher: American Banker, New York, NY.[pub. no. 218]
“All Internet Personal Data Gathering Techniques Must Be Disclosed,”
Computer Security Alert, No. 196,
February 2000; Publisher: Computer SecurityInstitute, San Francisco, CA. [pub.no. 217]

“The Information Security Profession: Evolutionary Career Paths,” Information Security, November 1999;Publisher: published by ICSA.net, Norwood, MA. [pub. no. 214]

“Disclosures Of Private Information Without Data Subject Consent,” Computer Security Alert, No. 193, November 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.212]

“Termination Of Outsourcing Contracts For Security Violations,” Computer Security Alert, No. 191, September 1999; Publisher:Computer Security Institute, San Francisco, CA. [pub. no. 210]

“Top Ten Impediments To Implementing An Information Security Policy,” Information Security, September 1999, Publisher: Information Security, Norwood, MA (cover story). [pub. no.209]
“A Functional Comparison Of Tandem Data Replication Software Packages,”
an extensive independent report prepared for customers and prospects, August 1999; Publisher: Compaq Corporation, Cupertino,CA. [pub. no. 207]

“Subjects Given Opportunity To Block Private Information Disclosures,”Computer Security Alert, No. 189, June 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 205]

“Use Of Personal Digital Assistants, Hand-Held Computers, And Smart Phones For Corporate Business Information,” Computer Security Alert, No. 186, March 1999; Publisher: Computer Security Institute,
San Francisco, CA. [pub. no.202]

“All Systems Access Privileges Cease When Workers Terminate,” Computer Security Alert, No. 185, February 1999; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.202]

“Non-Compliance And Disciplinary Action,” Computer Security Alert, No. 182, November 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 198]

“Convenience Versus Multi-Factor User Authentication,” Computer Security Alert, No. 181, October 1998; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.196]

“Twelve New Vulnerabilities Introduced by Internet Commerce,” Information Security Bulletin, September 1998 (volume 3, issue 6, cover story), Publisher: Chi Publishing Ltd., London, England. [pub. no.195]

“All Telephone Transactions Require Positive Caller Identification,” Computer Security Alert, No. 179, August 1998; Publisher: Computer Security Institute,San Francisco, CA. [pub. no.193]

“TheTruth About Masquerading and Spoofing,” Network Magazine, February 1998; Publisher: Miller Freeman,San Francisco, CA. [pub. no.183]


“Unauthorized Information Disclosure and Loss of Stock Options,” Computer Security Alert, No. 173, December 1997; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.185]

“Managing Perceptions About Internet Electronic Commerce Security,” Computer Security, Audit & Control, February 1997; Publisher: Management Advisory Services Publications, Wellesley Hills,MA. [pub. no. 165]

“Information Security: Are We Winning the Game?” Computer Fraud &Security Bulletin, January 1997;
Publisher: Elsevier Science Technology,Oxford, England. [pub. no.162]

“Encryption for Files Left on Anonymous FTP Servers,” Computer SecurityAlert, No. 163, October 1996; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.159]

“Encryption Systems Must Include Key Escrow,” Computer Security Alert, No. 157, April 1996; Publisher: Computer Security Institute, San Francisco, CA. [pub.no. 152]

“Cryptography Plays Central Role in Future Electronic Commerce,” March 1996, pp. 9-10, Computer Fraud & Security Bulletin; Publisher: Elsevier Science Technology, Oxford, England. [pub. no.151]

“Users Must Not Attempt to Eradicate Viruses,” Computer Security Alert, No. 156, March 1996; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.150]

“EDPAudit Must Be Independent of Information Security,” Computer Security Alert, No. 155, February1996; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.147]

“Reliance on Information Downloaded From Internet,” Computer Security Alert, No. 153, December 1995; Publisher:Computer Security Institute, SanFrancisco, CA. [pub. no.145]

“When to Report Computer Crimes to Law Enforcement,” Computer Security Alert, No. 151, October 1995; Publisher: Computer Security Institute, SanFrancisco, CA. [pub. no.141]

“New Intellectual Property and the Need for Information Security,” ComputerFraud & Security Bulletin, September 1995, pp. 18-19; Publisher: Elsevier Science Ltd., Oxford, England. [pub.no. 139]

“Require Approval for Official Statements Posted to the Internet,” Computer Security
Alert, No. 149, August 1995; Publisher: Computer Security Institute, San Francisco, CA. [pub. no.136]

“Internet Anarchy and the Effectiveness of Laws,” Computerworld, 12 June1995. Expanded version also appears as “Need for Worldwide Internet Laws,” inComputer Fraud & Security Bulletin, p.10, July 1995, Elsevier Science Publishers, Oxford, England. [pub. no.133]

“ISO9000 and Information Security,” Computers & Security, vol. 14, no. 4,pp. 287-288, October 1995; Publisher: Elsevier Science Publishers, Oxford,England (co-author Karen Snow). [pub.no. 131]

“WhySATAN Should Not Have Been Distributed As It Was,” Computer Security Alert,No. 146, May 1995; Publisher: Computer Security Institute, San Francisco, CA.[pub. no. 128]

“Destroy Archived Electronic Mail Periodically,” Computer Security Alert, No. 142, January 1995; Publisher:Computer Security Institute, San Francisco, CA. [pub. no.124]

“Wireless Network Security,” Proceedings of Wireless Datacom ’94 Conference held in Washington, DC, 6-8 December 1994;Publisher: Business Communications Review,Hinsdale, IL. [pub. no.122]

“Fifty Ways to Secure Dial-Up Communications,” Computers & Security, May 1994, vol. 13, no. 3, pp. 209-215; Publisher: Elsevier Advanced Technology, Oxford, England. [pub. no.118]

“Identity Token Usage at American Commercial Banks,” Computer Fraud & Security Bulletin, March 1995; Publisher:Elsevier Science Publishers, Oxford England, pp. 14-16. [pub. no.114]

“Security Problems in Collaborative Computing,” Network World, October 1994; Publisher: International Data Group, Framingham,MA. [pub. no. 113]“The Newest Threat to Information Security: Open Book Management,” EDPACS, August 1994; Publisher: WarrenGorham Lamont, Boston,MA. [pub. no. 110]

“Principles of Secure Information Systems Design with Groupware Examples,” Proceedings of the Groupware ’92 Conference, held in San Jose, California 3-5 August 1992; Publisher: Morgan Kaufmann Publishers, San Mateo, CA. [pub. no. 75]“A Strategy for Developing Information Security Documents,”
Journal of Information Systems Security, vol. 1, issue 2,Summer 1992, pp. 71-78; Publisher: Auerbach Publishers, New
York, NY (co-author: Juhani Saari). [pub. no. 68]

“Using Information Security to Achieve Competitive Advantage,” Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, California.[pub. no. 58]“Data Dictionaries and Information Security,” Proceedings of SECURICOM ’84 International Conference, Cannes, France,29 February – 2 March 1984, pp. 55-63; Publisher: SEDEP, Paris,
France. [pub. no. 24

“International Barriers to Information Flows,” SRI International Business Intelligence Report, Report #1057, March 1981; Publisher: SRI International, Menlo Park, CA. [pub. no. 10]

“Computer Crime: Criminal Justice Resource Manual,” with Parker, Donn B., Publisher: U.S. Government Printing Office, Washington, DC; prepared for U.S. Department of Justice; order no. 1979-311-379/1710,
1979. [pub. no. 1]

Books Written by Charles Cresson Wood:

  • Information Security Policies Made Easy [a book of 1000+ already-written policies provided in both hardcopy and CD-ROM], AND in it’s 9th edition, 2002; Publisher: NetIQ Corporation, San Jose, CA, USA; ISBN# 1-881585-09-3.
  • Information Security Roles & Responsibilities Made Easy provides practical, step-by-step instructions on how to develop specific information security roles and responsibilities.It includes 40 different job descriptions, 24 organizational mission statements, 15 alternative reporting relationships, and the most comprehensive set of already-written information security roles & responsibilities documents available
    anywhere. Publisher: NetIQ Corporation, San Jose, USA; ISBN# 1-881585-08-5.
  • Best Practices in Internet Commerce Security [derived from a survey of Internet merchants, Internet service providers (ISPs), Internet commerce hosting firms, Internet Trusted
    Third Parties (TTPs), and Internet commerce software vendors], 1998; Publisher: NetIQ Corporation, San Jose, CA, USA; ISBN#1-881585-05-0.
  • How to Handle Internet Electronic Commerce Security: Risks,Controls & Product Guide [a guide for the design and specification of Internet security measures], released in 1996; Publisher: NetIQ Corporation, San Jose, CA, USA; ISBN#1-881585-03-4.
  • Effective Information Security Management [a book of tools and techniques for dealing with information security problems], 1991; Publisher: Elsevier Advanced Technology, Oxford,England;ISBN#1-85617-070-5.
  • Computer Security: A Comprehensive Controls Checklist [a book detailing standard control practices — particularly useful for audits and reviews], 1987; Publisher: John Wiley & Sons, New York, NY, USA; ISBN#O-471-84795-X.

Consulting Services Include:

  • Information systems risk analysis and EDP audits
  • Enterprise-wide information security policy development
  • Organizational infrastructure for information security
  • Customized security solutions for cutting-edge application systems
  • Security design reviews for Internet commerce merchants and banks
  • Network security architecture compilation and documentation
  • Expert witness testimony and strategy for computer crime trials
  • Training and awareness program development and presentation

For more information about information
security consulting services visit
Infosecurity Infrastructure Inc.

As a matter of policy, Mr. Wood does not accept referral fees, marketing finder’s fees, sales commissions, or any other financial remuneration for mentioning information security products or services to clients. In this way he can be truly independent and make recommendations, which are unquestionably in the best interests of consultingclients.