NCJ Number
66843
Date Published
1979
Length
124 pages
Annotation
THIS HANDBOOK PROVIDES A COMPREHENSIVE INFORMATION-SECURITY PROGRAM, CHECKLISTS, AND AN AUDIT APPROACH TO ASSESSING THE EFFECTIVENESS OF THE INFORMATION-SECURITY PROGRAM WITHIN AN ORGANIZATION.
Abstract
THE SCOPE OF THE HANDBOOK IS LIMITED TO INFORMATION SECURITY, THE PREVENTION OF INFORMATION FROM BEING DISCLOSED TO AN UNAUTHORIZED RECIPIENT. THE INTERNAL AUDITOR MUST HELP MANAGEMENT ENSURE THAT ITS CONFIDENTIAL INFORMATION IS PROTECTED. THE HANDBOOK PRESENTS AN ANALYSIS OF INFORMATION-SECURITY EXPOSURES AND DISCUSSES ALTERNATIVE CONTROLS, SOLUTIONS, AND AUDIT APPROACHES. THE BOOK NOTES THAT (1) AN ORGANIZATION'S INFORMATION-SECURITY PROGRAM IS BASED ON ITS IDENTIFICATION AND CLASSIFICATION SYSTEM AND REQUIRES THE INVOLVEMENT OF ALL EMPLOYEES, (2) THE CLASSIFICATION CATEGORY DETERMINES HOW MUCH PROTECTION THE INFORMATION WILL BE AFFORDED, AND (3) SECURITY CONTROLS AND PROCEDURES MUST BE CONSISTENT WITH THE VALUE OF THE INFORMATION BEING PROTECTED. IT IS POINTED OUT THAT DATA SECURITY MUST BE PROPERLY INTEGRATED INTO A COMPANY'S TOTAL INFORMATION-SECURITY PROGRAM FOR THE PROGRAM TO BE EFFECTIVE. THE BOOK INCLUDES AN INFORMATION-SECURITY AUDIT GUIDE AND EVALUATION TABLE FOR CONDUCTING AUDITS, AS WELL AS 20 CHECKLISTS WHICH ORGANIZATIONS CAN USE TO DEVELOP INFORMATION-SECURITY PROGRAMS OF THEIR OWN. TABLES, FOOTNOTES, AND A BIBLIOGRAPHY OF ABOUT 40 REFERENCES ARE INCLUDED, AS WELL AS A POCKET CHECKLIST FOR INFORMATION SECURITY. (PRG)