[ISN] REVIEW: "The Information Systems Security Officer's Guide"

From: mea culpa (jerichoat_private)
Date: Wed Nov 25 1998 - 13:07:53 PST

    From: "Rob Slade, doting grandpa of Ryan and Trevor" <rsladeat_private>
    
    BKISSOGD.RVW   981009
    
    "The Information Systems Security Officer's Guide", Gerald L.
    Kovacich, 1998, 0-7506-9896-9
    %A   Gerald L. Kovacich
    %C   225 Wildwood Street, Woburn, MA  01801
    %D   1998
    %G   0-7506-9896-9
    %I   Butterworth-Heinemann/CRC Press/Digital Press
    %O   800-366-BOOK fax: 800-446-6520 liz.mccarthyat_private
    %P   172 p.
    %T   "The Information Systems Security Officer's Guide"
    
    This book is not a list of those technical things that an information
    systems security (or InfoSec) officer (or ISSO) ought to know, but a guide
    to the process of acquiring and using that data.  This is a guide to the
    ISSO career: what it is, how to train for it, how to do it, and how to
    tell if you are doing a good job. 
    
    Chapter one repeats the adage that the world is changing.  Unfortunately,
    this truism does not lead to much advice beyond the need to keep up with
    the technology.  In the random assortment of waves and trends that are
    mentioned, some important points are missed.  For example, along with the
    need to know something about your justice system (which is mentioned) and
    the rise of the Internet (which is mentioned), the fact that attacks over
    the Internet can come from anywhere, and that a knowledge of other justice
    systems may be needed for a prosecution that involves testimony from
    different countries and law enforcement agencies, is not mentioned.  The
    position of the ISSO within a company is outlined in chapter two.  Most of
    this material is more focussed than in chapter one, concentrating on
    corporate politics.  One rather important aspect that does not get any
    space is the production and maintenance of a security policy, and the
    games that may have to be played around it.  The company side is somewhat
    extended in chapter three by building a simulated corporation to use as a
    test case.  However, few of the items addressed in the chapter have an
    awful lot of security involvement.  One very definitely does, and is
    missed: the subcontractors of the simulated organization know and use a
    vital proprietary process, but no mention is made of ensuring that these
    contractors are sufficiently guarding *their* data. 
    
    Chapter four outlines a career development plan, but it boils down to
    "have a degree, get experience, attend conferences, and read other stuff." 
    The most useful information provided is on the Certified Information
    Systems Security Professional (CISSP) designation and contact data for
    some of the professional groups.  As the book itself states, you probably
    have already attended a job interview or two in your time, so the advice
    in chapter five is likely redundant.  It certainly isn't extensive. 
    
    Chapter six's list of duties has two major problems.  One is that there is
    no overall structure for the material, so it is hard to place into a
    context of priorities and tasks to be accomplished.  The second is that
    the outline assumes one size fits all jobs.  The text assumes the ISSO
    will be responsible for management of a team of InfoSec staff: only the
    largest of corporations have multiple security personnel, let alone a
    manager dedicated to them.  The outline of business plans in chapter seven
    follows the usual style not only in format, but also in not providing any
    really solid information about what is to be done.  Chapter eight's
    discussion of building an InfoSec organization basically repeats political
    advice from chapter two and job descriptions from chapter four.  The look
    at InfoSec functions again repeats content from chapters two and six,
    although chapter nine does finally take a brief look at policies. 
    
    Chapter ten introduces metrics in order to measure the performance of the
    InfoSec department.  Most of the examples used deal with the
    administration of security, rather than measures of actual protection.
    There is a rehash of planning, with an emphasis on annual reviews, in
    chapter eleven.  A brief review of current security concerns finishes off
    the book in chapter twelve. 
    
    While this book is not intended to address the technical side of security,
    there is no reason that it couldn't be based on real and hard data.  An
    overview of data security positions that do exist, the numbers of such
    positions, the courses actually available, and what the incumbents
    actually do would have added immensely to the value of the book.  This
    volume does address a gap in the security literature, and it is important
    to know the business and managerial side of the security maven's job, but
    this work does not explain it very well. 
    
    copyright Robert M. Slade, 1998 BKISSOGD.RVW 981009
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    


