[ISN] REVIEW: "Information Security Policies, Procedures, and Standards", Thomas R. Peltier

From: InfoSec News (isnat_private)
Date: Wed Dec 04 2002 - 22:50:27 PST

    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    BKISPPAS.RVW   20020923
    [You could let C4I.org get the credit from Amazon.  - WK  :)
    http://www.amazon.com/exec/obidos/ASIN/0849311373/c4iorg ]
    "Information Security Policies, Procedures, and Standards", Thomas R.
    Peltier, 2002, 0-8493-1137-3
    %A   Thomas R. Peltier
    %C   920 Mercer Street, Windsor, ON   N9A 7C2
    %D   2002
    %G   0-8493-1137-3
    %I   Auerbach Publications
    %O   U$69.95 +1-800-950-1216 auerbachat_private ordersat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/0849311373/robsladesinterne
    %P   297 p.
    %T   "Information Security Policies, Procedures, and Standards"

    Chapter one provides vague meanderings about information protection
    fundamentals.  The author's opinion about how to write is given in
    chapter two.  In the ultimate triumph of style over substance, this
    drafting advice is given before any examination of actual policy
    development.  Chapter three defines policy and some related topics
    with lots of verbiage and overly lengthy examples.  There are lots of
    sample mission statements in chapter four, although it is not really
    apparent why we are talking about this particular topic.  The
    structure of chapter five, dealing with standards, is very confused,
    and the purpose of the examples given is unclear.  (There is also an
    extremely odd assertion that standards, which are by definition rigid,
    must be "flexible.")  We are given more writing advice, supposedly in
    aid of procedures, in chapter six.  Chapter seven talks about
    information classification for a few paragraphs and then lays out a
    thirty page example.  Random security thoughts and banal training
    ideas make up the security awareness program in chapter eight. 
    Generic project management advice is in chapter nine.  Chapter ten
    contains suggested topics for a security policy.  What the book said
    is repeated in chapter eleven.

    The appendices include a very short sample policy, and a policy
    development checklist.

    Barman's "Writing Information Security Policies" (cf. BKWRINSP.RVW)
    provides far better advice on both the process and the topics to be
    covered in creating a security policy.  Even "Information Security
    Policies Made Easy" (cf. BKISPME.RVW) is better, for all that people
    tend to misuse it.  Peltier's book provides little of use to the
    harried security manager.

    copyright Robert M. Slade, 2002   BKISPPAS.RVW   20020923
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
        December 16, 2002   December 20, 2002   San Francisco, CA
        February 10, 2003   February 14, 2003   St. Louis, MO
        March 31, 2003      April 4, 2003       Indianapolis, IN