[ISN] REVIEW: "Securing Business Information", F. Christian Byrnes/Dale Kutnick

From: InfoSec News (isnat_private)
Date: Thu Jan 09 2003 - 01:41:10 PST


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    BKSEBUIN.RVW   20020916
    "Securing Business Information", F. Christian Byrnes/Dale Kutnick,
    2002, 0-201-76735-X, U$39.99/C$59.95
    %A   F. Christian Byrnes
    %A   Dale Kutnick
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
    %D   2002
    %G   0-201-76735-X
    %I   Addison-Wesley Publishing Co.
    %O   U$39.99/C$59.95 416-447-5101 fax: 416-443-0948
    %O  http://www.amazon.com/exec/obidos/ASIN/020176735X/robsladesinterne
    %P   237 p.
    %T   "Securing Business Information: Strategies to Protect the
          Enterprise and Its Network"

    The preface addresses how to keep data secure in a distributed
    environment.  Chapter one tells us that the first thing to do is
    prepare the organization for changes, then that the first thing to do
    is to write a policy, then that the first thing to do is get a strong
    base of support among the executives, then that the first thing to do
    is market the idea to executives and users, then that the first thing
    to do is to build an effective organizational structure.  The material
    meanders through a kind of utopian view of what a mission statement
    and organization chart should be before settling into a promotion of
    political and marketing campaign strategies to sell security to the
    executives.  The asset identification portion of risk analysis is
    covered in chapter two.  A multi-dimensional and not-quite-orthogonal
    set of domains for classifying resources is overly complex, but may
    help you to identify holdings that are generally unregarded.  At first
    chapter three seems to be proceeding with risk analysis, but then it
    veers into policies (if you consider benchmarks equivalent to
    policies).  Similarly, chapter four seems to start out with risk
    analysis, and then moves to safeguards, and then moves into business
    impact analysis.  Risk analysis *finally* gets a (somewhat incomplete)
    explanation in chapter five, which then moves on to cost/benefit
    analysis, then cultural (political) considerations.  Chapter six
    suggests that you rank, select, and market the necessary projects
    identified by the analysis.  Small companies may wish to shorten the
    process by doing the above four times over, states chapter seven.
    Chapter eight recommends having a strategy for changing technology.  A
    grab bag of security technologies is in chapter nine, which is
    particularly poor in regard to viruses.  Chapter ten provides two
    fictional "case studies," and eleven lists the followup projects from
    them.  Role-based access control is promoted in chapter twelve, while
    chapter thirteen does the same for "single sign-on."

    "Pitiful" is the only word that can be used to describe the

    Yet another book that attempts to provide a quick review of all of
    security--and fails.

    copyright Robert M. Slade, 2002   BKSEBUIN.RVW   20020916
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
        February 10, 2003   February 14, 2003   St. Louis, MO
        March 31, 2003      April 4, 2003       Indianapolis, IN
