[ISN] REVIEW: "The Information Systems Security Officer's Guide"

From: mea culpa <jericho_at_dimensional.com>
Date: Wed 25 Nov 1998 - 15:07:53 CST
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>

BKISSOGD.RVW   981009

"The Information Systems Security Officer's Guide", Gerald L.
Kovacich, 1998, 0-7506-9896-9
%A   Gerald L. Kovacich
%C   225 Wildwood Street, Woburn, MA  01801
%D   1998
%G   0-7506-9896-9
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   800-366-BOOK fax: 800-446-6520 liz.mccarthy@repp.com
%P   172 p.
%T   "The Information Systems Security Officer's Guide"

This book is not a list of those technical things that an information
systems security (or InfoSec) officer (or ISSO) ought to know, but a guide
to the process of acquiring and using that data.  This is a guide to the
ISSO career: what it is, how to train for it, how to do it, and how to
tell if you are doing a good job. 

Chapter one repeats the adage that the world is changing.  Unfortunately,
this truism does not lead to much advice beyond the need to keep up with
the technology.  In the random assortment of waves and trends that are
mentioned, some important points are missed.  For example, along with the
need to know something about your justice system (which is mentioned) and
the rise of the Internet (which is mentioned), the fact that attacks over
the Internet can come from anywhere, and that a knowledge of other justice
systems may be needed for a prosecution that involves testimony from
different countries and law enforcement agencies, is not mentioned.  The
position of the ISSO within a company is outlined in chapter two.  Most of
this material is more focussed than in chapter one, concentrating on
corporate politics.  One rather important aspect that does not get any
space is the production and maintenance of a security policy, and the
games that may have to be played around it.  The company side is somewhat
extended in chapter three by building a simulated corporation to use as a
test case.  However, few of the items addressed in the chapter have an
awful lot of security involvement.  One very definitely does, and is
missed: the subcontractors of the simulated organization know and use a
vital proprietary process, but no mention is made of ensuring that these
contractors are sufficiently guarding *their* data. 

Chapter four outlines a career development plan, but it boils down to
"have a degree, get experience, attend conferences, and read other stuff." 
The most useful information provided is on the Certified Information
Systems Security Professional (CISSP) designation and contact data for
some of the professional groups.  As the book itself states, you probably
have already attended a job interview or two in your time, so the advice
in chapter five is likely redundant.  It certainly isn't extensive. 

Chapter six's list of duties has two major problems.  One is that there is
no overall structure for the material, so it is hard to place into a
context of priorities and tasks to be accomplished.  The second is that
the outline assumes one size fits all jobs.  The text assumes the ISSO
will be responsible for management of a team of InfoSec staff: only the
largest of corporations have multiple security personnel, let alone a
manager dedicated to them.  The outline of business plans in chapter seven
follows the usual style not only in format, but also in not providing any
really solid information about what is to be done.  Chapter eight's
discussion of building an InfoSec organization basically repeats political
advice from chapter two and job descriptions from chapter four.  The look
at InfoSec functions again repeats content from chapters two and six,
although chapter nine does finally take a brief look at policies. 

Chapter ten introduces metrics in order to measure the performance of the
InfoSec department.  Most of the examples used deal with the
administration of security, rather than measures of actual protection.
There is a rehash of planning, with an emphasis on annual reviews, in
chapter eleven.  A brief review of current security concerns finishes off
the book in chapter twelve. 

While this book is not intended to address the technical side of security,
there is no reason that it couldn't be based on real and hard data.  An
overview of data security positions that do exist, the numbers of such
positions, the courses actually available, and what the incumbents
actually do would have added immensely to the value of the book.  This
volume does address a gap in the security literature, and it is important
to know the business and managerial side of the security maven's job, but
this work does not explain it very well. 

copyright Robert M. Slade, 1998 BKISSOGD.RVW 981009

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 09:00:05 1998