REVIEW: "Writing Information Security Policies", Scott Barman
- BKWRINSP.RVW 20020601
"Writing Information Security Policies", Scott Barman, 2002,
%A Scott Barman scott@... www.barman.ws/wisp
%C 201 W. 103rd Street, Indianapolis, IN 46290
%I Macmillan Computer Publishing (MCP)/New Riders
%O U$34.99/C$52.95/UK#27.50 800-858-7674 317-581-3743 info@...
%P 216 p.
%T "Writing Information Security Policies"
Until recently, the classic resource for those charged with writing
security policies was "Information Security Policies Made Easy" (cf.
BKISPME.RVW). Trouble was, that book made it a little bit too easy:
the format encouraged people to use pieces without modification, and
one size, in the security field, definitely does not fit all. This
book, however, takes the opposite approach. While still aimed at the
non-technical manager responsible for producing the policy, it uses
minimal examples, concentrating on the process of policy formation.
Part one looks at starting the process. Chapter one defines what
policies are and why they are important, and outlines the first steps
needed to proceed. A good, broad outline of what your company should
have in the way of a policy comes in chapter two. Finally, the
responsibilities of different departments, along with their activities
and roles, are presented in chapter three.
Part two covers the main body of security policy development. Chapter
four starts out with physical security. As noted above, readers will
have to go beyond the example policies given in the text, but these
samples do provide a reasonable guide for what the final items should
look like. Authentication and network security are dealt with in
chapter five, although the telecommunications material is quite
limited. Some of this lack is made up in chapter six's review of
Internet policy, which goes beyond firewalls to examine training,
applications, e-commerce, and other areas. Email use has a set of
special requirements separate from those of the net, and these are
addressed in chapter seven. Unfortunately, as with all too many
works, the review of malware policies, in chapter eight, is weaker
than the rest of the book. (Does the example policy to use "all means
to prevent the spread of computer viruses" mean that you can't use
Microsoft products? And why, in this day and age of "fast burner"
email viruses, is a signature update every thirty days deemed
sufficient?) The limited technical background also contributes to the
frailty of chapter nine's overview of encryption. Some policies are
too broad, while there are missing areas that may need to be
addressed, depending upon industry and operations. Chapter ten has
very solid coverage of application development policies, which are all
too often neglected in other works.
Part three is concerned with maintaining the policies. Chapter eleven
seems slightly off topic, as it deals with acceptable use policies.
However, chapter twelve looks at the roles and responsibilities
involved in compliance and enforcement. A short precis of the policy
review process ends the book in chapter thirteen.
While not a panacea, this book is clear, well written, and helpful.
There is valuable advice packed into few enough pages that a manager
should be able to read it on a cross-country plane trip.
copyright Robert M. Slade, 2002 BKWRINSP.RVW 20020601
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade