
REVIEW: "Writing Information Security Policies", Scott Barman

Message 1 of 1, Jul 22, 2002
      BKWRINSP.RVW 20020601

      "Writing Information Security Policies", Scott Barman, 2002,
      1-57870-264-X, U$34.99/C$52.95/UK#27.50
      %A Scott Barman scott@... www.barman.ws/wisp
      %C 201 W. 103rd Street, Indianapolis, IN 46290
      %D 2002
      %G 1-57870-264-X
      %I Macmillan Computer Publishing (MCP)/New Riders
      %O U$34.99/C$52.95/UK#27.50 800-858-7674 317-581-3743 info@...
      %P 216 p.
      %T "Writing Information Security Policies"

      Until recently, the classic resource for those charged with writing
      security policies was "Information Security Policies Made Easy" (cf.
      BKISPME.RVW). Trouble was, that book made it a little bit too easy:
      the format encouraged people to use pieces without modification, and
      one size, in the security field, definitely does not fit all. This
      book, however, takes the opposite approach. While still aimed at the
      non-technical manager responsible for producing the policy, it uses
      minimal examples, concentrating on the process of policy formation.

      Part one looks at starting the process. Chapter one defines what
      policies are and why they are important, and outlines the first steps
      needed to proceed. A good, broad outline of what your company should
      have in the way of a policy comes in chapter two. Finally, the
      responsibilities of different departments, their activities and roles,
      are presented in chapter three.

      Part two covers the main body of security policy development. Chapter
      four starts out with physical security. As noted above, readers will
      have to go beyond the example policies given in the text, but these
      samples do provide a reasonable guide for what the final items should
      look like. Authentication and network security is dealt with in
      chapter five, although the telecommunications material is quite
      limited. Some of this lack is made up in chapter six's review of
      Internet policy, which goes beyond firewalls to examine training,
      applications, e-commerce, and other areas. Email use has a set of
      special requirements separate from those of the net, and these are
      addressed in chapter seven. Unfortunately, as with all too many
      works, the review of malware policies, in chapter eight, is weaker
      than the rest of the book. (Does the example policy to use "all means
      to prevent the spread of computer viruses" mean that you can't use
      Microsoft products? And why, in this day and age of "fast burner"
      email viruses, is a signature update every thirty days deemed
      sufficient?) The limited technical background also contributes to the
      frailty of chapter nine's overview of encryption. Some policies are
      too broad, while there are missing areas that may need to be
      addressed, depending upon industry and operations. Chapter ten has
      very solid coverage of application development policies, which are all
      too often neglected in other works.

      Part three is concerned with maintaining the policies. Chapter eleven
      seems slightly off topic, as it deals with acceptable use policies.
      However, chapter twelve looks at the roles and responsibilities
      involved in compliance and enforcement. A short précis of the policy
      review process ends the book in chapter thirteen.

      While not a panacea, this book is clear, well written, and helpful.
      There is valuable advice packed into few enough pages that a manager
      should be able to read it on a cross-country plane trip.

      copyright Robert M. Slade, 2002 BKWRINSP.RVW 20020601

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      Every exit is an entry somewhere else. - Tom Stoppard
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade