Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Managing Information Security Risks", Christopher Alberts/Audrey Dorofee

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKMISROA.RVW 20020826 Managing Information Security Risks , Christopher Alberts/Audrey Dorofee, 2003, 0-321-11886-3, U$54.99/C$85.99 %A Christopher
    Message 1 of 1 , Oct 24 9:00 AM
    • 0 Attachment
      BKMISROA.RVW 20020826

      "Managing Information Security Risks", Christopher Alberts/Audrey
      Dorofee, 2003, 0-321-11886-3, U$54.99/C$85.99
      %A Christopher Alberts
      %A Audrey Dorofee
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2003
      %G 0-321-11886-3
      %I Addison-Wesley Publishing Co.
      %O U$54.99/C$85.99 416-447-5101 fax: 416-443-0948
      %P 471 p.
      %T "Managing Information Security Risks: The OCTAVE Approach"

      Part one is an introduction to risks and risk evaluation. Chapter one
      is a generic, and not particularly clearly written, outline of a basic
      risk analysis process. The OCTAVE (Operationally Critical Threat,
      Asset, and Vulnerability Evaluation) process is described in chapter
      two, along with various principles, factors (called attributes), and
      three phases of outputs (or deliverables) of the process.

      Part two presents more details of the method. Chapter three runs
      through the outcomes and attributes again, but in a confusing fashion.
      "Preparing for OCTAVE," in chapter four, is a fairly generic outline
      of preparation for any kind of planning. Chapter five begins a list
      of the individual processes of OCTAVE, but essentially says that the
      company should identify assets, threats and vulnerabilities. The
      creation of threat profiles, in chapter six, is the first part of the
      process that actually presents details and tools that might help in
      risk analysis. Chapter seven suggests that you identify key
      components of an asset, but, again, does not offer a specific process
      for doing so. Evaluating selected components, in chapter eight, seems
      to be merely subdividing asset threat analysis. Risk analysis is
      vaguely and briefly covered in chapter nine. Chapters ten and eleven
      contain pedestrian advice about developing a protection strategy.

      Part three talks about variations to OCTAVE. Chapter twelve discusses
      the tailoring of OCTAVE, but since OCTAVE itself is rather vague, it
      is difficult to understand the options for alteration. Chapter
      thirteen asserts that OCTAVE is suitable for a variety of situations:
      since the process is so generic this is probably true. Chapter
      fourteen recommends reviewing or redoing an OCTAVE assessment from
      time to time--just like any risk analysis.

      Appendix B lists a variety of worksheets for risk analysis which could
      be quite useful.

      This book is written in such a nebulous manner that it is difficult to
      day whether OCTAVE is an obscure method, or whether it is simply
      poorly explained.

      copyright Robert M. Slade, 2002 BKMISROA.RVW 20020826

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      I have found that many organizations want change,
      but nobody wants to do anything differently. - Jeffrey Pfeffer
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.