"Information Assurance", Joseph G. Boyce/Dan W. Jennings, 2002,
%A Joseph G. Boyce
%A Dan W. Jennings
%C 2000 Corporate Blvd. NW, Boca Raton, FL 33431
%I Butterworth-Heinemann/CRC Press/Digital Press
%O U$44.99 800-272-7737 http://www.bh.com/bh/ dp-catalog@...
%P 261 p.
%T "Information Assurance: Managing Organizational IT Security
The preface states that this book is distinct because 1) it covers
concepts and principles (although how this could be a distinctive is
somewhat lost on me: many of the chapters relate directly to six of
the ten CBK [Common Body of Knowledge] domains), 2) it promotes a
defence in depth strategy (hardly unusual in general security works),
3) it attempts to counter the perception of an antagonism between
security and operations (fairly conventional), and 4) it points out
resources for added information (and how is that unique?).

Part one covers the foundational concepts of an organizational IA
(Information Assurance) program. Chapter one defines IA in a way that
makes it basically the same as any kind of information systems
security, and offers vague thoughts on the importance of information.
There is a brief review of some basic security concepts (as well as
some that are not quite central) in chapter two. Defence in depth is
also defined at this point: rather idiosyncratically, it is specified
to be in opposition to "security by obscurity" and perimeter defence.

Part two is supposed to look at determining the organization's current
IA posture. Chapter three purports to help ascertain an IA baseline,
but is really just a list of possible security technologies.
Determining security priorities, in chapter four, talks about data and
resource classification, but much of it is vague philosophy, rather
than practical advice. While summarized in tables rather than text,
chapter five's material on IA posture is just plain, old risk

Part three is presumed to help establish a defence in depth strategy.
There is a basic introduction to policies in chapter six. IA
management, in chapter seven, is primarily more suited to system
administration. Chapter eight's look at IA architecture covers
subjects and objects, but has no security models. The text does
review threats and various security technologies, and, very strangely,
assumes that the OSI (Open Systems Interconnection) network model can
be used as a security structure. Operational security administration,
in chapter nine, recycles random concepts that have been presented
earlier. Configuration management is held to be software change
control, and chapter nine also concentrates on "emergency" changes.
Chapter eleven's review of the system development life cycle is terse.
Chapter twelve, on contingency planning, is extremely terse, and
suggests that you have a backup, UPS (Uninterruptable Power Supply)
and a disaster recovery plan. The material on training, in chapter
thirteen, is both generic and short. Policy compliance oversight is
limited to intrusion detection systems, audit logs, and virus
scanning, in chapter fourteen. Chapter fifteen's look at incident
response is basic and brief. Finally, chapter sixteen examines IA
reporting--and suggests that you have a structure for it.

This work is yet another attempt at a generic security guide. It has
no distinctives. In fact, there are simple security guides for home
users that do a better job of explaining the structure, process, and

copyright Robert M. Slade, 2002 BKIAMOIS.RVW 20021012
rslade@... rslade@... slade@... p1@...
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
November 25, 2002 November 29, 2002 Toronto, ON, Canada
December 16, 2002 December 20, 2002 San Francisco, CA
February 10, 2003 February 14, 2003 St. Louis, MO