
REVIEW: "Enterprise Information Security", Peter Gregory

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Jan 3, 2003
      BKENINSE.RVW 20020916

      "Enterprise Information Security", Peter Gregory, 2003, 0-273-66157-4,
      C$19.99/UK#156.99
      %A Peter Gregory peter.gregory@...
      %C London, UK
      %D 2003
      %G 0-273-66157-4
      %I Prentice Hall/Financial Times
      %O C$19.99/UK#156.99 +1-201-236-7139 fax: +1-201-236-7131
      %O http://www.amazon.com/exec/obidos/ASIN/0273661574/robsladesinterne
      %P 145 p.
      %T "Enterprise Information Security: Information security for
      non-technical decision makers"

      The executive summary states that this book is intended to present
      information security to executives. The introduction certainly shows
      that it isn't intended for technical people, who would ask what the
      difference was between access over the Internet and remote access, or
      a network using TCP/IP and the Internet.

      Chapter one asserts that the events of September 11, 2001 woke
      executives up to the importance of security. (Yeah, right.) However,
      there is a good analysis of the reasons that the Code Red/Nimda worm
      was successful. The definition of a threat, in chapter two, is pretty
      bad, and the definitions of various types of malicious software are
      really bad. The section on hacking lists a variety of attacks (heavy
      on social engineering), the "hacker profiles" concentrate on system
      exploits, there is a random list of security problems, and then an
      a surprisingly good definition of vulnerability. Authentication and
      authorization are reasonably handled, but confused with extraneous
      details in chapter three. Access control is equated with firewalls,
      and the discussion of cryptography is all right but full of minor
      errors. (RC2 and RC4 have been compromised, Skipjack has been
      released for limited review, a digital signature does need a key but
      not necessarily an additional password, the loss of a key is not
      sufficient to repudiate a digital signature, and the ping-of-death
      does not compromise integrity.) The material on antivirus protection
      refers only to scanning, and the material on audit deals only with
      logs. Chapter four is supposed to be about policies, but actually
      concentrates on procedures, containing random thoughts and many gaps.
      People are the weak link in security, we are told in chapter five,
      and, as with other sections, it uses non-standard terms in the
      discussion. More haphazard thoughts are in chapter six, while chapter
      seven has a poor definition of privacy and a grab bag of topics. In
      chapter eight a casual list of topics seems to be indiscriminately
      assigned to the standard important/urgent quadrant chart.

      OK, this is not intended for professionals; it is intended for
      managers. But, even if we give full rein to the usual jokes -- those
      who can't, do; those who are incapable of mastering anything, go into
      management -- it's still bad form to deliberately mislead them this

      copyright Robert M. Slade, 2002 BKENINSE.RVW 20020916

      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      February 10, 2003 February 14, 2003 St. Louis, MO
      March 31, 2003 April 4, 2003 Indianapolis, IN