REVIEW: "Enterprise Information Security", Peter Gregory
- BKENINSE.RVW 20020916
"Enterprise Information Security", Peter Gregory, 2003, 0-273-66157-4,
%A Peter Gregory peter.gregory@...
%C London, UK
%I Prentice Hall/Financial Times
%O C$19.99/UK#156.99 +1-201-236-7139 fax: +1-201-236-7131
%P 145 p.
%T "Enterprise Information Security: Information security for
non-technical decision makers"
The executive summary states that this book is intended to present
information security to executives. The introduction certainly shows
that it isn't intended for technical people, who would ask what the
difference was between access over the Internet and remote access, or
a network using TCP/IP and the Internet.
Chapter one asserts that the events of September 11, 2001 woke
executives up to the importance of security. (Yeah, right.) However,
there is a good analysis of the reasons that the Code Red/Nimda worm
was successful. The definition of a threat, in chapter two, is pretty
bad, and the definitions of various types of malicious software are
really bad. The section on hacking lists a variety of attacks (heavy
on social engineering), the "hacker profiles" concentrate on system
exploits, there is a random list of security problems, and then an
surprisingly good definition of vulnerability. Authentication and
authorization are reasonably handled, but confused with extraneous
details in chapter three. Access control is equated with firewalls,
and the discussion of cryptography is all right but full of minor
errors. (RC 2 and RC 4 have been compromised, Skipjack has been
released for limited review, a digital signature does need a key but
not necessarily an additional password, the loss of a key is not
sufficient to repudiate a digital signature, and the ping-of-death
does not compromise integrity.) The material on antivirus protection
refers only to scanning, and the material on audit deals only with
logs. Chapter four is supposed to be about policies, but actually
concentrates on procedures, containing random thoughts and many gaps.
People are the weak link in security, we are told in chapter five,
and, as with other sections it uses non-standard terms in the
discussion. More haphazard thoughts are in chapter six, while chapter
seven has a poor definition of privacy and a grab bag of topics. In
chapter eight a casual list of topics seem to be indiscriminately
assigned to the standard important/urgent quadrant chart.
OK, this is not intended for professionals; it is intended for
managers. But, even if we give full reign to the usual jokes -- those
who can't, do; those who are incapable of mastering anything, go into
management -- it's still bad form to deliberately mislead them this
copyright Robert M. Slade, 2002 BKENINSE.RVW 20020916
rslade@... rslade@... slade@... p1@...
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
February 10, 2003 February 14, 2003 St. Louis, MO
March 31, 2003 April 4, 2003 Indianapolis, IN