REVIEW: "Mission Critical Security Planner", Eric Greenberg

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Jun 3, 2003
      BKMSCRSP.RVW 20030330

      "Mission Critical Security Planner", Eric Greenberg, 2003,
      0-471-21165-6, U$35.00/C$54.95/UK#25.95
      %A Eric Greenberg
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2003
      %G 0-471-21165-6
      %I John Wiley & Sons, Inc.
      %O U$35.00/C$54.95/UK#25.95 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0471211656/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0471211656/robsladesin03-20
      %P 416 p.
      %T "Mission Critical Security Planner"

      In the introduction, Greenberg claims that his book provides guidance
      on how to do quantitative security planning without calculations
      (which sounds somewhat self-contradictory) using a new technique he
      calls impact analysis (which doesn't sound too different from business
      impact analysis). A technical background is said to be unnecessary,
      the process is worksheet based, and the target audience is security

      Chapter one says that protecting information is not exact (a statement
      that doesn't seem to fit well with the worksheet approach). Random
      security topics include planning, intruders, and a risk analysis
      example which is, ironically in view of the introduction, more
      computationally intensive than most. An overview of planning, in
      chapter two, majors on the minors. Policies are not discussed until
      twenty-five pages into the material, and then the emphasis is on very
      specific areas like exit (termination of employment) procedures,
      leaving huge topics uncovered. Twenty-eight security elements are
      listed, and all are important, but almost all are either over-vague or

      Chapters three and four introduce the worksheets themselves. Sixteen
      topic areas have four sheets each, dealing with the technical,
      lifecycle, business, and "selling to management" aspects of the
      themes, while other domains may have only a single sheet. The
      questions listed may be helpful as reminders to address certain
      aspects which are often overlooked, but the odd and arbitrary
      structure is confusing, and the real work is definitely left as an
      exercise to the reader.

      A description and analysis of PKI (Public Key Infrastructure), in
      chapter five, is vague and weak, and contains much unrelated material.
      Chapter six is a recap of the book, along with a simple list of

      While the advice in the book is not wrong or misleading, and many
      important and useful points are buried throughout, poor organization,
      a lack of consistent depth, and gaps in topical coverage ensure that
      the text would only poorly repay the investment of time spent studying
      it. Certainly it should not be used as a major guide to structure the
      security planning process.

      copyright Robert M. Slade, 2003 BKMSCRSP.RVW 20030330

      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
