"Mission Critical Security Planner", Eric Greenberg, 2003,
%A Eric Greenberg
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$35.00/C$54.95/UK#25.95 416-236-4433 fax: 416-236-4448
%P 416 p.
%T "Mission Critical Security Planner"
In the introduction, Greenberg claims that his book provides guidance
on how to do quantitative security planning without calculations
(which sounds somewhat self-contradictory) using a new technique he
calls impact analysis (which doesn't sound too different from business
impact analysis). A technical background is said to be unnecessary,
the process is worksheet based, and the target audience is security
Chapter one says that protecting information is not exact (a statement
that doesn't seem to fit well with the worksheet approach). Random
security topics include planning, intruders, and a risk analysis
example which is, ironically in view of the introduction, more
computationally intensive than most. An overview of planning, in
chapter two, majors on the minors. Policies are not discussed until
twenty five pages into the material, and then the emphasis is on very
specific areas like exit (termination of employment) procedures,
leaving huge topics uncovered. Twenty eight security elements are
listed, and all are important, but almost all are either over-vague or
Chapters three and four introduce the worksheets themselves. Sixteen
topic areas have four sheets each, dealing with the technical,
lifecycle, business, and "selling to management" aspects of the
themes, while other domains may have only a single sheet. The
questions listed may be helpful as reminders to address certain
aspects which are often overlooked, but the odd and arbitrary
structure is confusing, and the real work is definitely left as an
exercise to the reader.
A description and analysis of PKI (Public Key Infrastructure), in
chapter five, is vague and weak, and contains much unrelated material.
Chapter six is a recap of the book, along with a simple list of
While the advice in the book is not wrong or misleading, and many
important and useful points are buried throughout, poor organization,
a lack of consistent depth, and gaps in topical coverage ensure that
the text would only poorly repay the investment of time spent studying
it. Certainly it should not be used as a major guide to structure the
security planning process.
copyright Robert M. Slade, 2003 BKMSCRSP.RVW 20030330
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
And the tubby beard went on.