REVIEW: "Principles of Information Security", Michael E. Whitman/Herbert J. Mattord
- BKPRINSC.RVW 20040531
"Principles of Information Security", Michael E. Whitman/Herbert J.
Mattord, 2003, 0-619-06318-1
%A Michael E. Whitman
%A Herbert J. Mattord
%C 25 Thomson Place, Boston, MA 02210
%I Thomson Learning Inc.
%O U$67.95/C$93.17 www.course.com
%P 532 p.
%T "Principles of Information Security"

The introduction, in chapter one, seems to be a compilation of
security views from a variety of sources. While this could be
interesting for the experienced professional, the lack of structure
and guidance is likely to confuse the beginning student, the audience
at which the book is aimed. Each chapter starts with a fictional
scenario: the stories do very little to add to the understanding of
the topic. Review questions and exercises at the end of the chapters
are generally either simplistic or open-ended. Chapter two lists
various types of threats and attacks: classifications and groupings
are unclear and are likely to lead students into erroneous assumptions
about the different exploits. Most of the textual material on legal
and ethical issues, in chapter three, deals with (primarily old) US
laws. Actually, a substantial portion of the chapter is given over to
screenshots of numerous computer related agencies and organizations.
Risk management is broken into two chapters, four, which gives a
pedestrian but not bad overview of analysis and assessment, and five,
which is another unstructured amalgam of topics, some of which should
have been covered in four. Chapter six is a wandering discussion of
policy, spending a lot of space listing the NIST (US National
Institutes of Standards and Technology) guides. Business continuity
planning, in chapter seven, concentrates on incident response, and has
an odd mention of the involvement of law enforcement. Chapter eight
lists network security tools and also has simplistic coverage of
cryptography, extended with an appendix that gets the mathematics of
asymmetric encryption mostly right, but the implementation seriously
wrong. Physical security is dealt with reasonably well in chapter
nine, although the fire suppression content may be confusing. Generic
project planning advice is in chapter ten. Chapter eleven's review of
personnel security lists job titles, security related certifications,
and some general principles. Security maintenance, in chapter twelve,
is limited to patch and change management as well as risk
reassessment advice that probably should have been included with chapter

An introductory security text need not contain the depth, or even
breadth, of a reference for professionals. However, this one could
use a lot more structure in the presentation of the content, and more
than a little care with facts and implications.

copyright Robert M. Slade, 2004 BKPRINSC.RVW 20040531
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade