
REVIEW: "A Practical Guide to Managing Information Security", Steve Purser

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Oct 11, 2004
      BKPGTMIS.RVW 20040514

      "A Practical Guide to Managing Information Security", Steve Purser,
      2004, 1-58053-702-2, C$120.50
      %A Steve Purser
      %C 685 Canton St., Norwood, MA 02062
      %D 2004
      %G 1-58053-702-2
      %I Artech House/Horizon
      %O C$120.50 800-225-9977 fax: 617-769-6334 artech@...
      %O http://www.amazon.com/exec/obidos/ASIN/1580537022/robsladesinterne
      %O http://www.amazon.co.uk/exec/obidos/ASIN/1580537022/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1580537022/robsladesin03-20
      %P 259 p.
      %T "A Practical Guide to Managing Information Security"

      After years of reviewing security books there were a number of red
      warning flags in the preface: the perception that a book was needed to
      address the "entire" subject of security, an insistence on a
      "pragmatic" and management oriented approach, and the use of a
      "fictitious but realistic case study" to support the arguments in the
      work. The final omen came in the author's bio on the back cover: he's
      a banker.

      Chapter one is a vague statement that the information technology world
      is getting riskier, but states outright the irresponsible notion that
      it is better to provide a less secure product to customers as long as
      that reduces your "time to market." This is backed up by a great deal
      of waffling managementspeak that boils down to the idea that we have
      to learn to work faster *and* cheaper *and* better *and* smarter. The
      footnotes and references intended to demonstrate that this is a
      scholarly and researched effort are, instead, a grab bag of varying
      origin and quality, indicating that the author isn't really familiar
      with security literature, and used whatever he happened to read. A
      few security information sources and generic advice on planning are in
      chapter two. The taxonomy of technical tools, in chapter three,
      contains no entries for accounting, application development,
      operations, physical security, assurance, or business continuity, thus
      indicating the enormous gaps in this work. The artificial structure
      imposed on the list works against an integrated view of the tools:
      Purser obviously doesn't understand intrusion detection divisions, or
      that host-based and net-based systems both provide details--but of
      differing views.

      In chapter four, Purser obviously thinks that he is giving us new
      insight into security assessment, when all that is really being
      delivered is a generic project planning cycle. Similarly, chapter
      five deals with business and threat analysis. A vague review of
      policy documents is in chapter six. Chapter seven takes on that
      wonderful buzzphrase, "process re-engineering," having almost nothing
      to do with security at all. A planning cycle comes up again when
      chapter eight supposedly looks at security architecture. Chapter nine
      covers security training, in an overly formal way.

      This book adds almost nothing to the existing security literature,
      except for a lot of management directed verbiage.

      copyright Robert M. Slade, 2004 BKPGTMIS.RVW 20040514


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      The simple fact that nobody understands you is not to be taken as
      proof that you are an artist
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade