REVIEW: "The Security Risk Assessment Handbook", Douglas J. Landoll

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Nov 15, 2006
      BKSCRAHB.RVW 20060919

      "The Security Risk Assessment Handbook", Douglas J. Landoll, 2006,
      %A Douglas J. Landoll
      %C 920 Mercer Street, Windsor, ON N9A 7C2
      %D 2006
      %G 0-8493-2998-1
      %I Auerbach Publications
      %O +1-800-950-1216 auerbach@... orders@...
      %O http://www.amazon.com/exec/obidos/ASIN/0849329981/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0849329981/robsladesin03-20
      %O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 473 p.
      %T "The Security Risk Assessment Handbook"

      Chapter one is an introduction. Landoll's text is initially rather
      preachy and biased. The first couple of sections appear to take the
      position that industry has failed in its responsibility to secure
      information systems, and therefore (the United States federal)
      government has had to take charge. He then lists (although does not
      describe in any detail) various security frameworks and guidelines,
      and argues that, simply on the basis of a lack of congruence between
      these documents, "best practices" are a myth. His conclusion, that
      risk-based security planning is better, seems oddly gleeful in the
      context of such an otherwise dour piece of writing.

      Unfortunately, the author does not seem to do any better with risk-
      based security planning, right off the top. We are told (on page
      four) that "the establishment of an information security program is
      not the topic of this book. The topic of this book is how to perform
      and review an information security program," which statement(s) must
      surely rank highly in terms of self-contradiction and confusion.

      Were the reader to quit after this inauspicious, muddled, and verbose
      beginning, however, it would be to miss a work of some value. Within
      pages, Landoll clarifies the rationale for, and types of, risk
      assessment, as well as explaining the purpose of this volume in light
      of other existing assessment tools and documents. (To his credit,
      where other authors tend to denigrate alternative references, Landoll
      notes their respective strengths, and then states the extension that
      his book provides.)

      It is frustrating to attempt a single assessment of the book. The
      text has value, but also annoyances. Chapter two provides a useful
      guide to the basic components of the risk assessment process (which
      forms the structure for much of the rest of the book). At the same
      time, where Landoll has been using the business-oriented breakdown of
      control types (into administrative, technical, and physical), when
      discussing safeguards he suddenly switches to the categories of
      preventive, detective, corrective, et cetera, that are more familiar
      to those in the government and military. (Interestingly, for someone
      from a strongly governmental background, Landoll does not fill out the
      list with recovery, compensating, deterrent, and directive.) In
      addition, when reviewing the concept of residual risk, two new terms
      of "static" and "dynamic" risk are introduced. Although the terms are
      poorly defined, "static" seems simply to refer to residual risk, while
      "dynamic" appears to mean nothing more than risk itself. Therefore,
      these two new entries provide no distinct value to the discourse, and
      only serve to confuse the issues.

      Again, chapter three covers the vital topic of the definition of
      objectives and scope of a risk assessment project. When discussing
      the "customer" for a review, "Risk Assessment Method" and "Objective
      Review" seem to be presented as potential clients. While the question
      of quality of work would certainly appear to be a legitimate concern
      in dealing with project extent, Landoll includes a great deal of
      material relevant only to the final report, such as grammatical
      correctness and visually pleasing presentation. On the other hand,
      there is a good deal of very practical content addressing issues of
      realistic scope and reasonable budgeting. The preparation phase is
      covered in chapter four, dealing both with practical issues such as
      letters of introduction, more esoteric concerns of system and asset
      criticality, and also reviewing a number of methodologies and
      approaches to risk assessment (although primarily at a conceptual

      Chapter five starts a string of chapters on various types of data
      collection. It leads off with general discussions on the topic,
      examining questions of sampling and related issues. (Landoll is not
      always careful about explaining terms before starting to use them:
      neither the index nor any part of the text notes that the RIIOT
      method, which is used extensively in the chapter, is merely an acronym
      for the phases of review, interview, inspect, observe, and test.) The
      gathering of data on administrative safeguards, in chapter six, has
      good checklists of items to assess, and uses the RIIOT format to
      structure the areas and phases of the elements to consider. (There is
      a rather odd reluctance to discuss policy, and an even stranger
      overemphasis on two-man controls.) Moving into technical
      countermeasures, chapter seven starts off with a section on attacks
      and controls. There are very odd errors in the text: the distinction
      between SPAM (the Hormel food product) and spam (bulk unsolicited
      commercial or fraudulent messages) may be subtle but every security
      specialist should know it and yet Landoll uses SPAM throughout. The
      section on antivirus protection is weak, cross-references are spotty,
      and Landoll uses an old (and generally abandoned) type of firewall
      (session-level, which is an amalgamation of stateful and circuit-level
      proxy). Intriguingly, authentication is not addressed with technical
      controls, but (rather weakly) with physical protection, in chapter
      eight. Most of the discussion of physical security outlines
      particular safeguards, and there is little deliberation on risk
      assessment or the factors that can influence it. (For example,
      various power supply alternatives are discussed, including the rather
      esoteric flywheel generator, but the idea of requesting information
      from the utility on past power outages doesn't seem to have occurred
      to the author.)

      Chapter nine does turn to security risk analysis, briefly, but with
      some helpful pointers for the evaluation process. Risk mitigation, in
      chapter ten, looks rather tersely at choice of controls, and does an
      oddly complicated review of cost/benefit analysis. Styles for
      different types of reports resulting from risk assessment are outlined
      in chapter eleven. Chapter twelve presents a fairly standard look at
      project management (with extra emphasis on reporting). Chapter
      thirteen lists, but does not adequately describe, various risk
      assessment methodologies.

      Despite the weaknesses, oddities, and gaps in the book, it does
      provide a decent overall guide, and some very useful practical
      suggestions. It is not quite complete in all areas, and therefore
      likely unsuitable as the sole source of advice on the risk assessment
      process for the novice, although the newcomer would not go far wrong
      in following the counsel of this work. The experienced security or
      risk assessment professional will still find valuable recommendations
      and advice. For anyone in the security or risk analysis field, the
      book is well worth considering.

      copyright Robert M. Slade, 2006 BKSCRAHB.RVW 20060919

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Bodily exercise, when compulsory, does no harm to the body; but
      knowledge which is acquired under compulsion obtains no hold on
      the mind. - Plato, The Republic
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150