REVIEW: "IT Governance", Alan Calder/Steve Watkins
- BKITGVRN.RVW 20061007
"IT Governance", Alan Calder/Steve Watkins, 2005, 0-7494-4394-4,
%A Alan Calder
%A Steve Watkins
%C 120 Pentonville Rd, London, UK, N1 9JN
%I Kogan Page Ltd.
%O U$84.57/C$93.89 +44-020-7278-0433 kpinfo@...
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 368 p.
%T "IT Governance: A Managers Guide to Data Security and BS 7799/
The introduction states that this book is intended for business
managers, board members, and other senior executives, rather than IT
Chapter one, preaching about the rationale behind information
security, reiterates the material given in the introduction.
Management and reporting regulations for the UK (the Combined Code)
and the US (Sarbanes-Oxley) are discussed in chapter two. Chapter
three is supposed to outline and explain the BS (British Standard)
7799, and while it does recommend designing your own information
security management system, much space is devoted to promoting sales
of the BS 7799 standard through the authors' Websites. More vague
encouragement to produce a security management system is given in
Chapter five contains a limited and generic deliberation on high-level
security policies. Similarly terse overviews are given in subsequent
chapters for risk (six), assets (eight), human resources (nine,
concentrating on hiring), and physical security (in ten, and, for some
reason, addressed specifically at equipment in eleven). Chapter seven
seems oddly out of place in this series, looking at access
requirements for partners, contractors, clients, and other outsiders.
There are a number of odd inclusions in the work that seem
misclassified. Chapter twelve titularly combines the two issues of
communications and operations security (in reality only talking about
operations). Malware and backups are examined (tersely, erroneously,
and insufficiently) in thirteen while fourteen looks at networks and
media. An undefined topic of "information exchange" makes for a
confusing chapter fifteen, with a grab bag of trivia about e-commerce
filling out sixteen. An odd acceptable use policy for email and Web
use is in chapter seventeen.
An incomplete list of procedures for issuing and reviewing access is
in chapter eighteen. Chapter nineteen has very spotty coverage of
network access controls, implying that encryption is always present in
a virtual private network (VPN: it isn't, VPNs are defined more by
management than confidentiality), there is no discussion of the
different types of firewalls, and intrusion detection is limited to
those with network-based sensors. Access to the operating system is
reviewed in chapter twenty, and applications in twenty-one (with an
odd inclusion of mobile or remote computing).
Chapter twenty-two is a nominal look at applications development. A
vague and fragmentary overview of cryptography makes up twenty three.
Application development appears again in chapter twenty-four, along
with some pondering about access to operating system files. (The
authors actually admit, in the text, that there is no necessary
relation between the two topics.) Audit logs and incident response
are examined in twenty-five, a brief look at business continuity
planning is in twenty-six, lengthy advice to adhere to relevant (UK)
laws is in twenty-seven, and chapter twenty-eight suggests that you
use outlines from the authors' Website to prepare for a BS 7799 audit.
The text has a Web component to it, and this is referred to in a
number of places in the work. However, it should also be noted that
this Web component is also promoted, in the publication, as a general
security management portal (unrelated to the book), and it is, in
fact, the Website of the consultancy run by one of the authors. The
files available on the site do not deliver the promised information:
first, the files, when you do get to download them, lack any
indication as to type, and when you finally find out which file format
they are (mostly PDFs, with a few XLSs) the contents are generally of
the marketing brochure level, advising you to buy further materials
from the site.
The book is extremely verbose, with a turgid style that makes
excessive use of business buzzwords. In addition, points are repeated
many times in different places with minor variations in wording or
emphasis. The central content could have been provided in a much
shorter work (which would probably have been easier to read). (Given
the targeted audience at the executive level, one would think that a
shorter work would have been more appropriate.)
Senior managers do not have to know all the technical details,
granted. Even so, the level of technical information provided is
inconsistent, and the quality is often suspect. It is probably more
important that the structure of the book makes no sense either in
technical or in management terms: the various subjects are dealt with
in a random fashion that will provide the reader with no understanding
of either the base technical concepts or the interdependencies between
different classes and types of controls.
While many senior managers may have desperate need of some kind of
guidance in regard to the management of security within information
systems, this work is probably not going to provide it. The subtitle,
in particular, is misleading: there is a great deal of interest in BS
7799 and ISO 17799 but, aside from mentioning sections of the
standards relating to the topics under discussion, there is really no
information about the standards themselves.
copyright Robert M. Slade, 2006 BKITGVRN.RVW 20061007
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
The things that count most in life, usually can't be counted.
Dictionary of Information Security www.syngress.com/catalog/?pid=4150