REVIEW: "Information Security Architecture", Jan Killmeyer
- BKINSEAR.RVW 20070125
"Information Security Architecture", Jan Killmeyer, 2006,
%A Jan Killmeyer
%C 920 Mercer Street, Windsor, ON N9A 7C2
%I Auerbach Publications
%O +1-800-950-1216 auerbach@... orders@...
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 393 p.
%T "Information Security Architecture"

The preface to the book seems to indicate an intent to provide a
taxonomy of security activities under eight (mostly management
related) "components": infrastructure, policy, risk assessment,
training, compliance, monitoring, incident response, and business
continuity. (Those who follow the development of security frameworks
will notice a strong correlation to the COSO [Committee of Sponsoring
Organizations of the Treadway Commission] structure.) The "Executive
Summary" basically does the same thing, at greater length
(concentrating on the threats to information), and seems to have been
lifted from the first edition of the book with incomplete
modifications: the illustrations refer to the original five
components, and there is a reference to a now non-existent chapter.

Chapter one, on information security architecture, defines it as the
mechanism for ensuring that all users know what they are responsible
for in terms of protecting resources, which would seem to put it
squarely in the "design" camp. (This perspective would seem to be
consistent with the statement that an architecture has "components.")
The remainder of the material reinforces the idea of a managed plan
for implementing security. Infrastructure, in chapter two, is
addressed primarily in terms of the roles of people within the
enterprise, and a repeat (from chapter one) of several pages of text
(and an illustration) outlining the security plan. The elements of a
security policy, and pointers to sample constituents listed in the
appendices, are given in chapter three. Aspects of risk analysis are
mixed with information on random security controls in chapter four.
Chapter five says the usual things about security awareness and
training programs. Compliance, in chapter six, is primarily concerned
with audits. Chapter seven lists some of the problems you may
encounter in creating a security program, many of which are related to
a lack of management support. A high-level overview of the structures
and reports of incident response makes up chapter eight. A final
admonition to manage security is given in chapter nine.

The book doesn't really talk about information security architecture.
There is a general outline of the basic aspects of a security program,
although the details have numerous gaps. There are a great many such
general security overview texts, and therefore this volume neither
addresses a specific audience nor contributes anything meaningful to
the security literature.

copyright Robert M. Slade, 2007 BKINSEAR.RVW 20070125