Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Enterprise Information Security and Privacy", C. Warren Axelrod/Jennifer L. Bayuk,Daniel Schutzer

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKEISCPR.RVW 20101023 Enterprise Information Security and Privacy , C. Warren Axelrod/Jennifer L. Bayuk,Daniel Schutzer, 2009, 978-1-59693-190-9, U$99.00 %E
    Message 1 of 1 , Apr 27, 2011
    • 0 Attachment
      BKEISCPR.RVW 20101023

      "Enterprise Information Security and Privacy", C. Warren
      Axelrod/Jennifer L. Bayuk,Daniel Schutzer, 2009, 978-1-59693-190-9,
      %E C. Warren Axelrod Warren.Axelrod@...
      %E Jennifer L. Bayuk www.bayuk.com
      %E Daniel Schutzer Dan.Schutzer@...
      %C 685 Canton St., Norwood, MA 02062
      %D 2009
      %G 978-1-59693-190-9 1-59693-190-6
      %I Artech House/Horizon
      %O U$99.00 800-225-9977 fax: +1-617-769-6334 artech@...
      %O http://www.amazon.com/exec/obidos/ASIN/1596931906/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/1596931906/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 231 p.
      %T "Enterprise Information Security and Privacy"

      The authors of this collection of papers were told to examine and
      challenge current and traditional approaches to information security
      and suggest alternatives overcoming noted deficiencies.

      Part one looks at history and trends. Chapter one traces privacy
      attitudes and legislation in the United States over the past century,
      and suggests that privacy and information security are related. Data
      protection should be supported by a defined, multi-factor, holistic
      security system, says chapter two. (As the editorial comment notes,
      this is hardly surprisng news to security professionals.) Security
      faces pressure from operational concerns, and chapter three states
      that security departments that help the business rather than hindering
      (in other words, planning security properly) are more likely to
      succeed. Chapter four notes that information classification based
      solely upon confidentiality concerns is limited, but the suggested
      structure still relates only to that aspect. The article singularly
      fails to examine any possible form of multilateral classification
      scheme, incorporating integrity and availability issues. Chapter five
      delves into human factors, which are vitally important to security,
      but limits the discussion to privacy, which is already pretty human.

      That piece finishes off with some examination of risk, although it
      doesn't say much about human factors in risk, but I suppose makes a
      nice lead in to the fact that part two is concerned with risk. Donn
      Parker makes his usual contrarian argument against risk-based security
      in chapter six. The author of chapter seven notes this objection, but
      claims that it is only applicable if you fail to account for all the
      proper factors (totally missing Parker's point that you can never know
      all the factors). A hodge-podge of legal topics goes into chapter
      eight, but the emphasis (if there is any) seems to be on new
      "compliance" standards such as the Payment Card Industry Data Security
      Standard (PCI-DSS or just PCI). Chapter nine takes a brief and
      focussed look at the most important changes in the telecommunications

      Part three turns to specific idustries: finance, energy,
      transportation, and academia. Chapter ten lists US financial
      regulations, and then offers vague suggestions of new regulations. A
      number of questions about the security of enegery providers or
      infrastructure are raised in chapter eleven, but there are few
      answers. In terms of transport, chapter twelve mentions SCADA
      (Supervisory Control And Data Aquisition) systems and alarm sensors.
      Chapter thirteen doesn't really appear to examine academia: the "case
      studies" may be formal, but are really just reports of malware similar
      to those in the general user population.

      If the authors were supposed to present new ideas for security, they
      have failed. There is nothing wrong with any of the pieces contained
      in the book, but they are simply "more of the same."

      copyright, Robert M. Slade 2011 BKEISCPR.RVW 20101023

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Few persons care to study logic, because everybody conceives
      himself to be proficient enough in the art of reasoning already.
      But I observe that this satisfaction is limited to one's own
      ratiocination, and does not extend to that of other men.
      - Charles S. Peirce (1839-1914), The Fixation of Belief (1877)
      victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
    Your message has been successfully submitted and would be delivered to recipients shortly.