Management of Information Security 
asked by ronmiller on November 8, 2006 6:38 AM
Designed for senior and graduate-level business and information systems students who want to learn the management aspects of information security.
Reviews
0%
0%
Did I tell you the book was boring?
The authors spend too much time providing the "how to" on developing paperwork (paper-tiger) security programs and nothing on the implementation of real security measures.
They borrow whole chapters out of books written by some guy -- Charles Cresson Wood -- heck, just buy that guy's book instead.
They introduce each chapter with a cursory view of "the threat" yet spend no time explaining how it applies to the chapter.
They do ensure that the reader understands the importance of "making sure your CISO is high enough up the management chain to be effective." Chapter after chapter after chapter!!!!
I've seen better strategic planning in a comic book.
The authors spend too much time providing the "how to" on developing paperwork (paper-tiger) security programs and nothing on the implementation of real security measures.
They borrow whole chapters out of books written by some guy -- Charles Cresson Wood -- heck, just buy that guy's book instead.
They introduce each chapter with a cursory view of "the threat" yet spend no time explaining how it applies to the chapter.
They do ensure that the reader understands the importance of "making sure your CISO is high enough up the management chain to be effective." Chapter after chapter after chapter!!!!
I've seen better strategic planning in a comic book.
reviewed by heavymetal on November 13, 2006 6:13 PM
0%
0%
If you're looking to get down into the nitty-gritty of infosec, for ways and methods of securing networks and systems, then this probably isn't the book you need. This is a textbook and so it overs a fairly high level viewpoint, even philosophical approach, to infosec. The granualarity just isn't there for the practising person to gain much from this in a substantive way.
That said, the book does provide a readable and useful overview of all aspects of the infosec planning and administration process. Each chapter has questions yet no answers. Chapters include:
Introduction to the management of info sec
Planning for infosec
Planning for contingencies
Information security policy
Developing the security program
Security Management models and practices
Risk Management: identifying and assessning risk
RIsk Management: Assessing and controlling risk
Protectiion Mechanisms
Personnel and security
Law and Ethics
Information Security Project management (the weakest chapter in the book...meant as an introduction)
While the authors won't tell you how to configure a firewall for example, they will teach you who, how and why this must be done and what must be done to guide and support decisions like this in an organizational environment. This book is about top down security management. It teaches you to use policy, procedures, people, programs, projects and planning in a three dimenional security matrix: confidentiality, integrity, availability, security, transmission, processing, policy, technology and education/training with regard to people, data, hardware, software and procedures, all within the methodology of the secSDLC. So it is a philsophical journey thorugh the heart of the matter written by two guys who obviously know and enjoy their subject.
This books is well written and has a number inserts highlighting differrent things like different types of attacks, concepts like human firewalls and such that enhance the readability while leading a connection to reality that threatens to become a little tenuous when dealing with much abstraction.
SO, a good textbook. I used it for a subject I took and found it useful. WHile it may be a little dry at times, due to the technical nature of the material, if you are serious about learning information security then the need to be consistently entertained is probably just a little alien to your nature anyway. This book will give you an excellent grounding in the things you should be condisering and doing when planning, analyzing, designing, implementing and managing and maintaining infosec.
An excellent addition and support for the material presented in the book- as referred by the authors- is bunch of free materials published by the National Institute of Standards and Technology, found at the computer security resource center. These include papers such as SP 800-12, SP 800-14, and so forth. The website is http://csrc.nist.gov/publications/nistpubs/ It is important to check this out if you are serious about infosec. This book is a good starting point for deliving deeper into that world.
That said, the book does provide a readable and useful overview of all aspects of the infosec planning and administration process. Each chapter has questions yet no answers. Chapters include:
Introduction to the management of info sec
Planning for infosec
Planning for contingencies
Information security policy
Developing the security program
Security Management models and practices
Risk Management: identifying and assessning risk
RIsk Management: Assessing and controlling risk
Protectiion Mechanisms
Personnel and security
Law and Ethics
Information Security Project management (the weakest chapter in the book...meant as an introduction)
While the authors won't tell you how to configure a firewall for example, they will teach you who, how and why this must be done and what must be done to guide and support decisions like this in an organizational environment. This book is about top down security management. It teaches you to use policy, procedures, people, programs, projects and planning in a three dimenional security matrix: confidentiality, integrity, availability, security, transmission, processing, policy, technology and education/training with regard to people, data, hardware, software and procedures, all within the methodology of the secSDLC. So it is a philsophical journey thorugh the heart of the matter written by two guys who obviously know and enjoy their subject.
This books is well written and has a number inserts highlighting differrent things like different types of attacks, concepts like human firewalls and such that enhance the readability while leading a connection to reality that threatens to become a little tenuous when dealing with much abstraction.
SO, a good textbook. I used it for a subject I took and found it useful. WHile it may be a little dry at times, due to the technical nature of the material, if you are serious about learning information security then the need to be consistently entertained is probably just a little alien to your nature anyway. This book will give you an excellent grounding in the things you should be condisering and doing when planning, analyzing, designing, implementing and managing and maintaining infosec.
An excellent addition and support for the material presented in the book- as referred by the authors- is bunch of free materials published by the National Institute of Standards and Technology, found at the computer security resource center. These include papers such as SP 800-12, SP 800-14, and so forth. The website is http://csrc.nist.gov/publications/nistpubs/ It is important to check this out if you are serious about infosec. This book is a good starting point for deliving deeper into that world.
reviewed by caramel on November 28, 2006 10:07 PM