REVIEW: "Securing Business Information", F. Christian Byrnes/Dale Kutnick

[InfoSec News <isn () c4i org>]

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

BKSEBUIN.RVW   20020916

"Securing Business Information", F. Christian Byrnes/Dale Kutnick,
2002, 0-201-76735-X, U$39.99/C$59.95
%A   F. Christian Byrnes
%A   Dale Kutnick
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2002
%G   0-201-76735-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$59.95 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/020176735X/robsladesinterne
%P   237 p.
%T   "Securing Business Information: Strategies to Protect the
      Enterprise and Its Network"

The preface addresses how to keep data secure in a distributed
environment.  Chapter one tells us that the first thing to do is
prepare the organization for changes, then that the first thing to do
is to write a policy, then that the first thing to do is get a strong
base of support among the executives, then that the first thing to do
is market the idea to executives and users, then that the first thing
to do is to build an effective organizational structure.  The material
meanders through a kind of utopian view of what a mission statement
and organization chart should be before settling into a promotion of
political and marketing campaign strategies to sell security to the
executives.  The asset identification portion of risk analysis is
covered in chapter two.  A multi-dimensional and not-quite-orthogonal
set of domains for classifying resources is overly complex, but may
help you to identify holdings that are generally unregarded.  At first
chapter three seems to be proceeding with risk analysis, but then it
veers into policies (if you consider benchmarks equivalent to
policies).  Similarly, chapter four seems to start out with risk
analysis, and then moves to safeguards, and then moves into business
impact analysis.  Risk analysis *finally* gets a (somewhat incomplete)
explanation in chapter five, which then moves on to cost/benefit
analysis, then cultural (political) considerations.  Chapter six
suggests that you rank, select, and market the necessary projects
identified by the analysis.  Small companies may wish to shorten the
process by doing the above four times over, states chapter seven. 
Chapter eight recommends having a strategy for changing technology.  A
grab bag of security technologies is in chapter nine, which is
particularly poor in regard to viruses.  Chapter ten provides two
fictional "case studies," and eleven lists the followup projects from
them.  Role-based access control is promoted in chapter twelve, while
chapter thirteen does the same for "single sign-on."

"Pitiful" is the only word that can be used to describe the
bibliography.

Yet another book that attempts to provide a quick review of all of
security--and fails.

copyright Robert M. Slade, 2002   BKSEBUIN.RVW   20020916

-- 
======================
rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
    February 10, 2003   February 14, 2003   St. Louis, MO
    March 31, 2003      April 4, 2003       Indianapolis, IN




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.