Writing Information Security Policies

Author: Scott Barman
List Price: $34.99
Our Price: Click to see the latest and low price
ISBN: 157870264X
Publisher: Que (09 November, 2001)
Edition: Paperback
Sales Rank: 26,691
Average Customer Rating: 4.57 out of 5

Buy now directly from Amazon.com - Purchase this book, safely and securely from the largest book dealer on the Internet, Amazon.com

Customer Reviews

Rating: 4 out of 5
Not thorough or rigorous, but a good set of secpol topics
Security policies are not security, and will not provide any protection. However, as the well-known formulation has it: security is a process. An organization does not "have" security, rather they participate in the process of security. Barnum explains that security policies are a component of the planning aspect of the security process, and as such can provide three advantages. The first is to insure security interoperability across an organization. The second advantage is the visibility given to the policy by management's participation in it, which provides a greater impetus for implementation. The third is to mitigate liability, presumably by the legal value of the policy, and the advantages to security that a policy-driven approach proves. Another reason mentioned is that for some organizations, policy documentation is needed for iso900x compliance. Unstated is the assumption that a security policy might result in greater security. After all, even with all the other purported advantages, a security policy is presumptively about making security better.

At 216 pages, "Writing Information Security Policies" seems just the right size to touch all the bases, but not enough for a home run in the subject area. Good worklike effort, but the diversity of subject matter, and a lack of focus and internal theoretical structure robs the work of providing insightful organizational direction, though it still pays dividends, and is ultimately very worth reading.

The book is divided into three sections. The first is titled "Starting the policy process," and includes such issues as policy needs and roles and responsibilities in the policy process. The second section is writing the security policies in the topical areas. The third is on maintaining policies, including acceptable use and compliance and enforcement. In the first section, the discussion includes such items as:

1. Identification of assets
2. Data security
3. Backups and archives
4. Intellectual property rights
5. Incident response and forensics

It is clear from these topics that though the title of the book is Information Security Policies, a more accurate one might be Information and Communication Technology Security Policies, as it is networks and software systems which are the focus throughout.

As far as real-world recommendations and a more serious framework for security policies at highly secured organizations, the reader will have to search elsewhere. However, this book amply suits the need for a series of more conversational approaches to a variety of ICT security policies and subject areas. Also of use are the distinctions between policy, procedure, and implementation, found scattered throughout this book, though unfortunately not strictly adhered to. And though the sample administrative policies found in the appendix are nowhere complete, there are helpful policy formulations throughout. In the second section, the seven major areas of discussion that offer the heart of the book are more of a topical arrangement, than any hierarchical or conceptual approach. They include security policy concerned with the following subject areas:

1. Physical
2. Authentication and network
3. Internet
4. Email
5. Viruses, worms, and Trojan horses
6. Encryption
7. Software development

There is enough that is badly worded and poorly organized in the book, but it is of real benefit--both on its own merits, and because there is little information of this kind available to practitioners and those managers who might want something that is more than a simple set of forms, but is less than a week-long course in security policy.

Rating: 5 out of 5
Brings best practices to small companies
What makes this book an important addition to the IT security body of knowledge is that it makes a case for, and shows how to, create and implement IT security policies in small-to-medium enterprises.

The book itself is a short, somewhat superficial, treatment of IT security policies. It has strengths and weaknesses:

STRENGTHS: It makes a compelling business case for having IT security policies, then leads you through the creation of the more common ones. This material is augmented by the book's accompanying web site that provides all of the sample policies in Appendix C in HTML format (most modern word processing programs, such as MS Word can convert this to their native format without losing any of the embedded styles). Note that the URL given in the book has changed, but it is still active and automatically redirects you to the new URL.

In addition, the book touches on important topics that you may not think of if you're attempting to develop policies on your own. For example, intellectual property rights, law enforcement issues and forensics. These are touched upon, but will raise your awareness of their importance.

WEAKNESSES: The actual development and maintenance of policies is almost an afterthought. Moreover, I thought that a structured approach to threat and vulnerability assessments should have been covered (to be fair, the author discusses major threats on practically every page). I also felt that the policies should have been linked to processes, which is the hallmark of a well written policy, and the importance of clearly defining roles and responsibilities should have been highlighted. I recommend that readers also get a copy of Steve Pages " Achieving 100% Compliance of Policies and Procedures" (ISBN 1929065493) to supplement this book. Page's book is focused solely on policies and procedures development, and will fill in the gaps left in this book.

Overall, this book deserves recognition for raising awareness of the importance of IT security policies to small companies. It also deserves credit for sticking to the fundamentals (cited weaknesses notwithstanding), without overwhelming small enterprise IT professionals who are probably wearing many hats besides IT security. For that audience this book shows the way, and earns my praise.

Rating: 5 out of 5
The right book at the right time
Network administration is only 10% of my job, which means the task of creating a security policy for our 40-user systems integration company needed to take a proportional amount of my time and energy. This book provides a lot of helpful examples, and really gives you what you need to get started. The length is appropriate, the language fits both technical and non-technical audiences, and the organization makes sense. It has definitely saved me considerable time and energy.

Similar Products

· Building an Information Security Awareness Program
· Information Security Risk Analysis
· Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
· The CERT Guide to System and Network Security Practices
· Information Security Management Handbook, Fourth Edition, Volume I
Return To Main Computer Book IndexSearch Our Entire Computer Book Catalog

©1997 - 2006 CentraSoft.Com | Privacy Policy | Terms Of Use
Products  |  Order  |  Downloads  |  Testimonials  |  F.A.Q. / Support  |  Contact Us

ColdFusion MX, and Dreamweaver are registered trademarks of Adobe Corporation.
Adobe Corp. in no way endorses or is affiliated with Centrasoft Corp.