BKIAMOIS.RVW 20021012

"Information Assurance", Joseph G. Boyce/Dan W. Jennings, 2002, 0-7506-7327-3, U$44.99
%A Joseph G. Boyce
%A Dan W. Jennings
%C 2000 Corporate Blvd. NW, Boca Raton, FL 33431
%D 2002
%G 0-7506-7327-3
%I Butterworth-Heinemann/CRC Press/Digital Press
%O U$44.99 800-272-7737 http://www.bh.com/bh/ dp-catalog@bh.com
%P 261 p.
%T "Information Assurance: Managing Organizational IT Security Risks"

The preface states that this book is distinct because 1) it covers concepts and principles (although how this could be a distinctive is somewhat lost on me: many of the chapters relate directly to six of the ten CBK [Common Body of Knowledge] domains), 2) it promotes a defence in depth strategy (hardly unusual in general security works), 3) it attempts to counter the perception of an antagonism between security and operations (fairly conventional), and 4) it points out resources for added information (and how is that unique?).

Part one covers the foundational concepts of an organizational IA (Information Assurance) program. Chapter one defines IA in a way that makes it basically the same as any kind of information systems security, and offers vague thoughts on the importance of information. There is a brief review of some basic security concepts (as well as some that are not quite central) in chapter two. Defence in depth is also defined at this point: rather idiosyncratically, it is specified to be in opposition to "security by obscurity" and perimeter defence.

Part two is supposed to look at determining the organization's current IA posture. Chapter three purports to help ascertain an IA baseline, but is really just a list of possible security technologies. Determining security priorities, in chapter four, talks about data and resource classification, but much of it is vague philosophy, rather than practical advice. While summarized in tables rather than text, chapter five's material on IA posture is just plain, old risk analysis.
Part three is presumed to help establish a defence in depth strategy. There is a basic introduction to policies in chapter six. IA management, in chapter seven, is primarily more suited to system administration. Chapter eight's look at IA architecture covers subjects and objects, but has no security models. The text does review threats and various security technologies, and, very strangely, assumes that the OSI (Open Systems Interconnection) network model can be used as a security structure. Operational security administration, in chapter nine, recycles random concepts that have been presented earlier. Configuration management is held to be software change control, and chapter nine also concentrates on "emergency" changes. Chapter eleven's review of the system development life cycle is terse. Chapter twelve, on contingency planning, is extremely terse, and suggests that you have a backup, UPS (Uninterruptible Power Supply) and a disaster recovery plan. The material on training, in chapter thirteen, is both generic and short. Policy compliance oversight is limited to intrusion detection systems, audit logs, and virus scanning, in chapter fourteen. Chapter fifteen's look at incident response is basic and brief. Finally, chapter sixteen examines IA reporting--and suggests that you have a structure for it.

This work is yet another attempt at a generic security guide. It has no distinctives. In fact, there are simple security guides for home users that do a better job of explaining the structure, process, and technologies.

copyright Robert M. Slade, 2002 BKIAMOIS.RVW 20021012