BKINSCMH.RVW 20030323

"Information Security Management Handbook", Harold F. Tipton/Micki Krause, 2000, 0-8493-9829-0/0-8493-0800-3/0-8493-1127-6/0-8493-1518-2
%E Harold F. Tipton haltip@ix.netcom.com
%E Micki Krause Micki.Krause@isc2.org
%C 2000 Corporate Blvd. NW, Boca Raton, FL 33431
%D 2000
%G 0-8493-9829-0, 0-8493-0800-3, 0-8493-1127-6, 0-8493-1518-2
%I Auerbach Publications
%O U$155.00 800-272-7737 auerbach@wgl.com slinton@crcpress.com
%O available separately 0-8493-9829-0 $95.00 0-8493-0800-3 $59.95
%O Volume 1
  http://www.amazon.com/exec/obidos/ASIN/0849398290/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0849398290/robsladesinte-21
  http://www.amazon.ca/exec/obidos/ASIN/0849398290/robsladesin03-20
%O Volume 2
  http://www.amazon.com/exec/obidos/ASIN/0849308003/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0849308003/robsladesinte-21
  http://www.amazon.ca/exec/obidos/ASIN/0849308003/robsladesin03-20
%O Volume 3
  http://www.amazon.com/exec/obidos/ASIN/0849311276/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0849311276/robsladesinte-21
  http://www.amazon.ca/exec/obidos/ASIN/0849311276/robsladesin03-20
%O Volume 4
  http://www.amazon.com/exec/obidos/ASIN/0849315182/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0849315182/robsladesinte-21
  http://www.amazon.ca/exec/obidos/ASIN/0849315182/robsladesin03-20
%O CD-ROM version
  http://www.amazon.com/exec/obidos/ASIN/0849315786/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0849315786/robsladesinte-21
  http://www.amazon.ca/exec/obidos/ASIN/0849315786/robsladesin03-20
%P 4 vol., 711 p., 626 p., 848 p., 864 p.
%T "Information Security Management Handbook, Fourth Edition"

As an overview for the CISSP (Certified Information System Security Professional) CBK (Common Body of Knowledge), this work covers a vast range of topics.
The CBK, and the book, is divided into ten domains, covering access control systems, telecommunications, security management, systems development, cryptography, security architecture, operations security, business continuity, law and ethics, and physical security. The text provides some excellent articles, some of which are general but detailed overviews, and others that address particular problems or new technologies. However, even with fifty-nine articles and over thirteen hundred pages there are gaps, some surprisingly basic.

The quality of the articles can vary widely. The first essay, on biometrics, provides an admirable review of the subject, as well as some solid, practical, and useful detailed information. The next paper is a rather odd treatment of single sign-on, addressing the concepts well, but in a disjointed manner that makes reading or studying difficult. Following those comes a paper ostensibly dealing with securing connections to external networks. It collates some generic and vague descriptions of a variety of topics, none of which are particularly informative or reliable. (A two-page section on computer viruses contains numerous glaring and significant errors. Personally, I continue to find it appalling that general security texts deal so poorly with this topic.)
Other areas covered (in the first two volumes) are firewalls (terse), perimeter security for the Internet (again, but this time with excellent technical information on TCP/IP specifics), extranets (doctrinaire), firewall management (very useful for planning), the OSI (Open Systems Interconnection) network layer security model (questionable utility), the OSI transport layer security model (not much better), application layer security (interesting but undetailed), communications and security protocols (broad overview, concise but fills in some common gaps), security awareness training (reasonable points for success), security architecture (brief but basic), IPsec (good overview), risk analysis (thorough but perhaps a trifle pedantic), trade secret protection (an interesting twist), information security for healthcare (a tad verbose and US-centric), security for object-oriented databases (listing proposals), fundamentals of cryptography (very clear explanations of the math involved), key management (great review of principles, and amusing anecdotes from history of the *wrong* ways to manage keys), Kerberos (extensive coverage of both details and concepts), PKI (Public Key Infrastructure, a quick guide to the basics), microcomputer and LAN security (good concepts, overly optimistic, oddities in details), trapping intruders (quick concepts), Java security (quick basics), business continuity planning (a new process), restoration after disaster (general review), computer crime investigation (good coverage of many aspects), Internet ethics (emphasis on privacy), jurisdictional issues (miscellaneous), intrusion detection (concepts and evaluation points), single sign-on (opinion this time), authentication services (concepts and amusing overview), email security (concept review), ATM (Asynchronous Transfer Mode) security (without really discussing security), remote access (background fundamentals), sniffers (concepts and details), enclaves (firewalls within), IPsec (good details), penetration testing (very basic policies), policy (some good points but quite random), the security business case (opinion), PeopleSoft security (as for any major database), World Wide Web application security (reiteration of general security planning with a few Web specifics), common system design flaws (an important set), data warehouses (standard system development advice with limited security relevance), PKI (simplistic), introduction to encryption (a good one), new models for cryptography application (useful for planning), cryptanalysis (decent review of terminology), message authentication (detailed), UNIX security (concepts and tools), hacker tools (not very detailed), malicious code (theoretical and incomplete), business impact assessment (after Y2K), computer crime investigation (document everything), computer incident response teams (CIRTs, vague), intrusion detection (vague and repetitious), and operational forensics (retain evidence and data).

Observant readers will have noted a fair amount of duplication in that list. In fact, the reiteration of content is worse than appears here, since many topics rely on others, and certain basic ideas (Kerberos operations, the Diffie-Hellman public key system, and risk management, for three examples) recur in a variety of other discussions, with differing levels of detail. As in any work this size a number of outright bizarre mistakes have occurred, like the table showing the file structure of an authentication database, which has been swapped with the structural diagram of a completely different authentication system.

This is the closest thing there is to a textbook for the CISSP exam. It is fairly easy to see which sections have been reproduced in the ISC(2) (International Information System Security Certification Consortium) course (in some cases complete down to specific errors).
Intriguingly, there are sections of the course that previously were covered by the third edition, and which do not appear in any significant form in this work. (An example is the discussion of the standard formal security models, such as Bell-La Padula and Clark-Wilson.)

It should be noted that there is a significant difference in character between the volumes. The first volume deals with topics that are closer to the heart of security, and the essays are generally more valuable to the practitioner. Volumes two and later contain papers over a wider range of subjects, many of which have little or no relevance to security beyond fundamental concerns that are well covered elsewhere. Book one will be useful to the CISSP candidate and any specialty security worker; book two and beyond may be of interest to a narrower group of senior security executives and theorists, and, ironically, a wider audience of those interested in newer technologies in general. However, it should be noted that some pieces in the later volumes do cover basic topics, such as cryptography and malware, that are missing from the first.

The quantity of good information that is contained in the work is definitely worth the price, but there could easily be a wholesale pruning of deadwood.

copyright Robert M. Slade, 2001 - 2003