BKINSCMN.RVW 20020628

"Information Security Management", Gurpreet Dhillon, 2001, 1-878289-78-0, U$69.95
%A Gurpreet Dhillon
%C 1331 E. Chocolate Ave., Hershey PA 17033-1117
%D 2001
%G 1-878289-78-0
%I Idea Group Publishing
%O U$69.95 800-345-4332 fax: 717-533-8661 cust@idea-group.com
%P 184 p.
%T "Information Security Management: Global Challenges in the New Millennium"

This is a collection of essays by different authors. The preface, however, states that the intention was to bring together diverse views and yet to "build an argument." What the argument, or central thesis, of the work is has not been stated.

Chapter one is supposed to set forth the new challenges to information security, but ends up telling us, at great length, that "the times they are a-changin'." (Extracting further information from the academic-speak is not made any easier by the many grammatical oddities and awkward constructions.)

Policy is central to security, and so it is no surprise to see it as the topic of chapter two. What is astounding is the fact that so much is wrong with this paper that it is hard to know where to start. Everything seems to be backwards. It is stated that an audit should be done as the prelude to policy development, but how can you conduct an audit with no policy to measure compliance against? Again, the essay says that the procedures in place will form the policy, whereas it should be the policy that guides development of procedures.

A simplistic discussion of ethics makes up chapter three. There really isn't any analysis: after a few facile presentations of both sides of a variety of issues, the author just asserts that X is or is not moral. Chapter four is supposed to argue that ethical policies build trust and trust promotes e-commerce, but instead actually just lists a number of random security topics. A look at "cyber terrorism," in chapter five, seems to consist only of listing Web sites for known terrorist organizations.

Prescription fraud is never rigorously defined, so it is hard to say whether the technical measures proposed in chapter six are relevant or not. Chapter seven tells us (surprise, surprise) that disaster recovery planning is often done inadequately, or left undone. A discussion of development models, in chapter eight, seems to be so abstract that it is of no digital use. Internet and e-business security touches on some miscellaneous subjects in chapter nine. The author obviously thinks Compliance Monitoring for Anomaly Detection (CMAD, with some kind of trademark symbol appended to it) is vitally important, but chapter ten's explanation seems to just describe another type of statistical change measurement. Chapter eleven vaguely discusses some of the security issues involved with the use of agent or mobile software. The final chapter lists some "motherhood" security principles.

One of the interesting, and disturbing, aspects of the book is that each paper is accompanied by a bibliography of sources, but almost none of the standard security reference works in the various fields addressed are cited. How can you discuss, for example, computer ethics without having read Deborah Johnson's (cf. BKCMPETH.RVW) works?

Compilation works tend to be hard to pin down, and to vary in quality and usefulness. This work has a remarkable consistency, in that the items included are all vague, uninteresting to the professional, and unhelpful to the practitioner.

copyright Robert M. Slade, 2002