BKISPTGE.RVW   20020823

"Information Security", Donald L. Pipkin, 2000, 0-13-017323-1,
U$39.99/C$60.00
%A   Donald L. Pipkin
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2000
%G   0-13-017323-1
%I   Prentice Hall
%O   U$39.99/C$60.00 +1-201-236-7139 fax: +1-201-236-7131
%P   364 p.
%T   "Information Security: Protecting the Global Enterprise"

It takes quite a while to figure out what Pipkin is trying to do in
this book.  Ultimately, there is coverage of some of the important
basic concepts involved in information security.  However, the text as
a whole is both confused and confusing.

The prologue tells us that business is changing and chaotic, and that
information is of prime importance.  The introduction takes a quick run
through a few of the basic security concepts, with an emphasis on
business continuity planning.

Phase one of the book is entitled "Inspection," but the prologue lists
some items of concern in risk analysis.  Chapter one, called "Resource
Inventory," is concerned with data classification.  It touches on, but
does not really discuss, the orthogonal nature of classification
schemes when confidentiality, availability, and integrity must be
considered.  The material is sparse, and, while there are some
indications of forward references to later chapters, those chapters do
not get down to practical details either.  Chapters two to six begin to
examine the concepts of threats (concentrating, very poorly, on
malicious software), loss analysis (many examples, little of
substance), vulnerabilities, safeguards, and assessment.

Phase two, on protection, seems to be trying to expand chapter five,
but really just repeats prior material.  Concepts touched on include
access, identification, authentication, authorization, and
accountability.  Mixed in are the not-quite-related topics of
availability, accuracy, confidentiality, and administration.

Phase three looks at intrusion detection, with chapters on intrusion
types, methods, process, and detection methods.  It isn't very useful.
Phase four reviews incident response, but rather vaguely.  Phase five
concerns the post-mortem reflection.  The chapter on documentation has
some useful material on the contents of after-action reports, but the
rest of the content is unfocussed and generic.

It is not quite true to say that the book is unstructured: it has a
structure, but either does not follow it, or does not usefully employ
it.  Those without a security background will find it hard to build a
useful or working framework from the material in this book.  Those with
such a background will eventually find that the parts of the book do
fit neatly, if not logically, into the common framework.  However,
those with such a background will have no need for this work.

copyright Robert M. Slade, 2002   BKISPTGE.RVW   20020823