BKISSOGD.RVW   981009

"The Information Systems Security Officer's Guide", Gerald L. Kovacich, 1998, 0-7506-9896-9
%A   Gerald L. Kovacich
%C   225 Wildwood Street, Woburn, MA   01801
%D   1998
%G   0-7506-9896-9
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   800-366-BOOK fax: 800-446-6520 liz.mccarthy@repp.com
%P   172 p.
%T   "The Information Systems Security Officer's Guide"

This book is not a list of the technical things that an information systems security (InfoSec) officer (ISSO) ought to know, but a guide to the process of acquiring and using that knowledge. It is a guide to the ISSO career: what it is, how to train for it, how to do it, and how to tell if you are doing a good job.

Chapter one repeats the adage that the world is changing. Unfortunately, this truism does not lead to much advice beyond the need to keep up with the technology. In the random assortment of waves and trends that are mentioned, some important points are missed. For example, along with the need to know something about your justice system (which is mentioned) and the rise of the Internet (which is mentioned), the fact that attacks over the Internet can come from anywhere, and that a knowledge of other justice systems may be needed for a prosecution that involves testimony from different countries and law enforcement agencies, is not mentioned.

The position of the ISSO within a company is outlined in chapter two. Most of this material is more focussed than in chapter one, concentrating on corporate politics. One rather important aspect that does not get any space is the production and maintenance of a security policy, and the games that may have to be played around it.

The company side is somewhat extended in chapter three by building a simulated corporation to use as a test case. However, few of the items addressed in the chapter have an awful lot of security involvement. One very definitely does, and is missed: the subcontractors of the simulated organization know and use a vital proprietary process, but no mention is made of ensuring that these contractors are sufficiently guarding *their* data.

Chapter four outlines a career development plan, but it boils down to "have a degree, get experience, attend conferences, and read other stuff." The most useful information provided is on the Certified Information Systems Security Professional (CISSP) designation and contact data for some of the professional groups.

As the book itself states, you probably have already attended a job interview or two in your time, so the advice in chapter five is likely redundant. It certainly isn't extensive.

Chapter six's list of duties has two major problems. One is that there is no overall structure for the material, so it is hard to place into a context of priorities and tasks to be accomplished. The second is that the outline assumes one size fits all jobs. The text assumes the ISSO will be responsible for management of a team of InfoSec staff: only the largest of corporations have multiple security personnel, let alone a manager dedicated to them.

The outline of business plans in chapter seven follows the usual style not only in format, but also in not providing any really solid information about what is to be done. Chapter eight's discussion of building an InfoSec organization basically repeats political advice from chapter two and job descriptions from chapter four. The look at InfoSec functions again repeats content from chapters two and six, although chapter nine does finally take a brief look at policies.

Chapter ten introduces metrics in order to measure the performance of the InfoSec department. Most of the examples used deal with the administration of security, rather than measures of actual protection. There is a rehash of planning, with an emphasis on annual reviews, in chapter eleven. A brief review of current security concerns finishes off the book in chapter twelve.

While this book is not intended to address the technical side of security, there is no reason that it couldn't be based on real and hard data. An overview of the data security positions that do exist, the numbers of such positions, the courses actually available, and what the incumbents actually do would have added immensely to the value of the book.

This volume does address a gap in the security literature, and it is important to know the business and managerial side of the security maven's job, but this work does not explain it very well.

copyright Robert M. Slade, 1998