BKITGVRN.RVW   20061007

"IT Governance", Alan Calder/Steve Watkins, 2005, 0-7494-4394-4, U$84.57/C$93.89
%A   Alan Calder
%A   Steve Watkins
%C   120 Pentonville Rd, London, UK, N1 9JN
%D   2005
%G   0-7494-4394-4
%I   Kogan Page Ltd.
%O   U$84.57/C$93.89 +44-020-7278-0433 kpinfo@kogan-page.co.uk
%O   http://www.amazon.com/exec/obidos/ASIN/0749443944/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0749443944/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0749443944/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   368 p.
%T   "IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799"

The introduction states that this book is intended for business managers, board members, and other senior executives, rather than IT specialists. Chapter one, preaching about the rationale behind information security, reiterates the material given in the introduction. Management and reporting regulations for the UK (the Combined Code) and the US (Sarbanes-Oxley) are discussed in chapter two. Chapter three is supposed to outline and explain BS 7799 (the British Standard on information security management) and, while it does recommend designing your own information security management system, much of the space is devoted to promoting sales of the BS 7799 standard through the authors' Websites. More vague encouragement to produce a security management system is given in chapter four. Chapter five contains a limited and generic deliberation on high-level security policies. Similarly terse overviews are given in subsequent chapters for risk (six), assets (eight), human resources (nine, concentrating on hiring), and physical security (ten, with equipment, for some reason, addressed separately in eleven). Chapter seven seems oddly out of place in this sequence, looking at access requirements for partners, contractors, clients, and other outsiders. There are a number of such odd inclusions in the work that seem misclassified.
Chapter twelve titularly combines the two issues of communications and operations security (in reality it only talks about operations). Malware and backups are examined (tersely, erroneously, and insufficiently) in thirteen, while fourteen looks at networks and media. An undefined topic of "information exchange" makes for a confusing chapter fifteen, with a grab bag of trivia about e-commerce filling out sixteen. An odd acceptable use policy for email and Web use is in chapter seventeen. An incomplete list of procedures for issuing and reviewing access is in chapter eighteen. Chapter nineteen has very spotty coverage of network access controls. It implies that encryption is always present in a virtual private network; it isn't, since a VPN is defined by tunnelling private traffic across a shared network rather than by confidentiality, and MPLS, GRE, or plain L2TP tunnels are VPNs that encrypt nothing. There is no discussion of the different types of firewalls, and intrusion detection is limited to systems with network-based sensors. Access to the operating system is reviewed in chapter twenty, and applications in twenty-one (with an odd inclusion of mobile or remote computing). Chapter twenty-two is a nominal look at applications development. A vague and fragmentary overview of cryptography makes up twenty-three. Application development appears again in chapter twenty-four, along with some pondering about access to operating system files. (The authors actually admit, in the text, that there is no necessary relation between the two topics.) Audit logs and incident response are examined in twenty-five, a brief look at business continuity planning is in twenty-six, lengthy advice to adhere to relevant (UK) laws is in twenty-seven, and chapter twenty-eight suggests that you use outlines from the authors' Website to prepare for a BS 7799 audit. The text has a Web component to it, and this is referred to in a number of places in the work.
It should be noted, however, that this Web component is also promoted, in the publication, as a general security management portal (unrelated to the book), and it is, in fact, the Website of the consultancy run by one of the authors. The files available on the site do not deliver the promised information. When you do get to download them, they lack any indication of type, and when you finally work out which format they are in (mostly PDFs, with a few XLSs) the contents are generally at the level of a marketing brochure, advising you to buy further materials from the site.

The book is extremely verbose, with a turgid style that makes excessive use of business buzzwords. In addition, points are repeated many times in different places with minor variations in wording or emphasis. The central content could have been provided in a much shorter work, which would probably have been easier to read and, given the targeted audience at the executive level, more appropriate. Senior managers do not have to know all the technical details, granted. Even so, the level of technical information provided is inconsistent, and the quality is often suspect. It is probably more important that the structure of the book makes no sense in either technical or management terms: the various subjects are dealt with in a random fashion that will give the reader no understanding of either the basic technical concepts or the interdependencies between different classes and types of controls. While many senior managers may have desperate need of some kind of guidance in regard to the management of security within information systems, this work is probably not going to provide it.
The subtitle, in particular, is misleading: there is a great deal of interest in BS 7799 and ISO 17799 but, aside from mentioning the sections of the standards that relate to the topics under discussion, there is really no information about the standards themselves.

copyright Robert M. Slade, 2006   BKITGVRN.RVW   20061007