BKMSCRSP.RVW   20030330

"Mission Critical Security Planner", Eric Greenberg, 2003, 0-471-21165-6, U$35.00/C$54.95/UK#25.95
%A   Eric Greenberg
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-21165-6
%I   John Wiley & Sons, Inc.
%O   U$35.00/C$54.95/UK#25.95 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471211656/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471211656/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471211656/robsladesin03-20
%P   416 p.
%T   "Mission Critical Security Planner"

In the introduction, Greenberg claims that his book provides guidance on how to do quantitative security planning without calculations (which sounds somewhat self-contradictory), using a new technique he calls impact analysis (which doesn't sound too different from business impact analysis). A technical background is said to be unnecessary, the process is worksheet based, and the target audience is security managers.

Chapter one says that protecting information is not exact (a statement that doesn't seem to fit well with the worksheet approach). Random security topics include planning, intruders, and a risk analysis example which is, ironically in view of the introduction, more computationally intensive than most. An overview of planning, in chapter two, majors on the minors. Policies are not discussed until twenty-five pages into the material, and then the emphasis is on very specific areas like exit (termination of employment) procedures, leaving huge topics uncovered. Twenty-eight security elements are listed, and all are important, but almost all are either over-vague or over-specific.

Chapters three and four introduce the worksheets themselves. Sixteen topic areas have four sheets each, dealing with the technical, lifecycle, business, and "selling to management" aspects of the themes, while other domains may have only a single sheet. The questions listed may be helpful as reminders to address certain aspects which are often overlooked, but the odd and arbitrary structure is confusing, and the real work is definitely left as an exercise for the reader.

A description and analysis of PKI (Public Key Infrastructure), in chapter five, is vague and weak, and contains much unrelated material. Chapter six is a recap of the book, along with a simple list of threats.

While the advice in the book is not wrong or misleading, and many important and useful points are buried throughout, poor organization, a lack of consistent depth, and gaps in topical coverage ensure that the text would only poorly repay the investment of time spent studying it. Certainly it should not be used as a major guide to structure the security planning process.

copyright Robert M. Slade, 2003   BKMSCRSP.RVW   20030330