BKWRINSP.RVW 20020601

"Writing Information Security Policies", Scott Barman, 2002, 1-57870-264-X, U$34.99/C$52.95/UK#27.50
%A   Scott Barman scott@barman.ws www.barman.ws/wisp
%C   201 W. 103rd Street, Indianapolis, IN 46290
%D   2002
%G   1-57870-264-X
%I   Macmillan Computer Publishing (MCP)/New Riders
%O   U$34.99/C$52.95/UK#27.50 800-858-7674 317-581-3743 info@mcp.com
%O   http://www.amazon.com/exec/obidos/ASIN/157870264X/robsladesinterne
%P   216 p.
%T   "Writing Information Security Policies"

Until recently, the classic resource for those charged with writing security policies was "Information Security Policies Made Easy" (cf. BKISPME.RVW). The trouble was that the book made it a little too easy: its format encouraged people to lift pieces without modification, and in the security field one size definitely does not fit all. This book takes the opposite approach. While still aimed at the non-technical manager responsible for producing the policy, it uses minimal examples and concentrates on the process of policy formation.

Part one looks at starting the process. Chapter one defines what policies are and why they are important, and outlines the first steps needed to proceed. A good, broad outline of what your company should have in the way of a policy comes in chapter two. Finally, the responsibilities of the different departments, along with their activities and roles, are presented in chapter three.

Part two covers the main body of security policy development. Chapter four starts out with physical security. As noted above, readers will have to go beyond the example policies given in the text, but these samples do provide a reasonable guide to what the final items should look like. Authentication and network security are dealt with in chapter five, although the telecommunications material is quite limited. Some of this lack is made up in chapter six's review of Internet policy, which goes beyond firewalls to examine training, applications, e-commerce, and other areas. Email use has a set of special requirements separate from those of the net, and these are addressed in chapter seven. Unfortunately, as with all too many works, the review of malware policies in chapter eight is weaker than the rest of the book. (Does the example policy to use "all means to prevent the spread of computer viruses" mean that you can't use Microsoft products? And why, in this day and age of "fast burner" email viruses, is a signature update every thirty days deemed sufficient?) The limited technical background also contributes to the frailty of chapter nine's overview of encryption: some policies are too broad, while there are missing areas that may need to be addressed, depending upon industry and operations. Chapter ten has very solid coverage of application development policies, which are all too often neglected in other works.

Part three is concerned with maintaining the policies. Chapter eleven seems slightly off topic, as it deals with acceptable use policies. Chapter twelve, however, looks at the roles and responsibilities involved in compliance and enforcement. A short precis of the policy review process ends the book in chapter thirteen.

While not a panacea, this book is clear, well written, and helpful. There is valuable advice packed into few enough pages that a manager should be able to read it on a cross-country plane trip.

copyright Robert M. Slade, 2002