[ISN] Book Review: The CISO Handbook: A Practical Guide to Securing Your Company

InfoSec News isn at c4i.org
Mon Nov 7 03:09:31 EST 2005


http://books.slashdot.org/books/05/11/04/039222.shtml

[ http://www.amazon.com/exec/obidos/ASIN/0849319528/c4iorg  - WK]

Author: Michael Gentile, Ronald Collette, Thomas August 
Pages: 314 
Publisher: Auerbach Publications 
Rating: 9 
Reviewer: Ben Rothke 
ISBN: 0849319528 
Summary: A most practical guide 

The CISO Handbook: A Practical Guide to Securing Your Company lives up
to its title as a practical guide to security. The book is the
antithesis of the "products equal security" approach, and instead
takes a pragmatic, program-level approach to security.

The authors have extensive real-world experience and approach
information security from a holistic perspective. They clearly
understand what it takes to build an information security program. One
of the biggest mistakes in security is that it is seen as plug and
play: buy a security product, install it, and like magic, you have
this thing called data security. But that only works in the world of
product brochures and marketing material, not in the real world. The
book does not approach security from a plug-and-play perspective, but
as an endeavor that requires a multi-year effort to come to fruition.

The five chapters deal with security from its true source, namely
risk. The chapters are: Assess, Plan, Design, Execute and Report.
These five areas encompass all of information security, and the firms
that have built an effective information security infrastructure have
all done it by focusing on these five areas.

The first area, Assess, is all about risk management. Many companies
will purchase security products without even knowing what their
specific risks are, and have often not performed a comprehensive risk
analysis. Without a comprehensive risk analysis, any security product
will simply operate in a vacuum. The benefit of a risk assessment and
analysis is that it ensures an organization is worrying about the
right things and dealing with real, as opposed to perceived, threats.
The ultimate outcome of a risk analysis should be a clear view of
whether, and where, the organization can actually benefit from a given
security product.

Chapter 1 ends with an assessment checklist of the various areas that
go into a risk assessment. One of the questions in the checklist that
you likely will not see anywhere else is "describe the political
climate at your company". Too many security people think only about
the technology and neglect the political implications of a security
system; ignoring the politics is a surefire way to doom a project.
The other questions in the checklist will give the reader a good feel
for how secure their organization truly is, as opposed to the commonly
held perception that it is much more secure than it really is.

Chapter 2 is aptly titled Plan. The planning phase takes the issues
identified during assessment and integrates the options for mitigating
those risks. The way in which a specific security technology or
methodology is implemented depends on the organization. Rather than
using a cookie-cutter approach, effective planning ensures that the
security technologies chosen actually support your security program.
Far too many organizations make the mistake of simply buying products
without giving enough consideration to the myriad details of how they
will be deployed, managed and used.

Chapter 2 emphasizes the need for planning, and the book as a whole
emphasizes the need for a methodology when dealing with information
security. For many security technologies, the challenges are not so
much with the technology itself, but rather with ensuring that the
technology meets business requirements, is scalable and reliable, and
so on.

Building a comprehensive information security program is likely to be
more complex than the typical IT project most readers will have
experienced. As well as the project management, technical and
operational aspects, there are many policy, legal and security issues
that must be taken into consideration. By following a structured
methodology based on practical experience, many of the potential traps
and pitfalls can be avoided; the risks to the business and to the
project are reduced, and those that remain are quantified at an early
stage.

The planning checklist at the end of chapter 2 helps by ensuring that
the solutions identified are deployed in the context of a well
designed information security program. It can also be used as a
wake-up call to management, which often seriously underestimates the
amount of time and manpower required to create an effective
information security program.

One of the added benefits of planning is that it makes it much easier
to integrate new regulatory requirements into the security program. A
well-planned security program can absorb new requirements much more
quickly and efficiently. This is a critical need given the increasing
number of new regulations that will come into play in the coming
years, on top of current regulations such as HIPAA and Sarbanes-Oxley.

Chapters 3, 4 and 5 progress in a similar manner through the topics of
Design, Execute and Report. Each chapter details the essentials of its
topic and shows how that topic is critical to the efficacy of a
successful information security program.

What the reader may find missing from the book are the particulars of
the various security technologies. But that is the very function of
the book: to show that information security is not primarily about
the products, but rather about the underlying infrastructure and
program on which those products rest. Any product that is not deployed
within a methodology similar to that of The CISO Handbook is likely to
find itself lacking. The product might be there and hum along, but the
security it actually provides will likely be negligible.

The uniqueness of The CISO Handbook is that it shows how to design and
implement an effective security program based on real-world scenarios,
as opposed to product reviews and vendor evaluations.

The CISO Handbook: A Practical Guide to Securing Your Company is
indeed a most practical guide, as its title suggests. It is quite
helpful to anyone in a security organization, whether they are the
CISO, system administrator, or in a different capacity.
