Customer Reviews

Information Security Architecture: An Integrated Approach to Security in the Organization

5 star:		(4)
4 star:		(1)
3 star:		(0)
2 star:		(1)
1 star:		(3)

 

 

This was a great reference to start an Information Security Architecture project. There are many guidelines, procedures and forms that take the guess work out of the administration of such a project. The book is great at keeping you on track with your security objectives. I have found that it is so easy with such large projects to lose sight of the objectives. Security is not only technical assessments of the network and operating components but also a combination of management and administration of personnel, policies and procedures and continuous application of pressure to meeting the security requirements of an organization. This book provides excellent value for the price.

I have worked with Jan with our security project & the company I work for has really benefited from the knowledge and expertise from Jan's book. In addition, we have used the structure she illustrates in "Information Security Architecture" for implementing our company's Security Project and it is well underway due to Jan's helpful contribution. I recommend this to anyone who will be working to lay the groundwork for Security purposes. This is a valuable piece of information - Great work Jan!

Architecture is the art and science of designing buildings and other structures. Using some creative license, it also encompasses the design of any entity, including information systems and their security components. But while no one would build a building without an architect, IT departments routinely design computer systems without considering the security architecture, instead believing that firewalls and other devices are quick and durable fixes.

Nothing could be further from the truth. In Information Security Architecture, author Jan Killmeyer Tudor shows that an effective and comprehensive information security infrastructure is best developed within the framework of an information security architecture (ISA), given today's distributed nature of client/server computing. In the past, when systems were closed and proprietary, security wasn't as compelling a need as it is in today's open systems.

The book covers important ISA issues such as the nature of the organization, policies and standards, baselines and risk assessment, awareness and training, compliance, and more. An underlying message is that these components must work in concert to form a cohesive ISA. Hardware and software are ineffective if they are not integrated into the ISA.

A dominant theme throughout is that implementing security technologies requires an understanding not only of the technologies' return on investment to the organization but also of the risks and vulnerabilities related to these technologies. This ISA methodology gives security professionals an excellent method for achieving just that.

Given how important policy is to an ISA, the book has several appendices that include policies, procedures, and work plans. These provide a fine foundation upon which to build a security architecture.

There is so much involved in implementing security effectively throughout an organization. Without detailed experience it is easy to get lost in the midst of it all. Jan Tudor's book provides an organized thought process to the tasks at hand when implementing security in an integrated approach. This book provides a good combination of management, administration and technical implementations to security. The checklists, templates and forms eliminate the need to start an ISA project from scratch. This book is highly recommended and practical if you are going to take on such a project.

As a Certified Information Systems Security Professional, I can definitively state that this book does not cover everything that needs to be covered or in any depth whatsoever. I got this book based on the glowing reviews I found here, and I'm at a loss as to why these reviews would have recommended it.

The most aggrevating part about this book is the subtitle "An Integrated Approach to Security in the Organization." The book not only lacks effective security integration techniques, it doesn't seem to address the entire organization where it tries its half-hearted integration.

I am a CSS student with the College of North Atlantic, St.John's
, Newfoundland. I think that Jan Tudor has put together the "manual" for security within the buisness structure. I am amazed at the debt and scope of this book as there is no stone unturned and information technology people would be at a loss not to read and understand just how security or the lack of it can make or break a buisness, large or small.A true work of art, thanks Jan.

Architecture books seems to be one of the "in" titles now and the upcoming releases and are badly needed. However, this book does not provide a thorough treatment of the topic.

The first two chapters begin well and if the remainder of the book had drilled into the issues, it would be superb, but such is not the case. Instead the result is an overview of much of the information security topic area.

It is a good book for non-security IT professionals and perhaps useful in an introductory course as a text, but inadequate for in-depth work in infrastructure design.

At the same time, this book is far superior to Held & Hundley's Security Architectures whichs dwells on Cisco PIX and router configurations and fails to consider how those pieces fit into a larger IT and IS architecture.

I question the security background of any of those who read this book and gave it a good review. The author's approach security leaves huge gaps and what is covered is written in a simplistic form... probably because the author only understands a small amount of the topic she is writing about.

I question the author's own ability to secure an environment, and she should probably not be teaching others.

Book itself.
Tried to identify target audience and failed.
Executive summary does not help: 'The first section of this book
-- "Information Security Architecture" -- is designed to give the reader
an understanding of the necessity for and requirements of an integrated plan.'

Deducing: architecture is "an integrated plan".

Major concern is rather pompous title, while, in fact, book is about IS governance.
"Architecture" claim, IMO, is groundless;
"WHY AN ARCHITECTURE" section does not provide convincing explanation.
It might have been OK to do that back at times of 1st edition, ~2K,
when everything architecture was immature. Things have changed since.

Hence, rating: sans claiming architecture overarching scale,
it might turn out as decent governance guide.

[BTW, Reasonably good book on governance: KRAG BROTBY (ISBN 0470131187),
if you are looking for one.]

Editorial work.
More and more often good texts are spoiled by poor editorial work.
This book is no exception: terms are used before they are defined
(ex.: component owner;
there is a reference to the 1st edition: are we suppose to read that one first?).

Did someone proofread this: "individual responsible for the firewall product
should have been identified in the security organization and infrastructure"?
2 possibilities:
- if it sounds OK, then you might not be right person for editing;
- maybe, indeed, in the military personnel is infrastructure.

This is, of course, my very subjective opinion of architect, ISSP.