6 Reviews
16 of 16 people found the following review helpful:
5.0 out of 5 stars
New version of a vital information security reference,
This review is from: Information Security Policies Made Easy, Version 10 (Hardcover)
In technology, books are often obsolete shortly after publication. Given the dynamic nature of technology, very few technology books can stand the test of time and remain relevant for a few years, let alone a decade after their original printing. Some of those rare titles that seem timeless include Applied Cryptography by Bruce Schneier, Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson, and the book I'll review here, Information Security Policies Made Easy, Version 10. Information Security Policies Made Easy (ISPME) is one of the most important information security books available for those who are serious about creating a comprehensive set of information systems security policies.
The importance of effective information security policies cannot be overemphasized, as they are the foundation toward implementing information security and ensuring the security of the people, systems, and networks within an organization. If an organization lacks security policies, they cannot inform employees and users of their specific security responsibilities. Policies define acceptable system use and user behavior, and those policies must be in place before they can be enforced. Version 10 of ISPME contains more than 1350 pre-written security policies that can be used as a framework for the creation of a comprehensive set of information security policies. The book comes with a CD-ROM that includes every policy. The beauty of ISPME is that it removes the huge burden and time required to create a global set of security policies. With ISPME, you can immediately begin exploring the myriad policies required for information security. One of the biggest mistakes you could make, however, when using ISPME, is to implement a policy too quickly, without deciding specifically how those policies will be selected, developed, deployed, maintained, and enforced. With that, Chapter 2 provides an orientation to the information security policy writing and development process. The book states that while it may be tempting to immediately start cutting and pasting policies together, it is crucial to understand both what the policies do and what you want to accomplish with them before you begin. If that is done, the subsequent policy writing tasks will be much more efficient and focused. At 501 pages, Chapter 3 comprises the bulk of the book and contains all of the specific policies. These policies are divided into 10 separate domains that are mapped to the ISO-17799 standard. This organization scheme makes it easy to create a gap-analysis of your current policies against the ISO-17799 standard. This is helpful since many organizations are now embracing ISO-17799.
Each of the policies contains the individual policy itself and a detailed commentary on why the policy is specifically needed. Each policy also has a cross-reference to related policies and an indication of the audience (management, technical, end-user) and the security environment (low, medium, high) for which it is written. Chapters 4 - 20 contain various high-level policies in areas such as mobile computing, data classification, email, Web security, and more. These 18 chapters are complete security policy documents that can be implemented with little customization. The book contains 15 appendixes, which include secondary information such as awareness-raising methods, checklists, memos, and next steps to take. The CD-ROM that is included contains the entire set of policies in HTML, Word, and PDF formats. It also includes two documents that map the policies in the book against HIPAA and Sarbanes-Oxley. Organizations that take information security seriously will likely have used ISPME in its previous versions. But for those that have not yet taken the plunge, ISPME is a valuable tool that can be utilized to create a comprehensive set of information security policies in a cost- and time-effective manner. For those building corporate or organizational security policies, ISPME is clearly the definitive reference.
12 of 12 people found the following review helpful:
5.0 out of 5 stars
Even Better,
By
This review is from: Information Security Policies Made Easy, Version 10 (Hardcover)
I keep books in two places, a small shelf near my computer that I can reach and a large bookshelf across the room. This book deserves a place on the small shelf within arm's reach.
Version 10 builds on the previous work and includes ISO 17799 outline format, policy coverage maps for Sarbanes-Oxley and coverage of the latest issues (technical, legal and regulatory). I particularly appreciate the section on policy awareness. This is one of the biggest problems you run into. If you are a manager, before you ever make a decision, or approve a policy, look the topic up, there is a good chance you will see something you didn't think of. Let me give you an example, our company used to have a fairly long Non-Disclosure Agreement (NDA) prepared by our attorney for a specific purpose. However, we decided to create a simpler, general purpose NDA for all 1099 contractors. The lawyer created it and before I approved it I checked it against the book. I found three items that really should have been in our NDA that we would have missed, thank you Mr. Wood! If you are a techie, do you need this book? Sure, because everything we do as a techie or engineer has liability implications for the company. Each topic is very clear, concise, and well thought out. It takes a few seconds to look it up, about two minutes to read the section and that investment is well worth your time. Yes, this is an expensive book; however, it is worth the investment, every organization should have at least one copy. S.
16 of 18 people found the following review helpful:
4.0 out of 5 stars
Notes on ISPME version 10,
By
This review is from: Information Security Policies Made Easy, Version 10 (Hardcover)
Book is a very good resource on information security policies; however, I was disappointed that this book did not match ISO 17799 version 2005; it only matched the 2000 version. I would wait for the next version of the book for updated material matches for ISO 17799 v2005. The authors should have provided updates via CD ROM or download to support this necessary update to this version; they have not. You would seem to think at $795.00 a pop for the book and CDROM you would get better support on the material in the book. Also pay close attention to the license uses of the security policies.
3 of 3 people found the following review helpful:
5.0 out of 5 stars
Make it a policy to have this book in your library,
By Kenny McNees, CPA, CISSP, CISA, CAP, CISM (Raleigh, NC)
This review is from: Information Security Policies Made Easy, Version 10 (Hardcover)
I once consulted for an organization that wanted to develop and publish, from the ground up, their official "rules of behavior" policy document. When I was engaged, the organization's Information Technology Management Team had already spent 14 months trying to write and agree on this document. This book would have given them the essence of a good "rules of behavior" document in about five minutes.
Yes, it's expensive. But think of it more like you hired a highly paid information security consultant for, er, half a day? Kind of puts the price into its proper perspective. If you write/review/audit security policies and procedures for a living, your library should include a copy of this book.
1 of 1 people found the following review helpful:
4.0 out of 5 stars
Practical, well organized reference book,
By
Amazon Verified Purchase
This review is from: Information Security Policies Made Easy, Version 10 (Hardcover)
This book is well organized and easy to use. The entire book comes on a CD that is searchable. Policies can be copy/pasted and edited for use or reference. This is a great resource for corporate security officers, and information security consultants alike.
5.0 out of 5 stars
Outstanding policy book!,
By Jeremy Shelley (Madison, AL United States)
Amazon Verified Purchase
This review is from: Information Security Policies Made Easy, Version 10 (Hardcover)
If you are responsible for creating/reviewing policies in your organization, you owe it to yourself to get this book.
While you may know what you want to say, this book crystallizes that knowledge into simple, legally-defensible policies that are ready-made for inclusion in a policy document.
Information Security Policies Made Easy, Version 10 by Charles Cresson Wood (Hardcover - February 1, 2008)
$795.00