Customer Reviews


22 Reviews
5 star: (14)
4 star: (1)
3 star: (2)
2 star: (3)
1 star: (2)
 
 
 
 
 

30 of 30 people found the following review helpful:
3.0 out of 5 stars Must have for ISSOs or ISSO wannabees, February 11, 2001
By J. G. Heiser (Sunninghill, Berks)
This review is from: The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)
This book is the Boy Scout Senior Patrol Leader's handbook for Information Security Officers. "On my honor, I will do my best, to do my duty, to my corporation and profession...." It is a short book-I read it in an evening-that tries to be a complete guide to a very complex profession. Following this merit badge guidebook approach, the entire subject of risk is covered in 3 pages, and CP/DR is covered in just over 2. It just doesn't contain enough text to be the sole reference book for any single aspect of the job, but it does have some useful information that I'm not aware of in any other text. It is process and organizationally organized, and does not deal with technology at all.

My favorite chapter is the second one, "Understanding the Business and Management Environment." With a background in social science and significant experience in multi-cultural situations, the author is uniquely qualified to help an information security practitioner operate effectively within what is essentially an alien culture.

A question that I'm frequently asked, and I see often in infosec forums, is "What do I do to get into the security business?" Chapter 4 provides excellent advice on creating a career path, followed by Chapter 5 which contains suggestions on finding a new job. I recommend these chapters to anyone who is looking to break into this field, or who wants to advance their career.

If you have managed to find yourself a leadership role in infosec, and are wondering what you should do next, the chapter on creating security plans should be helpful. The chapter on establishing an infosec program is also helpful, and contains some excellent job descriptions for different infosec positions. This is hardly stimulating reading, but if you are an ISSO, your choice is to find usable boilerplate like this, or make it up yourself.

The author approaches the subject from a single point of view. All of the examples are drawn around a single hypothetical corporation, and it is obvious that the author has a law enforcement orientation. An infocop approach like this is not necessarily successful within every corporate culture, nor does everyone who is responsible for an information security program think of their role in corporate criminal justice terms.

I do think that anyone running an information security program would benefit from this book-or anyone who wants to work towards such a position. If you like org charts and job descriptions, you'll probably feel comfortable with it. For those who are not ISSOs, or those who are just looking for an introductory guide to security, this is not the ideal text. For those who are ISSOs, or otherwise responsible for infosec programs, Thomas Wadlow's book, "The Process of Network Security," is a meatier and more sophisticated book that covers much of the same subject matter at a lower price. I recommend that anyone responsible for creating or implementing infosec programs get both books.



11 of 12 people found the following review helpful:
2.0 out of 5 stars Disappointing, June 28, 2000
By A Customer
This review is from: The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)
I found this book a real disappointment. More about planning your career in this area than actually the practicalities of doing the job.


9 of 10 people found the following review helpful:
5.0 out of 5 stars Covers all the bases, May 12, 2000
By Memory Guy (New York, NY, USA)
This review is from: The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)
If you are looking to grow as a security professional, this book can definitely help you. Regardless of if you're just getting started in the industry or if you have 20 years under your belt, you will learn something from this author. It discusses everything from marketing yourself, getting hired, planning, hiring staff, performing risk management, classifying your information, doing metrics analysis and of course how to deal with people and politics in your "ISSO" position. A definite must-have for anyone looking to manage an Information Security program for an organization.


8 of 9 people found the following review helpful:
5.0 out of 5 stars At last - practical guidelines about an InfoSec program!, September 2, 1998
By A Customer
This review is from: The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)
Having both a law enforcement and private sector background, I appreciated the premise of Dr. Kovacich's book as it related to the Information Security Officer's duties and challenges. His approach will enable the reader to better understand the corporate environment concerning, not only the management process involved in protecting information, but also the importance of communicating and interacting with the organization in a way that people feel motivated to develop and maintain a successful and effective InfoSec program. The book discusses important management tenets and procedures which demonstrate the author's insight and experience in dealing with "real world" InfoSec issues. This book is easy reading and provides a clear understanding of the information security functions by taking the reader through the business and management environment and at the same time stressing a very important point that is often overlooked, i.e., an awareness and expectation that change is constant. I've recommended this book to those who are currently in the information security business and anyone who is attempting to pursue a career in this field. This book would be an ideal supplement to a variety of college courses and/or seminars pertaining to business and information technology.


12 of 15 people found the following review helpful:
5.0 out of 5 stars One-of-a-kind book for the InfoSec professional, May 24, 1998
This review is from: The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)
Greater than I expected. Well thought out and organized; written in simple, clear language; good advice and guidelines for the new ISSO; excellent examples of using management techniques and tools for establishing an effective InfoSec program; forward looking, especially the chapter on 21st Century Challenges for the ISSO. This is a one-of-a-kind book for the InfoSec professional and a must reading by all people interested in an InfoSec career. Even the experienced ISSO can find great value in this book. If an ISSO followed the guidance offered, success is almost a certainty. A book that should be adopted for required study in business management, computer science, and information security courses.


4 of 4 people found the following review helpful:
2.0 out of 5 stars Not for the INFOSEC professional, June 15, 2006
I personally think this book (actually having read it impartially) is not good for any Information Security professional, corporate or government (IA, IAM, IASO, ISSO, etc.), but, if you had to place it in any category I guess it would be in the business management end of communication compliance (maybe for a Policy Compliance Officer). Also I really think that some of the other reviewers here must have been working to promote this book. I unfortunately say this because the author creates entirely too many unique and extremely complex management policy theories on communication development, which frankly gets way off the subject of INFOSEC, and even has him chasing his own tail in the narrated scenarios. The author even goes so far as to concoct and create possibly 20-30 new acronyms (as if you didn't have enough already as a real INFOSEC professional), which almost became a little comedic by the end of the book, especially when hearing even the author try to recap each chapter and make each new theory tie into another new theory. Although I'm sure the author is a very distinguished professional in his own right, I unfortunately found this book weak to incorporate into any of my perceived Information Security plans. Do yourself a favor and skip this one and move onto the next, and make sure the books you choose on this topic do not try to reinvent the wheel.


4 of 5 people found the following review helpful:
5.0 out of 5 stars Best security guide so far..., April 5, 2000
This review is from: The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)
For years, we have been trying to define InfoSec. Is it Legal, is it IT, is it Audit? What are the roles and how can InfoSec value be measured? Kovacich lays out the responsibilities; strategic, tactical, and annual plans; security programs; functions; and metrics. Any manager who works in this field should read it.


6 of 8 people found the following review helpful:
2.0 out of 5 stars Gerald Kovacich great cut and paste book, November 12, 2003
This book had the potential to be great. But in the end does not deliver.

About 40% of the book is Gerald Kovacich cutting and pasting from other books he and others have written.

I did not like the organization of the book, and felt it lacked direction.

The footnotes were often repetitive, and Kovacich is constantly footnoting and referencing other books he has written.


6 of 8 people found the following review helpful:
5.0 out of 5 stars Take it to prepare yourself to be an ISSO, December 8, 1999
This review is from: The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)
This guide is a very comprehensive introduction to everything an information system security officer should know, plan and do. It contains valuable information for personal marketing. It is an easily understandable book with lots of factual information - my favourite tutorial of the year.


1 of 1 people found the following review helpful:
1.0 out of 5 stars Incoherent gobbledygook, September 1, 2006
There's simply nothing useful in this book. One would have to have never heard of the Internet or the Web, and never to have worked anywhere, to benefit from it. The author repeats infosec and management bromides ad nauseam, waves the bloody flag of 9/11 to puff up the importance of the field, and introduces new acronyms faster than the Pentagon.

It's also frequently incomprehensible, due to the author's poor control of English grammar.

If you're in infosec, don't let your bosses read this -- they may think you're as full of hot air as Kovacich.

Also note that at least 3 of the 5 star reviews below are by sometime coauthors of Kovacich.

