Customer Reviews


3 Reviews
5 star: (3)
4 star: (0)
3 star: (0)
2 star: (0)
1 star: (0)

5.0 out of 5 stars Must have reading for the corporate "C" Level, October 19, 2007
This review is from: Principles and Practice of Information Security (Paperback)
This book is a must read for the corporate "C" Level. It covers risk abatement, strategies, and tactics to maintain the security of your corporate information as well as your customers' and employees' information. As a few companies have recently sustained damages in the hundreds of millions from attacks on their security - this book may have prompted them to close a few "loopholes" that allowed the breaches.

Regards

Scott L
www.vision3llc.com


5.0 out of 5 stars Concise, clear, balanced, & useful coverage of IT security, March 14, 2004
This review is from: Principles and Practice of Information Security (Paperback)
This book is short (good!) and full of information. The coverage seems very complete. The authors are careful not to get too involved in the details of the technology (also good, since said details will be obsolete in a year).

Instead they explain what security issues are significant, what the associated risks are, and what kind of cost-effective responses are available. The emphasis throughout is on cost-effective responses: perfection is unaffordable, but not having a security policy is unacceptable. Volonino and Robinson focus on striking a middle ground.

I also liked their top-down approach to IT security: 1) get high level commitment 2) lay out appropriate policies (& make sure everyone has signed off) 3) develop corresponding procedures 4) then, decide what mix of hardware, software, & network tools best implement those procedures. This starts with the people (most security problems can be traced back to human error) and avoids "vendor-driven security", which is seldom optimal for a specific situation. My favorite factoid from the book is that the quality of the security at a company is directly proportional to the rank of the chief security officer, i.e. to how seriously the company takes security.

All in all, "Principles and Practice of Information Security" is a very good place to start if you want to get a handle on IT security. And I think it will also function well as a way to review how balanced and thorough your existing security plans are.



1 of 2 people found the following review helpful:
5.0 out of 5 stars Information Security in a Nutshell, March 31, 2004
By A Customer
This review is from: Principles and Practice of Information Security (Paperback)
This was a wonderfully concise, readable and intelligent book on the characterization and management of all the issues surrounding information security. Rather than focusing on the bits and bytes, this book identifies, explains and suggests how to go about managing issues related to Information Security.

There is a particularly good and unique discussion of the legal implications surrounding information security management/mis-management. This is an area that is increasingly important for everyone who touches a system with any kind of business information. Sometimes we don't always appreciate all of the implications associated with access to business information. Included are invaluable citations of related case law, statutes and legal precedents. After reading this book, I can't imagine not having read it! I will continue to encourage my management, colleagues and reports to read it for a compulsory grounding in the implications of the information that they are handling.

I found this book to be an invaluable companion volume for preparation for the CISSP. After reading this book, I developed a clear information security intuition that made many of the CISSP study questions easier to answer.

Paul Mundell
Symantec Corporation

Principles and Practice of Information Security by Linda Volonino (Paperback - September 12, 2003)