Securing Business Information provides an approach to security that is derived from numerous successful implementations. The Enterprise Security Plan (ESP) is a six-step process for tailoring enterprise security techniques to the needs of your business.
This book will guide you through these steps to secure your computing infrastructure within the constraints of normal business operations, resources, and today's technology:
F. CHRISTIAN BYRNES leads META Group's security coverage. He is the author of Security in Enterprise Computing: A Practical Guide. In recognition of his expertise in intellectual property concerns, he was appointed to the US Congress advisory committee that produced an extensive report to guide Congress in planning future laws. Mr. Byrnes was CEO at Centrax Corporation, a security software vendor acquired by CyberSafe.
Dale Kutnick is the cofounder, CEO, and chairman of the board of META Group, overseeing all of the company's research and analytical activities. Prior to cofounding META Group in 1989, Mr. Kutnick was executive vice president of research at Gartner Group. Previously, he was executive director and a principal at Yankee Group, and a principal at Battery Ventures, a venture capital firm.
Most Helpful Customer Reviews
3 of 3 people found the following review helpful:
5.0 out of 5 stars
Cookbook approach that makes a complex task manageable
By Linda Zarate "IT Ops Consultant" (Azusa, CA United States)
This review is from: Securing Business Information: Strategies to Protect the Enterprise and Its Network (Hardcover)
Of all the security books I've read this one stands out as the best for two reasons: (1) it lays out what is needed and the steps to take to develop an enterprise security policy in a clear, logical sequence, and (2) there are no gaps in the proposed process. Indeed, it appears that the authors had 'due diligence' as their foremost principle when they wrote this book. In addition, their experience is evident by the way they approach the subject and tie it together.
The approach is straightforward: initiate, assess, gather requirements, perform a gap analysis, develop a baseline and implement. What makes the approach unique is the 'divide and conquer' technique that partitions the business into security domains. This has benefits beyond decomposing the complexities of enterprise security into manageable pieces - it can also be linked into enterprise problem management and business continuity planning processes because you're forced to examine your resources and systems, and to prioritize them according to their criticality.
I also liked the discussion of policies, which discussed the merits of identity-based and role-based approaches, and included excellent advice on policy auditing. One strong point about this section was the treatment of finding documented *and* undocumented policies. This material is applicable to anyone who is involved in policies and procedures development, regardless of whether or not it's related to security. I also especially liked the chapter on trust modeling. This is one area where I learned much from the book.
I've only touched upon key elements of this book. A review of the table of contents will reveal that it's complete and filled with case studies and important discussions of technologies that can be employed to create an effective enterprise security posture. This book is obviously applicable to security specialists, but is also useful to business continuity planners, service delivery practitioners and service providers.
It is, to date, the best book on security from among the 20 I've read, that I've come across. It's also a complete recipe for a successful development and implementation of enterprise security policies, processes and procedures.
1 of 1 people found the following review helpful:
4.0 out of 5 stars
How to make security a mindset rather than an afterthought
By Charles Ashbacher (Marion, Iowa United States) (TOP 500 REVIEWER) (VINE VOICE) (HALL OF FAME REVIEWER)
The security of a business is truly dependent on everyone, from the head of the organization down to the cleaners. While many, if not most, people are focusing on the security of the IT department against external threats, certainly with justification, many of the security breaches do not involve external attacks. The published statistics vary as to the actual percentages, but they are consistent in claiming that a large percentage, if not the majority, of IT security problems are of internal origin. Furthermore, there is a great deal of dumpster diving that takes place between organizations. Millions of dollars spent on securing the computer system can be wasted if someone drops key information in a garbage can to be picked up and used by a competitor.
With all of these problems, the only way that an organization can keep its secrets is to adopt a policy that applies to all employees and is well-defined, effective and rigidly enforced. The authors of this book set down such a policy, with varying levels of restrictions, depending on the quality of the information. Many of the steps they use in constructing a security policy are similar to those used to build software:
* Organize security by resource and domains, which is similar to the segmentation of tasks in software.
Chapters that describe two case histories, role-based authorization, single sign-on access restriction, and preparing the organization for security are also included. The authors point out that security is a state of mind and not simply of those that are paranoid. There are a lot of unscrupulous people in the world and we must all do everything that is sensibly possible to protect the property of our organizations. This will only continue to become more of an issue as the assets of businesses become more and more informational rather than structural.
3.0 out of 5 stars
Marketing Approach to Enterprise Security
Amazon Verified Purchase
The authors took a unique "marketing approach" to enterprise security. I believe it is correct in theory, yet difficult in practice. The reason: unless security is at a "strategic" position in your company/industry (that is, doing security good will let you beat competitor ...), you can't get users' attention! And a marketing campaign with little attention can't get you anywhere.