3 Reviews
3 of 3 people found the following review helpful:
5.0 out of 5 stars
Cookbook approach that makes a complex task manageable,
By Linda Zarate "IT Ops Consultant" (Azusa, CA United States)
This review is from: Securing Business Information: Strategies to Protect the Enterprise and Its Network (Hardcover)
Of all the security books I've read this one stands out as the best for two reasons: (1) it lays out what is needed and the steps to take to develop an enterprise security policy in a clear, logical sequence, and (2) there are no gaps in the proposed process. Indeed, it appears that the authors had 'due diligence' as their foremost principle when they wrote this book. In addition their experience is evident by the way they approach the subject and tie it together.

The approach is straightforward: initiate, assess, gather requirements, perform a gap analysis, develop a baseline and implement. What makes the approach unique is the 'divide and conquer' technique that partitions the business into security domains. This has benefits beyond decomposing the complexities of enterprise security into manageable pieces - it can also be linked into enterprise problem management and business continuity planning processes because you're forced to examine your resources and systems, and to prioritize them according to their criticality. I also liked the discussion of policies, which discussed the merits of identity-based and role-based approaches, and included excellent advice on policy auditing. One strong point about this section was the treatment of finding documented *and* undocumented policies. This material is applicable to anyone who is involved in policies and procedures development, regardless of whether or not it's related to security. I also especially liked the chapter on trust modeling. This is one area where I learned much from the book. I've only touched upon key elements of this book. A review of the table of contents will reveal that it's complete and filled with case studies and important discussions of technologies that can be employed to create an effective enterprise security posture. This book is obviously applicable to security specialists, but is also useful to business continuity planners, service delivery practitioners and service providers.
It is, to date, the best book on security from among the 20 I've read, that I've come across. It's also a complete recipe for a successful development and implementation of enterprise security policies, processes and procedures.
1 of 1 people found the following review helpful:
4.0 out of 5 stars
How to make security a mindset rather than an afterthought,
By Charles Ashbacher (Marion, Iowa United States) (TOP 500 REVIEWER) (VINE VOICE) (HALL OF FAME REVIEWER)
The security of a business is truly dependent on everyone, from the head of the organization down to the cleaners. While many, if not most, people are focusing on the security of the IT department against external threats, certainly with justification, many of the security breaches do not involve external attacks. The published statistics vary as to the actual percentages, but they are consistent in claiming that a large percentage, if not the majority, of IT security problems are of internal origin. Furthermore, there is a great deal of dumpster diving that takes place between organizations. Millions of dollars spent on securing the computer system can be wasted if someone drops key information in a garbage can to be picked up and used by a competitor.

With all of these problems, the only way that an organization can keep its secrets is to adopt a policy that applies to all employees and is well-defined, effective and rigidly enforced. The authors of this book set down such a policy, with varying levels of restrictions, depending on the quality of the information. Many of the steps they use in constructing a security policy are similar to those used to build software: * Organize security by resource and domains, which is similar to the segmentation of tasks in software. Chapters that describe two case histories, role-based authorization, single sign-on access restriction, and preparing the organization for security are also included. The authors point out that security is a state of mind and not simply of those that are paranoid. There are a lot of unscrupulous people in the world and we must all do everything that is sensibly possible to protect the property of our organizations. This will only continue to become more of an issue as the assets of businesses become more and more informational rather than structural.
3.0 out of 5 stars
Marketing Approach to Enterprise Security,
By
Amazon Verified Purchase
The authors took a unique "marketing approach" to enterprise security. I believe it is correct in theory, yet difficult in practice. The reason: unless security is at a "strategic" position in your company/industry (that is, doing security well will let you beat competitors ...), you can't get users' attention! And a marketing campaign with little attention can't get you anywhere.
Securing Business Information: Strategies to Protect the Enterprise and Its Network (IT Best Practices series) by Christian Byrnes (Paperback - February 1, 2004)