3 Reviews
10 of 10 people found the following review helpful:
1.0 out of 5 stars
A work of plagiarism
This review is from: The Security Policy Cookbook: A Guide for IT and Security Professionals (Paperback)
In mid-August, I received a copy of The Security Policy Cookbook: A Guide for IT and Security Professionals. As someone who has seen his fair share of information security policies and is on the Information Security Policy Expert Panel, my initial thought was that this is not an original work.

Before I even got to the content, the author notes his acceptance into the Marquis Who's Who in his bio. I wrote in "What's What with the Who's Who?" that Marquis, like most who's who firms, accepts nearly everyone who applies, including serial killers. Most of the who's who organizations are in it for the money with zero concern for the so-called honorees. Security professionals looking to advance themselves will find no value in having their names in a who's who, and could in fact be showing their naiveté by promoting their inclusion.

In the book, various policies are detailed, yet lack a sense of cohesiveness. It is as if the policies were simply thrown together in a haphazard manner, which is indeed evident in this book. Not the text of the policies are not ineffective, rather the cut and paste approach, which the author did, and advocates, is a surefire way to ensure that information policies won't work. Policy creation is just one part of an effective security policy project, and focusing strictly on the text of the policies is simply inadequate.

Of the book's 32 chapters, 20 were direct copies from State of Texas Department of Information Resources (DIR) Guidelines, Checklists & Templates. This book seems to follow the same course of action "How To Become The Worlds No. 1 Hacker" took, copy the content without attribution. For a complete list of the chapters and sources, see the listing at Attrition.

The DIR wants their templates to be used for the greater good, but with attribution. According to their Link Policy, "they shall not misinform users about the origin or ownership of DIR content. Certain information on DIR may be trademarked, service-marked, or otherwise protected as intellectual property. Protected intellectual property must be used in accordance with state and federal laws and must reflect the proper ownership of the intellectual property".

The Security Policy Cookbook is proof that we live in an era where content is effortless to obtain. Googling information security policy with filetype:pdf results in over 17,000 hits. That is a lot of content in which to freely use. The corollary is that those who try to claim such content as their own will just as easily be found. Many people write books for the fame. Yet that fame turns into infamy when it is discovered that the author is a plagiarist.

"The Security Policy Cookbook" and like it "How To Become The Worlds No. 1 Hacker" were both self-published, and therefore lack the editorial scrutiny which is to be expected from an established publishing house. Richard O'Hanley, Publisher at CRC Press in the IT, Business & Security Group, notes that he has seen plagiarism as a steadily escalating problem. So much so, that they frequently run manuscripts through a plagiarism checker. O'Hanley said "it seems that just as people expect web content to be free, they expect to be able to use it freely as well, without concern for rights and attribution. The ease with which people can cut-and-paste from multiple sources only exacerbates the problem".

For those that want to write books on security, there is plenty of opportunity and numerous publishing houses that desperately want good content. Of course, such an approach takes time and effort. But the industry does reward such efforts. Attempting to bypass those practices via plagiarism, especially in an industry where ethics and trust are paramount, ultimately begs the question: what was he thinking?
13 of 14 people found the following review helpful:
1.0 out of 5 stars
Plagiarised...
This review is from: The Security Policy Cookbook: A Guide for IT and Security Professionals (Paperback)
If the Author can do it, I can do it too.. [...]

In the book, various policies are detailed, yet lack a sense of cohesiveness. It is as if the policies were simply thrown together in a haphazard manner, which is indeed evident in this book. Not the text of the policies are not ineffective, rather the cut and paste approach, which the author did, and advocates, is a surefire way to ensure that information policies won't work. Policy creation is just one part of an effective security policy project, and focusing strictly on the text of the policies is simply inadequate. Of the book's 32 chapters, 20 were direct copies from State of Texas Department of Information Resources (DIR) Guidelines, Checklists & Templates. This book seems to follow the same course of action How To Become The Worlds No. 1 Hacker took, copy the content without attribution. For a complete list of the chapters and sources, see the listing at Attrition. [...]

And copied from that site...

When Dr. Jahangiri was asked about the plagiarism, his e-mail response contained more interesting information along with more questions. He first responded that in the last 10 years, he had developed various policies for clients before saying that he subcontracted other companies in different countries to develop those documents. This makes it unclear if he and/or his company created the policies or if they were subcontracted from a third party. Jahangiri goes on to say that he purchased a set of policy templates in 2005 from a foreign company while he was busy on other engagements. He claims the set of documents included in that batch are the same ones found at the Texas Department of Information Resources and that he has the rights to use those purchased items. However, this claim seems bogus as some of the policies that were used had been published as early as 2002. Either the company he bought them from plagiarized, and he did not verify the material he received, or his claim is an outright lie.

Regardless of why, selling a book with 141 pages of security policies that are freely available on the Internet without disclosing where they came from (e.g., he hired a company to draft them, he collected them from the Internet) is fraud. Charging $49.95 for a print book of public material, and having the audacity to charge $150 for an electronic version is far from ethical.
1 of 14 people found the following review helpful:
4.0 out of 5 stars
Best policy book I have read to date.
Amazon Verified Purchase
This review is from: The Security Policy Cookbook: A Guide for IT and Security Professionals (Paperback)
I am currently in the process of updating our policies and this book has been a life saver. It may not be 1000 pages like some of the other books on policy but it is clear and concise just as policies should be. The author also has a web site where you can download the templates that are shown in the book. A real time saver... I have also read his Live Hacking book and that too is very concise. I look forward to his next book.
The Security Policy Cookbook: A Guide for IT and Security Professionals by Ali Jahangiri (Paperback - April 25, 2010)
Used & New from: $74.92