Customer Reviews

11 Reviews
5 star: (7)
4 star: (3)
3 star: (0)
2 star: (1)
1 star: (0)


23 of 24 people found the following review helpful:
4.0 out of 5 stars Not thorough or rigorous, but a good set of secpol topics, July 20, 2002
By Jeff McNeill (Green Cove Springs, FL)
This review is from: Writing Information Security Policies (Paperback)
Security policies are not security, and will not provide any protection. However, as the well-known formulation has it: security is a process. An organization does not "have" security, rather they participate in the process of security. Barman explains that security policies are a component of the planning aspect of the security process, and as such can provide three advantages. The first is to ensure security interoperability across an organization. The second advantage is the visibility given to the policy by management's participation in it, which provides a greater impetus for implementation. The third is to mitigate liability, presumably by the legal value of the policy, and the advantages to security that a policy-driven approach proves. Another reason mentioned is that for some organizations, policy documentation is needed for ISO 900x compliance. Unstated is the assumption that a security policy might result in greater security. After all, even with all the other purported advantages, a security policy is presumptively about making security better.

At 216 pages, "Writing Information Security Policies" seems just the right size to touch all the bases, but not enough for a home run in the subject area. Good workmanlike effort, but the diversity of subject matter, and a lack of focus and internal theoretical structure, robs the work of providing insightful organizational direction, though it still pays dividends, and is ultimately very worth reading.

The book is divided into three sections. The first is titled "Starting the policy process," and includes such issues as policy needs and roles and responsibilities in the policy process. The second section is writing the security policies in the topical areas. The third is on maintaining policies, including acceptable use and compliance and enforcement. In the first section, the discussion includes such items as:

1. Identification of assets
2. Data security
3. Backups and archives
4. Intellectual property rights
5. Incident response and forensics

It is clear from these topics that though the title of the book is Information Security Policies, a more accurate one might be Information and Communication Technology Security Policies, as it is networks and software systems which are the focus throughout.

As far as real-world recommendations and a more serious framework for security policies at highly secured organizations, the reader will have to search elsewhere. However, this book amply suits the need for a series of more conversational approaches to a variety of ICT security policies and subject areas. Also of use are the distinctions between policy, procedure, and implementation, found scattered throughout this book, though unfortunately not strictly adhered to. And though the sample administrative policies found in the appendix are nowhere near complete, there are helpful policy formulations throughout. In the second section, the seven major areas of discussion that offer the heart of the book are more of a topical arrangement than any hierarchical or conceptual approach. They include security policy concerned with the following subject areas:

1. Physical
2. Authentication and network
3. Internet
4. Email
5. Viruses, worms, and Trojan horses
6. Encryption
7. Software development

There is enough that is badly worded and poorly organized in the book, but it is of real benefit--both on its own merits, and because there is little information of this kind available to practitioners and those managers who might want something that is more than a simple set of forms, but is less than a week-long course in security policy.



17 of 17 people found the following review helpful:
5.0 out of 5 stars Get it (now read why), January 31, 2002
It is difficult to find a book on security or a security consultant which wouldn't tell you that an information security policy is a mandatory requirement for any security-conscious organization. However, it is even more difficult to write a meaningful and working security policy document which makes sense, or to find someone qualified to do that from both business and technical viewpoints. While Scott Barman's book doesn't help you with finding qualified staff or consultants, it can help you become one. In about 200 pages the author manages to explain the need for information security policies, tells you how to approach this animal and shows how to define and write policies. There are not many technical details in this book - and that's the best part of it. Technical details change very often; good business and security practices don't. With this book the author starts at the very beginning ("Why do I need a security policy?") and goes on to actually helping you write one for your organization, system, or network. With sample policies which you can use, and with a good index of resources in the appendix, this book is a good choice if you need to understand and/or define information security policies.


11 of 11 people found the following review helpful:
5.0 out of 5 stars Brings best practices to small companies, July 5, 2002
What makes this book an important addition to the IT security body of knowledge is that it makes a case for, and shows how to, create and implement IT security policies in small-to-medium enterprises.

The book itself is a short, somewhat superficial, treatment of IT security policies. It has strengths and weaknesses:

STRENGTHS: It makes a compelling business case for having IT security policies, then leads you through the creation of the more common ones. This material is augmented by the book's accompanying web site that provides all of the sample policies in Appendix C in HTML format (most modern word processing programs, such as MS Word, can convert this to their native format without losing any of the embedded styles). Note that the URL given in the book has changed, but it is still active and automatically redirects you to the new URL.

In addition, the book touches on important topics that you may not think of if you're attempting to develop policies on your own, for example intellectual property rights, law enforcement issues and forensics. These are only touched upon, but will raise your awareness of their importance.

WEAKNESSES: The actual development and maintenance of policies is almost an afterthought. Moreover, I thought that a structured approach to threat and vulnerability assessments should have been covered (to be fair, the author discusses major threats on practically every page). I also felt that the policies should have been linked to processes, which is the hallmark of a well written policy, and the importance of clearly defining roles and responsibilities should have been highlighted. I recommend that readers also get a copy of Steve Page's "Achieving 100% Compliance of Policies and Procedures" (ISBN 1929065493) to supplement this book. Page's book is focused solely on policies and procedures development, and will fill in the gaps left in this book.

Overall, this book deserves recognition for raising awareness of the importance of IT security policies to small companies. It also deserves credit for sticking to the fundamentals (cited weaknesses notwithstanding), without overwhelming small enterprise IT professionals who are probably wearing many hats besides IT security. For that audience this book shows the way, and earns my praise.



7 of 7 people found the following review helpful:
5.0 out of 5 stars The right book at the right time, June 3, 2002
Network administration is only 10% of my job, which means the task of creating a security policy for our 40-user systems integration company needed to take a proportional amount of my time and energy. This book provides a lot of helpful examples, and really gives you what you need to get started. The length is appropriate, the language fits both technical and non-technical audiences, and the organization makes sense. It has definitely saved me considerable time and energy.


2 of 2 people found the following review helpful:
4.0 out of 5 stars Good advice on filling a modern necessity, December 7, 2001
Like so many IT workers, I chafed under standards when I was a developer. The pressure to create the code as fast as possible seemed to leave little time for neatness or written explanations of what was done. However, not all of that was my fault. Given the time frame for development, reading standards and writing to them simply meant more overtime, which gave me the excuse to delay or ignore them.

The same thing applies to security standards; to most developers, they seem to be the product of a paranoid mind. Well, like all things, even paranoia has its uses, as the events of September 11 in New York made obvious. It is to the benefit of both management and workers to write detailed security policies and then mandate that they be followed. No one knows what value company secrets may have, and as the disclosures of people searching the garbage at Microsoft for company secrets point out, a casual reference or slip of paper can be worth millions.

The contents of this book fall into the category of obvious, yet often neglected, necessities. Many companies have nebulous, piecemeal policies that allow so much latitude that they are essentially worthless. The value of writing policies that are both practically and legally enforceable is that it gives everyone clear guidelines for their behavior, which is really all anyone can ask for. When policies are set and clearly noted as being mandatory, people naturally have initial objections. However, after some time, when they realize the degree of protection they provide, everyone realizes that they are better off with them.

Barman sets down the reasons for such policies and the value that they provide. He also gives many examples of policies that have been effectively used and covers most of the situations that arise on a daily basis. My free-spirit attitude was altered by the soundness of his arguments in favor of putting realistic restrictions on how information is stored and moved from point to point. This is one of those books that should be in the back pocket of any manager who really wants to cover that part of their anatomy.


1 of 1 people found the following review helpful:
5.0 out of 5 stars Amazon is better, February 12, 2008
By SporkOfDeath "deadlyspork" (W-S, North Carolina, United States)
Amazon Verified Purchase
Much better price on Amazon than in the school book store, and with free shipping it makes it completely worth doing.


3 of 4 people found the following review helpful:
5.0 out of 5 stars Finally, a practical policy book for managers and techs, December 24, 2001
I am a senior engineer for network security operations. I read Scott Barman's "Writing Information Security Policies" (WISP) to learn more about the first element of enterprise protection. (This refers to the planning process. Planning is followed by protection, detection, and response.) Although my network security monitoring duties focus on detection and assisting clients with response, security policies still play crucial roles. Thanks to Scott's book, I now have a practical and timely reference to recommend to clients developing security policies.

WISP may occupy only 200 pages, but its strict focus on security policy development ensures plenty of useful information in a small form factor. The author demonstrates sound knowledge of the technical aspects of information security. This strong foundation helps me trust his policy recommendations.

Several concepts made a positive impression, and made me rethink my own company's security posture. These included the idea that software licenses are an asset, subject to depreciation. Corporate information may be assigned to owners, thereby ensuring accountability. "Security communicators" help bridge the chasm between users and staff. Including security responsibilities in every employee's job description emphasizes the human element of enterprise protection. Statements made by users in Usenet archives reflect the organization, and should be handled carefully. A final novel topic involved "duress passwords," entered by employees suffering some form of physical coercion.

I have few negative comments for WISP. I wish the author had included more complete sample policies in the appendices. Perhaps he will post others to his web site? Scott also defers certain aspects of security planning to "procedures" documents. I wonder if he may have a "Writing Information Security Procedures" book in the works?

I highly recommend those tasked with writing information security policies read WISP. Thanks to its low page count and high value content, you will be glad to have it as a reference.

(Disclaimer: I received a review copy from the publisher.)


5 of 7 people found the following review helpful:
4.0 out of 5 stars Great book to utilize to start an infosec policy effort, January 10, 2002
Marcus Ranum, father of the firewall, defines a firewall as "the implementation of your Internet security policy". Ranum states that if you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do. Ranum's observation is supported by the fact that while computer security is not so new, the publication of Writing Information Security Policies didn't happen until late 2001.

In many ways, information security policies are like fiber (fiber the grain, not the telecommunications medium); we all agree that it is necessary and beneficial, but only a small number of people actually take action on it. One of the many reasons why information security is in dire straits is that these policies are generally not given the value they deserve. On the whole, for information security to be effective, it must be given the same level of importance and corporate high-level attention as policies about sexual harassment. Organizations have sexual harassment policies because they can't afford the bad publicity and the risks and costs involved with litigation.

By way of example, in any Fortune 500 company, an employee who misappropriates the email system to send sexually or racially harassing email is nearly guaranteed a pink slip; however, if that same employee shares the password to his email account, there is a much higher level of tolerance. In fact, one is hard pressed to find a case where an employee has been terminated for such an information security offense. Information security policies must be treated with the same level of importance as sexual harassment policies in order for any company to achieve effective information security.

Scott Barman has done a wonderful job of writing a succinct book that addresses all the vital areas where security policies are required in an organization. The book explores the various caveats of information technology (physical security, authentication and network security, Internet, encryption, etc.) and concisely details appropriate policies for each technology domain. Security policies are typically not exciting reading, but Barman spices up the text with many real-world scenarios from his experience in the field.

Barman starts on the right foot when he advocates performing a risk assessment and audit. He notes that a risk assessment is crucial to an effective information security infrastructure, and the only way to understand your infrastructure is to perform a full risk assessment and audit. By performing the assessment, information security policy writers can obtain a greater understanding of the reach of information technology within their organization.

At fewer than 200 pages, Writing Information Security Policies is a concise work that will provide valuable assistance to anyone starting information security policy endeavors. The only thing missing is a CD-ROM or companion Web site in which to download many of the well-written policy texts in the book. Aside from that omission, the book is a great way to jump-start an information security policy initiative and should be required reading for anyone who wants to ensure real security in their company.

It remains to be seen how many companies will indeed take the necessary steps to create their own set of information security policies. Despite the caliber of this book, its sales rank on Amazon.com was only 64,202 as of January 7, 2002.



8 of 12 people found the following review helpful:
2.0 out of 5 stars Good if you want to reinvent the wheel!, April 24, 2004
By A Customer
This book is good if you want to start a policy-writing project or want to do a PhD in policy writing. In today's fast-moving world, you want best practices for the most commonly used policies, which you could review and quickly deploy.

I think "Best Practices Information Security Policy Manual" by PacificIS is a better choice. It is simple, direct and of the right size, i.e. 50+ pages, and it is ready to use in Word format. As you know, if my organization publishes a policy manual of 700-plus pages, no one will read it. Another very useful resource is Charles Cresson's Information Policy Made Easy, with 1300 policies on 725 pages. However, I find it more difficult to select from 1300 policies, which are more of an academic nature. It also requires a lot of editing and customization. I would love to follow it if my company assigns me a 3-month project just to write a policy.



5.0 out of 5 stars Writing Security Policies, December 30, 2007
Excellent book summarizing the details involved in writing security policies. Great starting point for anyone tasked with writing or reviewing security policies and procedures.


This product

Writing Information Security Policies by Scott Barman (Paperback - November 12, 2001)