The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program (Paperback)

~ Gerald L. Kovacich CFE CPP CISSP (Author) "The objective of this chapter is to provide the reader with a basic understanding of the changing environment in which the information systems security officer..." (more)
Key Phrases: audit report analyses, noncompliance inquiries, user access control systems, Strategic Business Plan, United States, Tactical Business Plan (more...)

Editorial Reviews

Review

Regardless of where you are in the security hierarchy, this is the definitive text for learning what it takes to be an effective information systems security officer (ISSO). The book paints an excellent portrait of an ISSO's duties, challenges, and working environments. It includes everything from how to handle new technologies and threats to how to perform information-security duties in a national-security environment.

Using situations found in actual workplaces, the author leads readers through the process of building an effective corporate information assets protection program (CIAPP) through the fictitious International Widget Corporation. One of the most interesting chapters deals with establishing a metrics-management system, which provides the basics for creating a CIAPP. Metrics management will help ISSOs identify areas needing improvement and methodologies for tracking resource costs and usage.

A chapter on investigative support for high-tech crime is germane to today's ISSOs. The author emphasizes the importance of policies that dictate when an investigation will be done internally or when it will involve law enforcement and, in the latter case, what kind of staff support to provide.

Information warfare, information operations, and information assurance also receive their due in this book. Understanding these concepts is critical to competing in a global environment.

This is a very effective presentation of a broad range of information about a critical security function. It should find a place on the desk of all infosec professionals. - Security Management --This text refers to an alternate Paperback edition.

Book Description

Clearly addresses the growing need to protect information and information systems in the global marketplace --This text refers to an alternate Paperback edition.

See all Editorial Reviews

Product Details

• Paperback: 192 pages
• Publisher: Butterworth-Heinemann; Underlined edition (May 18, 1998)
• Language: English
• ISBN-10: 0750698969
• ISBN-13: 978-0750698962
• Product Dimensions: 9.3 x 6.1 x 0.8 inches
• Shipping Weight: 8.8 ounces (View shipping rates and policies)
• Average Customer Review: 4.0 out of 5 stars  See all reviews (22 customer reviews)
• Amazon.com Sales Rank: #1,297,769 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

30 of 30 people found the following review helpful:

3.0 out of 5 stars Must have for ISSOs or ISSO wannabees, February 11, 2001

By	J. G. Heiser (Sunninghill, Berks) - See all my reviews (REAL NAME)

This book is the Boy Scout Senior Patrol Leader's handbook for Information Security Officers. " On my honor, I will do my best, to do my duty, to my corporation and profession...." It is a short book-I read it in an evening-that tries to be a complete guide to a very complex profession. Following this merit badge guidebook approach, the entire subject of risk is covered in 3 pages, and CP/DR is covered in just over 2. It just doesn't contain enough text to be the sole reference book for any single aspect of the job, but it does have some useful information that I'm not aware of in any other text. It is process and organizationally organized, and does not deal with technology at all.

My favorite chapter is the second one, "Understanding the Business and Management Environment." With a background in social science and significant experience in multi-cultural situations, the author is uniquely qualified to help an information security practitioner operate effectively within what is essentially an alien culture.

A question that I'm frequently asked, and I see often in infosec forums, is "What do I do to get into the security business?" Chapter 4 provides excellent advice on creating a career path, followed by Chapter 5 which contains suggestions on finding a new job. I recommend these chapters to anyone who is looking to break into this field, or who wants to advance their career.

If you have managed to find yourself a leadership role in infosec, and are wondering what you should do next, the chapter on creating security plans should be helpful. The chapter on establishing an infosec program is also helpful, and contains some excellent job descriptions for different infosec positions. This is hardly stimulating reading, but if you are an ISSO, your choice is to find usable boilerplate like this, or make it up yourself.

The author approaches the subject from a single point of view. All of the examples are drawn around a single hypothetical corporation, and it is obvious that the author has a law enforcement orientation. An infocop approach like this is not necessarily successful within every corporate culture, nor does everyone who is responsible for an information security program think of their role in corporate criminal justice terms.

I do think that anyone running an information security program would benefit from this book-or anyone who wants to work towards such a position. If you like org charts and job descriptions, you'll probably feel comfortable with it. For those who are not ISSOs, or those who just looking for an introductory guide to security, this is not the ideal text. For those who are ISSOs, or otherwise responsible for infosec programs, Thomas Wradlow's book, "The Process of Network Security," is a meatier and more sophisticated book that covers much of the same subject matter at a lower price. I recommend that anyone responsible for creating or implementing infosec programs get both books.

11 of 12 people found the following review helpful:

2.0 out of 5 stars Dissapointing, June 28, 2000

By A Customer

I found this book a real disappointment. More about planning your career in this area than actually the practicalities of doing the job.

9 of 10 people found the following review helpful:

5.0 out of 5 stars Covers all the bases, May 12, 2000

By	Memory Guy (New York, NY, USA) - See all my reviews

If you are looking to grow as a security professional, this book can definately help you. Regardless of if your just getting started in the industry or if you have 20 years under your belt, you will learn something from this author. It discusses everything from marketing yourself, getting hired, planning, hiring staff, performing risk management, classifying your information, doing metrics analysis and of course how to deal with people and politics in your "ISSO" position. A definate must have for anyone looking to manage an Information Security program for an organization.