F**E
Amazon is better
much better price on amazon than in the school book store and with free shipping, it makes it completely worth doing.
B**E
Great book to utilize to start an infosec policy effort
Marcus Ranum, father of the firewall, defines a firewall as "the implementation of your Internet security policy". Ranum states that if you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do. Ranum's observation is supported by the fact that while computer security is not so new, the publication of Writing Information Security Policies didn't happen until late 2001.

In many ways, information security policies are like fiber (fiber the grain, not the telecommunications medium); we all agree that it is necessary and beneficial, but only a small number of people actually take action on it. One of the many reasons why information security is in dire straits is that these policies are generally not given the value they deserve. On the whole, for information security to be effective, it must be given the same level of importance and corporate high-level attention as policies about sexual harassment. Organizations have sexual harassment policies because they can't afford the bad publicity and the risks and costs involved with litigation.

By way of example, in any Fortune 500 company, an employee who misappropriates the email system to send sexually or racially harassing email is nearly guaranteed a pink slip; however, if that same employee shares the password to his email account, there is a much higher level of tolerance. In fact, one is hard pressed to find a case where an employee has been terminated for such an information security offense. Information security policies must be treated with the same level of importance as sexual harassment policies in order for any company to achieve effective information security.

Scott Barman has done a wonderful job of writing a succinct book that addresses all the vital areas where security policies are required in an organization. The book explores the various caveats of information technology (physical security, authentication and network security, Internet, encryption, etc.) and concisely details appropriate policies for each technology domain. Security policies are typically not exciting reading, but Barman spices up the text with many real-world scenarios from his experience in the field.

Barman starts on the right foot when he advocates performing a risk assessment and audit. He notes that a risk assessment is crucial to an effective information security infrastructure, and the only way to understand your infrastructure is to perform a full risk assessment and audit. By performing the assessment, information security policy writers can obtain a greater understanding of the reach of information technology within their organization.

At fewer than 200 pages, Writing Information Security Policies is a concise work that will provide valuable assistance to anyone starting information security policy endeavors. The only thing missing is a CD-ROM or companion Web site from which to download many of the well-written policy texts in the book. Aside from that omission, the book is a great way to jump-start an information security policy initiative and should be required reading for anyone who wants to ensure real security in their company.

It remains to be seen how many companies will indeed take the necessary steps to create their own set of information security policies. Despite the caliber of this book, its sales rank on Amazon.com was only 64,202 as of January 7, 2002.
M**I
Brings best practices to small companies
What makes this book an important addition to the IT security body of knowledge is that it makes a case for, and shows how to, create and implement IT security policies in small-to-medium enterprises.

The book itself is a short, somewhat superficial, treatment of IT security policies. It has strengths and weaknesses:

STRENGTHS: It makes a compelling business case for having IT security policies, then leads you through the creation of the more common ones. This material is augmented by the book's accompanying web site that provides all of the sample policies in Appendix C in HTML format (most modern word processing programs, such as MS Word, can convert this to their native format without losing any of the embedded styles). Note that the URL given in the book has changed, but it is still active and automatically redirects you to the new URL.

In addition, the book touches on important topics that you may not think of if you're attempting to develop policies on your own, for example intellectual property rights, law enforcement issues and forensics. These are only touched upon, but will raise your awareness of their importance.

WEAKNESSES: The actual development and maintenance of policies is almost an afterthought. Moreover, I thought that a structured approach to threat and vulnerability assessments should have been covered (to be fair, the author discusses major threats on practically every page). I also felt that the policies should have been linked to processes, which is the hallmark of a well-written policy, and the importance of clearly defining roles and responsibilities should have been highlighted. I recommend that readers also get a copy of Steve Page's "Achieving 100% Compliance of Policies and Procedures" (ISBN 1929065493) to supplement this book. Page's book is focused solely on policies and procedures development, and will fill in the gaps left in this book.

Overall, this book deserves recognition for raising awareness of the importance of IT security policies to small companies. It also deserves credit for sticking to the fundamentals (cited weaknesses notwithstanding), without overwhelming small enterprise IT professionals who are probably wearing many hats besides IT security. For that audience this book shows the way, and earns my praise.
I**Y
Tacky
This book contains "thou shalt" statements. Really? Tacky. I have secondhand embarrassment if anyone has ever actually used some of the advice in this pointless book. There are better options.
J**N
Get it (now read why)
It is difficult to find a book on security or a security consultant which wouldn't tell you that an information security policy is a mandatory requirement for any security-conscious organization. However, it is even more difficult to write a meaningful and working security policy document which makes sense, or to find someone qualified to do that from both business and technical viewpoints. While Scott Barman's book doesn't help you with finding qualified staff or consultants, it can help you become one. In about 200 pages the author manages to explain the need for information security policies, tells you how to approach this animal and shows how to define and write policies. There are not many technical details in this book, and that's the best part of it. Technical details change very often; good business and security practices don't. With this book the author starts at the very beginning ("Why do I need a security policy?") and goes on to actually helping you write one for your organization, system, or network. With sample policies which you can use, and with a good index of resources in the appendix, this book is a good choice if you need to understand and/or define information security policies.