Wednesday, February 25, 2009

Book Review: Information Systems Security-Security Management, Metrics, Frameworks and Best Practices

Sunit Belapure, an I.S. professional working with one of the top three IT consulting firms in the world, has posted his views on the book titled "Information Systems Security: Security Management, Metrics, Frameworks and Best Practices" by Nina Godbole.

“I only went out for a walk and finally concluded to stay out till sundown, for going out, I found, was really going in” - John Muir

While reading this book, a reader gets engrossed in the subject and cannot put the book down without completing the chapter or domain, right up to the last word of the book.

Information Security is not a new field nowadays, but very little awareness is observed among professionals. One of the reasons could be that there are not many books on Information Security written by Indian authors and published in India, which would make the material available to IS practitioners as well as aspirants at a reasonable price. Although this book is published in India, the author's effort to write it with the global scenario in mind is commendable.

Although the topic "Information Security" is a pervasive one, the author has succeeded in making a fairly comprehensive book interesting with the help of 38 chapters, divided into 7 domains.
Part 1 – Introduction (6 Chapters)
Part 2 – Physical and Environmental Security (4 Chapters)
Part 3 – Network Security and Logical Access Control (7 Chapters)
Part 4 – Application Security (4 Chapters)
Part 5 – Models, Frameworks and Metrics for Security (7 Chapters)
Part 6 – Privacy (4 Chapters)
Part 7 – Security Best Practices (6 Chapters)

Each chapter in the book is arranged cogently and clearly. A chapter begins with "Learning Objectives" and ends with a "Summary" and "Review Questions". The "Further Reading" at the end of each chapter opens up a wealth of knowledge to the reader.

Describing the concepts graphically is one of the strengths of this book, with 250+ figures, along with 50+ tables and 175+ vignettes. This makes the book useful for building conceptual understanding for aspirants who are keen to build a career in the Information Security field, and also for speakers/presenters (teaching professionals).

Introduction (100 pages) – Part I begins with the history, basics and impact of globalization of Information Systems and ends with an understanding of InfoSec risk analysis. The reader gets charged up and involved in the book while going through Security in Mobile and Wireless Computing right at the start (i.e. in the Introduction section). Similarly, the inclusion of a complex topic like LDAP, a subject in itself, has been handled by explaining it concisely from a security perspective.

Physical and Environmental Security (65 pages) – After creating a good background on Information Security, the author takes the reader, in Part II, through an "Overview of Physical Security". The chapter titled "Perimeter Security" explains protecting the external boundaries of the organization. The reader will enjoy going through the last two chapters on Biometrics – one chapter on controls and the next on issues and challenges.

Network Security and Logical Access Control (145 pages) – Technocrats as well as aspirants will love this section while touring the technology forest. Separate chapters dedicated to Network Fundamentals, Cryptography, Intrusion Detection Systems, Firewalls, Virtual Private Networks and Wireless Networks maintain the flow of the section and give full coverage of the subject of the book (i.e. Information Security).

Application Security (83 pages) – Apart from the security perspectives on Business Applications, Databases and Operating Systems, each well explained in a separate chapter, an awesome effort has been made to cover Email Security in a dedicated chapter, a topic which is always ignored and/or given less importance in the Information Security domain.

Models, Frameworks and Metrics for Security (135 pages) – Going through this section is a comprehensive education in the various frameworks, models, standards and methodologies such as ITIL, IA-CMM, Basel II, OCTAVE and OSSTMM. The author has devoted separate chapters to ISO 27001, SSE-CMM, and COBIT, COSO and SAS 70, which are widely adopted and practiced in the industry. The reader also gets an overview of laws and legal frameworks (the IT Act, Sarbanes-Oxley, GLBA, HIPAA and FISMA) in the last chapter of this section.

Privacy (181 pages) – The author is clear in her vision in adding a separate section named Privacy, which is nothing but "Data Privacy". Fundamentals, Business Challenges and Technological Impacts are covered in separate chapters. The last chapter focuses on Web Services and Privacy, discussing in detail the security and privacy aspects of the Internet and SOA (Service Oriented Architecture).

Security Best Practices (217 pages) – Besides Staffing, BCP/DRP and Asset Management, the reader gets separate chapters in this section on Privacy Best Practices and on Ethical Issues/Concerns about Intellectual Property. The "Auditing for Security" chapter explains all the components of the IS Audit domain – process-based audit as well as tool-based audit.

The author has given consideration to the mobility of an individual, which is an integral part of business, by enclosing a CD with the book. Apart from the tradition of including the entire book on the CD, which could be a redundant effort, the companion CD contains 37 appendices and 17 case illustrations. The appendices contain checklists and guidelines, which will help readers reinforce their understanding of the concepts. Appendix E explains ISO 27001 and ISO 17799 vis-à-vis SAS 70 control objectives and controls. The author has also provided a mapping of the contents of the book to all the appendices, and the details of a training program which helps the reader conduct workshops and/or seminars on Security and Privacy.

Conclusion – The author has put her entire knowledge base and rich experience into this book. The inclusion of case illustrations and appendices on a CD will be very much appreciated by readers, especially practicing professionals in the Information Security domain. This book can be used by aspirants as a textbook for various university courses and certifications (e.g. CISA, CISSP, CIPP and many more), and adding it to the bookshelf makes a very good reference for practitioners.

About the reviewer – Sunit Belapure (CISA, ISO 27001 Lead Auditor and CEH) is an I.S. professional working with one of the top three IT consulting firms in the world. He is also a member of ISACA and was recognized for his contribution as CISA coordinator during 2003-2004 in the local chapter in Pune, Maharashtra, India.

Please visit the link below for more information:
http://wileyindiablog.blogspot.com/2008/12/information-systems-security-security.html