Writing Information Security Policies (Landmark)

Binding: Paperback
Not thorough or rigorous, but a good set of secpol topics [Posted on 2002-07-21] Security policies are not security, and will not provide any protection. However, as the well-known formulation has it: security is a process. An organization does not "have" security, rather they participate in the process of security. Barman explains that security policies are a component of the planning aspect of the security process, and as such can provide three advantages. The first is to ensure security interoperability across an organization. The second advantage is the visibility given to the policy by management's participation in it, which provides a greater impetus for implementation. The third is to mitigate liability, presumably by the legal value of the policy, and the advantages to security that a policy-driven approach proves. Another reason mentioned is that for some organizations, policy documentation is needed for ISO 900x compliance. Unstated is the assumption that a security policy might result in greater security. After all, even with all the other purported advantages, a security policy is presumptively about making security better.

At 216 pages, "Writing Information Security Policies" seems just the right size to touch all the bases, but not enough for a home run in the subject area. Good worklike effort, but the diversity of subject matter, and a lack of focus and internal theoretical structure rob the work of providing insightful organizational direction, though it still pays dividends, and is ultimately very worth reading.

The book is divided into three sections. The first is titled "Starting the policy process," and includes such issues as policy needs and roles and responsibilities in the policy process. The second section is writing the security policies in the topical areas. The third is on maintaining policies, including acceptable use and compliance and enforcement.

In the first section, the discussion includes such items as:

1. Identification of assets
2. Data security
3. Backups and archives
4. Intellectual property rights
5. Incident response and forensics

It is clear from these topics that though the title of the book is Information Security Policies, a more accurate one might be Information and Communication Technology Security Policies, as it is networks and software systems which are the focus throughout. As far as real-world recommendations and a more serious framework for security policies at highly secured organizations, the reader will have to search elsewhere. However, this book amply suits the need for a series of more conversational approaches to a variety of ICT security policies and subject areas. Also of use are the distinctions between policy, procedure, and implementation, found scattered throughout this book, though unfortunately not strictly adhered to. And though the sample administrative policies found in the appendix are nowhere near complete, there are helpful policy formulations throughout.

In the second section, the seven major areas of discussion that offer the heart of the book are more of a topical arrangement than any hierarchical or conceptual approach. They include security policy concerned with the following subject areas:

1. Physical
2. Authentication and network
3. Internet
4. Email
5. Viruses, worms, and Trojan horses
6. Encryption
7. Software development

There is enough that is badly worded and poorly organized in the book, but it is of real benefit--both on its own merits, and because there is little information of this kind available to practitioners and those managers who might want something that is more than a simple set of forms, but is less than a week-long course in security policy.
Good if you want to reinvent the wheel! [Posted on 2004-04-25] This book is good if you want to start a policy-writing project or want to do a PhD in policy writing. In today's fast-moving world, you want best practices for the most commonly used policies, which you could review and quickly deploy. I think "Best Practices Information Security Policy Manual" by PacificIS is a better choice. It is simple, direct and of the right size, i.e. 50+ pages, and it is ready to use in Word format. As you know, if my organization publishes a policy manual of 700 plus pages, no one will read it. Another very useful resource is Charles Cresson's Information Policy Made Easy with 1300 policies on 725 pages. However, I find it more difficult to select from 1300 policies which are more of an academic nature. It also requires a lot of editing and customization. I would love to follow it if my company assigns me a 3-month project just to write a policy.
Best Condition, Timely Service [Posted on 2005-08-04] My book was in new condition, and I received my book, hassle free, in my postal box!!! It also arrived when I expected it to!
Writing Security Policies [Posted on 2007-12-31] Excellent book summarizing the details involved in writing security policies. Great starting point for anyone tasked with writing or reviewing security policies and procedures.
Amazon is better [Posted on 2008-02-12] Much better price on Amazon than in the school book store, and with free shipping, it makes it completely worth doing.