Administrators, more technically savvy than their managers, have started to secure the networks in a way they see as appropriate. When management catches up to the notion that security is important, system administrators have already altered the goals and business practices. Although management may be grateful to these people for keeping the network secure, their efforts do not account for all assets and business requirements. Finally, someone decides it is time to write a security policy. Management is told of the necessity of the policy document, and they support its development. A manager or administrator is assigned the task and told to come up with something, and fast!

Once security policies are written, they must be treated as living documents. As technology and business requirements change, the policy must be updated to reflect the new environment, with at least one review per year. Additionally, policies must include provisions for security awareness and enforcement while not impeding corporate goals. This book serves as a guide to writing and maintaining these all-important security policies.
Average Amazon.com® Rating: based on 11 ratings
Not thorough or rigorous, but a good set of secpol topics - 2002-07-21
Security policies are not security, and will not provide any protection. However, as the well-known formulation has it: security is a process. An organization does not "have" security; rather, it participates in the process of security. Barnum explains that security policies are a component of the planning aspect of the security process, and as such can provide three advantages. The first is to ensure security interoperability across an organization. The second advantage is the visibility given to the policy by management's participation in it, which provides a greater impetus for implementation. The third is to mitigate liability, presumably by the legal value of the policy, and the advantages to security that a policy-driven approach proves. Another reason mentioned is that for some organizations, policy documentation is needed for ISO 900x compliance. Unstated is the assumption that a security policy might result in greater security. After all, even with all the other purported advantages, a security policy is presumptively about making security better.
At 216 pages, "Writing Information Security Policies" seems just the right size to touch all the bases, but not enough for a home run in the subject area. Good workmanlike effort, but the diversity of subject matter, and a lack of focus and internal theoretical structure, robs the work of providing insightful organizational direction, though it still pays dividends, and is ultimately very worth reading.
The book is divided into three sections. The first is titled "Starting the policy process," and includes such issues as policy needs and roles and responsibilities in the policy process. The second section is writing the security policies in the topical areas. The third is on maintaining policies, including acceptable use and compliance and enforcement. In the first section, the discussion includes such items as:
1. Identification of assets
2. Data security
3. Backups and archives
4. Intellectual property rights
5. Incident response and forensics
It is clear from these topics that though the title of the book is Information Security Policies, a more accurate one might be Information and Communication Technology Security Policies, as it is networks and software systems which are the focus throughout.
As far as real-world recommendations and a more serious framework for security policies at highly secured organizations, the reader will have to search elsewhere. However, this book amply suits the need for a series of more conversational approaches to a variety of ICT security policies and subject areas. Also of use are the distinctions between policy, procedure, and implementation, found scattered throughout this book, though unfortunately not strictly adhered to. And though the sample administrative policies found in the appendix are nowhere near complete, there are helpful policy formulations throughout. In the second section, the seven major areas of discussion that offer the heart of the book are more of a topical arrangement than any hierarchical or conceptual approach. They include security policy concerned with the following subject areas:
1. Physical
2. Authentication and network
3. Internet
4. Email
5. Viruses, worms, and Trojan horses
6. Encryption
7. Software development
There is enough that is badly worded and poorly organized in the book, but it is of real benefit--both on its own merits, and because there is little information of this kind available to practitioners and those managers who might want something that is more than a simple set of forms, but is less than a week-long course in security policy.
Good if you want to reinvent the wheel! - 2004-04-25
This book is good if you want to start a policy-writing project or want to do a PhD in policy writing. In today's fast-moving world, you want best practices for the most commonly used policies, which you could review and quickly deploy.
I think "Best Practices Information Security Policy Manual" by PacificIS is a better choice. It is simple, direct and of the right size, i.e. 50+ pages, and it is ready to use in Word format. As you know, if my organization publishes a policy manual of 700 plus pages, no one will read it. Another very useful resource is Charles Cresson's Information Policy Made Easy, with 1300 policies on 725 pages. However, I find it more difficult to select from 1300 policies, which are more of an academic nature. It also requires a lot of editing and customization. I would love to follow it if my company assigns me a 3-month project just to write a policy.
Amazon is better - 2008-02-12
Much better price on Amazon than in the school book store, and with free shipping, it makes it completely worth doing.
Writing Security Policies - 2007-12-31
Excellent book summarizing the details involved in writing security policies. Great starting point for anyone tasked with writing or reviewing security policies and procedures.
Best Condition, Timely Service - 2005-08-03
My book was in new condition, and I received my book, hassle-free, in my postal box!!! It also arrived when I expected it to!
Some information on this page was provided using data from Amazon.com®.