BKENINSE.RVW 20020916 "Enterprise Information Security", Peter Gregory, 2003, 0-273-66157-4, C$19.99/UK#156.99 %A Peter Gregory peter.gregory@hartgregorygroup.com %C London, UK %D 2003 %G 0-273-66157-4 %I Prentice Hall/Financial Times %O C$19.99/UK#156.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0273661574/robsladesinterne %P 145 p. %T "Enterprise Information Security: Information security for non-technical decision makers" The executive summary states that this book is intended to present information security to executives. The introduction certainly shows that it isn't intended for technical people, who would ask what the difference was between access over the Internet and remote access, or a network using TCP/IP and the Internet. Chapter one asserts that the events of September 11, 2001 woke executives up to the importance of security. (Yeah, right.) However, there is a good analysis of the reasons that the Code Red/Nimda worm was successful. The definition of a threat, in chapter two, is pretty bad, and the definitions of various types of malicious software are really bad. The section on hacking lists a variety of attacks (heavy on social engineering), the "hacker profiles" concentrate on system exploits, there is a random list of security problems, and then an surprisingly good definition of vulnerability. Authentication and authorization are reasonably handled, but confused with extraneous details in chapter three. Access control is equated with firewalls, and the discussion of cryptography is all right but full of minor errors. (RC 2 and RC 4 have been compromised, Skipjack has been released for limited review, a digital signature does need a key but not necessarily an additional password, the loss of a key is not sufficient to repudiate a digital signature, and the ping-of-death does not compromise integrity.) The material on antivirus protection refers only to scanning, and the material on audit deals only with logs. Chapter four is supposed to be about policies, but actually concentrates on procedures, containing random thoughts and many gaps. People are the weak link in security, we are told in chapter five, and, as with other sections it uses non-standard terms in the discussion. More haphazard thoughts are in chapter six, while chapter seven has a poor definition of privacy and a grab bag of topics. In chapter eight a casual list of topics seem to be indiscriminately assigned to the standard important/urgent quadrant chart. OK, this is not intended for professionals; it is intended for managers. But, even if we give full reign to the usual jokes -- those who can't, do; those who are incapable of mastering anything, go into management -- it's still bad form to deliberately mislead them this way. copyright Robert M. Slade, 2002 BKENINSE.RVW 20020916