BKPRINSC.RVW 20040531

"Principles of Information Security", Michael E. Whitman/Herbert J. Mattord, 2003, 0-619-06318-1
%A Michael E. Whitman
%A Herbert J. Mattord
%C 25 Thomson Place, Boston, MA 02210
%D 2003
%G 0-619-06318-1
%I Thomson Learning Inc.
%O U$67.95/C$93.17 www.course.com
%O http://www.amazon.com/exec/obidos/ASIN/0619063181/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0619063181/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0619063181/robsladesin03-20
%P 532 p.
%T "Principles of Information Security"

The introduction, in chapter one, seems to be a compilation of security views from a variety of sources. While this could be interesting for the experienced professional, the lack of structure and guidance is likely to confuse the beginning student, the audience at which the book is aimed. Each chapter starts with a fictional scenario: the stories do very little to add to the understanding of the topic. Review questions and exercises at the end of the chapters are generally either simplistic or open-ended.

Chapter two lists various types of threats and attacks: classifications and groupings are unclear and are likely to lead students into erroneous assumptions about the different exploits. Most of the textual material on legal and ethical issues, in chapter three, deals with (primarily old) US laws. Actually, a substantial portion of the chapter is given over to screenshots of numerous computer-related agencies and organizations. Risk management is broken into two chapters: four, which gives a pedestrian but not bad overview of analysis and assessment, and five, which is another unstructured amalgam of topics, some of which should have been covered in four. Chapter six is a wandering discussion of policy, spending a lot of space listing the NIST (US National Institute of Standards and Technology) guides.

Business continuity planning, in chapter seven, concentrates on incident response, and has an odd mention of the involvement of law enforcement. Chapter eight lists network security tools and also has simplistic coverage of cryptography, extended with an appendix that gets the mathematics of asymmetric encryption mostly right, but the implementation seriously wrong. Physical security is dealt with reasonably well in chapter nine, although the fire suppression content may be confusing. Generic project planning advice is in chapter ten. Chapter eleven's review of personnel security lists job titles, security-related certifications, and some general principles. Security maintenance, in chapter twelve, is limited to patch and change management as well as risk re-assessment advice that probably should have been included with chapter four.

An introductory security text need not contain the depth, or even breadth, of a reference for professionals. However, this one could use a lot more structure in the presentation of the content, and more than a little care with facts and implications.

copyright Robert M. Slade, 2004