Writing Information Security Policies
Description:

Administrators, more technically savvy than their managers, have started to secure their networks in the way they see as appropriate. By the time management catches up to the notion that security is important, system administrators have already altered the goals and business practices. Although management may be grateful to these people for keeping the network secure, their efforts do not account for all assets and business requirements. Finally, someone decides it is time to write a security policy. Management is told of the necessity of the policy document, and they support its development. A manager or administrator is assigned to the task and told to come up with something, and fast! Once security policies are written, they must be treated as living documents. As technology and business requirements change, the policy must be updated to reflect the new environment, with at least one review per year. Additionally, policies must include provisions for security awareness and enforcement while not impeding corporate goals. This book serves as a guide to writing and maintaining these all-important security policies.

Product Details:
Author: Scott Barman
Paperback: 240 pages
Publisher: New Riders Publishing
Publication Date: November 12, 2001
Language: English
ISBN: 157870264X
Customer Reviews:
Average Customer Review: 4.5 (11 customer reviews)


Most Helpful Customer Reviews

23 of 24 found the following review helpful:

4 stars: Not thorough or rigorous, but a good set of secpol topics (Jul 21, 2002)
By Jeff McNeill
Security policies are not security, and will not provide any protection. However, as the well-known formulation has it: security is a process. An organization does not "have" security; rather, they participate in the process of security. Barman explains that security policies are a component of the planning aspect of the security process, and as such can provide three advantages. The first is to ensure security interoperability across an organization. The second advantage is the visibility given to the policy by management's participation in it, which provides a greater impetus for implementation. The third is to mitigate liability, presumably by the legal value of the policy, and the advantages to security that a policy-driven approach proves. Another reason mentioned is that for some organizations, policy documentation is needed for ISO 900x compliance. Unstated is the assumption that a security policy might result in greater security. After all, even with all the other purported advantages, a security policy is presumptively about making security better.

At 216 pages, "Writing Information Security Policies" seems just the right size to touch all the bases, but not enough for a home run in the subject area. Good workmanlike effort, but the diversity of subject matter, and a lack of focus and internal theoretical structure, robs the work of providing insightful organizational direction, though it still pays dividends, and is ultimately very worth reading.

The book is divided into three sections. The first is titled "Starting the policy process," and includes such issues as policy needs and roles and responsibilities in the policy process. The second section is writing the security policies in the topical areas. The third is on maintaining policies, including acceptable use and compliance and enforcement. In the first section, the discussion includes such items as:

1. Identification of assets
2. Data security
3. Backups and archives
4. Intellectual property rights
5. Incident response and forensics

It is clear from these topics that though the title of the book is Information Security Policies, a more accurate one might be Information and Communication Technology Security Policies, as it is networks and software systems which are the focus throughout.

As far as real-world recommendations and a more serious framework for security policies at highly secured organizations, the reader will have to search elsewhere. However, this book amply suits the need for a series of more conversational approaches to a variety of ICT security policies and subject areas. Also of use are the distinctions between policy, procedure, and implementation, found scattered throughout this book, though unfortunately not strictly adhered to. And though the sample administrative policies found in the appendix are nowhere complete, there are helpful policy formulations throughout. In the second section, the seven major areas of discussion that offer the heart of the book are more of a topical arrangement, than any hierarchical or conceptual approach. They include security policy concerned with the following subject areas:

1. Physical
2. Authentication and network
3. Internet
4. Email
5. Viruses, worms, and Trojan horses
6. Encryption
7. Software development

There is enough that is badly worded and poorly organized in the book, but it is of real benefit--both on its own merits, and because there is little information of this kind available to practitioners and those managers who might want something that is more than a simple set of forms, but is less than a week-long course in security policy.

17 of 17 found the following review helpful:

5 stars: Get it (now read why) (Jan 31, 2002)
By E. Danielyan
It is difficult to find a book on security or a security consultant which wouldn't tell you that an information security policy is a mandatory requirement for any security-conscious organization. However, it is even more difficult to write a meaningful and working security policy document which makes sense, or to find someone qualified to do that from both business and technical viewpoints. While Scott Barman's book doesn't help you with finding qualified staff or consultants, it can help you become one. In about 200 pages the author manages to explain the need for information security policies, tells you how to approach this animal and shows how to define and write policies. There are not many technical details in this book, and that's the best part of it. Technical details change very often; good business and security practices don't. With this book the author starts at the very beginning ("Why do I need a security policy?") and goes on to actually helping you write one for your organization, system, or network. With sample policies which you can use, and with a good index of resources in the appendix, this book is a good choice if you need to understand and/or define information security policies.

11 of 11 found the following review helpful:

5 stars: Brings best practices to small companies (Jul 05, 2002)
By Mike Tarrani "Jazz Drummer"
What makes this book an important addition to the IT security body of knowledge is that it makes a case for, and shows how to, create and implement IT security policies in small-to-medium enterprises.

The book itself is a short, somewhat superficial, treatment of IT security policies. It has strengths and weaknesses:

STRENGTHS: It makes a compelling business case for having IT security policies, then leads you through the creation of the more common ones. This material is augmented by the book's accompanying web site, which provides all of the sample policies in Appendix C in HTML format (most modern word processing programs, such as MS Word, can convert this to their native format without losing any of the embedded styles). Note that the URL given in the book has changed, but it is still active and automatically redirects you to the new URL.

In addition, the book touches on important topics that you may not think of if you're attempting to develop policies on your own, for example intellectual property rights, law enforcement issues and forensics. These are only touched upon, but will raise your awareness of their importance.

WEAKNESSES: The actual development and maintenance of policies is almost an afterthought. Moreover, I thought that a structured approach to threat and vulnerability assessments should have been covered (to be fair, the author discusses major threats on practically every page). I also felt that the policies should have been linked to processes, which is the hallmark of a well-written policy, and that the importance of clearly defining roles and responsibilities should have been highlighted. I recommend that readers also get a copy of Steve Page's "Achieving 100% Compliance of Policies and Procedures" (ISBN 1929065493) to supplement this book. Page's book is focused solely on policies and procedures development, and will fill in the gaps left in this book.

Overall, this book deserves recognition for raising awareness of the importance of IT security policies to small companies. It also deserves credit for sticking to the fundamentals (cited weaknesses notwithstanding), without overwhelming small enterprise IT professionals who are probably wearing many hats besides IT security. For that audience this book shows the way, and earns my praise.

7 of 7 found the following review helpful:

5 stars: The right book at the right time (Jun 04, 2002)
By J. Robinson "misfit815"
Network administration is only 10% of my job, which means the task of creating a security policy for our 40-user systems integration company needed to take a proportional amount of my time and energy. This book provides a lot of helpful examples, and really gives you what you need to get started. The length is appropriate, the language fits both technical and non-technical audiences, and the organization makes sense. It has definitely saved me considerable time and energy.

2 of 2 found the following review helpful:

4 stars: Good advice on filling a modern necessity (Dec 08, 2001)
By Charles Ashbacher
Like so many IT workers, I chafed under standards when I was a developer. The pressure to create the code as fast as possible seemed to leave little time for neatness or written explanations of what was done. However, not all of that was my fault. Given the time frame for development, reading standards and writing to them simply meant more overtime, which gave me the excuse to delay or ignore them.

The same thing applies to security standards; to most developers, they seem to be the product of a paranoid mind. Well, like all things, even paranoia has its uses, as the events of September 11 in New York made obvious. It is to the benefit of both management and workers to write detailed security policies and then mandate that they be followed. No one knows what value company secrets may have, and as the disclosures of people searching the garbage at Microsoft for company secrets point out, a casual reference or slip of paper can be worth millions.

The contents of this book fall into the category of obvious, yet often neglected, necessities. Many companies have nebulous, piecemeal policies that allow so much latitude that they are essentially worthless. The value of writing policies that are both practically and legally enforceable is that it gives everyone clear guidelines for their behavior, which is really all anyone can ask for. When policies are set and clearly noted as being mandatory, people naturally have initial objections. However, after some time, when they realize the degree of protection the policies provide, everyone realizes that they are better off with them.

Barman sets down the reasons for such policies and the value that they provide. He also gives many examples of policies that have been effectively used and covers most of the situations that arise on a daily basis. My free-spirit attitude was altered by the soundness of his arguments in favor of putting realistic restrictions on how information is stored and moved from point to point. This is one of those books that should be in the back pocket of any manager who really wants to cover that part of their anatomy.
