The Basics of Information Security. By Jason Andress. Syngress, www.syngress.com; 208 pages; $29.95.
This is a thin book on a broad and deep topic, which gave me pause initially, but as it turns out, the book is thoughtfully written and will definitely be useful for educating managers and security professionals who need to broaden their thinking beyond physical security. It provides a dozen pages or so on each of the big topics in computer network security.
The chapter on operating system security has suggestions that will be useful for securing home computers as well as business networks. It’s scary to think of how vulnerable most home computers are. Often the most painful but critical aspect of information security for users is the password. How many companies require employees to use long complex passwords that are not written down but need to be changed often? The author suggests that password management software can be used to solve this dilemma in some situations.
The book touches on physical security as it relates to information security. Of course, physical security is necessary to protect information stored digitally.
Another issue the book addresses is detection. One interesting comparison between prevention and detection is not drawn in the book, however: a network security system can afford to not prevent every intrusion, but it absolutely must detect the significant ones.
This book won’t give you everything you need to know for incident handling or certification, but it can serve as a first step in a manager’s education in computer network security.
Reviewer: Gordon Mitchell, Ph.D., CPP, is an ASIS member and former chapter chair. He operates Future Focus, a Seattle firm that provides computer forensic investigations and network incident response.