Best Damn IT Security Management Book Period

By Bryan Cunningham, et al; Reviewed by James Litchko

***** Best Damn IT Security Management Book Period. By Bryan Cunningham, et al; published by Syngress, www.syngress.com (Web); 900 pages; $59.95.

While this text might offer the seasoned IT security professional an interesting read, it is not a good overall reference, and it is not for the commercial or government security practitioner.

In its first two pages, the book jumps into vulnerabilities, CVE IDs, IE, WMF, QTS, and BMP overflows. (If you did not understand these acronyms, this book is not a way for you to learn about them.)

The book omits a thorough examination of methods for evaluating an IT system’s security. The text only discusses one of many options, and it’s one of little use to most readers: the INFOSEC Evaluation Methodology, developed in the 1990s by the National Security Agency (NSA) and designed especially for intelligence systems. To be relevant to the majority of IT security professionals, the book should have discussed the National Institute of Standards and Technology (NIST) standards, Common Criteria product evaluations, and the ISO/IEC 27000 series. These are either given a couple of sentences or not mentioned at all.

Other issues covered in this book are of interest, but because the information is not easy to find, the book cannot serve as a reference for an IT manager, CISO, ISSO, or CSO. Some of the Web site addresses provided for outside reference, like a report related to INFOSEC, did not work.

This book was written by 15 contributors, including managers, lawyers, practitioners, hackers, and administrators from the commercial and government sectors, so it holds an abundance of concepts, viewpoints, and resources. Some of the content is interesting and provides the reader with information on tools, regulations, laws, checklists, reports, and references. That said, I do not recommend purchasing this book.

Reviewer: James Litchko is president and CEO of Litchko & Associates in Kensington, Maryland. He is a member of the ASIS councils on Information Technology Security and Privacy and Personnel Information.