The cover of The Security Risk Assessment Handbook has a picture of a clock on it, which is ironic because it is about time that someone gave security professionals an effective, single-reference handbook for security risk assessments.
Author Douglas J. Landoll begins with an excellent introduction that lays out the reader's imminent journey in an explanative manner that is informative to newcomer and expert alike. Each of the 13 chapters that follow exhibits the same richness and clarity.
The brief initial chapter offers a specific menu-like description of the rest of the handbook, clarifying the book's focus. This is important because most people will likely read this book cover-to-cover first. Eventually it will become a reference to be used when a particular component needs to be addressed.
The subsequent chapters run through the normal risk assessment stages, beginning with project definition, in easy-to-read, easy-to-understand phases. While accessible, the text is not dry; the author has a talent for bringing the reader into the analysis. It's almost as if the reader were in training, rather than just looking at words on a page.
Data gathering is broken down into four chapters (general, administrative, technical, and physical), which can help a reader whose skills lie more heavily in one of those domains than another. Furthermore, data sampling is well covered, as is the RIIOT (Review/Interview/Inspect/Observe/Test) approach to data gathering.
The book also offers interesting discussions on threats, vulnerabilities, and countermeasures that are informative and detailed. Landoll identifies and defines them clearly and completely.
Readers should not mistake the lack of complexity for a lack of depth. The author is experienced in information security from the perspective of both government and business. He holds CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor) designations, and an M.B.A. from the University of Texas at Austin.
Readers may find some design issues with the visuals problematic; for example, bullet points blend into one section or another. Diagrams, though, are understandable, relevant, and placed appropriately throughout the book.
The reader will also find that the relatively few sidebars are informative. There is also the occasional snippet of humor.
Overall, the book is extremely well done and comprehensive. The index is thorough as well.
The book is published by CRC, and can be purchased from the publisher's Web site (www.crcpress.com) for $79.95.
Review by Derek Knights, CPP, CISSP, senior security governance specialist at Sun Life Financial, Toronto, Ontario, Canada.