***** A Practical Guide to Security Assessments.
By Sudhanshu Kairab; published by Auerbach Publications, 800/272-7737 (phone), www.crcpress.com (Web); 498 pages; $79.95.
Perhaps nothing is as fundamental to a security program as a solid security assessment, since the program's priorities and controls largely derive from the results of that evaluation. For anyone conducting an information-security assessment, this book is an excellent reference that will set an organization's security on the right track.
Organizations do not function in a vacuum. They must balance and navigate business processes and interdependencies, the Internet, distributed systems, and legislation and regulation, just to name a few factors that influence their environment and posture. Security assessments must take into account all of these, the author of this book says.
Generally, the author explains, security assessment involves understanding critical business processes, quantifying risks, and implementing cost-effective measures to minimize risk. To the extent that mission-critical functions depend on technology, the information security program must ensure that relevant data is secure and practices are performed in a secure manner.
With ten years of experience in audit and security, this author has mastered his subject, but he is not mired in the past. Advice is specific and tangible. For example, the author explains how to best achieve management buy-in up front, which involves keeping managers involved in the assessment process and soliciting their feedback.
A chapter describing the concept of a “risk score” and a method that links risk to cost (thus quantifying return on investment) deserves special consideration. The risk score is a numerical representation that weighs the level of a risk and its potential impact against the controls already in place to mitigate it. Charts are provided for readers to calculate their own risk scores. Given the always-competitive fight for funding, a final report whose recommendations are backed by ROI figures may prove helpful in winning over management.
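To make the idea of a risk score tied to cost concrete, the following added example (this reviewer's illustration, not the scoring method, charts or weightings from Kairab's book) uses the generic annualized loss expectancy (ALE) model: single loss expectancy times annual rate of occurrence, reduced by the effectiveness of the control in place, with return on security investment (ROSI) computed as the risk reduction net of the control's cost, divided by that cost. Every scenario, dollar figure and frequency below is constructed for illustration, and the field names are this example's own.

```python
"""Illustrative risk score and return-on-security-investment (ROSI) calculation.

This is an added example using the generic annualized loss expectancy (ALE)
model; it is NOT the scoring method from Kairab's book, whose charts and
weightings are not reproduced here.  All scenario names, dollar figures and
incident rates are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Scenario:
    name: str
    asset_value: float            # dollars at stake if the asset is fully compromised
    exposure_factor: float        # fraction of asset value lost per incident (0..1)
    annual_rate: float            # expected incidents per year with NO control (ARO)
    control_effectiveness: float  # fraction of incidents the existing control prevents (0..1)
    control_cost: float           # annual cost of that control, in dollars


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value * exposure factor (dollars lost per incident)."""
    return s.asset_value * s.exposure_factor


def annualized_loss(s: Scenario, with_control: bool) -> float:
    """ALE = SLE * ARO; the control scales down the rate at which incidents occur."""
    rate = s.annual_rate
    if with_control:
        rate *= (1.0 - s.control_effectiveness)
    return single_loss_expectancy(s) * rate


def risk_score(s: Scenario) -> float:
    """Residual risk in dollars per year: impact and likelihood weighed
    against the control in place.  Lower is better."""
    return annualized_loss(s, with_control=True)


def rosi(s: Scenario) -> Optional[float]:
    """ROSI = (risk reduction - control cost) / control cost.

    Returns None when the control costs nothing, because the ratio is then
    undefined (a free control is simply worth keeping)."""
    if s.control_cost <= 0:
        return None
    reduction = annualized_loss(s, False) - annualized_loss(s, True)
    return (reduction - s.control_cost) / s.control_cost


def rank_by_rosi(scenarios: List[Scenario]) -> List[Scenario]:
    """Order controls so the best return comes first; undefined ROSI sorts last.
    A negative ROSI flags a control that costs more than the loss it prevents."""
    return sorted(scenarios, key=lambda s: (rosi(s) is None, -(rosi(s) or 0.0)))


# Constructed sample input (not from the book).
SCENARIOS = [
    Scenario("ransomware on file server", 500_000, 0.4, 0.5, 0.8, 40_000),
    Scenario("lost unencrypted laptop", 50_000, 1.0, 2.0, 0.95, 5_000),
    Scenario("web defacement", 20_000, 0.25, 1.0, 0.5, 10_000),
]

if __name__ == "__main__":
    for s in rank_by_rosi(SCENARIOS):
        r = rosi(s)
        print(f"{s.name:28s} residual risk ${risk_score(s):>10,.0f}/yr  "
              f"ROSI {'n/a' if r is None else f'{r:+.2f}'}")
```

Run as a script, the report lists the laptop encryption control first (its ROSI is far above 1.0), then the ransomware control, and flags the defacement control as a net loss with a negative ROSI; this is the kind of ordering a final report can use to justify where funding goes.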
To simplify the risk-scoring process, the author has dedicated about half of this 500-page book to appendices that proceed step by step through the methodology. The checklists, which contain questions and guidelines, are themselves well worth the price of this excellent work.
Reviewer: John Gargiulo, a lifetime CPP, is a part-time security consultant and the former director of security for Reuters America, where he served for 18 years. He retired as a lieutenant from the New York Police Department after 24 years of service. He is a member of ASIS International.