Risk Management for Computer Security: Protecting Your Network and Information Assets.
By Andy Jones and Debi Ashenden; published by Elsevier Butterworth-Heinemann; available from ASIS International, Item #1633, 703/519-6200 (phone), www.asisonline.org (Web); 274 pages; $40 (ASIS members); $44 (nonmembers).
Pick up any security publication nowadays and you’re sure to see an article on the convergence of traditional corporate security with the more technical world of information systems security. Without extensive computer experience, it can be difficult to understand the threats to and vulnerabilities of automated information systems. Consequently, there is justifiable concern that the specialized knowledge required for information systems security will force organizations that are converging their security operations to place physical security under the control of the IT department.
Risk Management for Computer Security is a lifeline for embattled physical security professionals, as it demonstrates that it is possible to manage the security of information systems without a strong computer background. In clearly written, detailed, and jargon-free prose, it presents the security issues surrounding information systems using the concepts and terminology of the security management profession. It is not a computer book about security. It is a security book about computers. The authors show that IT security is just another security function, not a whole new discipline requiring new talents, terminology, and practices.
The first section introduces a risk-management approach, while following sections discuss threat assessments, vulnerability assessments, risk assessments, the tools and types of risk assessment, and future directions. Most comprehensive is the section on threat assessments, an excellent primer for students of security no matter their specialty.
The authors’ credentials—which complement each other nicely—add significant authority to this work. Debi Ashenden is a senior research fellow in information assurance at Cranfield Royal Military College in the United Kingdom. She lectures on topics related to IT security, information systems, and risk assessment. Dr. Andrew Jones of the University of Glamorgan, also in the United Kingdom, has 30 years’ experience in military intelligence, information warfare, business security, and criminal and civil investigations. He now lectures on information security and computer crime. Ashenden and Jones have contributed a worthy entry for anyone’s security library.
Reviewer: Ross Johnson, CPP, is a retired Canadian Forces Intelligence Officer working for an offshore-drilling company in Houston. He is the membership chairperson for the Houston Chapter of ASIS International and a member of the ASIS Oil, Gas, and Chemical Industry Security Council.