Security Risk Assessment and Control. By Tony Burns-Howell, Pierre Cordier, and Therese Eriksson; published by Perpetuity Press, www.perpetuitypress.com (Web); 100 pages; £25.
Considering the impressive backgrounds of the authors, this publication had the potential to be an indispensable handbook for security practitioners. It misses that opportunity by shortchanging both audiences it tries to address: novices and experienced professionals. It underserves novices by lacking detail in its mere 100 pages; it falls short for seasoned practitioners because some of the text is too confusing to be used as a ready "aide-mémoire" as the authors intended.
The book had its genesis in an assignment to conduct a risk assessment on an (unnamed) international telecommunications company. The authors try to bring the reader into the process, but gaps interrupt a smooth narrative flow. One suspects overly aggressive editing, the result being that the book is neither easy nor enjoyable to read.
No doubt initial drafts of chapters in this book contained much more information. By paring the work down to double as an aide-mémoire, much that is needed was lost. Again, this may be a function of excess editing. For example, in section one, the authors refer to a case study about improper access to an IT system that will be addressed in section five. It's not there. It's not in the book at all. Similarly, it is likely that detailed information that would have made the text useful for novices was excised in editing as well.
The book does have bright spots. Some sections are excellent, and flow charts are clear and informative. There's just not enough of this type of material. For example, nearly a quarter of the short book is devoted to document templates. But the type is too small for them to be effectively photocopied. If the reader is expected to create his or her own templates from these designs, the material is redundant because these templates are described earlier in the book. Readers are left with the suspicion that the 23 pages are padding. These pages would have been much better served by containing explanatory detail tied to the main text.
Reviewer: Derek Knights, CPP, CISSP (Certified Information Systems Security Professional), is an internal consultant on security, risk assessment, and investigations with Ontario Power Generation, Inc., in Toronto, Ontario, Canada. He is a member of ASIS International.