BKCISOGG.RVW 20051119 "Governance Guidebook", Fred Cohen, 2005, 1-878109-34-0 %A Fred Cohen http://all.net %D 2005 %G 1-878109-34-0 %I ASP Press %O http://www.amazon.com/exec/obidos/ASIN/1878109340/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1878109340/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1878109340/robsladesin03-20 %O Audience a+ Tech 1 Writing 2 (see revfaq.htm for explanation) %P 204 p. %T "Governance Guidebook" The very short section one of the Governance Guidebook explains that it is intended for the CISO (Chief Information Security Officer) of a large concern. Which is to say that the reader should be experienced in security and the management thereof. At that point one wonders what such a work would entail: presumably such a person would already know pretty much anything you could put into a book. This introduction then goes on to detail the organization of the guidebook. Section two is an overview of the structure of a security plan or protection strategy. It also notes that the illustrations in this section of the text are very busy and cluttered, but that careful study will make the situation clearer. All of this is true. This is definitely not your standard security textbook. It is extremely demanding of the reader, but will amply repay the effort put into using the volume. And I say "using," rather than merely "reading": this is a tome that requires application. Bed- time reading it is not. This is not a primer to be read quickly in one sitting. The illustrations are dense, and so is the text, but dense with meaning and import. This is a work to be worked through, a page or even a paragraph at a time. And then, when you are finished, work through it again. If you are a CISO it won't teach you anything--but it will remind you of things, practices, and procedures that have possibly been forgotten in the press of other urgencies. This volume becomes, therefore, an aide memoire for the strategic planning of information protection. This is not to say that there are no details provided. Section three, entitled "Drill Down," provides greater depth to a number of the areas (one example is an intriguing use of the human life span to address personnel and human resources issues). The content does not deal with specific technical areas of security, but does provide a very solid overview of security management--or, if you prefer, governance. This is a handy and useful guide for those in the CISO position. It is destined to become well-thumbed, dirty, and dog-eared, over time. Those who are not yet into a CISO job will not recognize all of the value in its pages, yet. However, those who aspire to the calling would do well to get a start on learning from it. copyright Robert M. Slade, 2005 BKCISOGG.RVW 20051119