BKINSEAR.RVW 20070125

"Information Security Architecture", Jan Killmeyer, 2006, 0-8493-1549-2
%A Jan Killmeyer
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2006
%G 0-8493-1549-2
%I Auerbach Publications
%O +1-800-950-1216 auerbach@wgl.com orders@crcpress.com
%O http://www.amazon.com/exec/obidos/ASIN/0849315492/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0849315492/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0849315492/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 393 p.
%T "Information Security Architecture"

The preface to the book seems to indicate an intent to provide a taxonomy of security activities under eight (mostly management related) "components": infrastructure, policy, risk assessment, training, compliance, monitoring, incident response, and business continuity. (Those who follow the development of security frameworks will notice a strong correlation to the COSO [Committee of Sponsoring Organizations of the Treadway Commission] structure.) The "Executive Summary" basically does the same thing, at greater length (concentrating on the threats to information), and seems to have been lifted from the first edition of the book with incomplete modifications: the illustrations refer to the original five components, and there is a reference to a now non-existent chapter twelve.

Chapter one, on information security architecture, defines it as the mechanism for ensuring that all users know what they are responsible for in terms of protecting resources, which would seem to put it squarely in the "design" camp. (This perspective would seem to be consistent with the statement that an architecture has "components.") The remainder of the material reinforces the idea of a managed plan for implementing security.
Infrastructure, in chapter two, is addressed primarily in terms of the roles of people within the enterprise, and a repeat (from chapter one) of several pages of text (and an illustration) outlining the security plan. The elements of a security policy, and pointers to sample constituents listed in the appendices, are given in chapter three. Aspects of risk analysis are mixed with information on assorted security controls in chapter four. Chapter five says the usual things about security awareness and training programs. Compliance, in chapter six, is primarily concerned with audits. Chapter seven lists some of the problems you may encounter in creating a security program, many of which are related to a lack of management support. A high-level overview of the structures and reports of incident response makes up chapter eight. A final admonition to manage security is given in chapter nine.

The book doesn't really talk about information security architecture. There is a general outline of the basic aspects of a security program, although the details have numerous gaps. There are a great many such general security overview texts, and therefore this volume neither addresses a specific audience nor contributes anything meaningful to the security literature.

copyright Robert M. Slade, 2007