BKOSINSC.RVW 20041210 "Outsourcing Information Security", C. Warren Axelrod, 2004, 1-58053-531-3, U$85.00/C$119.50 %A C. Warren Axelrod %C 685 Canton St., Norwood, MA 02062 %D 2004 %G 1-58053-531-3 %I Artech House/Horizon %O U$85.00/C$119.50 800-225-9977 artech@artech-house.com %O http://www.amazon.com/exec/obidos/ASIN/1580535313/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580535313/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580535313/robsladesin03-20 %O tl a rl 1 tc 1 ta 3 tv 2 wq 2 %P 248 p. %T "Outsourcing Information Security" The author states that he intends to raise issues involved in outsourcing security in such as way that those working through the process will not neglect important areas of concern. Chapter one reviews reasons for outsourcing. Lists of threats and vulnerabilities, in general, are given in chapter two. Costs are examined in chapter three, as a basic discussion of justification for outsourcing. Chapter four looks at risks that might be associated with outsourcing. Various types of costs, such as intangible, subjective, and indirect, are contemplated in chapter five, and costs related to different stages of the evaluation process in chapter six. Chapter seven investigates a number of issues surrounding the development of requirements for system or project development. The first chapter that actually seems to talk in detail about security outsourcing, rather than just outsourcing itself, is chapter eight, which goes through the ten domains of the CISSP (Certified Information Systems Security Professional) CBK (Common Body of Knowledge) (and some subdomains), determining which of them are particularly appropriate for outsourcing, and which are not. Chapter nine outlines the outsourcing process as a sequence of steps. Axelrod has provided a very solid and useful framework for dealing with the many areas that need to be considered if outsourcing is sought. Very little is directly relevant to the security function itself, but that may simply expand the market for the book. It is probably futile to expect that any more guidance could have been provided, since the possiblities are so immense, but the summary given here still leaves the potential outsourcer with an enormous amount of work to do. copyright Robert M. Slade, 2004 BKOSINSC.RVW 20041210