BKSACSNI.RVW 20040721 "Security Assessment", Greg Miles et al, 2004, 1-932266-96-8, U$69.95/C$89.95 %A Greg Miles gmiles@securityhorizon.com %A Russ Rogers rrogers@securityhorizon.com %A Ed Fuller %A Matthew Paul Hoagberg %A Ted Dykstra %C 800 Hingham Street, Rockland, MA 02370 %D 2004 %G 1-932266-96-8 %I Syngress Media, Inc. %O U$69.95/C$89.95 781-681-5151 fax: 781-681-3585 www.syngress.com %O http://www.amazon.com/exec/obidos/ASIN/1932266968/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1932266968/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1932266968/robsladesin03-20 %P 429 p. %T "Security Assessment: Case Studies for Implementing the NSA IAM" The introduction tries to explain the NSA (National Security Agency) IAM (Information Assurance Methodology), but is so heavily larded with (management) buzzwords that no clear concept emerges. The indications are that the book is primarily aimed at those who have taken one of the IAM courses, although there is an explicit statement that the material can be used by untrained professionals and also by the "customers" who are undergoing an assessment. Chapter one describes IAM in words that make it seem very similar to such tools as CoBIT (ISACA's Control Objectives for Information Technology tool), ISO 17799, and the NIST (the US National Institute of Standards and Technology) self-assessment guide. However, almost all of the chapter is devoted to a promotion of sharp negotiation of the scope of an IAM contract, from the vendor perspective. Chapter two reiterates the need to control customer expectations and define contract objectives. (There is more jargon, and also the use of idiosyncratic and undefined acronyms like PASV [Pre-Assessment Site Visit].) The Organizational Information Criticality Matrix (OICM) described in chapter three is a kind of simplistic business impact analysis. In chapter four, system information criticality and the System Criticality Matrix (SCM) are said to be more detailed than the OICM. Defining system boundaries is acknowledged to be difficult, but neither the explanation nor the examples used are of any help in clarifying the issue. Both the text and the tables used in the "case study" are extremely confusing in regard to the relation between entries in the OICM and the SCM. The system security environment, described in chapter five, is what most people would know as corporate culture: the general attitudes and behaviours common to an institution. The book suggests finding and using the CONOPS (concept of operations) documentation while admitting that it may not be found in most commercial enterprises. (The authors don't explain that this is basically identical to the common policy and procedures manuals, although they do eventually get around to mentioning these texts.) The TAP (Technical Assessment Plan) is actually just a specific format for a detailed contract, so we have to go through all of that type of editorial comment again, without really getting much information about the recommended TAP structure. Chapter seven involves the assessment itself, and generally deals with administrative details--and making sure that the customer does not modify the scope of the contract. The eighteen basic information security models get listed, although this seems to be almost an afterthought, rather than the core of the IAM itself. Findings, the report of the assessment results, are described in chapter eight. A sixteen page example does little more than provide a format. The close out report, in chapter nine, is a final sales meeting with the customer. The final report is given in a different, and more general, format in chapter ten. Cleanup work and followup sales of consulting are discussed in chapter eleven. The constant repetition of very basic ideas and the turgid and buzzword-laden text make this work far longer than is justified by the information provided. In addition, the extreme emphasis on the viewpoint of a vendor trying to sell a contract (and protect himself from doing any unbillable work) is a severe limitation on the audience for this tome. Essential components of the IAM model and process do not seem to hold any central place in the book, and the reader discovers them almost by accident, and despite of the writing rather than because of it. copyright Robert M. Slade, 2004 BKSACSNI.RVW 20040721