BKSCRAHB.RVW   20060919

"The Security Risk Assessment Handbook", Douglas J. Landoll, 2006,
0-8493-2998-1
%A   Douglas J. Landoll
%C   920 Mercer Street, Windsor, ON N9A 7C2
%D   2006
%G   0-8493-2998-1
%I   Auerbach Publications
%O   +1-800-950-1216 auerbach@wgl.com orders@crcpress.com
%O   http://www.amazon.com/exec/obidos/ASIN/0849329981/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0849329981/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0849329981/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   473 p.
%T   "The Security Risk Assessment Handbook"

Chapter one is an introduction. Landoll's text is initially rather preachy and biased. The first couple of sections appear to take the position that industry has failed in its responsibility to secure information systems, and therefore (the United States federal) government has had to take charge. He then lists (although does not describe in any detail) various security frameworks and guidelines, and argues that, simply on the basis of a lack of congruence between these documents, "best practices" are a myth. His conclusion, that risk-based security planning is better, seems oddly gleeful in the context of such an otherwise dour piece of writing. Unfortunately, the author does not seem to do any better with risk-based security planning, right off the top. We are told (on page four) that "the establishment of an information security program is not the topic of this book. The topic of this book is how to perform and review an information security program," which statement(s) must surely rank highly in terms of self-contradiction and confusion. Were the reader to quit after this inauspicious, muddled, and verbose beginning, however, it would be to miss a work of some value. Within pages, Landoll clarifies the rationale for, and types of, risk assessment, as well as explaining the purpose of this volume in light of other existing assessment tools and documents. (To his credit, where other authors tend to denigrate alternative references, Landoll notes their respective strengths, and then states the extension that his book provides.)

It is frustrating to attempt a single assessment of the book. The text has value, but also annoyances.

Chapter two provides a useful guide to the basic components of the risk assessment process (which forms the structure for much of the rest of the book). At the same time, where Landoll has been using the business-oriented breakdown of control types (into administrative, technical, and physical), when discussing safeguards he suddenly switches to the categories of preventive, detective, corrective, et cetera, that are more familiar to those in the government and military. (Interestingly, for someone from a strongly governmental background, Landoll does not fill out the list with recovery, compensating, deterrent, and directive.) In addition, when reviewing the concept of residual risk, two new terms of "static" and "dynamic" risk are introduced. Although the terms are poorly defined, "static" seems simply to refer to residual risk, while "dynamic" appears to mean nothing more than risk itself. Therefore, these two new entries provide no distinct value to the discourse, and only serve to confuse the issues.

Again, chapter three covers the vital topic of the definition of objectives and scope of a risk assessment project. When discussing the "customer" for a review, "Risk Assessment Method" and "Objective Review" seem to be presented as potential clients. While the question of quality of work would certainly appear to be a legitimate concern in dealing with project extent, Landoll includes a great deal of material relevant only to the final report, such as grammatical correctness and visually pleasing presentation. On the other hand, there is a good deal of very practical content addressing issues of realistic scope and reasonable budgeting.

The preparation phase is covered in chapter four, dealing both with practical issues such as letters of introduction, more esoteric concerns of system and asset criticality, and also reviewing a number of methodologies and approaches to risk assessment (although primarily at a conceptual level).

Chapter five starts a string of chapters on various types of data collection. It leads off with general discussions on the topic, examining questions of sampling and related issues. (Landoll is not always careful about explaining terms before starting to use them: neither the index nor any part of the text notes that the RIIOT method, which is used extensively in the chapter, is merely an acronym for the phases of review, interview, inspect, observe, and test.)

The gathering of data on administrative safeguards, in chapter six, has good checklists of items to assess, and uses the RIIOT format to structure the areas and phases of the elements to consider. (There is a rather odd reluctance to discuss policy, and an even stranger overemphasis on two-man controls.)

Moving into technical countermeasures, chapter seven starts off with a section on attacks and controls. There are very odd errors in the text: the distinction between SPAM (the Hormel food product) and spam (bulk unsolicited commercial or fraudulent messages) may be subtle, but every security specialist should know it, and yet Landoll uses SPAM throughout. The section on antivirus protection is weak, cross-references are spotty, and Landoll uses an old (and generally abandoned) type of firewall (session-level, which is an amalgamation of stateful and circuit-level proxy). Intriguingly, authentication is not addressed with technical controls, but (rather weakly) with physical protection, in chapter eight.

Most of the discussion of physical security outlines particular safeguards, and there is little deliberation on risk assessment or the factors that can influence it. (For example, various power supply alternatives are discussed, including the rather esoteric flywheel generator, but the idea of requesting information from the utility on past power outages doesn't seem to have occurred to the author.)

Chapter nine does turn to security risk analysis, briefly, but with some helpful pointers for the evaluation process. Risk mitigation, in chapter ten, looks rather tersely at choice of controls, and does an oddly complicated review of cost/benefit analysis. Styles for different types of reports resulting from risk assessment are outlined in chapter eleven. Chapter twelve presents a fairly standard look at project management (with extra emphasis on reporting). Chapter thirteen lists, but does not adequately describe, various risk assessment methodologies.

Despite the weaknesses, oddities, and gaps in the book, it does provide a decent overall guide, and some very useful practical suggestions. It is not quite complete in all areas, and therefore likely unsuitable as the sole source of advice on the risk assessment process for the novice, although the newcomer would not go far wrong in following the counsel of this work. The experienced security or risk assessment professional will still find valuable recommendations and advice. For anyone in the security or risk analysis field, the book is well worth considering.

copyright Robert M. Slade, 2006