BKSEBUIN.RVW 20020916 "Securing Business Information", F. Christian Byrnes/Dale Kutnick, 2002, 0-201-76735-X, U$39.99/C$59.95 %A F. Christian Byrnes %A Dale Kutnick %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2002 %G 0-201-76735-X %I Addison-Wesley Publishing Co. %O U$39.99/C$59.95 416-447-5101 fax: 416-443-0948 %O http://www.amazon.com/exec/obidos/ASIN/020176735X/robsladesinterne %P 237 p. %T "Securing Business Information: Strategies to Protect the Enterprise and Its Network" The preface addresses how to keep data secure in a distributed environment. Chapter one tells us that the first thing to do is prepare the organization for changes, then that the first thing to do is to write a policy, then that the first thing to do is get a strong base of support among the executives, then that the first thing to do is market the idea to executives and users, then that the first thing to do is to build an effective organizational structure. The material meanders through a kind of utopian view of what a mission statement and organization chart should be before settling into a promotion of political and marketing campaign strategies to sell security to the executives. The asset identification portion of risk analysis is covered in chapter two. A multi-dimensional and not-quite-orthogonal set of domains for classifying resources is overly complex, but may help you to identify holdings that are generally unregarded. At first chapter three seems to be proceeding with risk analysis, but then it veers into policies (if you consider benchmarks equivalent to policies). Similarly, chapter four seems to start out with risk analysis, and then moves to safeguards, and then moves into business impact analysis. Risk analysis *finally* gets a (somewhat incomplete) explanation in chapter five, which then moves on to cost/benefit analysis, then cultural (political) considerations. Chapter six suggests that you rank, select, and market the necessary projects identified by the analysis. Small companies may wish to shorten the process by doing the above four times over, states chapter seven. Chapter eight recommends having a strategy for changing technology. A grab bag of security technologies is in chapter nine, which is particularly poor in regard to viruses. Chapter ten provides two fictional "case studies," and eleven lists the followup projects from them. Role-based access control is promoted in chapter twelve, while chapter thirteen does the same for "single sign-on." "Pitiful" is the only word that can be used to describe the bibliography. Yet another book that attempts to provide a quick review of all of security--and fails. copyright Robert M. Slade, 2002 BKSEBUIN.RVW 20020916