
| Subject: | [CISSP-D] REVIEW: "The CISO Handbook", Mike Gentile/Ron Collette/Tom August |
|---|---|
| Date: | Thu, 22 Jun 2006 10:47:30 -0800 |
BKCISOHB.RVW 20060520

"The CISO Handbook", Mike Gentile/Ron Collette/Tom August, 2006, 0-8493-1952-8, U$69.95/C$89.95
%A Mike Gentile
%A Ron Collette
%A Tom August
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2006
%G 0-8493-1952-8
%I Auerbach Publications
%O U$69.95/C$89.95 800-950-1216 auerbach@wgl.com orders@crcpress.com
%O http://www.amazon.com/exec/obidos/ASIN/0849319528/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0849319528/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0849319528/robsladesin03-20
%O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 322 p.
%T "The CISO Handbook: A Practical Guide to Securing Your Company"

The introduction states that there are generally two kinds of books on the security shelf--the "hack to secure" tomes and the exam preparation guides. (It may sometimes seem like the literature is restricted to those kinds of texts, although I would add a third that seems to be all too prevalent: poorly executed security management works. However, I fully sympathize with the authors' disdain for the "hacking" books, as well as their reasoning of the limited value of such manuals.) The authors also describe a standard structure for each chapter, as well as an overall design of the publication, following a fairly standard project management framework.

Chapter one covers assessment. While this may not be a big surprise to those with the slightest familiarity with project management fundamentals, the authors provide a very complete description of the information that will be useful in appraising any situation in which you may find yourself. (The writing is generally clear and easy enough to read, but the point of the examples and illustrations is not always obvious or even intelligible. In some cases it seems the desire to entertain has overwhelmed exegetical utility.) A very complete checklist is given at the end of the chapter.

Planning, in chapter two, does not fare as well. Much of the material reiterates the importance of obtaining information, or outlines organizational structures, personnel, and skills. (Rather ironically, the recommendations assume a fairly large corporation, budget, and staff, which was one of the complaints the authors made, in the introduction, about other security books.)

Design is a difficult project to nail down, but chapter three doesn't really even try. Various aspects of security management, such as policy components, promotion to the rest of the company, and security reviews, are the major substance dealt with (some of the topics multiple times).

Project management is covered in chapter four. Very detailed and complete project management, directed at creating a specific design and implementation, but applicable to any kind of project. (It is somewhat telling that the end-of-chapter checklists, which have been getting shorter, vanish entirely here.)

Since the overall thread of the book has been to move through the phases of a large project, one could expect that the title of chapter five, "Reporting," refers to a report back to management on progress or completion. Not so: marketing of security to the enterprise, which has been a thread all the way through the book, now gets a chapter all its own.

Chapter six repeats the outline of the book we received in the introduction.

A work addressed to the CISO (Chief Information Security Officer) can be expected to be primarily concerned with management issues. However, with the exception of chapter one, very little in the book could not be equally applicable to any C-level executive. (It is interesting to note that, of the references, only two deal with security; twenty-seven are business books.) Indeed, even though Charles Sennewald wrote "Effective Security Management" (cf. BKEFSCMN.RVW) for those dealing with physical security, there is more practical advice for senior information security management in it than in "The CISO Handbook."

While the authors have outlined definite structures for the chapters, these patterns are not always easy to determine or follow. I frequently found myself lost in the chapters, and while I could eventually realize where I was in the formation, the inconsistency and multiplicity of header formats certainly did not help matters any.

Still, the work does have significant value. Those who rise through the ranks of computer security frequently lack management experience and knowledge, and this addresses, in some detail, the necessary skills. Not as directly, perhaps, as Fred Cohen in the "Governance Guidebook" (cf. BKCISOGG.RVW), but usefully nonetheless.

copyright Robert M. Slade, 2006 BKCISOHB.RVW 20060520

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
This is primarily an investigative unit and I don't think we should get sidetracked into the finer details of technology. - Chief Superintendent Len Hynds, head of the UK National Hi-Tech Crime Unit
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm