Book details of 'Security Assessment: Case Studies for Implementing the NSA IAM'

Title: Security Assessment: Case Studies for Implementing the NSA IAM
Author(s): Russ Rogers, Greg Miles, Ed Fuller, Ted Dykstra
ISBN: 1932266968
Language: English
Published: January 2004
Publisher: Syngress
The Virtual Bookcase Reviews of 'Security Assessment: Case Studies for Implementing the NSA IAM':

Reviewer Rob Slade wrote:
The introduction tries to explain the NSA (National Security Agency) IAM (Information Assurance Methodology), but is so heavily larded with (management) buzzwords that no clear concept emerges. The indications are that the book is primarily aimed at those who have taken one of the IAM courses, although there is an explicit statement that the material can be used by untrained professionals and also by the "customers" who are undergoing an assessment. Chapter one describes IAM in words that make it seem very similar to such tools as CoBIT (ISACA's Control Objectives for Information Technology tool), ISO 17799, and the NIST (the US National Institute of Standards and Technology) self-assessment guide. However, almost all of the chapter is devoted to a promotion of sharp negotiation of the scope of an IAM contract, from the vendor perspective. Chapter two reiterates the need to control customer expectations and define contract objectives. (There is more jargon, and also the use of idiosyncratic and undefined acronyms like PASV [Pre-Assessment Site Visit].) The Organizational Information Criticality Matrix (OICM) described in chapter three is a kind of simplistic business impact analysis. In chapter four, system information criticality and the System Criticality Matrix (SCM) are said to be more detailed than the OICM. Defining system boundaries is acknowledged to be difficult, but neither the explanation nor the examples used are of any help in clarifying the issue. Both the text and the tables used in the "case study" are extremely confusing in regard to the relation between entries in the OICM and the SCM. The system security environment, described in chapter five, is what most people would know as corporate culture: the general attitudes and behaviours common to an institution. The book suggests finding and using the CONOPS (concept of operations) documentation while admitting that it may not be found in most commercial enterprises. 
(The authors don't explain that this is basically identical to the common policy and procedures manuals, although they do eventually get around to mentioning these texts.) The TAP (Technical Assessment Plan) is actually just a specific format for a detailed contract, so we have to go through all of that type of editorial comment again, without really getting much information about the recommended TAP structure. Chapter seven involves the assessment itself, and generally deals with administrative details--and making sure that the customer does not modify the scope of the contract. The eighteen basic information security models get listed, although this seems to be almost an afterthought, rather than the core of the IAM itself. Findings, the report of the assessment results, are described in chapter eight. A sixteen-page example does little more than provide a format. The close-out report, in chapter nine, is a final sales meeting with the customer. The final report is given in a different, and more general, format in chapter ten. Cleanup work and follow-up sales of consulting are discussed in chapter eleven. The constant repetition of very basic ideas and the turgid and buzzword-laden text make this work far longer than is justified by the information provided. In addition, the extreme emphasis on the viewpoint of a vendor trying to sell a contract (and protect himself from doing any unbillable work) is a severe limitation on the audience for this tome. Essential components of the IAM model and process do not seem to hold any central place in the book, and the reader discovers them almost by accident, and in spite of the writing rather than because of it. copyright Robert M. Slade, 2004

Book description:

The National Security Agency's INFOSEC Assessment Methodology (IAM) provides guidelines for performing an analysis of how information is handled within an organization: looking at the systems that store, transfer, and process information. It also analyzes the impact to an organization if there is a loss of integrity, confidentiality, or availability. This book shows how to do a complete security assessment based on the NSA's guidelines. It focuses on providing a detailed organizational information technology security assessment using case studies. The methodology used for the assessment is based on the National Security Agency's (NSA) INFOSEC Assessment Methodology (IAM). Examples are given dealing with military organizations, medical issues, and critical infrastructure (power generation, etc.). The book is intended to provide an educational and entertaining analysis of an organization, showing the steps of the assessment and the challenges faced during it. It also provides examples, sample templates, and sample deliverables that readers can take with them to help them be better prepared and make the methodology easier to implement.

The Virtual Bookcase is created and maintained by Koos van den Hout. Contact e-mail webmaster@virtualbookcase.com.
Copyright © 2000-2008 Koos van den Hout / The Virtual Bookcase