The Virtual Bookcase Reviews of 'Information Security: Protecting the Global Enterprise':
Reviewer Rob Slade wrote:
It takes quite a while to figure out what Pipkin is trying to do in
this book. Ultimately, there is coverage of some of the important
basic concepts involved in information security. However, the text as
a whole is both confused and confusing.
The prologue tells us that business is changing and chaotic, and that
information is of prime importance. The introduction takes a quick
run through a few of the basic security concepts, with an emphasis on
business continuity planning.
Phase one of the book is entitled "Inspection," but the prologue lists
some items of concern in risk analysis. Chapter one, called "Resource
Inventory," is concerned with data classification. It touches on, but
does not really discuss, the orthogonal nature of classification
schemes when confidentiality, availability, and integrity must be
considered. The material is sparse, and, while there are some
indications of forward references to later chapters, those chapters do
not get down to practical details either. Chapters two to six begin
to examine the concepts of threats (concentrating, very poorly, on
malicious software), loss analysis (many examples, little of
substance), vulnerabilities, safeguards, and assessment.
Phase two, on protection, seems to be trying to expand chapter five,
but really just repeats prior material. Concepts touched on include
access, identification, authentication, authorization, and
accountability. Mixed in are the not-quite-related topics of
availability, accuracy, confidentiality, and administration.
Phase three looks at intrusion detection, with chapters on intrusion
types, methods, process, and detection methods. It isn't very useful.
Phase four reviews incident response, but rather vaguely.
Phase five concerns the post-mortem reflection. The chapter on
documentation has some useful material on the contents of after-action
reports, but the rest of the content is unfocussed and generic.
It is not quite true to say that the book is unstructured: it has a
structure, but either does not follow it, or does not usefully employ
it. Those without a security background will find it hard to build a
useful or working framework from the material in this book. Those
with such a background will eventually find that the parts of the book
do fit neatly, if not logically, into the common framework. However,
those with such a background will have no need for this work.
copyright Robert M. Slade, 2002