Thursday, 30 July 2009

Book Review: Computer Security

Computer Security
20 Things Every Employee Should Know
The Employee Handbook for Securing the Workplace

by Ben Rothke, CISSP
Paperback: 48 pages
Publisher: McGraw-Hill Osborne; 2nd Ed.
ISBN-10: 0072262826
ISBN-13: 978-0072262827

Rothke has assembled a wealth of good advice, guidance, rules, cautions and precautions, from over 15 years of experience in the fields of security and privacy of information systems, and done a very good job of distilling this into his mostly excellent little book. The Second Edition includes information about the latest trends in:
  • phishing and spyware
  • identity theft
  • viruses and malware
  • remote access threats
  • instant messaging
  • handheld devices
  • social engineering tactics
...all of this while retaining its healthy focus on good practice and common sense, as well as the necessity of getting everyone in the enterprise "on-board" with the corporate security strategy - the essential backbone of the various interconnected policies, physical infrastructure, and human interfaces.

In the introductory chapter, Mr Rothke describes how an effective security policy is based on the three "fundamental security principles" of Confidentiality, Integrity, and Availability - traditionally presented in this slightly illogical order so as to facilitate the use of the acronym, "CIA". This device, of rounding off your message with three bullets, is used effectively throughout the rest of the piece, helping digestion.

There is a lot to recommend the presentation of the material in this form. Perhaps one American reviewer is right, who suggests buying this slim volume "by the boxload". On the other hand, it's difficult to ignore the fact, evidenced by the "Real Name" badge, that said reviewer just happens to be called "Joy Rothke"!

Certainly this is an easy, quick and rewarding read. If you are responsible for your corporate network security, it might be just the ticket to get people signing up to your strategy, taking responsibility for their online and other related activities. It reads well, presents a shedload of familiar scenarios, some amusing, some cringeworthy. Most importantly, it is written in plain and easily understood language, refreshingly clear of management speak.

Having said that, there is also a sense among certain writers that "Lists can be lazy journalism", and in this book there does appear to have been a bit of stretching here, a bit of padding there, just to deform the content into 20 similarly formatted, self-contained, 2-page chapters, each ending with three bullet points and a "quote". While the bullets often echo those from earlier chapters, most of the "quotes" are unattributed - presumably these are the author's own; they just restate the chapter heading as a sound bite.

One last niggle: surely the introductory statement, "The importance of a security strategy cannot be underestimated", should have been corrected by now? Please Mr Rothke, let's have "overestimated", or better still "overstated", in the Third Edition.

Amusingly, the listing for the First Edition gives every appearance of a well-hacked site, the author being listed variously as "Ben Rothke", "Samuele Ghelfi", and "Kathy Ivens". Laugh? I nearly did!

Computer Security: 20 Things Every Employee Should Know - available now at a coffee table near you.

1 comment:

Hello:
I found this while Googling myself. Ben is my brother, but I also think his book is very useful--and I represent the left-brained side of the family.