Computing Reviews
Building a comprehensive IT security program : practical guidelines and best practices
Wittkop J., Apress, New York, NY, 2016. 195 pp. Type: Book (978-1-484220-52-8)
Date Reviewed: May 23 2017

Security is similar to insurance. One buys insurance as a hedge against a severe, unexpected event. One buys a security system or implements a security program for the same reason. People have implemented security programs since recorded history began, and probably before that. In today’s world, the most recent frontier is the Internet. When networks began to be used by increasingly large numbers of people in the 1980s, there was no malware in existence. The primary concern was someone gaining access to information via physical means or wiretaps. The growth of the Internet and widely distributed processing power led bad actors to develop malicious software, initially viruses and worms that simply penetrated networks to show off or to cause damage. With the growth of the Internet’s importance and connection to it by major corporations, especially those doing financial transactions, the bad actors increased in sophistication, developing malware to invade organizations to destroy or steal data, or to take systems hostage by encrypting the target’s data and then demanding ransom to free it. Even though these developments were advancing, many companies viewed IT security as being of lesser importance: a real, ongoing overhead cost for something that might not happen. In other words, they did not model the monetary exposure and level of risk of a cyber-attack, both necessary inputs to deciding what to implement. The result would be partially effective defenses. Companies such as Target, eBay, and others learned, to their chagrin, what could happen when they were attacked and data belonging to them or their customers were stolen.

The author points out, in a book full of common sense based on his extensive work in the area, that security, including IT security, is a business problem, not just one of technology, and that security practices must be integrated with business processes to be effective. He notes that people are often the weakest link in a security system, either through ignorance of proper practices, or when they bypass a security process because it is inconvenient to use, or because a skilled agent persuades someone to divulge information that permits access, such as a password, or because someone clicks a link that lets bad software enter the corporate network.

The book methodically lays out the problem and solutions. Beginning with the need to protect critical assets, the author proceeds to describe a model for assessing the cost of a security failure. He then addresses, as noted earlier, why security must be integrated with business processes and incident response planning. He also examines how people contribute to security failures, how to make processes work by assigning accountability, and the move to a new paradigm, for example, proactive instead of reactive security. The author’s frustration with the present situation being quite apparent, the book concludes with newly available approaches, such as collaboration both among companies and with governments.

This is an excellent book that covers all of the relevant topics needed for implementing a successful security program. The author clearly understands both security and business issues and explains the need for senior management involvement and how a security process must complement the overall business process. Numerous examples of actual attacks and their effects very well illustrate the concepts presented. The writing is clear and readable for nontechnical people. I highly recommend it to anyone interested in cyber security.


Reviewer: G. R. Mayforth. Review #: CR145289 (1708-0529)

Categories: Security and Protection (K.6.5); Business (J.1); Security (K.4.4)
Reproduction in whole or in part without permission is prohibited. Copyright 1999-2024 ThinkLoud®