Writing Information Security Policies (Landmark) [Paperback]

Scott Barman
5.0 out of 5 stars  See all reviews (1 customer review)
Price: 27.50 & FREE Delivery in the UK. Details

Book Description

2 Nov 2001 157870264X 978-1578702640 1

Administrators, more technically savvy than their managers, have started to secure the networks in a way they see as appropriate. When management catches up to the notion that security is important, system administrators have already altered the goals and business practices. Although they may be grateful to these people for keeping the network secure, their efforts do not account for all assets and business requirements. Finally, someone decides it is time to write a security policy. Management is told of the necessity of the policy document, and they support its development. A manager or administrator is assigned to the task and told to come up with something, and fast! Once security policies are written, they must be treated as living documents. As technology and business requirements change, the policy must be updated to reflect the new environment--at least one review per year. Additionally, policies must include provisions for security awareness and enforcement while not impeding corporate goals. This book serves as a guide to writing and maintaining these all-important security policies.



Product details

  • Paperback: 240 pages
  • Publisher: Sams; 1 edition (2 Nov 2001)
  • Language: English
  • ISBN-10: 157870264X
  • ISBN-13: 978-1578702640
  • Product Dimensions: 1.3 x 17.8 x 22.5 cm
  • Average Customer Review: 5.0 out of 5 stars  See all reviews (1 customer review)
  • Amazon Bestsellers Rank: 275,663 in Books (See Top 100 in Books)

Product Description


About the Author

Scott Barman is currently an Information Security and Systems Architecture Analyst for The MITRE Corporation (http://www.mitre.org). He has been involved with information security for almost 20 years, nurturing the evolution of systems and their security requirements for commercial organizations and government agencies. Since the explosion of the Internet and prior to joining MITRE, he had focused on various areas of security and policy development for many organizations in the Washington, D.C. area. The inspiration for this book came from his SANS '99 presentation. He earned his undergraduate degree from the University of Georgia and a Masters of Information Systems Management from Carnegie Mellon University (http://www.mism.cmu.edu).

The reviewers contributed their considerable hands-on expertise to the entire development process for Writing Information Security Policies. As the book was being written, these dedicated professionals reviewed all the material for technical content, organization, and flow. Their feedback was critical to ensuring that Writing Information Security Policies fits our reader's need for the highest-quality technical information.

David Neilan has been working in the computer/network industry for over 10 years, the last six dealing primarily with network/Internet connectivity and security. From 1991 to 1995, he worked for Intergraph, dealing with graphics systems and networking. From 1995 to 1998, he was with Digital Equipment, working with DEC firewalls and network security. From 1998 to 2000, he was with Online Business Systems, doing LAN/WAN and Internet security. David is currently running a business, Security Technologies, in the network/security realm; he is working with local companies to enable and secure their networks. He is designing network infrastructures to support secure LAN/WAN connectivity for various companies utilizing Microsoft 2000 and Cisco products and the Internet to create secure Virtual Private Networks. David also has been beta testing Microsoft operating systems since Windows For Workgroups, WFW3.11, and has worked part-time as a technical editor on many Microsoft/networking/security books.

Larry Paccone is a Principal National/Systems Security Analyst at Logicon/TASC. As both a technical lead and project manager, he has worked in the Internet and network/systems security arena for more than eight years. He has been the technical lead for several network security projects supporting a government network/systems security research and development laboratory. Prior to that, Larry worked for five years at The Analytical Sciences Corporation (TASC) as a national security analyst assessing conventional military force structures. He has an M.S. in Information Systems, an M.A. in International Relations, and a B.A. in Political Science. He also has completed eight professional certifications in network and systems security, internetworking, wide area networking, Cisco routing/switching, and Windows NT.


Customer Reviews

Most Helpful Customer Reviews
5.0 out of 5 stars All IT Security Specialists should buy this. 21 Mar 2011
Format:Paperback|Verified Purchase
Working in IT Security, it is important to be able to write accurate and meaningful policies. This can be hard without guidance but luckily this book really helps. It describes how you should write policies on items such as Physical Security, Email Security and others. This book has really saved my life and thanks to it, my policies at work now make sense.
Most Helpful Customer Reviews on Amazon.com (beta)
Amazon.com: 4.5 out of 5 stars  11 reviews
25 of 26 people found the following review helpful
4.0 out of 5 stars Not thorough or rigorous, but a good set of secpol topics 20 July 2002
By Jeff McNeill - Published on Amazon.com
Format:Paperback
Security policies are not security, and will not provide any protection. However, as the well-known formulation has it: security is a process. An organization does not "have" security, rather they participate in the process of security. Barnum explains that security policies are a component of the planning aspect of the security process, and as such can provide three advantages. The first is to insure security interoperability across an organization. The second advantage is the visibility given to the policy by management's participation in it, which provides a greater impetus for implementation. The third is to mitigate liability, presumably by the legal value of the policy, and the advantages to security that a policy-driven approach proves. Another reason mentioned is that for some organizations, policy documentation is needed for iso900x compliance. Unstated is the assumption that a security policy might result in greater security. After all, even with all the other purported advantages, a security policy is presumptively about making security better.
At 216 pages, "Writing Information Security Policies" seems just the right size to touch all the bases, but not enough for a home run in the subject area. Good worklike effort, but the diversity of subject matter, and a lack of focus and internal theoretical structure robs the work of providing insightful organizational direction, though it still pays dividends, and is ultimately very worth reading.
The book is divided into three sections. The first is titled "Starting the policy process," and includes such issues as policy needs and roles and responsibilities in the policy process. The second section is writing the security policies in the topical areas. The third is on maintaining policies, including acceptable use and compliance and enforcement. In the first section, the discussion includes such items as:
1. Identification of assets
2. Data security
3. Backups and archives
4. Intellectual property rights
5. Incident response and forensics
It is clear from these topics that though the title of the book is Information Security Policies, a more accurate one might be Information and Communication Technology Security Policies, as it is networks and software systems which are the focus throughout.
As far as real-world recommendations and a more serious framework for security policies at highly secured organizations, the reader will have to search elsewhere. However, this book amply suits the need for a series of more conversational approaches to a variety of ICT security policies and subject areas. Also of use are the distinctions between policy, procedure, and implementation, found scattered throughout this book, though unfortunately not strictly adhered to. And though the sample administrative policies found in the appendix are nowhere complete, there are helpful policy formulations throughout. In the second section, the seven major areas of discussion that offer the heart of the book are more of a topical arrangement, than any hierarchical or conceptual approach. They include security policy concerned with the following subject areas:
1. Physical
2. Authentication and network
3. Internet
4. Email
5. Viruses, worms, and Trojan horses
6. Encryption
7. Software development
There is enough that is badly worded and poorly organized in the book, but it is of real benefit--both on its own merits, and because there is little information of this kind available to practitioners and those managers who might want something that is more than a simple set of forms, but is less than a week-long course in security policy.
18 of 18 people found the following review helpful
5.0 out of 5 stars Get it (now read why) 31 Jan 2002
By Ed - Published on Amazon.com
Format:Paperback
It is difficult to find a book on security or a security consultant which wouldn't tell you that an information security policy is a mandatory requirement for any security-conscious organization. However it is even more difficult to write a meaningful and working security policy document which makes sense or to find someone qualified to do that from both business and technical viewpoints. While Scott Barman's book doesn't help you with finding qualified staff or consultants, it can help you become one. In about 200 pages the author manages to explain the need for information security policies, tells you how to approach this animal and shows how to define and write policies. There are not many technical details in this book - and that's the best part of it. Technical details change very often; good business and security practices don't. With this book the author starts at the very beginning ("Why do I need a security policy?") and goes on to actually helping you write one for your organization, system, or network. With sample policies which you can use, and with a good index of resources in the appendix this book is a good choice if you need to understand and/or define information security policies.
12 of 12 people found the following review helpful
5.0 out of 5 stars Brings best practices to small companies 5 July 2002
By Mike Tarrani - Published on Amazon.com
Format:Paperback
What makes this book an important addition to the IT security body of knowledge is that it makes a case for, and shows how to, create and implement IT security policies in small-to-medium enterprises.
The book itself is a short, somewhat superficial, treatment of IT security policies. It has strengths and weaknesses:
STRENGTHS: It makes a compelling business case for having IT security policies, then leads you through the creation of the more common ones. This material is augmented by the book's accompanying web site that provides all of the sample policies in Appendix C in HTML format (most modern word processing programs, such as MS Word can convert this to their native format without losing any of the embedded styles). Note that the URL given in the book has changed, but it is still active and automatically redirects you to the new URL.
In addition, the book touches on important topics that you may not think of if you're attempting to develop policies on your own. For example, intellectual property rights, law enforcement issues and forensics. These are touched upon, but will raise your awareness of their importance.
WEAKNESSES: The actual development and maintenance of policies is almost an afterthought. Moreover, I thought that a structured approach to threat and vulnerability assessments should have been covered (to be fair, the author discusses major threats on practically every page). I also felt that the policies should have been linked to processes, which is the hallmark of a well written policy, and the importance of clearly defining roles and responsibilities should have been highlighted. I recommend that readers also get a copy of Steve Page's "Achieving 100% Compliance of Policies and Procedures" (ISBN 1929065493) to supplement this book. Page's book is focused solely on policies and procedures development, and will fill in the gaps left in this book.
Overall, this book deserves recognition for raising awareness of the importance of IT security policies to small companies. It also deserves credit for sticking to the fundamentals (cited weaknesses notwithstanding), without overwhelming small enterprise IT professionals who are probably wearing many hats besides IT security. For that audience this book shows the way, and earns my praise.
7 of 7 people found the following review helpful
5.0 out of 5 stars The right book at the right time 4 Jun 2002
By J. Robinson - Published on Amazon.com
Format:Paperback
Network administration is only 10% of my job, which means the task of creating a security policy for our 40-user systems integration company needed to take a proportional amount of my time and energy. This book provides a lot of helpful examples, and really gives you what you need to get started. The length is appropriate, the language fits both technical and non-technical audiences, and the organization makes sense. It has definitely saved me considerable time and energy.
2 of 2 people found the following review helpful
4.0 out of 5 stars Good advice on filling a modern necessity 8 Dec 2001
By Charles Ashbacher - Published on Amazon.com
Format:Paperback
Like so many IT workers, I chafed under standards when I was a developer. The pressure to create the code as fast as possible seemed to leave little time for neatness or written explanations of what was done. However, not all of that was my fault. Given the time frame for development, reading standards and writing to them simply meant more overtime, which gave me the excuse to delay or ignore them.
The same thing applies to security standards, as to most developers; they seem to be the product of a paranoid mind. Well, like all things, even paranoia has its uses, as the events of September 11 in New York made obvious. It is to the benefit of both management and workers to write detailed security policies and then mandate that they be followed. No one knows what value company secrets may have and as the disclosures of people searching the garbage at Microsoft for company secrets point out, a casual reference or slip of paper can be worth millions.
The contents of this book fall into the category of obvious, yet often neglected necessities. Many companies have nebulous, piecemeal policies that allow so much latitude that they are essentially worthless. The value of writing policies that are both practically and legally enforceable gives everyone clear guidelines for their behavior. Which is really all anyone can ask for. When policies are set and clearly noted as being mandatory, people naturally have initial objections. However, after some time and they realize the degree of protection they provide, everyone realizes that they are better off with them.
Barman sets down the reasons for such policies and the value that they provide. He also gives many examples of policies that have been effectively used and covers most of the situations that arise on a daily basis. My free spirit attitude was altered by the soundness of his arguments in favor of putting realistic restrictions on how information is stored and moved from point to point. This is one of those books that should be in the back pocket of any manager who really wants to cover that part of their anatomy.