Security policies are not security, and will not provide any protection. However, as the well-known formulation has it: security is a process. An organization does not "have" security, rather they participate in the process of security. Barnum explains that security policies are a component of the planning aspect of the security process, and as such can provide three advantages. The first is to insure security interoperability across an organization. The second advantage is the visibility given to the policy by management's participation in it, which provides a greater impetus for implementation. The third is to mitigate liability, presumably by the legal value of the policy, and the advantages to security that a policy-driven approach proves. Another reason mentioned is that for some organizations, policy documentation is needed for iso900x compliance. Unstated is the assumption that a security policy might result in greater security. After all, even with all the other purported advantages, a security policy is presumptively about making security better.
At 216 pages, "Writing Information Security Policies" seems just the right size to touch all the bases, but not enough for a home run in the subject area. Good worklike effort, but the diversity of subject matter, and a lack of focus and internal theoretical structure robs the work of providing insightful organizational direction, though it still pays dividends, and is ultimately very worth reading.
The book is divided into three sections. The first is titled "Starting the policy process," and includes such issues as policy needs and roles and responsibilities in the policy process. The second section is writing the security policies in the topical areas. The third is on maintaining policies, including acceptable use and compliance and enforcement. In the first section, the discussion includes such items as:
1. Identification of assets
2. Data security
3. Backups and archives
4. Intellectual property rights
5. Incident response and forensics
It is clear from these topics that though the title of the book is Information Security Policies, a more accurate one might be Information and Communication Technology Security Policies, as it is networks and software systems which are the focus throughout.
As far as real-world recommendations and a more serious framework for security policies at highly secured organizations, the reader will have to search elsewhere. However, this book amply suits the need for a series of more conversational approaches to a variety of ICT security policies and subject areas. Also of use are the distinctions between policy, procedure, and implementation, found scattered throughout this book, though unfortunately not strictly adhered to. And though the sample administrative policies found in the appendix are nowhere complete, there are helpful policy formulations throughout. In the second section, the seven major areas of discussion that offer the heart of the book are more of a topical arrangement, than any hierarchical or conceptual approach. They include security policy concerned with the following subject areas:
2. Authentication and network
5. Viruses, worms, and Trojan horses
7. Software development
There is enough that is badly worded and poorly organized in the book, but it is of real benefit--both on its own merits, and because there is little information of this kind available to practitioners and those managers who might want something that is more than a simple set of forms, but is less than a week-long course in security policy.