by Scott Barman, New Riders, 2001
Barman has done a wonderful job of writing a succinct book that addresses all the vital areas where security policies are required in an organization. The book explores the various caveats of information technology (physical security, authentication and network security, Internet, encryption, etc.) and concisely details appropriate policies for each technology domain. Security policies are typically not exciting reading, but Barman spices up the text with many real-world scenarios from his experience in the field.
Barman starts on the right foot when he advocates performing a risk assessment and audit. He notes that a risk assessment is crucial to an effective information security infrastructure, and the only way to understand your infrastructure is to perform a full risk assessment and audit. By performing the assessment, information security policy writers can obtain a greater understanding of the reach of information technology within their organization.
At fewer than 200 pages, Writing Information Security Policies is a concise work that will provide valuable assistance to anyone starting information security policy endeavors. The only thing missing is a CD-ROM or companion Web site from which to download many of the well-written policy texts in the book. Aside from that omission, the book is a great way to jump-start an information security policy initiative and should be required reading for anyone who wants to ensure real security in their company.