REVIEW: "Governance Guidebook", Fred Cohen

Rob, grandpa of Ryan, Trevor, Devon & Hannah

May 9, 2006, 3:53:57 PM
to tech...@egroups.com, CISSP-...@yahoogroups.com, sec...@egroups.com
BKCISOGG.RVW 20051119

"Governance Guidebook", Fred Cohen, 2005, 1-878109-34-0
%A Fred Cohen http://all.net
%D 2005
%G 1-878109-34-0
%I ASP Press
%O http://www.amazon.com/exec/obidos/ASIN/1878109340/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1878109340/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1878109340/robsladesin03-20
%O Audience a+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 204 p.
%T "Governance Guidebook"

The very short section one of the Governance Guidebook explains that
it is intended for the CISO (Chief Information Security Officer) of a
large concern. Which is to say that the reader should be experienced
in security and the management thereof. At that point one wonders
what such a work would entail: presumably such a person would already
know pretty much anything you could put into a book. This
introduction then goes on to detail the organization of the guidebook.
Section two is an overview of the structure of a security plan or
protection strategy. It also notes that the illustrations in this
section of the text are very busy and cluttered, but that careful
study will make the situation clearer.

All of this is true. This is definitely not your standard security
textbook. It is extremely demanding of the reader, but will amply
repay the effort put into using the volume. And I say "using," rather
than merely "reading": this is a tome that requires application.
Bedtime reading it is not.

This is not a primer to be read quickly in one sitting. The
illustrations are dense, and so is the text, but dense with meaning
and import. This is a work to be worked through, a page or even a
paragraph at a time. And then, when you are finished, work through it
again. If you are a CISO it won't teach you anything--but it will
remind you of things, practices, and procedures that have possibly
been forgotten in the press of other urgencies. This volume becomes,
therefore, an aide memoire for the strategic planning of information
protection.

This is not to say that there are no details provided. Section three,
entitled "Drill Down," provides greater depth to a number of the areas
(one example is an intriguing use of the human life span to address
personnel and human resources issues). The content does not deal with
specific technical areas of security, but does provide a very solid
overview of security management--or, if you prefer, governance.

This is a handy and useful guide for those in the CISO position. It
is destined to become well-thumbed, dirty, and dog-eared, over time.
Those who are not yet into a CISO job will not recognize all of the
value in its pages, yet. However, those who aspire to the calling
would do well to get a start on learning from it.

copyright Robert M. Slade, 2005 BKCISOGG.RVW 20051119


====================== (quote inserted randomly by Pegasus Mailer)
rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
Science is organized knowledge. Wisdom is organized life.
- Immanuel Kant
http://victoria.tc.ca/techrev/rms.htm
