Review: Infosec incident management

Information Security Incident Management

A methodology


By Neil Hare-Brown

Publisher: BSI (2007)

ISBN 978-0-580-50720-5

124 pages

Price £50 from BSI

Purpose and scope

The central purpose of the book is to provide guidance on best practices in information security incident management as a professional discipline for commercial organizations and government bodies.  As noted below, it is directly suited to large, relatively formalized organizations.  Related topics such as information security and business continuity management are only briefly mentioned.

Sources

The main sources cited in the book are ISO/IEC 27002 (Code of Practice for Information Security Management), ISO/IEC TR 18044 (Information Security Incident Management), RFC 2196 (Site Security Handbook, 1997) and its 1991 predecessor RFC 1244.  CERT’s OCTAVE and ISACA’s COBIT methods merit fleeting mentions, as does the book Computer Security Incident Handling by Stephen Northcutt of SANS.  Curiously, other excellent CERT, FIRST, SANS and computer forensics resources are not cited, though there is no shortage of choice.

Content and structure

The A5-sized book’s 118 pages contain approximately 30,000 words with very little padding or unnecessary content in six main chapters:

  1. Understanding information security incident management - a good overview of the topic continues from and expands upon the brief introduction.
  2. Incident response requirements - this chapter is quite ambitious for its 8½ pages, attempting to describe policies, types of incidents and the continuous improvement aspects of the full process.  A third of the chapter is devoted to a generic specification for an incident handling application, which may be useful for those considering procuring or developing such a beast.
  3. Responsibility and authority - defining an appropriate management structure for incidents is an integral part of defining the processes.  Chapter 3 straightforwardly lays out the author’s preferred structure comprising a Security Working Group (responsible for managing information security as a whole), Information Owners (stakeholders held accountable for the protection of information assets), the Information Security Incident Response Team (the focal point for managing incidents) and other Points of Contact (specialists throughout the organization such as audit, security and PR people).
  4. Formulating an incident response process - along with the next chapter, this is the strongest part of the book.  The author gives sound advice for anyone tasked with designing or reviewing an information security incident management process for their organization, such as that needed for an ISO/IEC 27002-conformant ISMS.  Risk assessment approaches are outlined in this context, and the implementation steps are briefly described.
  5. The six steps of information security incident response - Chapter 5 makes up a third of the book, reflecting the importance of understanding the incident response process in detail.  After summarizing the six-step process from RFC 2196, the author explains how to design, plan, document and test a process.  Flowcharting gets a mention, although I don’t understand the annotations on the virus response process example flowchart.  A section on incident severity confusingly proposes an “urgent” category, a name that would be more appropriate in the next section on response priority.  Reporting lines, incident notification and escalation are well covered.  Forensics and legal issues are covered from the management rather than the practitioner’s point of view, and could have done with references to suitable forensic guidelines, textbooks etc. in addition to the solid ACPO Good Practice Guide.
  6. Summary - this half page summarizes the book rather literally.  I was a little disappointed not to read a decent conclusion chapter, perhaps with the author’s thoughts as to the state of the art in incident management and future directions.

The appendices are rather brief:

  • A generic typology for incidents - fine as far as it goes but not well described or integrated into the main text;
  • A succinct glossary which fails to acknowledge common alternative definitions;
  • A half-page bulleted list of incidents - I would be surprised if readers needed this;
  • Four example forms used for recording incidents and tracing forensic evidence, plus two unexplained screenshots from an incident handling system - useful templates perhaps;
  • A page of good references, cited with notes throughout the text.

About the author

Neil has extensive experience of information security incident management and forensics, stretching back 25 years to his time with the Metropolitan Police in London.  His government and large company background shines throughout the book.  Neil has an MSc in information security from Holloway, part of London University, and is currently researching for a PhD.

The book’s utility

On the upside, the incident management process as described is disciplined, rigorous and comprehensive.  At the same time, the advice is reasonably pragmatic: a practitioner should be able to apply the advice without too much trouble, other than the effort required to persuade senior management to implement such a comprehensive process.

The book highlights the issue of competing demands to investigate or to resolve incidents in progress, although it offers little advice to management faced with making such difficult decisions.  Some generic decision criteria might have been useful guidance for those writing incident management policies, standards and procedures.

On the downside, being so comprehensive seems likely to make the process bureaucratic and expensive in resources.  There are no obvious concessions or short cuts in the book for SMEs, and little effort to describe the commercial value of such an approach to private sector organizations.  Given the author’s background, I would have expected to see a good sprinkling of illustrative case studies - describing situations he has been through to draw out the general lessons - but I found none.  Neil would no doubt argue that employer/client confidentiality prevents him from disclosing such sensitive details, but I feel the book would have been brought to life by some real-world examples, even if he had withheld all identifying information.

Repetition in some places, particularly the “six-step process” described in chapter 5, does reinforce the key points but is a little distracting.  By the way, the sixth step, responsibilities, is not really a step at all but a parallel activity.  The five remaining steps ably describe the core process.

Some might quarrel with the footnote on page 43: “a ‘zero-day exploit’ is one that takes advantage of one or more security vulnerabilities within 24 hours of the vulnerability becoming generally known.” I think those would be categorized as ‘day 1’ exploits whereas true zero-day exploits take place before vulnerabilities are widely known as a result of patches being publicly released.  Anyway, this is a debatable and minor point that certainly does not detract from the book as a whole.

Value for money

This small book is packed with advice for those responsible for managing information security incident management functions, and for those working in such functions.  The comprehensive process is well suited to organizations with numerous incidents to manage and hence the need for a structured, comprehensive process.  The process seems rather excessive for small organizations, but it is still worth knowing the full scope of activities involved in managing major incidents professionally.

Conclusion

Buy this book if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002, and if you work in a government or large commercial organization that needs such a comprehensive, well-structured incident management process.  Smaller, more agile organizations may still learn something useful but it would not be easy to apply this design to a typical cut-down slimline incident management process.

Copyright © 2008 IsecT Ltd.