By Neil Hare-Brown
Publisher: BSI (2007)
Price £50 from BSI
The central purpose of the book is to provide guidance on best practices in information security incident management as a professional discipline for commercial organizations and government bodies. As noted below, it is directly suited to large, relatively formalized organizations. Related topics such as information security and business continuity management are only briefly mentioned.
The main sources cited in the book are ISO/IEC 27002 (Code of Practice for Information Security Management), ISO/IEC TR 18044 (Information Security Incident Management), RFC 2196 (Site Security Handbook, 1997) and its 1991 predecessor RFC 1244. CERT’s OCTAVE and ISACA’s COBIT methods merit fleeting mentions, as does the book Computer Security Incident Handling by Stephen Northcutt of SANS. Curiously, other excellent CERT, FIRST and computer forensics resources are not cited, but there is no shortage of choice.
Content and structure
The A5-sized book’s 118 pages contain approximately 30,000 words with very little padding or unnecessary content in six main chapters:
The appendices are rather brief:
About the author
Neil has extensive experience of information security incident management and forensics, stretching back 25 years to his time with the Metropolitan Police in London. His government and large company background shines throughout the book. Neil has an MSc in information security from Holloway, part of London University, and is currently researching for a PhD.
The book’s utility
On the upside, the incident management process as described is disciplined, rigorous and comprehensive. At the same time, the advice is reasonably pragmatic: a practitioner should be able to apply the advice without too much trouble, other than the effort required to persuade senior management to implement such a comprehensive process.
The book highlights the issue of competing demands to investigate or resolve incidents in progress, although it offers little advice to management faced with making such difficult decisions. Some generic decision criteria might have been useful guidance for those writing incident management policies, standards and procedures.
On the downside, being so comprehensive seems likely to make the process bureaucratic and expensive in resources. There are no obvious concessions or shortcuts in the book for SMEs, and little effort to describe the commercial value of such an approach to private sector organizations. Given the author’s background, I would have expected to see a good sprinkling of illustrative case studies - describing situations he has been through to draw out the general lessons - but I found none. Neil would no doubt argue that employer/client confidentiality prevents him from disclosing such sensitive details, but I feel the book would have been brought to life by some real-world examples, even if he had withheld all identifying information.
Repetition in some places, particularly the “six step process” described in chapter 5, does reinforce the key points but is a little distracting. By the way, the sixth step, responsibilities, is not really a step at all but a parallel activity. The five remaining steps ably describe the core process.
Some might quarrel with the footnote on page 43: “a ‘zero-day exploit’ is one that takes advantage of one or more security vulnerabilities within 24 hours of the vulnerability becoming generally known.” I think those would be categorized as ‘day 1’ exploits whereas true zero-day exploits take place before vulnerabilities are widely known as a result of patches being publicly released. Anyway, this is a debatable and minor point that certainly does not detract from the book as a whole.
Value for money
This small book is packed with advice to those responsible for managing information security incident management functions, and for those working in such functions. The comprehensive process is well suited to organizations with numerous incidents to manage and hence the need for a structured, comprehensive process. The process seems rather excessive for small organizations but still it is worth knowing the full scope of activities involved in managing major incidents professionally.
Buy this book if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002, and if you work in a government or large commercial organization that needs such a comprehensive, well-structured incident management process. Smaller, more agile organizations may still learn something useful but it would not be easy to apply this design to a typical cut-down slimline incident management process.
Copyright © 2012 IsecT Ltd.