
IT Governance
A manager’s guide to data security and BS 7799 / ISO 17799
3rd edition
by Alan Calder and Steve Watkins
Kogan Page, 2005
Hardback 386 pages
ISBN 0749444142
~US$170 from Amazon
In the subtitle and introduction, the authors indicate that managers should read this book to understand their responsibilities towards the governance of IT. The introductory chapters do indeed discuss governance, summarizing the work of Turnbull and Cadbury as examples, with a brief mention of Sarbanes-Oxley (the book takes a distinctly UK perspective, which is a shame given that IT governance is a global issue and the ISO standards are applicable worldwide). However, the bulk of the book concentrates specifically on information security management using ISO 17799 (now called ISO/IEC 27002) and ISO/IEC 27001 as a framework. The implication is that implementing ISO/IEC 27002 is sufficient to claim good governance of IT, but the truth is that there is rather more to it than that. Take a look at ISACA’s COBIT for a broader perspective.
On a more positive note, the book’s coverage of ISO/IEC 27002 is comprehensive. It would be a worthwhile read for information security managers who are new to ISO/IEC 27002 and, perhaps, a bit fazed by the huge breadth of security controls they are expected to implement and manage. The text expands on ISO/IEC 27002’s relatively high-level description of all manner of information security controls, providing a bit more depth and context. In some cases, though, it does little more than rephrase ISO/IEC 27002 itself, and in a rather dry style at that. It is a shame that the authors did not see fit to pepper the book with more practical examples based on their evident knowledge of the subject in real-world settings. As it is, there are relatively few snippets of pragmatic advice; it’s all a bit theoretical.
Take for example the paragraph on ‘secure disposal or reuse of equipment’. The ISO/IEC standard refers to data being destroyed, deleted or overwritten beyond recovery rather than being simply deleted. The book talks about media being ‘completely wiped’ or ‘destroyed’ but doesn’t take the final step of explaining how organizations might choose to do that (e.g. using DBAN, Darik’s Boot and Nuke, to wipe system disks; shredding and incinerating equipment using industrial-strength shredders; or handing the problem to a competent third-party disposal agent with all the appropriate procedural and legal controls in place).
The book was written in 2004, a little before the 2005 version of ISO/IEC 27002 was published, although it does reference the later version thanks to the prior availability of the Final Draft International Standard. Not all changes between the 2000 and 2005 versions are fully reflected, but the bulk of the book follows the 2005 standard, an impressive feat given the number of differences hidden in the details.
There is a website to accompany the book giving access to a collection of 19 additional papers, which seem to have been collated from the authors’ notes on related topics.
To sum up, the book would be a worthwhile supplement to ISO/IEC 27001 and 27002 for those information security managers who need assistance or encouragement with their implementation of the information security management standards. It is probably not appropriate reading, however, for ‘directors and senior managers’ who need to understand IT governance as a whole. To them, we’d probably recommend another IT governance book we have reviewed previously, other books by Alan Calder (see his company website) or the growing number of websites on this topic.