Contacting Us
Mike Tarrani
Linda Zarate
Kate Hartshorn

Who We Are
TEAM Zarate-Tarrani
Saturday, May 04, 2002


Essential Security Resources. If you develop security policies and procedures you need to seriously consider investing in a copy of Information Security Policies Made Easy. The 1175 policies contained in this book are also provided in soft copy on the accompanying CD ROM, making this one of the most valuable resources for companies that need to cost-effectively develop and implement policies. This book is also particularly valuable for consultants, although the licensing appears to restrict the use of the policies if they are used verbatim. However, each of the policies is too generic to be used as is, so for consultants their value lies in the key elements and discussion of each.

Unlike other collections of security policies that I've purchased, this collection is up-to-date and addresses contemporary requirements. Among the specific policies in this collection are those that address:

  • HIPAA (Health Insurance Portability and Accountability Act), which is a high priority requirement in the health care industry
  • Gramm-Leach-Bliley Act for US federal government organizations
  • European Union Data Protection Directive, which makes this book as applicable to European readers as it does to US audiences
In addition, the policy collection addresses issues such as social engineering, digital signatures and public key infrastructures, which show the breadth of topics covered. It also addresses credit card fraud, internet use policies (another hot topic) and network and internet security.

What I like is the fact that the book is much more than a collection of policies - it also discusses implementation and enforcement issues, and contains checklists for developing (or tailoring) and implementing the policies.

On the topic of value: this book contains 18 core policies that should be in place regardless of company type. These alone would take between 150 and 200 hours to develop. Using the fully loaded rate by in-house experts it's easy to make a business case for buying this book because these 18 policies alone would cost more to develop from scratch than the cost of the book. If you are using consultants the cost savings will be dramatic. In addition to this book I recommend investing in the author's other book, Information Security Roles & Responsibilities Made Easy, which completes the picture for developing an effective security organization and posture.

This book, Information Security Roles & Responsibilities Made Easy, is the other half of Information Security Policies Made Easy discussed above. What makes this book complement the policy book is that once the policies are written they are useless without defined roles and responsibilities assigned to manage and enforce them.

Included in this book (and in soft copy on the accompanying CD ROM) are organizational mission statements that form the framework for policies, job descriptions for major security role players, and organizational structures with reporting relationships.

The book does not merely present the roles and responsibilities - it goes into the hows and whys, and steps you through the definition and development of a security function in which the roles and responsibilities are defined. More important, the author does not use a canned approach, but provides alternative structures that will allow you to develop and implement the organization that is best aligned to your company. This is one of the most practical and flexible approaches I've seen, and shows the author's extensive experience and realistic attitude. Equally important is the fact that small companies are also addressed, making this book valuable to organizations of all sizes.

You're stepped through the process of identifying your requirements, tailoring the documents provided on the CD ROM to reflect those requirements, and given an idea of the time and resources needed to implement them. In addition to the documented roles and responsibilities and organizational structures provided, this book also covers (and the CD ROM provides) pamphlets to promote security awareness, memos, forms, action plans, a sample security manual and standards, and other documents that will be needed to effectively implement a security organization.

The chapter on common mistakes is worth its weight in gold, as are the appendices, which cover staffing levels, qualifications (this is valuable to HR), and IS security metrics.

Regardless of company size or scope of your security organization, this book will save literally hundreds of hours of research, document development and planning. Even for a small company of 25-100 employees this book will pay for itself many times over, and for a large company the value that this book (and the companion book I mentioned above) represents can run into the tens of thousands of dollars.