REVIEW: "Security Assessment", Greg Miles et al

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Aug 12, 2004.

  BKSACSNI.RVW 20040721

    "Security Assessment", Greg Miles et al, 2004, 1-932266-96-8,
    %A Greg Miles
    %A Russ Rogers
    %A Ed Fuller
    %A Matthew Paul Hoagberg
    %A Ted Dykstra
    %C 800 Hingham Street, Rockland, MA 02370
    %D 2004
    %G 1-932266-96-8
    %I Syngress Media, Inc.
    %O U$69.95/C$89.95 781-681-5151 fax: 781-681-3585
    %P 429 p.
    %T "Security Assessment: Case Studies for Implementing the NSA IAM"

    The introduction tries to explain the NSA (National Security Agency)
    IAM (Information Assurance Methodology), but is so heavily larded with
    (management) buzzwords that no clear concept emerges. The indications
    are that the book is primarily aimed at those who have taken one of
    the IAM courses, although there is an explicit statement that the
    material can be used by untrained professionals and also by the
    "customers" who are undergoing an assessment.

    Chapter one describes IAM in words that make it seem very similar to
    such tools as CoBIT (ISACA's Control Objectives for Information
    Technology tool), ISO 17799, and the NIST (the US National Institute
    of Standards and Technology) self-assessment guide. However, almost
    all of the chapter is devoted to a promotion of sharp negotiation of
    the scope of an IAM contract, from the vendor perspective. Chapter
    two reiterates the need to control customer expectations and define
    contract objectives. (There is more jargon, and also the use of
    idiosyncratic and undefined acronyms like PASV [Pre-Assessment Site
    Visit].) The Organizational Information Criticality Matrix (OICM)
    described in chapter three is a kind of simplistic business impact
    analysis. In chapter four, system information criticality and the
    System Criticality Matrix (SCM) are said to be more detailed than the
    OICM. Defining system boundaries is acknowledged to be difficult, but
    neither the explanation nor the examples used are of any help in
    clarifying the issue. Both the text and the tables used in the "case
    study" are extremely confusing in regard to the relation between
    entries in the OICM and the SCM.

    The system security environment, described in chapter five, is what
    most people would know as corporate culture: the general attitudes and
    behaviours common to an institution. The book suggests finding and
    using the CONOPS (concept of operations) documentation while admitting
    that it may not be found in most commercial enterprises. (The authors
    don't explain that this is basically identical to the common policy
    and procedures manuals, although they do eventually get around to
    mentioning these texts.) The TAP (Technical Assessment Plan) is
    actually just a specific format for a detailed contract, so we have to
    go through all of that type of editorial comment again, without really
    getting much information about the recommended TAP structure. Chapter
    seven involves the assessment itself, and generally deals with
    administrative details--and making sure that the customer does not
    modify the scope of the contract. The eighteen basic information
    security models get listed, although this seems to be almost an
    afterthought, rather than the core of the IAM itself. Findings, the
    report of the assessment results, are described in chapter eight. A
    sixteen page example does little more than provide a format. The
    close-out report, in chapter nine, is a final sales meeting with the
    customer. The final report is given in a different, and more general,
    format in chapter ten. Cleanup work and follow-up sales of consulting
    are discussed in chapter eleven.

    The constant repetition of very basic ideas and the turgid and
    buzzword-laden text make this work far longer than is justified by the
    information provided. In addition, the extreme emphasis on the
    viewpoint of a vendor trying to sell a contract (and protect himself
    from doing any unbillable work) is a severe limitation on the audience
    for this tome. Essential components of the IAM model and process do
    not seem to hold any central place in the book, and the reader
    discovers them almost by accident, and in spite of the writing rather
    than because of it.

    copyright Robert M. Slade, 2004 BKSACSNI.RVW 20040721

