
Information Security Policies Made Easy.

I wish I had written this book - the product of both erudite knowledge and rich experience. The policies are concise. They can be used as the foundation for an automated information systems (AIS) security program.

The book offers a bonus. It clearly reveals the value of the concept of AIS security. AIS security addresses the protection of automated information and the systems in which it resides. The concept lends focus. Computer security, on the other hand, implies the protection of computers, which is false.

AIS security consists of two disciplines: computer science and security management. Wood describes how to unite these disciplines to prevent the loss of critical information.

The lack of password control can lead to loss. To prevent this, Wood recommends automatically revoking passwords after 60 days of inactivity and having a system deny access if its password-based access control system breaks down. He cautions against system testing or employees' attempts to compromise the system "just to see how secure the system is."
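The two password rules singled out here, automatic revocation after 60 days of inactivity and denying access when the password mechanism itself breaks down, as an added Python illustration that is not from Wood's book or this review; the `PasswordStore` class, the `authenticate` function and the sample accounts are constructed for the example.

```python
from datetime import datetime, timedelta
import hashlib, hmac, secrets

INACTIVITY_LIMIT = timedelta(days=60)  # policy value quoted in the review

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; modest iteration count keeps the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class PasswordStore:
    """In-memory stand-in for a password database; available=False simulates an outage."""
    def __init__(self):
        self.accounts, self.available = {}, True
    def add(self, user, password, last_used):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": hash_password(password, salt),
                               "last_used": last_used, "revoked": False}
    def lookup(self, user):
        if not self.available:
            raise ConnectionError("password store unreachable")
        return self.accounts.get(user)

def authenticate(store, user, password, now):
    """Return (granted, reason). Every failure path denies, so the gate fails closed."""
    try:
        record = store.lookup(user)
    except Exception:  # backend broke down: deny rather than let everyone in
        return False, "access-control system unavailable; denied"
    if record is None or record["revoked"]:
        return False, "unknown or revoked account"
    if now - record["last_used"] > INACTIVITY_LIMIT:
        record["revoked"] = True  # 60-day inactivity rule, applied automatically
        return False, "revoked after 60 days of inactivity"
    if not hmac.compare_digest(record["hash"], hash_password(password, record["salt"])):
        return False, "bad password"
    record["last_used"] = now
    return True, "ok"

def demo():
    """Constructed accounts: one active, one idle 61 days, then a store outage."""
    now = datetime(2024, 1, 1)
    store = PasswordStore()
    store.add("alice", "correct horse", now - timedelta(days=10))
    store.add("bob", "battery staple", now - timedelta(days=61))
    results = {"active": authenticate(store, "alice", "correct horse", now),
               "idle": authenticate(store, "bob", "battery staple", now),
               "idle_again": authenticate(store, "bob", "battery staple", now)}
    store.available = False
    results["outage"] = authenticate(store, "alice", "correct horse", now)
    return results
```

The combined "unknown or revoked account" message is deliberate: distinguishing the two would let a caller enumerate valid usernames.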

Downloading software from electronic bulletin boards is a dangerous practice because a computer can be infected by all sorts of deadly viruses and worms. Wood explains how to prevent this. He further warns against using any kind of software of dubious origin.

This is good advice because many individuals have watched in horror the destruction of an entire database - a catastrophe caused by a virus or worm from a free diskette with a cloudy history.

Wood points out that Privacy Act violations can result in damaging lawsuits and offers more than five pages of powerful recommendations that describe how to prevent this type of loss.

Wood explains the restrictions of privacy rights on company systems and offers guidance on the collection, storage, and disclosure of specific types of private information and the handling of private data.

There is a problem with one of Wood's privacy policies. He writes, "To prevent slander and libel suits and also to preserve the privacy of personnel information, the reason for termination... must not be disclosed to third parties."

But suppose a company terminates a man for assaulting a woman. The accused man applies for employment in your firm. During preemployment screening, your firm contacts the accused's former employer. That company conceals the reason for termination, and your firm hires the applicant. He then rapes a woman on your company's premises.

If the victim can demonstrate a nexus between the concealment of information regarding her assailant's prior crime and her rape, she may be able to bring a charge of negligence against the reporting company.

Wood's policies on the use of fax machines and telephones are especially timely, considering the increase in industrial espionage. He cautions that these devices are not secure and details how to exercise special care when transmitting. He also implies that cordless or cellular phones can be encrypted. However, I don't believe such technology is available yet.

Wood closes with five pages of references, a rich source of information. He includes a three-page resume, which is inappropriate, as is the advertising in the back of the book.

The audience is the AIS community, but any security manager who wants an education in AIS security needs this book. As Wood says in his introduction, "The book weeks of effort since it provides information that has heretofore never been provided in a single source." This is an understatement.

Information Security Policies Made Easy is a teaching tool and a quick reference. Buy the book. Use the time it saves you to revise your information security policy or to write an accreditation package.
COPYRIGHT 1992 American Society for Industrial Security

Article Details
Author:Pitorri, Peter
Publication:Security Management
Article Type:Book Review
Date:Jul 1, 1992