Introduction to Data Security and Controls.

The purpose of this book is to familiarize the reader with the need for data security and the basic methods used to provide good security.

I was pleased by the manner in which the author presented this material. At the end of each chapter, he reinforces what he has stated in the text by asking a few questions about chapter content. Granted, this is a textbook technique, but it serves to emphasize the main points.

In chapter three, Buck describes risk analysis as a part of risk management. It is the baseline of the risk management process because the purpose of the analysis is to identify all the risks, obvious and subtle, that need to be measured for the likelihood of occurrence and the impact of potential loss. Once the threats have been identified and measured, countermeasures are recommended.

It is from the analysis report that senior management makes its decisions as to which risks are considered acceptable and which countermeasures shall be implemented. The second phase of risk management pertains to prioritizing and scheduling recommendations.

The author makes an important point about security surveillance. He notes that after the countermeasures have been implemented they must be monitored for effectiveness and to ensure that they do not become obsolete.

Buck emphasizes that risk analysis is a project and should be treated as one. Establishing the scope of the project, defining the problems, selecting an approach, and proper planning are the elements of any project. The analysis team should be selected from personnel who have the skills and experience to fit the approach. They must then be apprised of their job functions and how they relate to the project's goals.

The author describes in detail how to conduct an analysis, right down to providing risk estimate detail sheets, check sheets, and risk summary charts. He also explains how to calculate annual loss exposure and return-on-investment figures. With the help of this book, individuals with little or no experience with such analyses can perform well.

Buck describes how to select computer technology security countermeasures, application software countermeasures and types, hardware countermeasures, and communications and terminal countermeasures, all in simple terms.

I particularly enjoyed the last chapter, "Doing It Right." In it he describes eight phases of a methodology known as total system development. This model describes the system life cycle of an application from end-user proposal to performance review and the need early on for security input.

The book includes a major case study of a fictitious telephone company that serves as a model for conducting your own analysis. The bibliography and glossary are extensive but concise.

The author accomplished his purpose and did so in a thoroughly understandable manner. I would buy this book for ready reference and recommend it to my fellow security practitioners.

Reviewer: Howard Keough, CPP, is a member of the ASIS Standing Committee on Computer Security.
COPYRIGHT 1992 American Society for Industrial Security

Article Details
Author: Keough, Howard
Publication: Security Management
Article Type: Book Review
Date: Aug 1, 1992
