Dr. Ali Jahangiri released a book titled "The Security Policy Cookbook: A Guide for IT and Security Professionals". From his website describing the book, he says "I decided to address the need, spending more than two years to study and bring together the contents of this book in order to create a comprehensive collection of security policy templates." This collection is "based on the 14 years of experience of its author, security expert and trainer" and "initiated in workshops and lectures by participants who asked for Jahangiri's security policy templates". There is no confusion over Jahangiri's language, that these are "his policies" and were developed over two years, based on workshops and lectures using his 14 years of experience.
After receiving a tip from a reader suggesting some content may have been taken from public sources without attribution, Attrition.org did a more thorough review of the book. Using simple Google queries for key phrases from the book ( partially available online via Amazon.com), we found what appears to be sweeping plagiarism. The table below breaks down the book, page count and approximate percent of material lifted from other sources. With a limited sample of the book available, we relied on Ben Rothke to check the remaining chapters since he had a physical copy of the book. This table represents investigation by Rothke and Attrition.org staff. Ben wrote a review of the book based on his experience and thoughts.
When Dr. Jahangiri was asked about the plagiarism, his e-mail response contained more interesting information along with more questions. He first responded that in the last 10 years, he had developed various policies for clients before saying that he subcontracted other companies in different countries to develop those documents. This makes it unclear if he and/or his company created the policies or if they were subcontracted from a third-party.
Jahangiri goes on to say that he purchased a set of policy templates in 2005 from a foreign company while he was busy on other engagements. He claims the set of documents included in that batch are the same ones found at the Texas Department of Information Resources and that he has the rights to use those purchased items. However, this claim seems bogus as some of the policies that were used had been published as early as 2002. Either the company he bought them from plagiarized, and he did not verify the material he received, or his claim is an outright lie.
Regardless of why, selling a book with 141 pages of security policies that are freely available on the Internet without disclosing where they came from (e.g., he hired a company to draft them, he collected them from the Internet) is fraud. Charging $49.95 for a print book of public material, and having the audacity to charge $150 for an electronic version is far from ethical.
| Chapter | Pages | Plag % | Original Source |
| 1. Administrative and Special Access Policy | 1-4 | 100% | Texas Department of Information Resources, IS Security Policies: Administrative/Special Access [Google HTML] [RTF] |
| 2. Antivirus Policy | 5-7 | 99% | Western Oklahoma State College Antivirus Policy (July 2003) |
| 3. Application Development Policy: Outside of the IT Department | 9-10 | 90% | Brigham Young University Application Development Policy |
| 4. Back Up and Disaster Recovery Policy | 11, 13 | 100% | Wayne State University School of Medicine (http://www.med.wayne.edu/hipaa/policies/security/MSIS%20Policy%20Binder/Section%2001%20-%20Policies/Tab%2012%20-%20Backup%20and%20Disaster%20Recovery%20Policy/Backup%20and%20Disaster%20Recovery%20Policy.pdf now 404) IS Security Policies: Backup/Disaster Recovery Protocol |
| 5. Change Management Policy | 15-17, 19 | 100% | Texas Department of Information Resources, IS Security Policies: Change Management [Google HTML] [RTF] |
| 6. Computer Account Management Policy | 21-23 | 100% | Texas Department of Information Resources, IS Security Policies: Account Management [Google HTML] [RTF] |
| 7. Computer Virus Detection Policy | 25-28 | 100% | Truth to Power Association Computer Virus Prevention (Policy) |
| 8. Email Policy | 29, 31-32 | 100% | Texas Department of Information Resources, IS Security Policies: E-Mail Pokicy [sic] [Google HTML] [Word Doc] |
| 9. Incident Management Policy | 33-38 | 100% | Texas Department of Information Resources, IS Security Policies: Incident Management [Google HTML] [Word Doc] |
| 10. Information Security Policy (1) | 39-42 | 100% | Sonoma State University CSU Information Security Policy |
| 11. Information Security Policy (2) | 43-52 | 100% | Griffith University Security Breach Notification & Reporting Policy (6 November 2002) |
| 12. Information Security Policy (3) | 53-56 | 100% | Binghamton Universirty ITS Confidentiality of Student and Employee Records and other University-Maintained Data Policy (April 24, 2006) |
| 13. Internet Access and Use Policy (1) | 57-60 | 100% | Small Island Developing States Network University Policies for Internet-related Technologies (August 31, 2004) |
| 14. Internet Use Policy | 61-66 | 100% | Texas Department of Information Resources, IS Security Policies: Acceptable Use Policy [Google HTML] [RTF] |
| 15. Intrusion Detection Policy | 67-72 | 100% | Texas Department of Information Resources, IS Security Policies: Intrusion Detection Policy [Google HTML] [RTF] |
| 16. Network Access Security Policy | 73-76 | 100% | Texas Department of Information Resources, IS Security Policies: Network Access [Google HTML] [Word Doc] |
| 17. Network Configuration Policy | 77-80 | 100% | Texas Department of Information Resources, IS Security Policies: Network Configuration [Google HTML] [Word Doc] |
| 18. Password Policy (1) | 81-84 | 100% | The College of New Jersey Information Technology Security Password Guidelines |
| 19. Password Policy (2) | 85-90 | 100% | Texas Department of Information Resources, IS Security Policies: Password Policy [Google HTML] [RTF] |
| 20. Physical Access Policy | 91-94 | 100% | Texas Department of Information Resources, IS Security Policies: Physical Access [Google HTML] [Word Doc] |
| 21. Portable Computing Devices Policy | 95-98 | 100% | Texas Department of Information Resources, IS Security Policies: [Word Doc] |
| 22. Privacy Policy | 99-102 | 100% | Texas Department of Information Resources, IS Security Policies: IS Privacy [Google HTML] [Word Doc] |
| 23. Public Access Privacy Policy | 103-106 | 100% | Joomla!Junkie Privacy Policy |
| 24. Public Mailing List Policy | 107-110 | 0% | (Several Google searches resulted no matches.) |
| 25. Security Monitoring Policy | 111-114 | 100% | Texas Department of Information Resources, IS Security Policies: Security Monitoring [Google HTML] [Word Doc] |
| 26. Security Training Policy | 115-118 | 100% | Texas Department of Information Resources, IS Security Policies: Security Training [Word Doc] |
| 27. Server Hardening Policy | 119-122 | 100% | Texas Department of Information Resources, IS Security Policies: Server Hardening Policy [Google HTML] [Word Doc] |
| 28. Software Licensing Policy | 123-126 | 100% | Texas Department of Information Resources, IS Security Policies: Software Licensing [Google HTML] [Word Doc] |
| 29. Staff-Owned Computing Equipment Policy | 127-128 | 0% | (Several Google searches resulted no matches.) |
| 30. System Development Policy | 129-132 | 100% | Texas Department of Information Resources, IS Security Policies: System Development Policy [RTF] |
| 31. Vendor Access Policy | 133-136 | 100% | Texas Department of Information Resources, IS Security Policies: Vendor Access [Google HTML] [Word Doc] |
| 32. Wireless Access Point Policy | 137-141 | 100% | The University of the South Pacific Wireless Access Point Policy |