[ISN] REVIEW: "Security Assessment", Greg Miles et al

InfoSec News isn at c4i.org
Fri Aug 13 13:05:28 EDT 2004

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade at sprint.ca>

BKSACSNI.RVW   20040721

"Security Assessment", Greg Miles et al, 2004, 1-932266-96-8,
%A   Greg Miles gmiles at securityhorizon.com
%A   Russ Rogers rrogers at securityhorizon.com
%A   Ed Fuller
%A   Matthew Paul Hoagberg
%A   Ted Dykstra
%C   800 Hingham Street, Rockland, MA   02370
%D   2004
%G   1-932266-96-8
%I   Syngress Media, Inc.
%O   U$69.95/C$89.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1932266968/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/1932266968/robsladesin03-20
%P   429 p.
%T   "Security Assessment: Case Studies for Implementing the NSA IAM"

The introduction tries to explain the NSA (National Security Agency)
IAM (Information Assurance Methodology), but is so heavily larded with
(management) buzzwords that no clear concept emerges.  The indications
are that the book is primarily aimed at those who have taken one of
the IAM courses, although there is an explicit statement that the
material can be used by untrained professionals and also by the
"customers" who are undergoing an assessment.

Chapter one describes IAM in words that make it seem very similar to
such tools as CoBIT (ISACA's Control Objectives for Information
Technology tool), ISO 17799, and the NIST (the US National Institute
of Standards and Technology) self-assessment guide.  However, almost
all of the chapter is devoted to a promotion of sharp negotiation of
the scope of an IAM contract, from the vendor perspective.  Chapter
two reiterates the need to control customer expectations and define
contract objectives.  (There is more jargon, and also the use of
idiosyncratic and undefined acronyms like PASV [Pre-Assessment Site
Visit].)  The Organizational Information Criticality Matrix (OICM)
described in chapter three is a kind of simplistic business impact
analysis.  In chapter four, system information criticality and the
System Criticality Matrix (SCM) are said to be more detailed than the
OICM.  Defining system boundaries is acknowledged to be difficult, but
neither the explanation nor the examples used are of any help in
clarifying the issue.  Both the text and the tables used in the "case
study" are extremely confusing in regard to the relation between
entries in the OICM and the SCM.

The system security environment, described in chapter five, is what
most people would know as corporate culture: the general attitudes and
behaviours common to an institution.  The book suggests finding and
using the CONOPS (concept of operations) documentation while admitting
that it may not be found in most commercial enterprises.  (The authors
don't explain that this is basically identical to the common policy
and procedures manuals, although they do eventually get around to
mentioning these texts.)  The TAP (Technical Assessment Plan) is
actually just a specific format for a detailed contract, so we have to
go through all of that type of editorial comment again, without really
getting much information about the recommended TAP structure.  Chapter
seven involves the assessment itself, and generally deals with
administrative details--and making sure that the customer does not
modify the scope of the contract.  The eighteen basic information
security models get listed, although this seems to be almost an
afterthought, rather than the core of the IAM itself.  Findings, the
report of the assessment results, are described in chapter eight.  A
sixteen page example does little more than provide a format.  The
close out report, in chapter nine, is a final sales meeting with the
customer.  The final report is given in a different, and more general,
format in chapter ten.  Cleanup work and followup sales of consulting
are discussed in chapter eleven.

The constant repetition of very basic ideas and the turgid and
buzzword-laden text make this work far longer than is justified by the
information provided.  In addition, the extreme emphasis on the
viewpoint of a vendor trying to sell a contract (and protect himself
from doing any unbillable work) is a severe limitation on the audience
for this tome.  Essential components of the IAM model and process do
not seem to hold any central place in the book, and the reader
discovers them almost by accident, and despite the writing rather
than because of it.

copyright Robert M. Slade, 2004   BKSACSNI.RVW   20040721
