Information Security – A Practical Guide

by Mark Rowe

Author: Tom Mooney

ISBN No: 9781849287401

Review date: 29/03/2024

No of pages: 116

Publisher: IT Governance

Publisher URL:
http://www.itgovernance.co.uk/shop/p-1701-information-security-a-practical-guide-bridging-the-gap-between-it-and-management.aspx

Year of publication: 16/07/2015

Brief:

Information Security – A Practical Guide: Bridging the gap between IT and management

Price: £29.95

Quick and dirty does it: we’ve reviewed several books on information and IT security published by IT Governance. The latest is one of the most impressive, writes Mark Rowe.

Tom Mooney begins this neat little book by recalling that he was struck when starting his career in information security how little he engaged with non-infosec people. IT would shy away from speaking to him, ‘as they feared security would stick its nose in’, and the business viewed security as a ‘dark art’. He likens security to brakes on a car; you would hardly drive a car without any, but you only use them when you have to, as a control. Without them, you will have an accident. As the book’s sub-title suggests, info-sec is about ‘Bridging the gap between IT and management’.

Like many books, this would have been half as good if it had been twice as long. As it is, Mooney has provided non-security and indeed security people with a very high ratio of good sense that’s worthwhile to read.

We’ve known for a while that it’s wisest to do computer security and physical security together. In the old days, someone could walk out of a building with your server; now that we have the Cloud, people can steal data even more simply, as Edward Snowden and others have shown. For a dozen years or more that truth has been reflected in the standard for information security management, ISO/IEC 27001 (adopted as a British Standard), which covers both the IT and the physical sides. Books telling you how to do the two equally well have been hard to find: either the author is a tech guy lacking know-how of physical and personnel security, or the other way round. Information Security – A Practical Guide, by Tom Mooney, offers more than the title suggests.

It’s a short book of ten chapters, each of about ten pages – and that is something of a merit, given how busy the likely reader will be. I would suggest the reader who can learn from this is either the physical security and guarding person who wants to gen up on infosec, or an IT guy who likewise wants to tighten up security. Mooney keeps it plain and simple, in style and content, and again that is a compliment. A middle chapter, ‘quick and dirty risk assessment’, as the title suggests takes you through how to do a risk assessment and, as importantly, how to keep doing them. Besides the nuts and bolts of the work, Mooney arguably does us more of a service in chapters such as ‘getting buy-in from your peers’, because, as in so many other parts of the workplace, it’s no good doing a decent or even excellent job if your non-security staff aren’t doing their bit, or aren’t funding it. “Often security is seen as a blocker or necessary evil at the end (some organisations are better than others).” Mooney advises building relationships: letting people know that their input is valued, and that they can help steer security. If you find yourself working for a place that doesn’t have a high regard for security, using some ‘fear, uncertainty and doubt’ stories is a start, he suggests. Choose stories from the media, and again he advises explaining yourself in plain and simple English.

One observation rather than a criticism is that the author could have gone into more detail; but then he would not have written such a concise book. In fairness, he does introduce you to the necessary basics, such as the Senior Information Risk Owner (SIRO), a role often found in UK Government, and on topics such as penetration testing (again, with a physical and an IT component) and information security policy he points you in the right direction, starting with knowing what the ‘risk appetite’ of your business is. While Mooney is writing for the information security professional, such is the spread of IT in the office and organisation that this book can apply to anyone in security management. It is well worth an hour of your time, whether as a refresher or because you find yourself facing more work on the info-security side. Recommended.

For IT Governance: ring 0845 070 1750.


© 2024 Professional Security Magazine. All rights reserved.
