in a Windows environment:
the best practice implementation handbook for
a Microsoft Windows environment
Author: Brian Honan
Publisher: IT Governance Publishing (2009)
Price: ~US$81 from Amazon
Scope and purpose
Promoted by the publisher as “A step-by-step guide through the journey of implementing ISO27001”, the book’s main purpose is in fact to advise on the implementation of technical controls recommended by ISO27k specifically for organizations using Microsoft Windows. It identifies certain technical controls from Annex A of ISO/IEC 27001 and guides the reader on how to interpret and implement them on Windows systems.
Author Brian Honan told us “My goal for the book when originally writing it was to provide the typical IT manager with a resource to start them on the road to putting an ISO 27001 ISMS system in place ... [When] senior management react to media coverage of security breaches, the IT manager is typically tasked with implementing ISO 27001 because as we all know information security is [treated as] an IT problem <grin>. The IT manager now has the startled caught-in-the-headlights rabbit look and tries to figure out what to do. So the book was to provide them with a brief introduction to ISO 27001 and provide insight into how they could leverage off their existing investments in Microsoft's systems and technologies. Too often I have seen people rush out and buy more shiny technology toys to implement some of the technical controls, yet if they had conducted a proper risk analysis they may have been able to save that money. Finally the book was to give the IT manager the technical settings to give to his/her technical people to implement the selected controls.”
The book makes limited reference to the remaining non-technical controls from ISO27k, of which there are many, except in as far as it says how Microsoft software such as IIS, especially when connected to broadband connections, may be used to support them.
About the author
Brian is an independent information security consultant based in Dublin, Ireland, His day-job sometimes involves forensic analyses on Windows systems, in other words he knows Windows inside-out. Brian helped establish the Irish Corporate Windows NT User Group and Ireland’s Computer Security Incident Response Team. Brian is active in a number of information security groups such as ISSA.
Structure and content
After briefly introducing common information security and risk management concepts, the early part of the book describes how an ISMS (Information Security Management System) helps the organization manage its information security risks and controls through a coherent management system. It explains the history of the ISO27k standards, briefly describes concepts such as PDCA (Plan-Do-Check-Act), and outlines some of the key benefits of having an ISO/IEC 27001-compliant ISMS. Then two chapters briefly explain the processes of identifying and risk assessing information assets, and so ends the pure ISO27k part of the book on page 64 of 308.
From that point forward, the book changes style to focus almost entirely on technical security controls within the context of Microsoft Windows. It starts by outlining the main Microsoft security technologies in chapter 6. Chapter 7 consists of a table briefly explaining how the controls in Annex A of ISO/IEC 27001 can be implemented using Microsoft Windows systems. Chapters 8 and 9 summarize typical system security configuration activities on Windows Server 2008 and Vista systems. Chapter 10 describes audit and log settings on Windows Server 2008. Chapter 11 is a table listing a number of recommended Windows Server 2008 registry and network service settings for security.
The appendices reiterate some of the earlier material and provide references.
While the title and publisher’s blurb promise a lot, the book delivers an accurate but hardly comprehensive introduction to ISO27k (most of which is explained much more thoroughly in the ISO27k standards themselves) and follows on with information that is readily available from many sources including Microsoft and third party security guides for various flavours of Windows. The writing style is clear and straightforward, although at times it resembles Microsoft’s marketing materials a little too closely. Its biggest failing, however, is that the book almost exclusively concerns IT rather than information security, and hence ignores arguably the largest and most difficult part of any real-world ISMS or ISO27k implementation, namely the non-technical aspects.
While I am in awe of Brian’s technical expertise and have no hesitation in recommending the book to Windows sysadmins looking for sound advice on implementing security on Windows platforms and succinct listings of the main technical security configuration settings, the book falls short of offering pragmatic ISMS or ISO27k implementation assistance, even for a pure Microsoft shop. It is neither a handbook nor a step-by-step guide to the whole process.