IT Governance:
an international guide to data security and ISO27001/ISO27002
by Alan Calder and Steve Watkins
Published by Kogan Page, 2012 (fifth edition)
Paperback 380 pages
ISBN 978 0 7494 6485 1
~US$68 from Amazon
Scope
Although the title plainly indicates that this is a book on IT governance, this is in fact an information security book: the authors describe IT governance as information security extending beyond the organization, taking in its extranets, partners etc. I suspect this anachronism stems from way back when the first edition was being written. ‘IT governance’ was definitely a hot topic at the time but the term was ill-defined as the field was evolving rapidly and - to be fair - it is still interpreted differently by different people. In the same vein, the subtitle’s mention of ‘data security’ implies that this is about the security of computer data whereas it actually discusses the security of information in all forms.
Misleading title aside, the book is largely concerned with selecting/designing information security controls based on the advice in ISO/IEC 27002.
Intended audience
The authors had senior and general management in mind when writing the book. Without strong links to business objectives and strategies, information security is destined to remain on the sidelines, under-resourced and peripheral to the business, hence it is vital for senior and general managers (not just IT managers and information security specialists) to appreciate the business value and imperatives for information security. However, I am not entirely convinced that this book is a suitable vehicle to engage senior and general managers fully with information security management: the advice it dispenses is quite detailed, better suited to lower-level managers and hands-on specialists designing and implementing an Information Security Management System. It is not an ‘executive guide’.
Content
With the same sequence of topics as ISO/IEC 27002, the text expands on the standard’s relatively high-level descriptions of all manner of information security controls, providing a bit more depth and additional context. In some cases, though, it does little more than rephrase ISO/IEC 27002 itself. It is a shame that the authors did not include more practical examples based on their experience. It’s a bit theoretical and dry in style.
Additional governance coverage draws on the UK Combined Code, Turnbull and Sarbanes-Oxley. There are numerous references to the UK and US throughout the book.
Now in its fifth edition, the book has been consistently updated by the authors to mention topical information security issues such as Advanced Persistent Threats (APT), virtualization, social media and cloud computing, even though these are not explicitly mentioned in the ISO27k standards. Since it takes about five years or more to revise the ISO27k standards, the book’s one- to two-year cycle time gives it an advantage in this fast-moving field, provided the coverage of emerging issues is accurate. Describing APT, for instance, as “a national government or state-level entity that has the capacity and the intent to persistently and effectively target - in cyberspace - another entity that it wishes to disrupt or otherwise compromise” may be technically correct, but today APT is used as a broader term for highly sophisticated attacks using stealthy multi-partite remote-controlled malware in conjunction with social engineering and network/system hacking methods - at least that is my understanding at the time of writing this review!
Value
Whereas other books (such as Information Security Governance and IT Governance) are much stronger on governance, Calder and Watkins dispense a lot of sage advice on information security controls. The writing is clear and the guidance sensible. Information security professionals working for ISO/IEC 27001-certified organizations recommend this book.
Conclusion
The book is a worthwhile supplement to the actual standards for anyone actively implementing ISO/IEC 27001 and especially ISO/IEC 27002.