The subject of Security reminds me of the Lernean Hydra, a mythical monstrous serpent with nine heads, which was slain by Heracles (or Hercules), where for each chopped head, two new ones grew. Similarly, every time a security hole is plugged, at least two new ones seem to appear.
It is not suggested that the Herculean remedy be applied here, but a strategy is required to holistically address this subject, and that involves inevitable compromises. The Black Book tackles the subject by engaging multiple very credible authors (17) to give their knowledge and expertise in 14 diverse chapters. A bio and contact information is given for each author, as well as a Glossary and Resource Appendix (company profiles). Does it succeed?
I have reviewed the book as a non-expert in security, but as an associate professional having held responsible positions over many years in the management of the IT Infrastructure, the battleground of the security campaign.
Generally, I feel the book is aimed at IT Managers/CIOs and above, and most importantly at business line managers, the CFOs/CEOs and the executive management committee, although it would be useful for all staff to be encouraged to browse it. The foreword chapter prepares the reader for what follows and outlines the central theme of the book: that there is a need for new thinking about security in corporates.
All contributors reference the growing regulatory landscape, e.g. ISO 17799 on assessment, the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley, the European Data Protection Act (EDPA), HIPAA for the health sector, Basel II ... enough to put anyone off security for good.
The first four chapters provide high-level views on the need to build a secure corporate environment, integrating security with risk management strategies in an extended enterprise model which includes multiple partners. Most corporates have to view themselves as Virtual Organisations. I like the phrase "Risk should not be regarded with fatalism and defeatism, but with alertness and preparation." It suggests using the onion model, generally accepted as the security model to follow, where the levels are people, process and procedures, both physical and logical.
The need to understand Information Assets and their security brings in Corporate Governance. Planning and testing are essential, and how true is the message: "hackers and terrorists plan ahead, so should you."
Chapters 5 and 6 discuss some new ideas on Identity-Aware Business Service Management and Multi-Level Security in order to protect the classification of data and enable the safe sharing of information. The focus is on resource effectiveness, not efficiency.
Chapter 7 brings home the multiplicity of threats, such as viruses, worms, remote access Trojans, and even cookies occasionally. This is probably the most technical information in the book, with explanations of malicious code and phishing attacks.
The use of behavioural technology is proposed for countering the threats, and in chapters 8 and 9 the suggestion is to focus on prevention rather than the cure. Help is available from Information Sharing & Analysis Centres (ISACs) in order to deal with zero-day attacks.
Concerns over loss of intellectual property and the concept of the enterprise without boundaries highlight the need for content analysis techniques and the monitoring of the asset, not the employee. Securing the company perimeter is no longer enough, and attention now switches to sources with respect to trust. Furthermore, network convergence expands security concerns to include voice applications, but the telecoms people may not be up to it.
The final chapter links security with business continuity and disaster recovery. Inevitably the 9/11 experience is used to emphasise the changing threat profile, from simple power failures and environmental incidents to the new term CBRNE (chemical, biological, radiological, nuclear, explosive). The author emphasises the need to validate assumptions and ensure that testing of plans is done, hence the need for more active CEO involvement. Wasn't this the message of the foreword?
In conclusion, this is a well-written and well-organised book, with sufficient gravitas to be accepted by company chiefs as essential guiding material. Will they act on it?
The Black Book on Corporate Security
Larstan Publishing, 2005
437 pages, $49.95