Computing Reviews
IT security risk control management : an audit preparation plan
Pompon R., Apress, New York, NY, 2016. 311 pp. Type: Book (978-1-484221-39-6)
Date Reviewed: Apr 13 2017

It is difficult to operate a business of any size these days without information technology (IT) systems, and it is largely impossible to operate IT systems without a connection to the Internet, accepting all of the risks that this brings. Organizations need processes in place to protect their IT systems and in particular need to meet legislated requirements to protect personal data that may apply in the countries in which they operate. Pompon provides step-by-step guidance for successfully establishing a security management system for an organization’s IT systems.

The book is divided into four parts. Part 1 introduces IT security management from the perspective of audit. Pompon explains the reasons why audit is necessary, how the audit process works, and why organizations should build their security processes as if an audit were coming--as sooner or later, it will. The risk analysis process is covered in significant detail in chapters 3, 4, and 5, each chapter dealing with the analysis of different assets, risks, and threat areas, with several scenarios presented and their risks analyzed and assessed.

If you are developing a security management program for your organization, then Part 2 will be particularly useful. Chapter 6 covers the important initial task of developing the scope for a security management system--that is, identifying what assets need protection and the technical, physical, and procedural barriers that need to be in place to control access to these assets. Chapter 7 discusses the various governance framework roles that are needed to keep the security system working, and identifies the individuals and groups within the organization that should be involved. Detailed coverage of the cycle of planning, treatment, monitoring, and adjustment for addressing risk is provided. Lastly, chapters 8, 9, and 10 provide guidance for engaging with the three main groups of people within the organization (business management, technical staff, and users) that are needed to make the security management system a success. These three chapters provide good real-world advice, clearly written by someone who has “been there and done that.”

Part 3 covers the controls needed to manage IT system risk. Chapter 11 covers the development of security policies, explaining what a policy is and, importantly, what it is not, and provides templates for developing two of the key policies. Chapter 12 gives an overview of how to effectively design controls, and chapters 13 through 20 then go into more detail on particular controls necessary to manage risk. Administrative, access, physical, and technical controls are all covered in detail, as well as vulnerability management, business continuity, and disaster recovery. These chapters are packed with good advice from Pompon’s own experiences, and simple but important concepts are discussed, an example being the retention of adequate logs and records so that compliance can be demonstrated to an auditor.

The final part covers the inevitable audit and how an audit is conducted. Chapter 21 explains some of the types of audit, discusses what happens during an audit, and explains how to prepare for one. The checklist provided also makes a useful overall guide for the entire security management system development process. The importance of evidence and documentation is emphasized and the details of several specific audit types are explained. Chapter 22 looks at the role of internal audit in ensuring that an organization is ready for a formal audit, and also details some of the routine reviews and checks on controls that are necessary. Chapter 23 looks at managing the risk associated with the services provided to the organization by external parties. Policies, controls, and the need for formal agreements with external suppliers are discussed. Lastly, chapter 24 covers analysis of audit results with a view to continuous improvement of security management controls.

The introduction provides a good road map to the book, and each chapter finishes with a list of further readings. There is a good index and a very thorough table of contents. A minor annoyance is that the sections are not numbered, which does make it a little difficult to navigate through the book.

All in all, Pompon delivers on expectations. Unlike some other IT security works, he does not focus on just one particular security standard, and so his approach is more generally useful. Standards and controls such as the US Federal Trade Commission security controls, International Standards Organization (ISO) 27001, the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements (SSAE) No. 16 auditing standards, and the Payment Card Industry Data Security Standard (PCI DSS) are all covered. Although the specific pieces of legislation that Pompon refers to are US-centric, similar legislation also exists in most other developed countries. This is a good, step-by-step approach to building a security program that should protect an organization’s IT systems and, importantly, also be able to demonstrate that protection to an auditor.


Reviewer: David B. Henderson. Review #: CR145196 (1706-0365)
Categories: Security and Protection (K.6.5); Business (J.1 ...)