Computing Reviews
Information technology security : advice from experts (IT Solutions series)
Oliva L., IRM Press, 2004. Type: Book (9781591402473)
Date Reviewed: Apr 18 2005

Today, security occupies a place of special importance in information technology (IT) activities. The number and sophistication of attacks grows every year, and legislation—such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Fair and Accurate Credit Transactions Act (FACTA)—formulated to protect the integrity, security, and privacy of data makes many of the security activities in IT mandatory. In addition, as an increasing proportion of organizational assets becomes digitized, the value of protecting data and applications is increasing.

The IT activities needed to institute and support an adequate level of security are well known, and include access control, sensible use of security technologies, and following pre-set security policies and procedures, as well as a strict schedule of updates, patching, and maintenance. Oliva’s book describes some IT security activities, strategies, and procedures in detail. Although the book is not comprehensive, it addresses the issues that are of paramount importance in building an IT security approach for all organizations.

The book starts with a section on governance issues. Digital systems and assets are of no use if access to them is completely restricted, and the author describes a pragmatic approach that combines control with quick access to assets by authorized personnel and systems. Advice on aligning assurance and business is provided by C. Kaucher, who analyzes the situation based on three trends: defense-in-depth, coherent enterprise architecture, and consistent information assurance requirements. The three areas converge, allowing strategists to create a coherent IT security approach, where requirements, architecture, and methods of implementation are aligned with IT security goals. Kaucher proposes using an adaptation of the McCumber model to develop a solid engineering approach to security based on enterprise architecture. Only in this way can security be defined as a series of concrete steps, rather than abstract policies and guidelines. In addition to architectural issues, users’ behaviors present a security hazard, and the chapter addresses issues of employee monitoring versus privacy, analyzes administrative policies, and discusses the security of shareholder communications.

C. Rex IV wrote the next chapter, on customer information. The chapter starts with a definition of customer information, and focuses on the difficulties of combining openness and information sharing with notions of privacy and security. The most dangerous attacks are the ones that go unnoticed; frequently, their consequences never become known and understood. The author calls security a winless game, but outlines strategies that lead to long-term success.

In the next chapter, C. Harrod describes global IT risk management strategies. The author explains, step by step, the design, function, and structure of risk management in organizations. The chapter provides a comprehensive description of the components of risk management, the best approaches to mitigation, and metrics to assess compliance.

Section 2, written by Oliva, discusses architectural issues. The section is a good summary of the activities of those in an organization whose work focuses on assessing the security threats inherent to the chosen enterprise architecture. Oliva suggests starting with a threat matrix, adjusting service level agreements (SLAs) in conjunction with the security threats and capabilities, analyzing internal processes to detect and define security threats, and compiling disaster recovery plans in advance.

Section 3 focuses on technology issues. It starts with a chapter by C. Pool, on wireless security. The author explains the protocols and standards used in wireless security, highlights the specific vulnerabilities of wireless networks, outlines countermeasures, and includes his views on future developments in wireless security. The chapter also mentions some technologies, such as smart cards and biometrics, as ways to restrict access to wireless networks, and thereby increase their security. The final chapter of the book lists reference materials, and explains the special terms used throughout the book.

This work is a very good starting point for those who need to quickly understand the essence of IT security. It is a good handbook for managers, and can be a manual for the general training of employees whose primary job is IT, but not IT security. The book is not comprehensive or technical, and does not contain many details, but it is an excellent tool to improve the general understanding of security in larger organizations. It could be used in many ways, with an eye toward increasing the awareness of security threats and risks, and of methods to define IT security strategies.

Reviewer: Claire Vishik Review #: CR131144 (0603-0262)
Classification: Security and Protection (K.6.5); Security and Protection (C.2.0 ...); General (C.2.0); Security and Protection (D.4.6)
