REVIEW: Information Security Policies, Procedures, and Standards


by Thomas R. Peltier, Auerbach Publications. 297 p.


Chapter one provides vague meanderings about information protection fundamentals. The author's opinion about how to write is given in chapter two. In the ultimate triumph of style over substance, this drafting advice is given before any examination of actual policy development. Chapter three defines policy and some related topics with lots of verbiage and overly lengthy examples. There are lots of sample mission statements in chapter four, although it is not really apparent why we are talking about this particular topic. The structure of chapter five, dealing with standards, is very confused, and the purpose of the examples given is unclear. (There is also an extremely odd assertion that standards, which are by definition rigid, must be "flexible.") We are given more writing advice, supposedly in aid of procedures, in chapter six. Chapter seven talks about information classification for a few paragraphs and then lays out a thirty-page example. Random security thoughts and banal training ideas make up the security awareness program in chapter eight. Generic project management advice is in chapter nine. Chapter ten contains suggested topics for a security policy. What the book said is repeated in chapter eleven. The appendices include a very short sample policy and a policy development checklist. Barman's "Writing Information Security Policies" (cf. BKWRINSP.RVW) provides far better advice on both the process and the topics to be covered in creating a security policy. Even "Information Security Policies Made Easy" (cf. BKISPME.RVW) is better.