
Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Network Security: The Complete Reference

By Roberta Bragg, CISSP, Mark Rhodes-Ousley, CISSP, and Keith Strassberg, CISSP, CPA
Reviewed by Kamal Parmar, CISA, ACCA, CCNA, MCP

Information security was regarded as something of a black art until about a decade ago. There had been a dearth of information on security issues for specific technological environments, and one would have been hard pressed to find a single source of information on security for multiple system platforms.

This general gap has been gradually filled, due to the advent of knowledge sharing on the Internet and books like Network Security: The Complete Reference.

This book covers a broad spectrum of security topics, to the extent that one would want to classify it as a complete reference guide on security, rather than just network security. The major topics addressed include: return on security, security strategy and risk analysis; security policy development and security organisation; access control and physical security; biometrics; e-mail; network architecture; firewalls and IDSs; VPNs; wireless security; disaster recovery; Windows, Linux, UNIX and Novell; application and database security; and incident response.

This book will appeal roundly to security professionals and IT administrators (e.g., for networks, applications, databases). It will also attract software developers who seek to write secure code, particularly if they are using the J2EE and .NET platforms.

The book may be classified as intermediate to advanced; in other words, it is appropriate for anyone who has been exposed to any of the technologies listed above.

More importantly, the book is an excellent how-to on securing corporate information assets. Unlike the genre of Hacking Exposed and the like, this book stresses the how-to-protect element more than the how-to-hack element.

While the book might be considered equally suitable for all countries around the world, there may be regional biases in the area of wireless networking, particularly with regard to different standards adopted by the United States, Europe and the rest of the world. Having said that, such differences are minimal from the overall perspective of information security.

The book is well structured, organised into six principal domains: network security foundations, access control, network architecture, operating system security, application security and response. It is written in a business-like language and uses practical, real-life examples extensively where appropriate. Bullet points and diagrams are used judiciously at various points to break the monotony of prose and to aid comprehension.

As evidence of the growing recognition of COBIT as a best practice standard for information technology governance, the book briefly describes COBIT as a standard for IT governance and is a tribute to the global presence of ISACA as an influence on governance issues with respect to technology.

Overall, the book is rich in detail; it is difficult to imagine how the authors were able to squeeze so much content into a book less than 1,000 pages in length. Contemporary legal and regulatory issues, e.g., Sarbanes-Oxley, HIPAA, are suitably covered.

An excellent 25-page security dictionary has also been included, expounding definitions of contemporary technology used in the security space today.

This is the first book the reviewer has seen using more than 20 coauthors. In light of this fact, the text is incredibly well-organised, and a common theme and style underlies the entire text. Roberta Bragg is a leading authority in the arena of Windows security, having previously written in this area and facilitated training on Windows security. Mark Rhodes-Ousley is a security professional with more than 10 years' standing. He has advised, designed and installed security infrastructures and policies for dozens of large and small companies. Keith Strassberg is a security consultant with more than seven years' experience in various security technologies, such as firewalls, IDSs, forensics, policy formulation and vulnerability testing. While it is impossible to describe all contributors here, the community of authors that contributed includes engineers, accountants, lawyers and software developers, and this is a testimony to the all-encompassing nature of the information security field today.

This book is arguably the ultimate book on information security. The sheer scope of the book represents an ambitious undertaking.

Unlike other books on security, which tend to concentrate largely on the technical aspects, the authors in this case have struck a balance between the technical and nontechnical aspects of security. For instance, part one of the text is dedicated to the “soft” issues surrounding security, e.g., risk analysis, security policy and security organisation.


The text also has a sizeable section on wireless network security, which is a timely inclusion, given the recent clamour regarding wireless networks.

This is a valuable text for today’s information security professional, with logical and concise information, and a very representative and deserving title.

Editor’s Note:
Network Security: The Complete Reference is now available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail bookstore@isaca.org or telephone +1.847.253.1545, ext. 401.

Kamal Parmar, CISA, ACCA, CCNA, MCP

is a senior consultant in Ernst & Young’s risk and technology
services practice in Melbourne, Australia. Over a six-year
period, he has performed IS audit, penetration testing, forensic
investigation and due diligence projects for multiple clients in
the financial services, aviation, telecommunications,
manufacturing and hospitality industries. He is a member of
ISACA’s Publications Committee and has previously written for
the Information Systems Control Journal.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
