Information Security Roles & Responsibilities Made Easy, Version 1

It is a great compliment to the authors other work on info sec policy development.

Rating:
Summary: Essential Resource
Review: This book is the other half of the author's excellent Information Security Policies Made Easy (version 8), which provides 1175 ready-made policies on CD ROM. What makes this book complement the policy book is that once the policies are written they are useless without defined roles and responsibilities assigned to manage and enforce them,

Included in this book (and in soft copy on the accompanying CD ROM) are organizational mission statements that form the framework for policies, job descriptions for major security role players, and organizational structures with reporting relationships.

The book does not merely present the roles and responsibilities - it goes into the hows and whys, and steps you through the definition and development of a security function in which the roles and responsibilities are defined. More important, the author does not use a canned approach, but provides alternative structures that will allow you to develop and implement the organization that is best aligned to your company. This is one of the most practical and flexible approaches I've seen, and shows the author's extensive experience and realistic attitude. Equally important is the fact that small companies are also addressed, making this book valuable to organizations of all sizes.

You're stepped through the process of identifying your requirements, tailoring the documents provided on the CD ROM to reflect those requirements, and given an idea of the time and resources needed to implement them. In addition to the documented roles and responsibilities and organizational structures provided, this book also covers (and the CD ROM provides) pamphlets to promote security awareness, memos, forms, action plans, a sample security manual and standards, and other documents that will be needed to effectively implement a security organization.

The chapter on common mistakes is worth its weight in gold, as are the appendices, which cover staffing levels, qualifications (this is valuable to HR), and IS security metrics.

Regardless of company size or scope of your security organization, this book will save literally hundreds of hours of research, document development and planning. Even for a small company of 25-100 employees this book will pay for itself many times over, and for a large company the value that this book (and the companion book I mentioned above) represents can run into the tens of thousands of dollars.

Rating:
Summary: Essential Resource
Review: This book is the other half of the author's excellent Information Security Policies Made Easy (version 8), which provides 1175 ready-made policies on CD ROM. What makes this book complement the policy book is that once the policies are written they are useless without defined roles and responsibilities assigned to manage and enforce them,

Included in this book (and in soft copy on the accompanying CD ROM) are organizational mission statements that form the framework for policies, job descriptions for major security role players, and organizational structures with reporting relationships.

The book does not merely present the roles and responsibilities - it goes into the hows and whys, and steps you through the definition and development of a security function in which the roles and responsibilities are defined. More important, the author does not use a canned approach, but provides alternative structures that will allow you to develop and implement the organization that is best aligned to your company. This is one of the most practical and flexible approaches I've seen, and shows the author's extensive experience and realistic attitude. Equally important is the fact that small companies are also addressed, making this book valuable to organizations of all sizes.

You're stepped through the process of identifying your requirements, tailoring the documents provided on the CD ROM to reflect those requirements, and given an idea of the time and resources needed to implement them. In addition to the documented roles and responsibilities and organizational structures provided, this book also covers (and the CD ROM provides) pamphlets to promote security awareness, memos, forms, action plans, a sample security manual and standards, and other documents that will be needed to effectively implement a security organization.

The chapter on common mistakes is worth its weight in gold, as are the appendices, which cover staffing levels, qualifications (this is valuable to HR), and IS security metrics.

Regardless of company size or scope of your security organization, this book will save literally hundreds of hours of research, document development and planning. Even for a small company of 25-100 employees this book will pay for itself many times over, and for a large company the value that this book (and the companion book I mentioned above) represents can run into the tens of thousands of dollars.