INTRODUCTION

Have you ever found yourself wondering how to secure your corporation’s sensitive infrastructure, systems and information? Are you facing the paradox of overly ambitious goals but limited by a nonexistent or shoestring budget? John McCumber offers a structured methodology that can be applied to the biggest corporations or the smallest of businesses and everything in between.

BOOK INFORMATION

“Assessing and Managing Security Risk in IT Systems: A Structured Methodology” by John McCumber; Published 2005 by CRC Press LLC; ISBN 0-8493-2232-4; Library of Congress Card # 2004050274

REVIEW

Many believe that Information System Security is complicated. Stories of data breaches abound and corporations pay millions of dollars each year to protect their sensitive systems and data from attack. With an ever expanding and changing threat landscape, Information Systems Security can appear to many as an insurmountable challenge that can never be truly managed, let alone solved.

In his book “Assessing and Managing Security Risk in IT Systems: A Structured Methodology”, John McCumber has answered the call with a timeless structured methodology for managing IT security that offers comprehensive security frameworks for the biggest corporations while concurrently providing cost-effective solutions for the smallest of businesses and everything in between. His easy-to-understand and easy-to-implement approach is the product of decades of hands-on experience with both the U.S. military and civilian companies. McCumber’s methodology is a straightforward, comprehensive security model that is applicable to corporations, medium businesses, small businesses, schools, churches, organizations, clubs and even homes.

Starting with guidance on how to determine the value of information, McCumber sets the stage for security practitioners to assess their specific needs by quantifying what they need to protect, and then guides them through the exploration of various scenarios and requirements to secure those infrastructures, systems and data. McCumber leverages a three-dimensional cube, known as the McCumber Cube, to diagram and illustrate a 27-point approach to IT security. The cube considers the three basic states of information (transmission, storage, and processing), links those to the critical information characteristics (confidentiality, integrity, and availability), and then explores the requirements of the security measures (human factors, policy and practices, and technology). Each of the 27 cells is one combination of a state, a characteristic and a measure, so the cube doubles as a checklist: a cell with no corresponding safeguard is a gap.
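The following is an added example, not code from the book or from John McCumber, showing one way a practitioner might use the 27-cell structure described above as a coverage checklist. The three dimensions and their values come from the review; the control inventory, the tag names and the function names (`coverage_gaps`, `coverage_ratio`, `gaps_by_measure`) are constructed for illustration and are not prescribed by the book.

```python
"""McCumber Cube coverage check (added example; not from the reviewed book).

Each safeguard in an inventory is tagged with one information state, one
information characteristic and one security measure.  The cube's 27 cells
are enumerated, and any cell that no safeguard maps to is reported as a gap.
"""
from itertools import product

# The three axes of the cube, as described in the review.
STATES = ("transmission", "storage", "processing")
PROPERTIES = ("confidentiality", "integrity", "availability")
MEASURES = ("human_factors", "policy_practices", "technology")

# All 27 (state, property, measure) cells.
ALL_CELLS = frozenset(product(STATES, PROPERTIES, MEASURES))


def validate_control(control):
    """Raise ValueError if a control is tagged with a value outside the cube."""
    checks = (("state", STATES), ("property", PROPERTIES), ("measure", MEASURES))
    for key, allowed in checks:
        if control.get(key) not in allowed:
            raise ValueError(
                f"control {control.get('name')!r}: {key}={control.get(key)!r} "
                f"is not one of {allowed}"
            )
    return True


def covered_cells(controls):
    """Set of cube cells that at least one control maps to."""
    for c in controls:
        validate_control(c)
    return {(c["state"], c["property"], c["measure"]) for c in controls}


def coverage_gaps(controls):
    """Sorted list of cube cells with no safeguard at all."""
    return sorted(ALL_CELLS - covered_cells(controls))


def coverage_ratio(controls):
    """Fraction of the 27 cells covered by at least one control."""
    return len(covered_cells(controls)) / len(ALL_CELLS)


def gaps_by_measure(controls):
    """Count uncovered cells per security measure, to show which kind of
    safeguard (people, process or technology) is under-represented."""
    counts = {m: 0 for m in MEASURES}
    for _, _, measure in coverage_gaps(controls):
        counts[measure] += 1
    return counts


# Constructed sample inventory (hypothetical organisation, not real data).
SAMPLE_CONTROLS = [
    {"name": "TLS on all external links", "state": "transmission",
     "property": "confidentiality", "measure": "technology"},
    {"name": "TLS record authentication", "state": "transmission",
     "property": "integrity", "measure": "technology"},
    {"name": "Phishing awareness training", "state": "transmission",
     "property": "confidentiality", "measure": "human_factors"},
    {"name": "Full-disk encryption", "state": "storage",
     "property": "confidentiality", "measure": "technology"},
    {"name": "Data classification and access policy", "state": "storage",
     "property": "confidentiality", "measure": "policy_practices"},
    {"name": "Nightly backups", "state": "storage",
     "property": "availability", "measure": "technology"},
    {"name": "Backup retention and restore-test policy", "state": "storage",
     "property": "availability", "measure": "policy_practices"},
    {"name": "Change management procedure", "state": "processing",
     "property": "integrity", "measure": "policy_practices"},
    {"name": "Mandatory peer code review", "state": "processing",
     "property": "integrity", "measure": "human_factors"},
    {"name": "Redundant compute nodes", "state": "processing",
     "property": "availability", "measure": "technology"},
]

if __name__ == "__main__":
    print(f"coverage: {coverage_ratio(SAMPLE_CONTROLS):.0%} of 27 cells")
    print("uncovered cells per measure:", gaps_by_measure(SAMPLE_CONTROLS))
    for cell in coverage_gaps(SAMPLE_CONTROLS):
        print("  gap:", " / ".join(cell))
```

Running the script on the constructed inventory lists the 17 uncovered cells; the per-measure breakdown is usually the more useful output, since it shows at a glance whether an organisation has bought technology while neglecting policy or people, which is exactly the balance the cube is meant to make visible.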

RECOMMENDATION

I find the model basic and easy to understand, but profoundly comprehensive with respect to the needs of the security practitioner. The model creates a structured approach to security evaluation, analysis, and application. By concentrating on the WHAT vs. the HOW, McCumber has created a model that will stand the test of time. Regardless of the date, and regardless of the value of your data and systems, John McCumber’s Cube can provide you with a comprehensive solution for all your IT security challenges.
