The stated aim of this book is to “help managers make cost-effective decisions about the security measures that are needed to protect their information systems.” It is a book for those managers who are responsible for the security of computer-based assets, but who are not directly in charge of the computer service. It reflects a commercial, rather than a military, approach to security.
As the title suggests, this book is concerned with loss of data due to unintentional mistakes, as well as loss through theft. This theme is emphasized in the Introduction, where Moulton states that in the long run unintentional losses are likely to be more expensive than intentional losses, except in a few exceptional cases. The practical advice in the Introduction indicates how a manager could instigate a security improvement program.
The second chapter describes the fundamental controls that should be present in the system. It provides the reader, a manager, with the necessary technical understanding of how to protect data stored in a computer, and it is presented at the right degree of detail. This chapter strikes a very good balance between detail and abstraction, and is quite excellent. This chapter is not intended to make the manager technically competent, but it will enable him or her to know what security controls the manager needs and to know when he or she is getting them. (One point of caution: I may find this chapter to be so good because I know what Moulton is describing.)
Chapter 3 helps the reader to define his or her computer security responsibilities and to decide which can be delegated to others. It emphasizes the importance of having a security policy. US legal requirements that affect the need for security are discussed; it is a shame that it does not cover British legal requirements as well.
Chapter 4 looks at end-user problems. Two aspects are discussed: how to identify the users using the system, and how to determine what the user’s security requirements are. Personally, I found this to be a funny combination.
Chapter 5 suggests how a manager can influence the computer service department to improve security. The main points are how a reader should identify security requirements and then how to get them implemented. This is a very important chapter, as it must be common for managers to be responsible for computer-based assets but not be able to directly control their security.
Chapter 6 looks at the role of the computer security auditor and suggests how to assist the auditor in order to maximize the value of the exercise. Moulton emphasizes the advantages of having an audit done, and he stresses that it should not be considered an intrusion and a nuisance.
Security, like any other form of insurance, is often looked upon as a necessary waste of money. Chapter 7 explains how improving security can also lead to an increase in productivity. A lot of the points identified here have more to do with reliability and availability than security; this is part of Moulton’s interest in accidental loss of assets.
In a commercial environment, security must be cost effective. Chapter 8 discusses risk assessment and points to consider when determining whether a particular security measure should be instigated or not.
Chapter 9 explains how to react when a computer fraud has been perpetrated. It covers how to identify a loss in the first place; how to collect evidence; how to analyze the crime in order to improve security and to prevent further losses; and, finally, how to deal with the criminal. This chapter also includes a rather nice description of computer-related crime techniques.
Chapter 10 is concerned with surviving computer disasters. Moulton identifies what must go into a disaster recovery plan; then, perhaps most importantly, he gives advice on how to sell such a plan to top management. All in all, it is a neat, self-contained, and important chapter.
Security is a people-related problem, and Chapter 11 looks at how to handle people. Moulton first addresses the problem of how to terminate the services of an employee without making the firm vulnerable to a revenge attack. If security is to be effective, then the employees responsible for maintaining security must be handled properly. Moulton gives advice on how to manage auditors and security officers.
Up to now, Moulton has primarily concentrated on large mainframe systems; in Chapter 12 his attention turns to microprocessors and the distribution of computing that results from their introduction. Quite rightly, he emphasizes that the value of the data stored on a microcomputer will most likely be out of all proportion to the cost of the hardware. The chapter shows how the concepts described in previous chapters apply to microcomputers as well.
There are not a lot of references, but this does not detract from the book, as it is quite self-contained. It does, however, mean that the reader does not know where to look for more detailed information; but then, perhaps a manager is not meant to.
The Index covers the concepts introduced in the book, but it does not include words such as “trojan horse” that are used and explained in the main text. The Index appears to have been optimized for readers who have read the book and wish to reread a specific part. Given the rationale for the book, this is not a problem.
The format of the book is rather cramped. This is particularly noticeable around the figures, which do not stand out from the main text. However, you get used to it quickly and it stops being a distraction.
This book explains to management how to improve their security. The reader of this book should be able to set about defining his or her security requirements and getting them implemented. The approach taken is eminently practical and seems to be full of good commercial sense. It gets over the necessary technical concepts without resorting to details. This is a good book and one that fulfills its aim.