IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799 3rd ed.

Thean Keat Khoo (DHL Logistics, Bracknell, UK)

Corporate Governance

ISSN: 1472-0701

Article publication date: 27 February 2007

Citation

Keat Khoo, T. (2007), "IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799 3rd ed.", Corporate Governance, Vol. 7 No. 1, pp. 102-104. https://doi.org/10.1108/14720700710727159

Publisher: Emerald Group Publishing Limited

Copyright © 2007, Emerald Group Publishing Limited


As an IT practitioner who is keen to discover the relationship between governance and IT, I was excited about the opportunity to review a book on IT governance and information security by two fellow practitioners. Like many IT analysts, I believe that information system security is a hot topic among senior IT and business managers. However, many IT practitioners would agree that the task of developing an IT governance strategy that allows businesses to operate unaffected by security issues is made more complex by today's rapidly expanding digital communities and global economies. A fair expectation of a book addressing such issues at management level is that it offers business insights, the application of complex frameworks and shared experience.

1 An IT practitioner perspective

The book's strong point is its in‐depth analysis of what an information security management system (ISMS) is. This book offers a huge amount of information that is built around the selected standards. The main chapters of this book are structured around the BS7799/ISO 17799 topics, which can be grouped into four logical themes to better guide readers in understanding such an extensive subject. Chapters 1 to 6 provide a strategic overview of planning and developing information security within the authors' definition of IT governance. Chapters 7 to 12 take a business administration approach to information security, covering areas such as human resources, physical resources and operations. In chapters 13 to 23 the authors address IT risks in relation to IT infrastructure, IT networks and applications. The fourth theme, which deals with implementing and supporting an information security system, is found in chapters 24 to 27.

In general, directors or business managers require easily digestible information and knowledge that are strategic and free of technology jargon. From an IT practitioner perspective, I am unconvinced that the entire book (hard‐copy)[1] offers directors or business managers a managerial perspective on IT governance. The first six chapters are suitable reading for most non‐technology and non‐security specialists who are interested in IT governance principles. The remaining chapters are more appropriate for the IT manager, IT security manager or project managers working with information security. If the authors are attempting to communicate a management perspective of IT governance to non‐technical senior managers, then some of the key recommendations that they make on the impact of information technology on IT governance could be lost in translation beyond chapter 12. Specifically, chapters 13 to 23 of this book are too technical. Most business directors and managers will struggle to read these chapters without referring to other texts or the online reference of this book, mainly because the authors often refer to sections within the BS7799 Standard and use its numbering system, e.g. A.10.1.3 and A.6.1.2. Hence, managers who are not familiar with the Standards will also have to read the BS7799 or ISO 17799 manuals to fully understand the book. Furthermore, many technical terms found in this book, such as SSL, IPSec, S/MIME and PKIX (page 207), come without any explanation of what these acronyms stand for, and they also do not appear in the index.

2 Where is the research?

In this book, the big question is "Why is information security necessary?" However, when I look for the research behind that important question, the book lacks any solid research or case studies to answer it. If I were a business director or manager, I would like to know which companies Calder and Watkins have studied. In the absence of research and case studies, the contents of this book and the authors' experience come across as merely anecdotal. Furthermore, the authors prescribe the adoption and implementation of an information security management system and certification to BS7799 as the most practical and effective way for directors to handle their IT governance. Such a recommendation presents a highly focused or silo view of IT governance that may not be relevant to all organizations. In today's complex organizations, IT governance has to cover a more holistic field of subjects such as leadership, organizational structures and business processes. This book does not appear to give enough emphasis to the significance of these topics in the wider context of IT governance. Although the authors recommend compliance with standards, I believe many readers could still benefit from the book even if they are not aiming for certification. To a technical manager who needs to address and manage issues on information security, selected chapters in this book can be used as a checklist or a handbook, as recommended by the authors, for implementing a comprehensive information security programme at a tactical level.

Clearly, in today's volatile and increasingly "regulated" market place, IT governance is not just about information system security, which tends to be a defensive form of IT governance. Nolan and McFarlan (2005, p. 99) recommend that IT governance at board level should also consist of defensive, offensive and administrative oversight tasks. According to their study, IT governance activities generally depend on a company's size, industry and competitive landscape. Their work presents directors and senior managers with a high‐level framework for developing IT governance strategy and policies, which this book fails to provide. Frameworks and models are important strategic tools if this book is to benefit board members, directors, executives and managers of any business or organization.

Metaphorically speaking, this book can be likened to an old‐fashioned recipe book – no graphics or diagrams, the emphasis is on the technicality of cooking, and it offers little on the concepts of food, nutrition, presentation and origin of ingredients found in today's contemporary cook books. If information security is a recommended serving in an organization's IT governance nutritional regime, a revised version of this book must convince directors and managers to consume information security programmes as a major portion of their governance diet. To further improve the book, the next edition could include the following:

  • Provide case studies or research on companies that have implemented the prescribed standards.

  • Improve the organization of the book by providing clearer guidelines on how to use the book and sectioning the book for different target audiences.

  • Improve the index to include all technology references and acronyms – personally, an index is the second most important part of a book after the table‐of‐contents because a comprehensive index functions as a guide to interrelated topics.

  • Write the book without making reference to the sections of the BS 7799 manual, but keep those references at the end of each chapter for those readers who are interested in certification – this will make the book suitable for a wider audience.

  • Include graphical illustrations, frameworks and models to emphasize its strategic position on IT governance and information security.

  • Justify the use of the title "IT governance" by extending the subject of IT governance to include different dimensions, studies and research – this is important if the book is used as a text for university teaching.

Notes

1. This review does not include the online version of the book.

References

Nolan, R. and McFarlan, W. (2005), "Information technology and the board of directors", Harvard Business Review, October, pp. 96-106.