FOR: Written in plain English, this manual provides the basis to dissect each critical area in a step-by-step process to achieve a full and unbiased picture of your workforce from the top down and all your system’s uses and vulnerabilities. It includes the main manual (issue profiles, questions and cameos), score sheet, and alliance extensions (for bodies that must share information).

AGAINST: As with many manuals and documentation there were some minor typos, and I’d say to everyone collating information for wide distribution, hire a proofreader, because it’s money well spent. [Ed Note: The company tells me that it will review the manual following SC Magazine’s remarks.]

VERDICT: If you want to assimilate your business model with a secure business practice model, then the Information Security Manual is one way to do this without having to provide access to outside contractors. The benefit to your company is the knowledge that no outside party is ever provided with full authorization to enter your critical systems in order to audit them, and that you maintain a policy of in-house-only access.

Just to prove we aren’t that set in our ways, we took a very different type of security product and reviewed it. This is neither hardware nor a software solution, but a security product nonetheless, in the shape of a manual. Where do you turn when you want to see whether you are secure, or indeed going about planning your security in the best possible way? Some companies opt to hire a consultancy firm to do all the work on their behalf, while others struggle on because they don’t want to outsource one iota, seeing this as a possible weakness in the overall security process. Surely the fewer people who know what you need, what you have, where your vulnerabilities lie and how you propose to protect them, the better? So here you have it: a manual that we felt could guide you through an otherwise challenging process, cutting the stress and the oversights by half.
The Information Security Manual is a credit to itself when it comes to its own security. It has its very own protection against theft of copyright. Every page is marked with the purchasing company’s name (in our case it had West Coast Publishing emblazoned across every page) to protect the intellectual property from theft or manipulation. Each manual, we are told, although we couldn’t test this, is said to be slightly different to also provide a secondary method of security. There are blank pages too, which are numbered and security marked; with the text “Deliberately left blank” at the top of each blank page, this also distinguishes the individual product. The idea is to provide the information each of us needs to supply our organization with a solid base to build our computer security audit on and from there develop a clear and unambiguous policy. This in turn brings areas that you may otherwise overlook in your rush to get a structure in place and helps you to get a quality security policy up and running. While the audit is certainly useful, it isn’t going to tell you how to configure your security solutions and devices, so you still need to keep this in mind and ensure that you have the required level of expertise within your organization. The manual works on the basis that ‘people’ not ‘technology’ cause problems, and although this may sound simplistic it is very true. Even an audit of who’s who within your company, from the very top down, needs to be done and no stone left unturned. Each person must be analyzed and each job and area of responsibility scrutinized. From this you will be able to base your security policy on the business structure and stipulate permissions and authority only where it is required. The Information Security Manual also covers the need to ensure that your policy is well understood and that everyone follows it to the letter, ensuring that the processes are in place to ensure this happens. 
No one should be above compliance, and therefore you should be able to ensure that no vulnerabilities are opened up due to non-compliance. The basis of the manual is to provide the information required to assist you in mapping out your security strategy by initiating a complete audit of everything and everyone, thus providing a guide to how to achieve your goals. Every section ends with a scenario from a ‘real world’ situation that covers the chapter; this is called a ‘cameo’ and is a useful guide, in part, as to what can happen if the subject area isn’t covered adequately. The processes that the Information Security Manual covers are quite comprehensive and include everything from your operating environment and back-up procedures to Palm PDAs and Internet use, to mention but a few. It encompasses the areas that you will need to scrutinize, and this whole process should be followed without skipping anything or skirting around the edges. The Information Security Audit Score Sheet provides you with a well set out area to collect and collate all the information that you gather as you put each chapter to use. Once you have completed this you will have a starting point to ensure that your policy covers everything that you have discovered on your journey through the manual, and it will provide a secure basis for your policy to be put into practice. Hopefully it will help you to identify the areas that provide the greatest security challenges to your particular organization and should enable a smoother transition to a security-conscious business model.

A word of caution: as soon as you have this manual, keep it in a very secure place and provide access only to your trusted associates, as the audit will highlight your strengths and weaknesses and would give a business rival a very detailed view of your enterprise. We would also suggest that copies for office/internal use are kept to a minimum and are secured under lock and key.
SC On-Line

Copyright © West Coast Publishing. All rights reserved.