The Philippines’ first and only industry magazine that deals with safety and security matters pervading the environment today.

Bridging Physical-Logical Security Gaps

Converging asset protection with IT security across an enterprise is not easy. Corporate security today covers three distinct areas: physical security, personnel security and information security. Previously, all three fell under the management responsibility of one person, the Corporate Security Manager. With the advent of technology, however, information security has evolved significantly as enterprises have become more connected and moved toward a paperless way of working. Enterprises now amass a great deal of proprietary information about their employees, products and customers, most of which is collected, processed and stored on computer systems and transmitted over ever larger IT networks.

Undoubtedly, the best person to manage this evolved security function is someone with an IT background, and the conventional security manager is rarely that person. Consequently, some enterprises now call their Corporate Security Managers "Physical Security Managers" to distinguish them from their counterparts, the IT Security Managers. This move widens the gap in asset protection, because nobody seems to take care of personnel security anymore, even though it is an equally important element of security. After all, people are the reason security exists in the first place, and people are the ones who commit security breaches.

With the rapid growth of information technology, security professionals clearly have two options: evolve or dissolve.

To stay relevant to an organization, a security professional must keep learning, for example by reading books like the sixth edition of the Information Security Management Handbook, which addresses current issues not only in physical and logical security but also in business continuity.

The book, which is Volume 1 of a 3-volume set, is a compendium of knowledge based on the collaborative work of both Certified Information Systems Security Professionals (CISSPs) and Certified Protection Professionals (CPPs). It is organized around the ten domains of the CISSP Common Body of Knowledge (CBK), with reference to the Generally Accepted System Security Principles (GASSP), and so provides a wealth of information for anyone pursuing CISSP or CPP certification. Security professionals will find white papers written from reference materials endorsed by ASIS International (formerly the American Society for Industrial Security). The CPPs who contributed to the effort include Gerald L. Kovacich, Kelly J. Kuchta, R. Scott McCoy, George Richards and Thomas Welch. The book is edited by Harold F. Tipton, CISSP, and Micki Krause, CISSP.

At 3,280 pages, the book will delight any bookworm, both for its practical form and its professional substance. It is not, however, suitable for readers with a short attention span or simply no time to read and learn new things, because it is definitely not light reading. To make reading a pleasant experience, take it one domain at a time. Read individually or collectively, the white papers provide a wealth of information that bridges the gap on pressing security issues.

It makes clear that information security cannot survive on its own without the other elements of security. It also calls a spade a spade by referring to Corporate Security Managers as just that, with no further title distinctions that only blur the real scope of asset protection. As one of the white papers puts it, performing security activities for technology's sake does nothing to protect, or assure, those components that fall outside the purview of technical security. Furthermore, in an in-depth 200-page discussion of business continuity, the book points out that business continuity planning is rarely a core competency of an organization unless it is a hot-site vendor or a consulting firm. Readers will therefore also benefit from the book's insights into how companies should understand the appropriate role of the business continuity planning function.

The book, roughly the size of ten ordinary volumes, costs USD 130.00. Even so, it is a worthy investment for security professionals who want to be both technically and tactically proficient in the fields of security and business continuity.

Information Security Management Handbook, 6th Edition, published by Auerbach Publications on 14 May 2007.