InfoSec Reviews – Adaptive Security Management Architecture

Book Title:   Adaptive Security Management Architecture

Author: James S Tiller

Publisher: CRC Press

Date of Publishing: 17 Nov 2010

ISBN(13): 9780849370526

Price (UK&US price – full price, not discounted price): £49.99,   $79.95

URL of Publisher Site: CRC Press, Boca Raton, USA

URL of Amazon UK web page:  Security Services Management: 002 (Section B)

URL of Amazon UK  (Kindle) web page: Not available

URL of Amazon US web page:  Adaptive Security Management Architecture

URL of Amazon US  (Kindle) web page:  Not available

With 11 chapters and 448 pages, this is a comprehensive architecture addressing security management.  The assertion is made in Chapter 1 that, “today’s information security practices … do not readily lend themselves to effective adaptation to the ever-changing needs of the business.”  This is explained here and later.  The complete architecture is laid out in the rest of the book, assuming that the reader agrees with the assertion. Chapter 2, Security and Business, puts forward the reasons for introducing a new architecture (the Adaptive Security Management Architecture) and adds further text to show how the ‘ASMA’ aligns with the business challenges of today and tomorrow. Chapter 3, Achieving Adaptability, adds detail to what security adaptability is – “an environment of excellence and maturity that resonates with the business in meeting its goals” – whilst seeding some of the underlying concepts such as management, measurement and security services.Chapter 4, Defining Security Services, contains pointers to what could be turned into a service, and the attributes that could be considered, without being prescriptive about either.Chapter 5, Services Management, draws comparisons between the ‘ASMA’ and the Information Technology Services Management section of the Information Technology Infrastructure Library before working through the detailed steps in planning and delivering security through services.Chapter 6, Risk Management, again takes an architectural approach and rather than examining models of risk management, focusing on placing risk management within the overall ‘ASMA’ – where it is extended beyond the standard Information Risk Management approach and given a role in guiding the architecture as a whole in the right direction.Chapter 7, Compliance Management, is also viewed in the ‘ASMA’ context, emphasising the need to move away from a reactive model to one that is embedded within every facet of the organization.Chapter 8, Governance, is seen as the funnel through which other security activities are communicated through to executive management.  It seeks out the metrics that provide insight into areas that align with business objectives and ensures these are seeded into the various security services.Chapter 9, Organizational Management, is the mechanism that exercises the governance from the previous chapter.  In addition, this chapter picks up areas not explicitly covered such as Policy, Standards and Training.Chapter 10, Capability Maturity Management, is seen as the glue that ensures each independent service not only works but also works to improve the whole.Chapter 11, Conclusion, is a call to arms to embrace the ‘ASMA’ and ensure security works with the business instead of being a series of barriers the business must leap over to achieve its goals.

This book is a serious tome that takes an architectural approach to Security Management. James Tiller comes across as an archetypical consultant dealing words to put his points across.  If you want something that will help you tie security into Capability Maturity Management using an architectural approach, go out and buy it.  If you have just been drawn in by the title and are not sure what it might be about, leave it on the shelf

If you are a fan of Capability Maturity Models, want to take an architectural approach to security management, and want to adapt to the way the business changes, then you will want to read this book.  If you have a short attention span then you may wish to give it a miss.

Marks:  3 out of 5