Fundamentals of Information Systems Security by David Kim and Michael G. Solomon is a new learning resource touted as a “forward-thinking” collection of materials that enable the reader to be prepared for the cybersecurity challenges of tomorrow. As I read this book I focused on a few questions I had as I got started with reading through the 514 pages of this relatively massive book. When I unwrapped the book and got my first glance through the table of contents I thought to myself, who could benefit from reading this book? Is it well-written and audience-appropriate? Could someone actually sit down and read this whole text?
Before I get into answering those questions, I’ll describe the layout of the book. It is designed as a three-part text with the first 140-page section being more of a “discussion” on the topic of information systems, why information systems security is needed in society and how technology and security blend together in a world of constant change. The second section includes an abridged review of the (ISC)2 common body of knowledge (CBK) for the Systems Security Certified Practitioner (SSCP) certification which covers seven domains of material relative to the information systems security industry. The third section is comprised of a number of resources that are provided to help the reader start to take the next step in their information security professional career, covering security standards, education and certification opportunities as well as reviewing compliance legislation unique to the U.S. government.
So, who could benefit from this book?
The authors indicate that the audience of the text is undergraduate or graduate level computer or information science majors or students at a two-year technical school with a background in technology. It also indicates that those with a basic understanding of IT security and looking to expand their knowledge would find the text useful. From an overall perspective, the first section efficiently reviews many aspects of information security and would be ideal as part of a guided lecture. I have two minor complaints about the first section, however.
First, when going through the first section, I noticed that there was significant fluctuation in the expected level of understanding presented in the text – one early page features keywords including “Generation Y” and “Smartphones”, and on the same page features a full break-out of an IP datagram – if this book is intended for those who aren’t used to seeing the term “smartphone”, how can they be expected to swallow the contents of a datagram chart?
Secondly, I found that many of the early sections could potentially induce “death by acronym (DBA)” for a reader that is not prepared, or able to churn through the numerous definition-style descriptions of concepts, the related acronym and its function in the security field. Despite these two minor shortcomings, I found the first section to be an excellent high-level review of security concepts that occasionally dives down into the weeds and gives the reader a chance to learn additional details if desired.
Is it well-written and audience-appropriate?
To answer this question I’ll look at the second section of the book, the SSCP CBK review. The entire book is essentially an expanded and glorified study resource for the SSCP certification, which is obvious given the (ISC)2 and SSCP logos plastered on the front of the book. The SSCP certification is (ISC)2’s entry-level certification and is intended to be either a run-up to the CISSP certification or as the “starting point” for someone who wants to obtain the CISSP but does not hold the requisite experience.
As the text goes through the seven domains of the SSCP CBK it was obvious to me how similar the content was to the official (ISC)2 CBK materials that I used during my preparations for my CISSP examination. This is both bad and good – the bad news is that to sit down and read any more than half a dozen pages in one sitting has the potential to leave the reader in a comatose state caused by information overload. The good news is that the content is an excellent and most importantly, authoritative resource which contains virtually all of the details of the CBK required for achieving successful completion of the SSCP examination.
Could someone actually sit down and read this whole book?
While the first and third sections are readable from a “sit down and read it” standpoint, the second section is not something I feel most individuals would generally be able to focus on for long periods of time. I want to stress that I am not indicating that this book is not a good resource, but it is important to recognize it for what it is – an in-depth and detailed resource that is best read, and digested in small doses. It is this style of usage that again reminded me how this would be an excellent text for use in some sort of classroom or structured training environment. The second and third sections are where this text really shines – when incorporated as part of a larger overall study plan, it can be leveraged as an excellent starting guide, reference material, and self-checking resource when the included sample questions are used.
There are a few other areas in which this book stands out from others that I have reviewed over the years. First, it features an extensive glossary and index, which is important since this is geared to be a book for beginner-to-intermediate technical and security professionals who may not be intimately familiar with some of the definitions contained in the text.
Nothing is more frustrating than a study guide that lacks a comprehensive glossary and index – and the attention to these sections of this text increases its value as a reference resource. Finally, the authors devoted a section to U.S. Compliance Laws – this fact does not necessarily matter to readers outside the U.S. but for those beginning their careers here in the U.S. this section is an excellent resource for information on U.S.-specific topics such as FISMA, HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley.
I recommend this book as an excellent resource for entry-level professionals and individuals who have some basic knowledge of information technology concepts and the desire to learn more about information security. While this book is about fundamentals of security, it is not about fundamentals of IT and those without the requisite IT knowledge may find it difficult to learn and apply some of the concepts in the text due to an inability to understand the “hands-on” application of what is being learned.