Total Information Risk Management

Alexander Borek et al

Published by

Morgan Kaufmann
Reviewed by

Nick Dunn, Senior Information Security Consultant, NCC Group


7 out of 10

Total Information Risk Management (TIRM) is a formal process devised by the four authors of this book. It is intended to provide a degree of assurance for data and to help preserve its confidentiality and integrity. This process appears to be aimed at larger organisations and while comprehensive, also threatens to increase the workload of anyone involved in implementation and maintenance of the system.

Part one of the book comprises four chapters that provide a useful introduction to information and risk management. It gives a clear overview of the concepts of data and information assets, the threats to those assets and the management of the associated risks. This section is capable of standing alone as a guide for those interested in protecting data but reluctant to implement the process in its entirety.

The bulk of the book deals with the process itself, providing both instructions and case studies. The authors are primarily academics and, as a possible consequence of this, the process is highly structured, with a strong emphasis on processes, procedures and documentation.

The book provides clear guidance on implementing each stage of the process and takes the reader through each of the steps and sub-steps that are involved. There are clear business benefits from following the process such as providing sound risk assessment and improving alignment between IT and the business.

However, from past experience, many organisations, particularly those looking for a ‘quick fix’, are likely to be tempted to either implement part of the process or to fail to use it in situations with tight deadlines or limited staffing.

Towards the end of the book, two chapters on risk assessment provide practical guidelines that, like part one, can stand as a useful guide whether the entire process is implemented or not.

Significantly, the final chapter covers the subject of how to establish organisational support and obtain employee engagement for TIRM. The authors appear to have recognised that persuading management and technical staff to fully buy in to such a process is likely to be a serious undertaking.

Overall, the book and the process that it describes offer a comprehensive and potentially effective system for protecting data, but the time and resources required may discourage many organisations from carrying out a full implementation.

Further information: Morgan Kaufmann

June 2014