Managing Information Security Risks: The OCTAVE Approach / Edition 1

Hardcover (Print)
Used and New from Other Sellers
Used and New from Other Sellers
from $15.38
Usually ships in 1-2 business days
(Save 80%)
Other sellers (Hardcover)
  • All (12) from $15.38   
  • New (5) from $61.75   
  • Used (7) from $15.38   
Close
Sort by
Page 1 of 1
Showing All
Note: Marketplace items are not eligible for any BN.com coupons and promotions
$61.75
GreatBookPrices
Seller since 2008

Feedback rating:

(16078)

Condition:

New — never opened or used in original packaging.

Like New — packaging may have been opened. A "Like New" item is suitable to give as a gift.

Very Good — may have minor signs of wear on packaging but item works perfectly and has no damage.

Good — item is in good condition but packaging may have signs of shelf wear/aging or torn packaging. All specific defects should be noted in the Comments section associated with each item.

Acceptable — item is in working order but may show signs of wear such as scratches or torn packaging. All specific defects should be noted in the Comments section associated with each item.

Used — An item that has been opened and may show signs of wear. All specific defects should be noted in the Comments section associated with each item.

Refurbished — A used item that has been renewed or updated and verified to be in proper working condition. Not necessarily completed by the original manufacturer.

New
Brand New, Perfect Condition, Please allow 4-14 business days for delivery. 100% Money Back Guarantee, Over 1,000,000 customers served.

Ships from: Westminster, MD

Usually ships in 1-2 business days

  • Canadian
  • International
  • Standard, 48 States
  • Standard (AK, HI)
$61.76
indoo
Seller since 2007

Feedback rating:

(22511)

Condition: New
BRAND NEW

Ships from: Avenel, NJ

Usually ships in 1-2 business days

  • Canadian
  • International
  • Standard, 48 States
  • Standard (AK, HI)
$81.14
DiscountLawBooksInc.
Seller since 2008

Feedback rating:

(78)

Condition: New
0321118863 BRAND NEW W/FAST SHIPPING! This item is: Managing Information Security Risks: The OCTAVE (SM) Approach, by Alberts, Christopher^Dorofee, Audrey; FORMAT: Hardcover; ... ISBN: 9780321118868. Choose Expedited for fastest shipping! Our 98%+ rating proves our commitment! We cannot ship to PO Boxes/APO addresses. To avoid ordering the wrong item, please check your item's ISBN number! Read more Show Less

Ships from: Lawrence, KS

Usually ships in 1-2 business days

  • Standard, 48 States
  • Express, 48 States
$89.95
Extremely_Reliable
Seller since 2007

Feedback rating:

(7877)

Condition: New
Buy with confidence. Excellent Customer Service & Return policy.

Ships from: Richmond, TX

Usually ships in 1-2 business days

  • Canadian
  • International
  • Standard, 48 States
  • Standard (AK, HI)
$98.14
Palexbooks
Seller since 2013

Feedback rating:

(0)

Condition: New
New

Ships from: San Diego, CA

Usually ships in 1-2 business days

  • Canadian
  • International
  • Standard, 48 States
  • Standard (AK, HI)
  • Express, 48 States
  • Express (AK, HI)
Page 1 of 1
Showing All
Close
Sort by

More About This Textbook

Overview

Information security requires far more than the latest tool or technology. Organizations must understand exactly what they are trying to protect -- and why -- before selecting specific solutions. Security issues are complex and often are rooted in organizational and business concerns. A careful evaluation of security needs and risks in this broader context must precede any security implementation to insure that all the relevant, underlying problems are first uncovered.
Read More Show Less

Editorial Reviews

From The Critics
Written for people who manage information security risks for their organizations, this book details a security risk evaluation approach called "OCTAVE." The book provides a framework for systematically evaluating and managing security risks, illustrates the implementation of self-directed evaluations, and shows how to tailor evaluation methods to the needs of specific organizations. A running example illustrates key concepts and techniques. Evaluation worksheets and a catalog of best practices are included. The authors are on the technical staff of the Software Engineering Institute. Annotation c. Book News, Inc., Portland, OR
Read More Show Less

Product Details

  • ISBN-13: 9780321118868
  • Publisher: Addison-Wesley
  • Publication date: 7/28/2002
  • Series: SEI Series in Software Engineering Series
  • Edition description: New Edition
  • Edition number: 1
  • Pages: 471
  • Product dimensions: 7.62 (w) x 9.46 (h) x 1.23 (d)

Meet the Author

Christopher Alberts is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). He and Audrey Dorofee are the principal developers of OCTAVE. Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T's advanced manufacturing processes.

Audrey Dorofee is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She and Christopher Alberts are the principal developers of OCTAVE. Audrey previously was project lead for risk management in the Risk Program at the SEI. Prior to joining the SEI, she worked for the MITRE Corporation, supporting various projects for NASA, including Space Station software environments, user interfaces, and expert systems.

Read More Show Less

Read an Excerpt

Many people seem to be looking for a silver bullet when it comes to information security. They often hope that buying the latest tool or piece of technology will solve their problems. Few organizations stop to evaluate what they are actually trying to protect (and why) from an organizational perspective before selecting solutions. In our work in the field of information security, we have found that security issues tend to be complex and are rarely solved simply by applying a piece of technology. Most security issues are firmly rooted in one or more organizational and business issues. Before implementing security solutions, you should consider characterizing the true nature of the underlying problems by evaluating your security needs and risks in the context of your business.

Considering the varieties and limitations of current security evaluation methods, it is easy to become confused when trying to select an appropriate method for evaluating your information security risks. Most of the current methods are "bottom-up": they start with the computing infrastructure and focus on the technological vulnerabilities without considering the risks to the organization's mission and business objectives. A better alternative is to look at the organization itself and identify what needs to be protected, determine why it is at risk, and develop solutions requiring both technology- and practice-based solutions.

A comprehensive information security risk evaluation approach

  • Incorporates assets, threats, and vulnerabilities
  • Enables decision makers to develop relative priorities based on what is important to the organization
  • Incorporates organizational issues related to how people use the computing infrastructure to meet the business objectives of the organization
  • Incorporates technological issues related to the configuration of the computing infrastructure
  • Should be a flexible method that can be uniquely tailored to each organization

One way to create a context-sensitive evaluation approach is to define a basic set of requirements for the evaluation and then develop a series, or family, of methods that meet those requirements. Each method within the approach could be targeted to a unique operational environment or situation. We conceived the Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) project to define a systematic, organizationwide approach to evaluating information security risks comprising multiple methods consistent with the approach. We also designed the approach to be self-directed, enabling people to learn about security issues and improve their organization's security posture without unnecessary reliance on outside experts and vendors.

An evaluation by itself only provides a direction for an organization's information security activities. Meaningful improvement will not occur unless the organization follows through by implementing the results of the evaluation and managing its information security risks. OCTAVE is an important first step in approaching information security risk management.

History of OCTAVE

Before we developed OCTAVE, we performed expert-led Information Security Evaluations (ISEs) for organizations. A team of security experts would visit a site, interview selected information technology personnel and users of key systems, and examine selected pieces of the computing infrastructure for technological weaknesses. The assessors used their expertise to create a list of organizational and technological weaknesses (vulnerabilities). When the managers at a site received the list of vulnerabilities and corresponding recommendations, they often did not know how to begin to overcome the weaknesses. Which issues should they address first, the organizational or the technological? With limits on the funds and staff available, what are the top five priorities? These are good questions. Unfortunately, when you examine only vulnerabilities, it is hard to establish appropriate guidelines. You need to look at the vulnerabilities in the context of what the organization is trying to achieve before you can start establishing priorities.

In addition to our experience with vulnerability evaluations, we had also developed and applied a variety of software development risk evaluation and management techniques Williams 00 and Dorofee 96. These techniques focused on the critical risks that could affect project objectives.

With these experiences, we decided to focus on a risk-based approach rather than a vulnerability-based approach. A risk-based approach could help people understand how information security affects their organization's missions and business objectives, establishing which assets are important to the organization and how they are at risk. Vulnerability evaluations could then be performed in the context of this risk information. Because information security risks are tied to an organization's missions and business objectives, it became necessary to include business staff in addition to information technology personnel in the evaluation.

A second important observation from our vulnerability evaluation days concerned a given site's level of involvement and subsequent ownership of the results. Because the vulnerability evaluations were highly dependent on the expertise of the assessors, site personnel involved in the process participated very little. When we were able to go back to a site, we saw the same vulnerabilities from one visit to the next. There had been little or no organizational learning. People in those organizations did not feel "ownership" of the various evaluations' results and had therefore not implemented the findings. We decided that sites needed to be more involved in security evaluations in order to learn about their security processes and participate in developing improvement recommendations. We started to develop a self-directed evaluation approach that

  • Focused on risks to information assets
  • Focused on practice-based mitigation using recognized, good security practices1
  • Included business personnel as well as staff from the information technology department
  • Involved a site's personnel in all aspects of the evaluation

In June 1999 we published a report describing the OCTAVE framework Alberts 99, a specification for an information security risk evaluation. This was refined into the OCTAVE Method Alberts 01a, which was developed for large-scale organizations. In addition, we are developing a second method targeted at small organizations. During these efforts, we determined that the OCTAVE framework did not sufficiently capture the general approach to, or requirements for, the self-directed information security risk evaluations that we wanted. We refined the framework into the OCTAVE criteria Alberts 01b, namely, a set of principles, attributes, and outputs that define the OCTAVE approach.

Contents of This Book

This book focuses on four key aspects of information security risk evaluation.

  • It defines an approach for self-directed information security risk evaluations (OCTAVE criteria).
  • It illustrates how the evaluation approach can be implemented in an organization using the OCTAVE Method.
  • It shows how the OCTAVE Method can be tailored to different types of organizations.
  • It describes how this approach provides a foundation for managing information security risks.

To address these key issues, we have divided the contents of the book into three parts.

  • Part I, the Introduction, summarizes the OCTAVE approach and presents the principles, attributes, and outputs of self-directed information security risk evaluations.
  • Part II, The OCTAVE Method, illustrates one way in which the OCTAVE approach can be implemented in an organization. This part begins with an "executive summary" of the OCTAVE Method and then presents the method in detail.
  • Part III, Variations on the OCTAVE Approach, describes ideas for tailoring the OCTAVE Method for different types of organizations. This part also presents basic concepts related to managing information security risks after the evaluation.

Three appendices supplement the material provided in the main text.

  • Appendix A presents a sample final report from an OCTAVE example scenario.
  • Appendix B shows OCTAVE Method worksheets and instructions.
  • Appendix C lists a catalog of practices (a structured collection of commonly used good security practices).
Who Should Read This Book?

This book is written for a varied audience. Some familiarity with security issues is helpful, but not essential; we define all concepts and terms as they appear. The book should satisfy people who are new to security as well as experts in security and risk management.

Information security risk evaluations are appropriate for anyone who uses networked computers to conduct business and thus may have critical information assets at risk. This book is for people who need to perform information security risk evaluations and who are interested in using a self-directed method that addresses both organizational and information technology issues. Managers, staff members, and information technology personnel concerned about and responsible for protecting critical information assets should all find this book useful.

In addition, consultants who provide information security services to other organizations may be interested in seeing how the OCTAVE approach or the OCTAVE Method might be incorporated into their existing products and services. Consumers of information security risk evaluation products and services can use the principles, attributes, and outputs of the OCTAVE approach to understand what constitutes a comprehensive approach for evaluating information security risks. Consumers can also use the principles, attributes, and outputs as a benchmark for selecting products and services that are provided by vendors and consultants.

The OCTAVE Method requires an interdisciplinary analysis team to perform the evaluation and act as a focal point for security improvement efforts. The primary audience for this book, then, is anyone who might be on the analysis team or work with them. The book includes "how to" information for conducting an evaluation as well as concepts related to managing risks after the evaluation. For an analysis team, the entire book is applicable.

Those who want to understand the OCTAVE approach should read Part I. Those who just want an overview of the OCTAVE Method and a general idea of how it might be used should read Chapters 1 and 3. People who already perform information security risk evaluations and are looking for additional ideas for improvement should first read Chapters 1 and 3 and then decide which areas to explore further. Those ready to start learning how to conduct self-directed information security evaluations in their organizations should read Part II. Finally, people who are interested in customizing the OCTAVE Method or learning about what to do after an evaluation should read Part III.

How to Get OCTAVE

OCTAVE and OCTAVE-related materials can be downloaded at no cost from the following website: http://www.cert.org/octave

  • OCTAVE Method Implementation Guide—a complete set of guidelines, worksheets, instructions, and examples that can be used by an analysis team to conduct the OCTAVE Method for larger organizations
  • OCTAVE-S Implementation Guide—a complete set of guidelines, worksheets, instructions, and examples that can be used by an analysis team to conduct the OCTAVE-S method for smaller organizations
  • OCTAVE Criteria—the basic requirements for an OCTAVE-consistent information security risk evaluation
  • miscellaneous presentations, white papers, and other information pertinent to OCTAVE
Notes

SMOperationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University. OCTAVE was developed at the CERT Coordination Center (CERT/CC). Established in 1988, it is the oldest computer security response group in existence. The center both advises Internet sites that have had their security compromised and offers tools and techniques that enable typical users and administrators to protect systems effectively from damage caused by intruders. The CERT/CC’s home is the Software Engineering Institute (SEI), a federally funded research and development center operated by Carnegie Mellon University, with a broad charter to improve the practice of software engineering.

1. Practices in the catalog of practices (Appendix C) were derived from several sources of security practices including CERT/CC, the British Standards Institute, the National Institute for Standards and Technology, and government regulations.

Read More Show Less

Table of Contents

List of Figures
List of Tables
Preface
Acknowledgments
Pt. I Introduction 1
Ch. 1 Managing Information Security Risks 3
Ch. 2 Principles and Attributes of Information Security Risk Evaluations 17
Pt. II The OCTAVE Method 41
Ch. 3 Introduction to the OCTAVE Method 43
Ch. 4 Preparing for OCTAVE 59
Ch. 5 Identifying Organizational Knowledge (Processes 1 to 3) 81
Ch. 6 Creating Threat Profiles (Process 4) 109
Ch. 7 Identifying Key Components (Process 5) 137
Ch. 8 Evaluating Selected Components (Process 6) 157
Ch. 9 Conducting the Risk Analysis (Process 7) 169
Ch. 10 Developing a Protection Strategy - Workshop A (Process 8A) 191
Ch. 11 Developing a Protection Strategy - Workshop B (Process 8B) 227
Pt. III Variations on the OCTAVE Approach 239
Ch. 12 An Introduction to Tailoring OCTAVE 241
Ch. 13 Practical Applications 255
Ch. 14 Information Security Risk Management 275
Glossary 293
Bibliography 301
App. A Case Scenario for the OCTAVE Method 311
App. B: Worksheets 363
App. C: Catalog of Practices 443
About the Authors 457
Index 461
Read More Show Less

Preface

Many people seem to be looking for a silver bullet when it comes to information security. They often hope that buying the latest tool or piece of technology will solve their problems. Few organizations stop to evaluate what they are actually trying to protect (and why) from an organizational perspective before selecting solutions. In our work in the field of information security, we have found that security issues tend to be complex and are rarely solved simply by applying a piece of technology. Most security issues are firmly rooted in one or more organizational and business issues. Before implementing security solutions, you should consider characterizing the true nature of the underlying problems by evaluating your security needs and risks in the context of your business.

Considering the varieties and limitations of current security evaluation methods, it is easy to become confused when trying to select an appropriate method for evaluating your information security risks. Most of the current methods are "bottom-up" — they start with the computing infrastructure and focus on the technological vulnerabilities without considering the risks to the organization's mission and business objectives. A better alternative is to start with the organization itself and determine what needs to be protected, why it is at risk, and develop solutions requiring both technology- and practice-based solutions.

A comprehensive information security risk evaluation approach

  • incorporates assets, threats, and vulnerabilities
  • enables decision-makers to develop relative priorities based on what is important to the organization
  • incorporates organizational issuesrelated to how people use the computing infrastructure to meet the business objectives of the organization
  • incorporates technological issues related to the configuration of the computing infrastructure
  • should be a flexible method that can be uniquely tailored to each organization

One way to create a context-sensitive evaluation approach is to define a basic set of requirements for the evaluation and then develop a series, or family, of methods that meet those requirements. Each method within the approach could be targeted at a unique operational environment or situation. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) project was conceived to define a systematic, organization-wide approach to evaluating information security risks comprising multiple methods consistent with the approach. We also designed the approach to be self directed, enabling people to learn about security issues and improve their organization's security posture without unnecessary reliance on outside experts and vendors.

An evaluation by itself only provides a direction for an organization's information security activities. Meaningful improvement will not occur unless the organization follows through by implementing the results of the evaluation and managing its information security risks. OCTAVE is an important first step of an information security risk management approach.

History of OCTAVE

Before we developed OCTAVE, we performed expert-led Information Security Evaluations (ISEs) for organizations. A team of security experts would visit a site, interview selected information technology personnel and users of key systems, and examine se pieces of the computing infrastructure for technological weaknesses. The assessors used their expertise to create a list of organizational and technological weaknesses (vulnerabilities). When the managers at a site received the list of vulnerabilities and corresponding recommendations, they often did not know where to begin to address the weaknesses. Should they address the organizational issues first, or should they address the technological issues? With limits on the funds and staff available, which five things should be addressed first? These are good questions. Unfortunately, when you only examine vulnerabilities, it is hard to establish appropriate priorities.

You need to look at the vulnerabilities in the context of what the organization is trying to achieve before you can start establishing priorities.

In addition to our experience with vulnerability evaluations, we had also developed and applied a variety of software development risk evaluation and management techniques Williams 00 and Dorofee 96. These techniques focused on the critical risks that could affect project objectives.

With these experiences, we decided to focus on a risk-based approach rather than a vulnerability-based approach. A risk-based approach could help people understand how information security affects their organizations' missions and business objectives, establishing which assets are important to the organization and how they are at risk. Vulnerability evaluations could then performed in the context of risk information. Because information security risks are tied to an organizations' missions and business objectives, it became necessary to include staff members from an organization's business lines in addition to information technology personnel in the evaluation.

A second important observation from our vulnerability evaluation days concerned the level of involvement of a site and their subsequent ownership of the results. Because the vulnerability evaluations were highly dependent on the expertise of the assessors, there was little participation of site personnel involved in the process. When we were able to go back to a site, we saw the same vulnerabilities from one visit to the next. There had been little or no organizational learning. People in those organizations did not feel "ownership" of the evaluations' results and had not followed through by implementing the findings. We decided that sites needed to be more involved in security evaluations, enabling them to learn about their security processes and participate in developing improvement recommendations. We started to develop a self-directed evaluation approach that

  • focused on risks to information assets
  • focused on practice-based mitigation using recognized, good security practices
  • included personnel from business lines as well as from the information technology department
  • involved a site's personnel in all aspects of the evaluation.

In June 1999, we published a report describing the OCTAVE framework Alberts 99, a specification for an information security risk evaluation. This was refined into the OCTAVE Method Alberts 01a, which was developed for large-scale organizations. In addition, we are developing a second method targeted at small organizations. During these efforts, we determined that the OCTAVE framework did not sufficiently ca general approach, or requirements, for self-directed information security risk evaluations that we wanted. We refined the framework into the OCTAVE criteria Alberts 01b, a set of principles, attributes, and outputs that define the OCTAVE approach.

Contents of This Book

This book focuses on the following key subjects:

  • defining an approach for self-directed information security risk evaluations (OCTAVE criteria)
  • illustrating how the evaluation approach can be implemented in an organization using the OCTAVE Method
  • showing how the OCTAVE Method can be tailored to different types of organizations
  • describing how this approach provides a foundation for managing information security risks

  • To address the key subjects, we have divided the contents of the book into the following three parts:

    • Part 1, the Introduction, summarizes the OCTAVE approach and presents the principles, attributes, and outputs of self-directed information security risk evaluations.
    • Part 2, The OCTAVE Method, illustrates one way in which the OCTAVE approach can be implemented in an organization. This part of the book begins with an "executive summary" of the OCTAVE Method and then presents the details of the method.
    • Finally, Part 3, Variations on the OCTAVE Approach, describes ideas for tailoring the OCTAVE Method for different types of organizations. This part of the book also presents basic concepts related to managing information security risks after the evaluation.

    The appendices contain additional, detailed material. The following appendices are provided in this book:

    • A. S example scenario
    • B. OCTAVE Method Worksheets and Instructions
    • C. Catalog of Practices (a structured collection of commonly used good security practices)

    Who Should Read This Book?

    This book is written for a varied audience. Some familiarity with security issues may be helpful, but not essential; we define all concepts and terms as they appear. The book should satisfy people who are new to security as well as experts in security and risk management.

    Information security risk evaluations are appropriate for anyone who uses networked computers to conduct business and, thus, may have critical information assets at risk. This book is for people who need to perform information security risk evaluations and who are interested in using a self-directed method that addresses both organizational and information technology issues. Managers, staff members, and information technology personnel concerned about and responsible for protecting critical information assets will find this book useful. In addition, consultants who provide information security services to other organizations may be interested in seeing how the OCTAVE approach or the OCTAVE Method might be incorporated into their existing products and services. Consumers of information security risk evaluation products and services can use the principles, attributes, and outputs of the OCTAVE approach to understand what constitutes a comprehensive approach for evaluating information security risks. Consumers can also use the principles, attributes, and outputs as a benchmark for selecting products and services that are provided by vendors and consultants.

    The OCTAVE Method requires an interdisciplinary analysis team to perform the evaluation and act as a focal point for security improvement efforts. The primary audience for this book, then, is anyone who might be on the analysis team or work with them. The book includes "how to" information for conducting an evaluation as well as concepts related to managing risks after the evaluation. For an analysis team, the entire book is applicable.

    For those who want to understand OCTAVE approach, read Part 1. For those who just want an overview of the OCTAVE Method and a general idea of how it might be used, read Chapters 1 and 3. For those who already perform information security risk evaluations and are looking for additional ideas for improvement, read Chapters 1 and 3, and then decide which areas to explore further. Those ready to start learning how to conduct self-directed information security evaluations in their organizations, should read Part 2. Finally, for people who are interested in tailoring the OCTAVE Method or learning about what to do after an evaluation, read Part 3.



Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Review Guidelines
Add Recommendations
Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)