
REVIEW: "The CISA Prep Guide", John B. Kramer

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1, Feb 14, 2005
      BKCISAPG.RVW 20041221

      "The CISA Prep Guide", John B. Kramer, 2003, 0-471-25032-5, U$70.00/C$108.95/UK#49.95
      %A John B. Kramer
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2003
      %G 0-471-25032-5
      %I John Wiley & Sons, Inc.
      %O U$70.00/C$108.95/UK#49.95 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0471250325/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0471250325/robsladesin03-20
      %O tl a rl 2 tc 2 ta 2 tv 2 wq 2
      %P 570 p. + CD-ROM
      %T "The CISA Prep Guide"

      The CISA, or Certified Information Systems Auditor, has been the
      accepted standard for information system and security audits and
      reviews for some time now.

      Chapter one outlines the types and activities of audit. Management is
      the topic of chapter two, and there is an emphasis on signals that
      indicate faults or failures. Technical infrastructure, in terms of
      operating systems, centralized computers, and communications networks,
      is generically discussed in chapter three. There is little technical
      detail, and it is interesting to see the significance and primacy
      given to financial audit considerations such as assessments of capital
      depreciation, which have little to do with security or performance of
      the information systems in question. Similarly, chapter four,
      ostensibly about the protection of information assets, is quite
      abstract, and concentrates primarily on issues of access control.
      (The material on viruses is based on outdated concepts: I was
      astonished to find the CISA does not consider user training to be an
      appropriate control for virus protection.) Chapter five provides a
      good outline of what should be included in a business continuity or
      disaster recovery plan, although it is not as helpful in regard to the
      process for achieving the plan. There is a general overview of
      systems development in chapter six, but it does not indicate how to
      check if the proper procedures were followed, the influences of
      specific practices, or how to judge the quality of the outcome.
      Chapter seven reiterates some points from chapters one and two.

      Those who can address this material will be able to raise questions
      about all aspects of computer and communications operations. The
      emphasis is on management, and (naturally enough) the technical or
      mechanistic aspects of management at that. Those with an accounting
      background will be more comfortable with the content and concepts than
      those who have worked with security reviews of systems. Whether those
      questions will result in directions for significant improvements in
      the security or performance of information systems might still be
      uncertain. As Albert Einstein famously said, not everything that can
      be counted counts, and not everything that counts can be counted.

      copyright Robert M. Slade, 2004 BKCISAPG.RVW 20041221

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      The purpose of computing is insight, not numbers.
      - Richard Wesley Hamming
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade