REVIEW: "The CISA Prep Guide", John B. Kramer
- BKCISAPG.RVW 20041221
"The CISA Prep Guide", John B. Kramer, 2003, 0-471-25032-5,
%A John B. Kramer
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$70.00/C$108.95/UK#49.95 416-236-4433 fax: 416-236-4448
%O tl a rl 2 tc 2 ta 2 tv 2 wq 2
%P 570 p. + CD-ROM
%T "The CISA Prep Guide"
The CISA, or Certified Information Systems Auditor, has been the
accepted standard for information system and security audits and
reviews for some time now.
Chapter one outlines the types and activities of audit. Management is
the topic of chapter two, and there is an emphasis on signals that
indicate faults or failures. Technical infrastructure, in terms of
operating systems, centralized computers, and communications networks,
are generically discussed in chapter three. There is little technical
detail, and it is interesting to see the significance and primacy
given to financial audit considerations such as assessments of capital
depreciation, which have little to do with security or performance of
the information systems in question. Similarly, chapter four,
ostensibly about the protection of information assets, is quite
abstract, and concentrates primarily on issues of access control.
(The material on viruses is based on outdated concepts: I was
astonished to find the CISA does not consider user training to be an
appropriate control for virus protection.) Chapter five provides a
good outline of what should be included in a business continuity or
disaster recovery plan, although it is not as helpful in regard to the
process for achieving the plan. There is a general overview of
systems development in chapter six, but it does not indicate how to
check if the proper procedures were followed, the influences of
specific practices, or how to judge the quality of the outcome.
Chapter seven reiterates some points from chapters one and two.
Those who can address this material will be able to raise questions
about all aspects of computer and communications operations. The
emphasis is on management, and (naturally enough) the technical or
mechanistic aspects of management at that. Those with an accounting
background will be more comfortable with the content and concepts than
those who have worked with security reviews of systems. Whether those
questions will result in directions for significant improvements in
the security or performance of information systems might still be
uncertain. As Albert Einstein famously said, not everything that can
be counted counts, and not everything that counts can be counted.
copyright Robert M. Slade, 2004 BKCISAPG.RVW 20041221
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
The purpose of computing is insight, not numbers.
- Richard Wesley Hamming
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade