REVIEW: "Auditing Information Systems", Jack J. Champlain

      From: Rob, grandpa of Ryan, Trevor, Devon & Ha
      Date: Jul 31, 2006

      BKAUINSS.RVW 20060706

      "Auditing Information Systems", Jack J. Champlain, 2003,
      0-471-28117-4, U$92.00/C$119.99
      %A Jack J. Champlain
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2003
      %G 0-471-28117-4
      %I John Wiley & Sons, Inc.
      %O U$92.00/C$119.99 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0471281174/robsladesinterne
      %O http://www.amazon.co.uk/exec/obidos/ASIN/0471281174/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0471281174/robsladesin03-20
      %O Audience i- Tech 1 Writing 2 (see revfaq.htm for explanation)
      %P 430 p.
      %T "Auditing Information Systems, second edition"

      The preface states that the audience is intended to be general (non-
      specialist) managers, auditing students, and new auditors, but that
      all readers are assumed to be familiar with some fairly specialized
      audit concepts.

      Part one is for core concepts, more related to computing than
      auditing. Chapter one outlines the basic components of computers, but
      tersely, and dealing with specific items rather than ideas. There is
      an odd digression into computer viruses when discussing memory, and a
      brief mention of physical and logical controls. "Identifying Computer
      Systems," in chapter two, mostly suggests having an inventory, with a
      brief mention of risk assessment.

      Part two covers the standard information system audit approach.
      Chapter three explains that an information system audit programme is
      basically a checklist. Definitions of policies and standards (and a
      weak interpretation of guidelines) are in chapter four. Various
      country standards for audits (concentrating on what types of opinions
      outside auditors can express) and some private certification
      organizations are summarized in chapter five. Chapter six is about
      assessing vendors on the basis of audits that have been done on them,
      and most of the content repeats, in slightly different wording, the
      concepts from chapters four and five. Physical security is presented,
      with some rather large gaps (there is no mention of facilities
      construction issues), in chapter seven. (Somewhat oddly, backups and
      business continuity planning are included here.) Logical security, in
      chapter eight, is limited to aspects of access control and operations,
      and is padded out with lots of anecdotes under the heading of "case
      studies." Chapter nine's review of information systems operations is
      circumscribed and random, and has additional stories.

      Champlain seems to think that the topics in part three are
      contemporary, or possibly advanced, auditing concepts. Chapter ten
      explains that Control Self-Assessment (CSA) is the idea of having
      auditors talk to the people who actually do the work in order to find
      out what controls might be necessary (what a novel idea!), and devotes
      a great deal of space to describing the various control frameworks,
      such as COSO (report of the Committee of Sponsoring Organizations of
      the Treadway commission) and CObIT (Control Objectives for Information
      Technology). There is lots of trivia, but little useful information,
      about encryption and cryptography in chapter eleven. Computer
      forensics gets slightly better treatment in chapter twelve, but is
      restricted to disk recovery and investigation management. Chapter
      thirteen contains miscellaneous topics like computer-aided auditing
      tools, and computer viruses, but most of the text concentrates on the
      Internet (which section includes, for some reason, a large discussion
      of privacy issues). (Despite the fact that the piece on viruses holds
      very little real information, it manages to make a surprising number
      of errors, including an astounding retailing of the "Desert Storm"
      virus myth that seems to have become inverted.) Chapter fourteen
      seems to be advice on career issues for auditors. A fairly banal
      review of project (particularly development project) management
      methods makes up the examination of information systems project
      auditing, in chapter fifteen. Chapter sixteen is a collection of
      random thoughts on a variety of risks.

      There is a lot of space devoted to "case studies" in the book. These
      anecdotes are often odd, and the relevance to the surrounding text is
      difficult to determine. Similarly, exhibits and tables are not always
      illustrative of the subjects under discussion. Sometimes these
      "supporting" materials are the opposite of exemplar: at one point a
      "sample" policy is reprinted, but then later content points out a
      number of problems with it.

      Security professionals are all too used to seeing auditors as the
      "enemy": ignorant management weenies and accounting dweebs with little
      or no understanding of the technology or information system
      operations. This perception is unfortunate, since the reality is that
      nobody can realistically and objectively assess their own work, and
      the viewpoint from another perspective is exceedingly valuable for
      finding potential problems before they find you. It's too bad that a
      promising activity gets a work like this, which is going to reinforce
      the negative prejudice.

      copyright Robert M. Slade, 2006 BKAUINSS.RVW 20060706

      ====================== (quote inserted randomly by Pegasus Mailer)
      Many wise words are spoken in jest, but they don't compare with
      the number of stupid words spoken in earnest. - Sam Levenson
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150
      http://victoria.tc.ca/techrev/rms.htm