REVIEW: "Auditing Information Systems", Jack J. Champlain
- BKAUINSS.RVW 20060706
"Auditing Information Systems", Jack J. Champlain, 2003,
%A Jack J. Champlain
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$92.00/C$119.99 416-236-4433 fax: 416-236-4448
%O Audience i- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 430 p.
%T "Auditing Information Systems, second edition"
The preface states that the audience is intended to be general (non-
specialist) managers, auditing students, and new auditors, but that
all readers are assumed to be familiar with some fairly specialized
Part one is for core concepts, more related to computing than
auditing. Chapter one outlines the basic components of computers, but
tersely, and dealing with specific items rather than ideas. There is
an odd digression into computer viruses when discussing memory, and a
brief mention of physical and logical controls. "Identifying Computer
Systems," in chapter two, mostly suggests having an inventory, with a
brief mention of risk assessment.
Part two covers the standard information system audit approach.
Chapter three explains that an information system audit programme is
basically a checklist. Definitions of policies and standards (and a
weak interpretation of guidelines) are in chapter four. Various
country standards for audits (concentrating on what types of opinions
outside auditors can express) and some private certification
organizations are summarized in chapter five. Chapter six is about
assessing vendors on the basis of audits that have been done on them,
and most of the content repeats, in slightly different wording, the
concepts from chapters four and five. Physical security is presented,
with some rather large gaps (there is no mention of facilities
construction issues), in chapter seven. (Somewhat oddly, backups and
business continuity planning are included here.) Logical security, in
chapter eight, is limited to aspects of access control and operations,
and is padded out with lots of anecdotes under the heading of "case
studies." Chapter nine's review of information systems operations is
circumscribed and random, and has additional stories.
Champlain seems to think that the topics in part three are
contemporary, or possibly advanced, auditing concepts. Chapter ten
explains that Control Self-Assessment (CSA) is the idea of having
auditors talk to the people who actually do the work in order to find
out what controls might be necessary (what a novel idea!), and devotes
a great deal of space to describing the various control frameworks,
such as COSO (report of the Committee of Sponsoring Organizations of
the Treadway commission) and CObIT (Control Objectives for Information
Technology). There is lots of trivia, but little useful information,
about encryption and cryptography in chapter eleven. Computer
forensics gets slightly better treatment in chapter twelve, but is
restricted to disk recovery and investigation management. Chapter
thirteen contains miscellaneous topics like computer-aided auditing
tools, and computer viruses, but most of the text concentrates on the
Internet (which section includes, for some reason, a large discussion
of privacy issues). (Despite the fact that the piece on viruses holds
very little real information, it manages to make a surprising number
of errors, including an astounding retailing of the "Desert Storm"
virus myth that seems to have become inverted.) Chapter fourteen
seems to be advice on career issues for auditors. A fairly banal
review of project (particularly development project) management
methods makes up the examination of information systems project
auditing, in chapter fifteen. Chapter sixteen is a collection of
random thoughts on a variety of risks.
There is a lot of space devoted to "case studies" in the book. These
anecdotes are often odd, and the relevance to the surrounding text is
difficult to determine. Similarly, exhibits and tables are not always
illustrative of the subjects under discussion. Sometimes these
"supporting" materials are the opposite of exemplar: at one point a
"sample" policy is reprinted, but then later content points out a
number of problems with it.
Security professionals are all too used to seeing auditors as the
"enemy": ignorant management weenies and accounting dweebs with little
or no understanding of the technology or information system
operations. This perception is unfortunate, since the reality is that
nobody can realistically and objectively assess their own work, and
the viewpoint from another perspective is exceedingly valuable for
finding potential problems before they find you. It's too bad that a
promising activity gets a work like this, which is going to reinforce
the negative prejudice.
copyright Robert M. Slade, 2006 BKAUINSS.RVW 20060706
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Many wise words are spoken in jest, but they don't compare with
the number of stupid words spoken in earnest. - Sam Levenson
Dictionary of Information Security www.syngress.com/catalog/?pid=4150