Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "IT Governance", Alan Calder/Steve Watkins

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKITGVRN.RVW 20061007 IT Governance , Alan Calder/Steve Watkins, 2005, 0-7494-4394-4, U$84.57/C$93.89 %A Alan Calder %A Steve Watkins %C 120
    Message 1 of 1 , Nov 27, 2006
    • 0 Attachment
      BKITGVRN.RVW 20061007

      "IT Governance", Alan Calder/Steve Watkins, 2005, 0-7494-4394-4,
      %A Alan Calder
      %A Steve Watkins
      %C 120 Pentonville Rd, London, UK, N1 9JN
      %D 2005
      %G 0-7494-4394-4
      %I Kogan Page Ltd.
      %O U$84.57/C$93.89 +44-020-7278-0433 kpinfo@...
      %O http://www.amazon.com/exec/obidos/ASIN/0749443944/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0749443944/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 368 p.
      %T "IT Governance: A Managers Guide to Data Security and BS 7799/
      ISO 17799"

      The introduction states that this book is intended for business
      managers, board members, and other senior executives, rather than IT

      Chapter one, preaching about the rationale behind information
      security, reiterates the material given in the introduction.
      Management and reporting regulations for the UK (the Combined Code)
      and the US (Sarbanes-Oxley) are discussed in chapter two. Chapter
      three is supposed to outline and explain the BS (British Standard)
      7799, and while it does recommend designing your own information
      security management system, much space is devoted to promoting sales
      of the BS 7799 standard through the authors' Websites. More vague
      encouragement to produce a security management system is given in
      chapter four.

      Chapter five contains a limited and generic deliberation on high-level
      security policies. Similarly terse overviews are given in subsequent
      chapters for risk (six), assets (eight), human resources (nine,
      concentrating on hiring), and physical security (in ten, and, for some
      reason, addressed specifically at equipment in eleven). Chapter seven
      seems oddly out of place in this series, looking at access
      requirements for partners, contractors, clients, and other outsiders.

      There are a number of odd inclusions in the work that seem
      misclassified. Chapter twelve titularly combines the two issues of
      communications and operations security (in reality only talking about
      operations). Malware and backups are examined (tersely, erroneously,
      and insufficiently) in thirteen while fourteen looks at networks and
      media. An undefined topic of "information exchange" makes for a
      confusing chapter fifteen, with a grab bag of trivia about e-commerce
      filling out sixteen. An odd acceptable use policy for email and Web
      use is in chapter seventeen.

      An incomplete list of procedures for issuing and reviewing access is
      in chapter eighteen. Chapter nineteen has very spotty coverage of
      network access controls, implying that encryption is always present in
      a virtual private network (VPN: it isn't, VPNs are defined more by
      management than confidentiality), there is no discussion of the
      different types of firewalls, and intrusion detection is limited to
      those with network-based sensors. Access to the operating system is
      reviewed in chapter twenty, and applications in twenty-one (with an
      odd inclusion of mobile or remote computing).

      Chapter twenty-two is a nominal look at applications development. A
      vague and fragmentary overview of cryptography makes up twenty three.
      Application development appears again in chapter twenty-four, along
      with some pondering about access to operating system files. (The
      authors actually admit, in the text, that there is no necessary
      relation between the two topics.) Audit logs and incident response
      are examined in twenty-five, a brief look at business continuity
      planning is in twenty-six, lengthy advice to adhere to relevant (UK)
      laws is in twenty-seven, and chapter twenty-eight suggests that you
      use outlines from the authors' Website to prepare for a BS 7799 audit.

      The text has a Web component to it, and this is referred to in a
      number of places in the work. However, it should also be noted that
      this Web component is also promoted, in the publication, as a general
      security management portal (unrelated to the book), and it is, in
      fact, the Website of the consultancy run by one of the authors. The
      files available on the site do not deliver the promised information:
      first, the files, when you do get to download them, lack any
      indication as to type, and when you finally find out which file format
      they are (mostly PDFs, with a few XLSs) the contents are generally of
      the marketing brochure level, advising you to buy further materials
      from the site.

      The book is extremely verbose, with a turgid style that makes
      excessive use of business buzzwords. In addition, points are repeated
      many times in different places with minor variations in wording or
      emphasis. The central content could have been provided in a much
      shorter work (which would probably have been easier to read). (Given
      the targeted audience at the executive level, one would think that a
      shorter work would have been more appropriate.)

      Senior managers do not have to know all the technical details,
      granted. Even so, the level of technical information provided is
      inconsistent, and the quality is often suspect. It is probably more
      important that the structure of the book makes no sense either in
      technical or in management terms: the various subjects are dealt with
      in a random fashion that will provide the reader with no understanding
      of either the base technical concepts or the interdependencies between
      different classes and types of controls.

      While many senior managers may have desperate need of some kind of
      guidance in regard to the management of security within information
      systems, this work is probably not going to provide it. The subtitle,
      in particular, is misleading: there is a great deal of interest in BS
      7799 and ISO 17799 but, aside from mentioning sections of the
      standards relating to the topics under discussion, there is really no
      information about the standards themselves.

      copyright Robert M. Slade, 2006 BKITGVRN.RVW 20061007

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      The things that count most in life, usually can't be counted.
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150
    Your message has been successfully submitted and would be delivered to recipients shortly.