Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools", Christian B. Lahti/Roderick Peterson

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKSOITCU.RVW 20061013 Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools , Christian B. Lahti/Roderick Peterson, 2005, 1-59749-036-9,
    Message 1 of 1 , Nov 29, 2006
      BKSOITCU.RVW 20061013

      "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools",
      Christian B. Lahti/Roderick Peterson, 2005, 1-59749-036-9,
      %A Christian B. Lahti
      %A Roderick Peterson
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2005
      %G 1-59749-036-9
      %I Syngress Media, Inc.
      %O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
      %O http://www.amazon.com/exec/obidos/ASIN/1597490369/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/1597490369/robsladesin03-20
      %O Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 333 p. + CD-ROM
      %T "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools"

      "This book is essentially a technical book, with as much applicable
      content as we could muster by way of open source technologies and how
      they fit into the Sarbanes-Oxley sphere of influence." Thus speaketh
      the authors in chapter one (page 4), giving us, almost immediately,
      fair warning that there may be problems in this book. For one thing,
      the Sarbanes-Oxley (SOX) law is *not* technical (if it were, the
      drafters would have known not to give the central point related to
      information technology section number 404). The authors seem to be
      intent on listing off all manner of open source programs, using the
      magic title of SOX to add legitimacy to an otherwise aimless
      catalogue. (The use of vague buzzwords is also supposed to increase
      the perceived erudition of the work, although the authors seem to
      stumble occasionally, such as when they confuse the French "voila"
      with the musical "viola" on page 5.) If the authors were truly to
      answer some of the questions that they pose (for example, is open
      source software compliant with the law, and can it reduce the costs of
      achieving and monitoring compliance) then the text might have some
      utility. However, there is no introduction to the legislation as
      such, and the list of roles within an organization has little specific
      relevance to the issues underlying the analysis, integrity, and
      reporting of financial data. Most of the space in the initial chapter
      is devoted to screenshots of Knoppix, a poorly explained installation
      section, and a list of the programs in the eGroupware application.

      SOX and COBIT are supposed to be defined in chapter two. SOX gets
      almost no exegesis, while there is a list of some of the COBIT
      objectives. Chapter three lists various open source security tools,
      has some random notes on policy and auditing, and a "sample" policy on
      password change. The usual promotional piece for open source software
      makes up chapter four, with the standard arguments for using open
      source, but no new rationale for the application to this particular

      Chapters five through eight are based on four domains from COBIT
      (loosely based on the Deming plan-do-check-act cycle). In sequence,
      we have planning and organization, acquisition and implementation,
      delivery and support, and monitoring. Each of the chapters has a
      section entitled "What does [name of domain] mean?" but these
      questions are not answered in any useful way. Each chapter has an
      extensive (but not comprehensive) list of tasks that might be
      undertaken, and each delves deeply into the technical minutia of one
      or more isolated topics.

      Chapter nine finishes off with miscellaneous advice in random areas.

      If you have no experience with security, and are scared stiff of even
      approaching SOX, this book may get you working on some areas that will
      probably be useful. Mind you, if you don't get information from other
      sources, you may find that there are gaps in your security that you
      never considered. If you are experienced in security, and want to
      know about SOX or COBIT, and what you should do about them, you will
      be very disappointed with what you find in this text. If you want to
      know about open source security tools, you will be even more

      (Having a Knoppix boot CD around might be handy, if you know how to
      use it.)

      copyright Robert M. Slade, 2006 BKSOITCU.RVW 20061013

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Those who are too smart to engage in politics are punished by
      being governed by those who are dumber. - Plato (427-347 B.C.)
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150
    Your message has been successfully submitted and would be delivered to recipients shortly.