REVIEW: "International IT Governance", Alan Calder/Steve Watkins
- BKINITGV.RVW 20061106
"International IT Governance", Alan Calder/Steve Watkins, 2006,
%A Alan Calder www.27001.com
%A Steve Watkins
%C 120 Pentonville Rd, London, UK, N1 9JN
%I Kogan Page Ltd.
%O U$80.00/UK#45.00 +44-020-7278-0433 kpinfo@...
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 366 p.
%T "International IT Governance: An Executive Guide to ISO
Chapter one lists various threats. A minimal explanation of the US
Sarbanes-Oxley law is in chapter two. A muddled description of ISO
17799 and 27001 is in chapter three. Chapter four lists bits of a
possible security management project. A generic statement about
security policies is in chapter five. Chapter six contains a verbose
but sketchy outline of risk assessment.
The risk of external users is discussed in chapter seven. Although
the title of chapter eight suggests it deals with assets, most of the
material concentrates on classification. Various aspects of
employment are listed in chapter nine. Random topics to do with
facility physical security are in chapter ten, and equipment
protection in eleven. Chapter twelve is entitled "Communications and
Operations Management" and instead talks about contracts.
Viruses are examined (poorly) in chapter thirteen, along with a brief
mention of backups. Fourteen has another odd pairing: network
security and media handling (both treated very tersely). "Exchanges
of information," in fifteen, seems to mean email. Certain aspects of
electronic commerce are mentioned in sixteen. Email gets another
review in seventeen.
There is a surprisingly reasonable outline of access control (with an
odd inclusion of blackhat activities) in chapter eighteen. Chapter
nineteen turns to network access control, with "operating system"
access control in twenty, and a weird amalgam titled "application
access control and teleworking," in twenty-one.
System development is the topic of chapter twenty-two. Cryptography
gets an extremely terse overview in twenty-three. Development comes
back for a second try in twenty-four. Audit and logging is listed in
twenty-five and business continuity in twenty-six. "Compliance," in
twenty-seven, simply catalogues various laws. Chapter twenty-eight
finishes off with a short description of what to expect in an ISO/IEC
The text has a Web component to it, and this is referred to in a
number of places in the work. It should be noted that this Web
component is also promoted, in the publication, as a general security
management portal (unrelated to the book). However, it is, in fact,
the Website of the consultancy run by one of the authors. The files
available on the site do not deliver the promised information: first,
the files, when you do get to download them, lack any indication as to
type, and when you finally find out which file format they are (mostly
PDFs, with a few XLSs) the contents are generally of the marketing
brochure level, advising you to buy further materials from the site.
The book is somewhat less verbose and turgid than the earlier "IT
Governance" (cf. BKITGVRN.RVW), but is astoundingly similar in many
ways. The quality of technical information is inconsistent and
suspect, and the structure is random. Managers will not find
guidance in regard to the management of security within information
systems, nor about ISO 17799/27001.
copyright Robert M. Slade, 2006 BKINITGV.RVW 20061106