REVIEW: "Security Controls for Sarbanes-Oxley Section 404 IT Compliance", Dennis C. Brewer

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1, Feb 26, 2007
      BKSCSOXC.RVW 20070112

      "Security Controls for Sarbanes-Oxley Section 404 IT Compliance",
      Dennis C. Brewer, 2006, 0-7645-9838-4
      %A Dennis C. Brewer
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2006
      %G 0-7645-9838-4
      %I John Wiley & Sons, Inc.
      %O U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0764598384/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0764598384/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 262 p.
      %T "Security Controls for Sarbanes-Oxley Section 404 IT Compliance"

      The United States Sarbanes-Oxley law (frequently referred to as Sarbox
      or SOX) dictates that corporate management is responsible for the
      reliability of financial reports about publicly traded companies. SOX
      extends beyond the reporting for publicly traded companies, touching
      on private companies doing business with other companies which do
      provide public reports, and even on entities outside American
      jurisdiction. Section 404 (and also 302, in a marvelous confusion
      with Web result codes) notes that the integrity of information systems
      supporting these financial reports must also be managed. Yet the
      first five words in this book are "[i]dentity theft and fraudulent
      access" which seems a bit of a stretch even for the latitude in
      topical range SOX currently enjoys. Publishers, rather than authors,
      get to choose titles, but this work does seem to be somewhat vague in

      Chapter one states that the plethora of new regulations is making life
      difficult for information systems managers, and that discipline is
      needed for building secure systems. However, information technology
      architecture is nominally supposed to be the topic. There is a great
      deal of verbiage and opinion about architecture, but little in the way
      of definition. What details are given seem to boil down to having a
      formal process, and lots of documentation. Too few concepts about
      privacy are discussed in too many words (and some large and relatively
      pointless diagrams) in chapter two. It is highly ironic that chapter
      three is entitled "Defining and Enforcing Architecture," because there
      is almost no definition of architecture (and nothing enforceable) in
      the text. Again, there is lots of stress on documentation and
      pictures, but little of use to systems managers. Chapter four lists a
      number of factors that should be considered in designing a system or
      infrastructure. There is a simple overview of some elementary access
      control functions and technologies in chapter five. Chapter six
      suggests supporting access control functions with LDAP (Lightweight
      Directory Access Protocol), although it stops short of outlining how
      this might be accomplished. Chapter seven takes a rather confused
      look at a number of the complexities that are increasingly involved
      with access control. Although chapter eight is supposed to be about
      protecting private information, it only reiterates material already
      covered. There is an extremely terse review of information
      classification in chapter nine. Chapter ten is a curt look at access
      control in Web applications. Federated identity is a sort of special
      case of single sign-on technology, and some of the complications are
      mentioned in chapter eleven. Chapter twelve finishes off the book
      with odd pondering of some factors that would need to be considered
      for the implementation of a universal identity system.

      There is almost nothing in regard to SOX in this work, and the only
      security controls discussed are those relating to access control, and
      almost no detail is provided. Those interested in the access control
      topic would be far better served by Richard E. Smith's
      "Authentication" (cf. BKAUTHNT.RVW).

      copyright Robert M. Slade, 2007 BKSCSOXC.RVW 20070112
