REVIEW: "Security Controls for Sarbanes-Oxley Section 404 IT Compliance", Dennis C. Brewer
Canada
2007-02-26 17:10:39

BKSCSOXC.RVW 20070112

"Security Controls for Sarbanes-Oxley Section 404 IT Compliance",
Dennis C. Brewer, 2006, 0-7645-9838-4
%A Dennis C. Brewer
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2006
%G 0-7645-9838-4
%I John Wiley & Sons, Inc.
%O U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0764598384/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0764598384/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0764598384/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 262 p.
%T "Security Controls for Sarbanes-Oxley Section 404 IT Compliance"

The United States Sarbanes-Oxley law (frequently referred to as Sarbox
or SOX) dictates that corporate management is responsible for the
reliability of financial reports about publicly traded companies. SOX
extends beyond the reporting of publicly traded companies, touching
on private companies doing business with other companies that do
provide public reports, and even on entities outside American
jurisdiction. Section 404 (and also 302, in a marvelous confusion
with Web result codes) notes that the integrity of the information
systems supporting these financial reports must also be managed. Yet
the first five words in this book are "[i]dentity theft and fraudulent
access," which seems a bit of a stretch even for the latitude in
topical range SOX currently enjoys. Publishers, rather than authors,
get to choose titles, but this work does seem to be somewhat vague in
intent.

Chapter one states that the plethora of new regulations is making life
difficult for information systems managers, and that discipline is
needed for building secure systems. However, information technology
architecture is nominally supposed to be the topic. There is a great
deal of verbiage and opinion about architecture, but little in the way
of definition. What details are given seem to boil down to having a
formal process, and lots of documentation. Too few concepts about
privacy are discussed in too many words (and some large and relatively
pointless diagrams) in chapter two. It is highly ironic that chapter
three is entitled "Defining and Enforcing Architecture," because there
is almost no definition of architecture (and nothing enforceable) in
the text. Again, there is lots of stress on documentation and
pictures, but little of use to systems managers. Chapter four lists a
number of factors that should be considered in designing a system or
infrastructure. There is a simple overview of some elementary access
control functions and technologies in chapter five. Chapter six
suggests supporting access control functions with LDAP (Lightweight
Directory Access Protocol), although it stops short of outlining how
this might be accomplished. Chapter seven takes a rather confused
look at a number of the complexities that are increasingly involved
with access control. Although chapter eight is supposed to be about
protecting private information, it only reiterates material already
covered. There is an extremely terse review of information
classification in chapter nine. Chapter ten is a curt look at access
control in Web applications. Federated identity is a sort of special
case of single sign-on technology, and some of the complications are
mentioned in chapter eleven. Chapter twelve finishes off the book
with odd pondering of some factors that would need to be considered
for the implementation of a universal identity system.

There is almost nothing in regard to SOX in this work, and the only
security controls discussed are those relating to access control, and
almost no detail is provided. Those interested in the access control
topic would be far better served by Richard E. Smith's
"Authentication" (cf. BKAUTHNT.RVW).

copyright Robert M. Slade, 2007 BKSCSOXC.RVW 20070112

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The only thing a network is good for is to poll the system
in the morning to see which computers were stolen.
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
