Subject: [CISSP-D] REVIEW: "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools", Christian B. Lahti/Roderick Peterson
Date: Wed, 29 Nov 2006 21:07:16 -0800
BKSOITCU.RVW   20061013

"Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools",
Christian B. Lahti/Roderick Peterson, 2005, 1-59749-036-9,
U$49.95/C$69.95
%A   Christian B. Lahti
%A   Roderick Peterson
%C   800 Hingham Street, Rockland, MA   02370
%D   2005
%G   1-59749-036-9
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597490369/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1597490369/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597490369/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   333 p. + CD-ROM
%T   "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools"

"This book is essentially a technical book, with as much applicable
content as we could muster by way of open source technologies and how
they fit into the Sarbanes-Oxley sphere of influence."  Thus speaketh
the authors in chapter one (page 4), giving us, almost immediately,
fair warning that there may be problems in this book.  For one thing,
the Sarbanes-Oxley (SOX) law is *not* technical (if it were, the
drafters would have known not to give the central point related to
information technology section number 404).  The authors seem to be
intent on listing off all manner of open source programs, using the
magic title of SOX to add legitimacy to an otherwise aimless
catalogue.  (The use of vague buzzwords is also supposed to increase
the perceived erudition of the work, although the authors seem to
stumble occasionally, such as when they confuse the French "voila"
with the musical "viola" on page 5.)  If the authors were truly to
answer some of the questions that they pose (for example, is open
source software compliant with the law, and can it reduce the costs of
achieving and monitoring compliance) then the text might have some
utility.  However, there is no introduction to the legislation as
such, and the list of roles within an organization has little specific
relevance to the issues underlying the analysis, integrity, and
reporting of financial data.  Most of the space in the initial chapter
is devoted to screenshots of Knoppix, a poorly explained installation
section, and a list of the programs in the eGroupware application.

SOX and COBIT are supposed to be defined in chapter two.  SOX gets
almost no exegesis, while there is a list of some of the COBIT
objectives.  Chapter three lists various open source security tools,
has some random notes on policy and auditing, and a "sample" policy on
password change.  The usual promotional piece for open source software
makes up chapter four, with the standard arguments for using open
source, but no new rationale for the application to this particular
topic.

Chapters five through eight are based on four domains from COBIT
(loosely based on the Deming plan-do-check-act cycle).  In sequence,
we have planning and organization, acquisition and implementation,
delivery and support, and monitoring.  Each of the chapters has a
section entitled "What does [name of domain] mean?" but these
questions are not answered in any useful way.  Each chapter has an
extensive (but not comprehensive) list of tasks that might be
undertaken, and each delves deeply into the technical minutiae of one
or more isolated topics.

Chapter nine finishes off with miscellaneous advice in random areas.

If you have no experience with security, and are scared stiff of even
approaching SOX, this book may get you working on some areas that will
probably be useful.  Mind you, if you don't get information from other
sources, you may find that there are gaps in your security that you
never considered.  If you are experienced in security, and want to
know about SOX or COBIT, and what you should do about them, you will
be very disappointed with what you find in this text.  If you want to
know about open source security tools, you will be even more
frustrated.

(Having a Knoppix boot CD around might be handy, if you know how to
use it.)

copyright Robert M. Slade, 2006   BKSOITCU.RVW   20061013
infosecbc@yahoogroups.com
