Network Security CISSP-Discussion
Subject: [CISSP-D] REVIEW: "Security Controls for Sarbanes-Oxley Section 404 IT Compliance", Dennis C. Brewer
Date: Mon, 26 Feb 2007 15:10:39 -0800
BKSCSOXC.RVW   20070112

"Security Controls for Sarbanes-Oxley Section 404 IT Compliance",
Dennis C. Brewer, 2006, 0-7645-9838-4
%A   Dennis C. Brewer
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-7645-9838-4
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764598384/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0764598384/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764598384/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   262 p.
%T   "Security Controls for Sarbanes-Oxley Section 404 IT Compliance"

The United States Sarbanes-Oxley law (frequently referred to as Sarbox
or SOX) dictates that corporate management is responsible for the
reliability of financial reports about publicly traded companies.  SOX
extends beyond the reporting for publicly traded companies, touching
on private companies doing business with other companies which do
provide public reports, and even on entities outside American
jurisdiction.  Section 404 (and also 302, in a marvelous confusion
with Web result codes) notes that the integrity of information systems
supporting these financial reports must also be managed.  Yet the
first five words in this book are "[i]dentity theft and fraudulent
access" which seems a bit of a stretch even for the latitude in
topical range SOX currently enjoys.  Publishers, rather than authors,
get to choose titles, but this work does seem to be somewhat vague in
intent.

Chapter one states that the plethora of new regulations is making life
difficult for information systems managers, and that discipline is
needed for building secure systems.  However, information technology
architecture is nominally supposed to be the topic.  There is a great
deal of verbiage and opinion about architecture, but little in the way
of definition.  What details are given seem to boil down to having a
formal process, and lots of documentation.  Too few concepts about
privacy are discussed in too many words (and some large and relatively
pointless diagrams) in chapter two.  It is highly ironic that chapter
three is entitled "Defining and Enforcing Architecture," because there
is almost no definition of architecture (and nothing enforceable) in
the text.  Again, there is lots of stress on documentation and
pictures, but little of use to systems managers.  Chapter four lists a
number of factors that should be considered in designing a system or
infrastructure.  There is a simple overview of some elementary access
control functions and technologies in chapter five.  Chapter six
suggests supporting access control functions with LDAP (Lightweight
Directory Access Protocol), although it stops short of outlining how
this might be accomplished.  Chapter seven takes a rather confused
look at a number of the complexities that are increasingly involved
with access control.  Although chapter eight is supposed to be about
protecting private information, it only reiterates material already
covered.  There is an extremely terse review of information
classification in chapter nine.  Chapter ten is a curt look at access
control in Web applications.  Federated identity is a sort of special
case of single sign-on technology, and some of the complications are
mentioned in chapter eleven.  Chapter twelve finishes off the book
with odd pondering of some factors that would need to be considered
for the implementation of a universal identity system.

There is almost nothing in regard to SOX in this work, and the only
security controls discussed are those relating to access control, and
almost no detail is provided.  Those interested in the access control
topic would be far better served by Richard E. Smith's
"Authentication" (cf. BKAUTHNT.RVW).

copyright Robert M. Slade, 2007   BKSCSOXC.RVW   20070112


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
      The only thing a network is good for is to poll the system
          in the morning to see which computers were stolen.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

