
[CISSP-D] REVIEW: "Manager's Guide to Compliance", Anthony Tarantino

Date: Tue, 20 Mar 2007 12:00:17 -0800
BKMAGUCO.RVW   20070213

"Manager's Guide to Compliance", Anthony Tarantino, 2006,
0-471-79257-8, U$50.00/C$64.99
%A   Anthony Tarantino
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-471-79257-8
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471792578/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471792578/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471792578/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   315 p.
%T   "Manager's Guide to Compliance"

In the preface, the author states that compliance (presumably with
national laws such as Sarbanes-Oxley, or SOX, from the United States)
is important even in an international market (where foreign
regulations may not apply), primarily in terms of interest and
insurance rates.  He also compares government regulations, such as
SOX, with "principles-based" standards such as ISO 27000, seeming to
imply that the latter are not quite as significant.

(Compliance has recently become a commodity rather than a condition. 
One of the indications of this change is that nobody seems to need to
define what they mean by compliance any more.  In this case, Tarantino
is apparently talking about the various regulations, standards, and
directives dealing with financial reporting.)

The first six chapters of the book deal with various sections of SOX
and implications they have for companies.  Chapter one examines off-
balance sheet items, such as contracts and agreements, and notes that
the guidance from the Securities and Exchange Commission has been
confusing.  Section 404, discussed in chapter two, is the directive on
internal controls that is of such moment in information security.  The
author notes that a great many planning tools (generally spreadsheets)
are used within companies in a completely uncontrolled manner, and
frequently erroneously.  Chapter three looks at section 406 and codes
of ethics, while four notes section 409's requirements on material
changes to company status.  The implications of SOX for private
companies are purportedly reviewed in chapter five, which basically
promotes the pursuit of "good practices" and marginally mentions the
provisions for non-reporting companies doing business with companies
that must report.  The excessive cost to small business is noted in
chapter six.  Chapter seven remarks that many foreign companies are
delisting from American stock exchanges in order to avoid reporting
provisions, but does not deal with the provisions for foreign
companies that do substantial business with United States' firms that
are covered by the Act.  The United States' Office of Management and
Budget (OMB) circular A-123 on the requirements for federal agencies
to report on internal controls is outlined in chapter eight.

Chapter nine looks at the Health Insurance Portability and
Accountability Act (HIPAA).  The banking industry's Basel II
requirements for bank solvency are noted in chapter ten, along with the
American Gramm-Leach-Bliley Act (GLBA) on privacy in banking
operations.  Australian, Canadian (actually only the Ontario
Securities Commission standards 52-109 and 52-111, with no mention of
the Criteria Control Committee [CoCo] of the Canadian Institute of
Chartered Accountants and other guidance), and the United Kingdom
(Turnbull Guidance) standards on internal controls are examined in
chapter eleven, with the 1999 Organization for Economic Cooperation
and Development (OECD) Principles (particularly section 8) and the
Corporate Governance Scoring (CGS) benchmarks briefly touched on in
chapter twelve.  Chapter thirteen outlines the International Financial
Reporting Standards (IFRS), but not in detail.

The chapters that follow rather tersely address issues that may have
implications for or from the various standards: outsourcing is in
chapter fourteen, legal penalties in fifteen, business penalties in
sixteen, differences in revenue recognition in seventeen, and data
retention standards in eighteen.

Chapter nineteen notes a few software tools for assessing compliance. 
A sample checklist and flowchart (and some case studies) for auditing
internal controls are in chapter twenty.  The COSO (Committee of
Sponsoring Organizations of the Treadway Commission) three-dimensional
structure for assessing enterprise risk management and internal
controls is given in chapter twenty-one.  Chapter twenty-two reviews
the United States' National Institute for Standards and Technology
(NIST) document 800-30 on risk management and systems development life
cycles.  A rough mapping of the COBIT (Control OBjectives for
Information Technology) items to the areas of the COSO structure and
the Public Company Accounting Oversight Board (PCAOB, a provision of
SOX) components is in twenty-three.  Chapter twenty-four has a few
further objectives from the COBIT lists.  Australian Stock Exchange
(ASX) principles are given a detailed treatment in chapter
twenty-five, which is rather odd in view of the paucity of information
in other sections.

Another roundup of miscellaneous topics finishes off the book with
chapters on segregation of duties (twenty-six), some "case studies"
(twenty-seven), compliance project management (twenty-eight),
governance and ethics (twenty-nine), and cost/benefit analysis
(thirty, which gives hard data on costs: the benefits are mostly just
suggested).

While the collection of various frameworks could be helpful for those
confused by the alphabet soup of assorted standards, the lack of
detail in most areas is not.  There is very little in the way of
guidance in regard to actual compliance with the standards or
directives: basically, even with this book, you are going to have to
get diverse documents and work out the requirements for yourself.

copyright Robert M. Slade, 2007   BKMAGUCO.RVW   20070213


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
The simple fact that nobody understands you is not to be taken as
                 proof that you are an artist
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm