Network Security CISSP-Discussion
Subject: [CISSP-D] REVIEW: "Simple Tools and Techniques for Enterprise Risk Management", Robert J. Chapman
Date: Mon, 26 Mar 2007 12:30:04 -0800
BKSTTERM.RVW   20070213

"Simple Tools and Techniques for Enterprise Risk Management", Robert
J. Chapman, 2006, 0-470-01466-0, U$110.00/C$131.99
%A   Robert J. Chapman mail@drchapman.fsworld.co.uk
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-470-01466-0
%I   John Wiley & Sons, Inc.
%O   U$110.00/C$131.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0470014660/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0470014660/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470014660/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   466 p.
%T   "Simple Tools and Techniques for Enterprise Risk Management"

The preface is not terribly clear on the purpose of the book, and lays
claim to an ambitiously wide audience.  (It goes on to outline the
structure of the work, basically by repeating the table of contents.)

Part one looks at enterprise risk management in context.  (What
context is not stated: from the material it seems to be just "in
general.")  Chapter one lists various perspectives on risk and
management.  Corporate governance in the United Kingdom is reviewed in
chapter two, with positions in the United States and Canada in three. 
Chapter four outlines internal controls and the relation to risk
management.  United Kingdom government documents on risk management
are described in chapter five.

Part two deals with aspects of consulting.  Chapter six views the
process from the perspective of the client: how to choose a
consultant.  The remaining chapters are advice on how to operate as a
consultant: seven tells how to conduct an interview with the client
(the material is of questionable value), eight mentions components
that should go into a proposal, and nine tells you to be a really good
consultant and delight the client.

A risk management process is described in part three.  The delineation
is supposed to be structured as six stages, but the phases seem to
come in three pairs.  Chapter ten is on analysis: chapter eleven, on
risk identification, duplicates much of the material.  Risk assessment
is covered in chapter twelve, and while chapter thirteen's "risk
evaluation" does not copy the content of twelve, it is certainly
closely related.  Risk planning, in fourteen, and risk management, in
fifteen, are both generic outlines of the risk management process
overall.  I suppose that these are the titularly promised simple tools
and techniques: while they are simple, the processes and tools would
require a great deal of work by anyone who wants to get value from
them.

Part four examines influences within the environment of the
enterprise.  Chapter sixteen looks at financial matters.  Operational
risk management, in seventeen, is the banking industry term, and
covers what is known in business and security circles simply as
general risk management.  The material is similar to that in chapters
fourteen and fifteen, but has more details.  Technological risk, as
presented in chapter eighteen, is a generic overview of information
technology.

The external influences that are discussed in part five are vaguely
related issues.  Chapters nineteen and twenty deal with macro economic
and environmental risks (on the scope of global warming), but are
rather beyond the ability of most corporations to control.  The
material on legal matters, in chapter twenty-one, is more directly
helpful.  Chapter twenty-two reviews political factors.  The
deliberation about market considerations, in twenty-three, is fairly
similar to the content of nineteen.  Social perspectives finish off
the book in twenty-four.

There is not much in this work that could not be found in cheaper and
more accessible resources.  (To give only one example, there is the
"Risk Management Guide for Information Technology Systems," document
800-30 available at no cost from the US National Institute for
Standards and Technology.)  In fact, the valuable content could have
been compressed into a magazine article, if a somewhat lengthy one. 
If you wish to set up a risk management consultancy, and are
completely new to the game, there is an outline here that will get you
started.  (If you rely only on this book, those clients who hire you
will deserve everything they get ...)

copyright Robert M. Slade, 2007   BKSTTERM.RVW   20070213


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
             Si hoc legere scis nimium eruditionis habes
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
