Network Security CISSP-Discussion
[CISSP-D] REVIEW: "COSO Enterprise Risk Management", Robert R. Moeller

Subject: [CISSP-D] REVIEW: "COSO Enterprise Risk Management", Robert R. Moeller
Date: Mon, 06 Aug 2007 11:50:15 -0800
BKCOSERM.RVW   20070506

"COSO Enterprise Risk Management", Robert R. Moeller, 2007,
0-471-74115-9
%A   Robert R. Moeller
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2007
%G   0-471-74115-9 978-0-471-74115-2
%I   John Wiley & Sons, Inc.
%O   416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471741159/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471741159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471741159/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   367 p.
%T   "COSO Enterprise Risk Management"

The inclusion of "COSO" (the Committee Of Sponsoring Organizations of
the Treadway Commission) in the title indicates that this work takes a
corporate, and particularly financial, perspective with respect to
risk management.  The fact that the first paragraph of the preface
makes reference to the key (if rather vague) phrase "internal
controls" reinforces this idea.  It is, therefore, somewhat ironic
that the introduction complains that risk management is poorly defined
and understood.  The concept of internal control is similarly
nebulous, and a badly understood abstraction can hardly be expected to
result in advice likely to lead to solid implementations by the
readers of the book.

Chapter one is a general introduction to the perceived need for COSO
and internal controls.  With yet more unintentional incongruity there
is heavy emphasis on ethics and philosophy within the organization.
(An ethical enterprise would presumably have no need for internal
controls.)  A traditional risk management process is outlined in
chapter two.  (There is a great deal of consideration given to
surveys, but little to either hard facts or statistics.)  Chapter
three's review of "enterprise" risk management reiterates a good deal
of the previous material.  The COSO risk management components are
noted, mostly in regard to the highest corporate levels.  The
additional COSO dimensions of objectives and entity levels are covered
in chapter four.  Chapter five repeats content on roles,
responsibilities, and process aspects of risk management.  The history
of the initial (1992 version) COSO structure is given in chapter six.

Chapter seven provides background on the Sarbanes-Oxley law, and some
relations to the COSO framework.  Audit is discussed in both chapters
eight and nine, first with respect to the board, and then in regard to
internal audit activities.  The project management cycle is reviewed
in chapter ten: unlike most similar pieces in risk management books,
this one at least addresses specific functions regarding risk
management.  Chapter eleven purportedly ties enterprise risk
management to information technology, but the topics are limited to
application development, business continuity, and malware.

Chapter twelve's suggestions on building a risk culture follow the
usual advice on creating a security awareness program.  Various
national financial standards and regulations are noted in chapter
thirteen.  In chapter fourteen the author ruminates on what should
happen with risk management in the future.

This book is almost identical in content and style to numerous others
on similar topics, such as Marchetti's "Beyond Sarbanes-Oxley
Compliance" (cf. BKBYNSOX.RVW), "Security Controls for Sarbanes-Oxley
Section 404 IT Compliance" by Brewer (cf. BKSCSOXC.RVW), Lahti and
Peterson's "Sarbanes-Oxley IT Compliance Using COBIT and Open Source
Tools" (cf. BKSOITCU.RVW), and the rather better "Beyond COSO", by
Steven J. Root (cf. BKBECOSO.RVW).  The writing and material may
provide some assistance with a risk management process, but the
central points could have been provided in a clearer and more concise
form.

copyright Robert M. Slade, 2007   BKCOSERM.RVW   20070506


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
...a State, which dwarfs its men, in order that they may be more
docile instruments in its hands even for beneficial purposes,
will find that with small men no great thing can really be
accomplished...
       - John Stuart Mill (1806-1873), On Liberty and Utilitarianism
http://victoria.tc.ca/techrev/rms.htm