BKCISAPG.RVW   20041221

"The CISA Prep Guide", John B. Kramer, 2003, 0-471-25032-5,
U$70.00/C$108.95/UK#49.95
%A   John B. Kramer
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-25032-5
%I   John Wiley & Sons, Inc.
%O   U$70.00/C$108.95/UK#49.95 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471250325/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0471250325/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471250325/robsladesin03-20
%O   tl a rl 2 tc 2 ta 2 tv 2 wq 2
%P   570 p. + CD-ROM
%T   "The CISA Prep Guide"

The CISA, or Certified Information Systems Auditor, has been the accepted standard for information system and security audits and reviews for some time now.

Chapter one outlines the types and activities of audit. Management is the topic of chapter two, and there is an emphasis on signals that indicate faults or failures. Technical infrastructure, in terms of operating systems, centralized computers, and communications networks, is generically discussed in chapter three. There is little technical detail, and it is interesting to see the significance and primacy given to financial audit considerations such as assessments of capital depreciation, which have little to do with the security or performance of the information systems in question. Similarly, chapter four, ostensibly about the protection of information assets, is quite abstract, and concentrates primarily on issues of access control. (The material on viruses is based on outdated concepts: I was astonished to find that the CISA does not consider user training to be an appropriate control for virus protection.) Chapter five provides a good outline of what should be included in a business continuity or disaster recovery plan, although it is not as helpful in regard to the process for achieving the plan.
There is a general overview of systems development in chapter six, but it does not indicate how to check whether the proper procedures were followed, the influence of specific practices, or how to judge the quality of the outcome. Chapter seven reiterates some points from chapters one and two.

Those who can address this material will be able to raise questions about all aspects of computer and communications operations. The emphasis is on management, and (naturally enough) the technical or mechanistic aspects of management at that. Those with an accounting background will be more comfortable with the content and concepts than those who have worked with security reviews of systems. Whether those questions will result in directions for significant improvements in the security or performance of information systems might still be uncertain. As Albert Einstein famously said, not everything that can be counted counts, and not everything that counts can be counted.

copyright Robert M. Slade, 2004