BKSCSOXC.RVW   20070112

"Security Controls for Sarbanes-Oxley Section 404 IT Compliance", Dennis C. Brewer, 2006, 0-7645-9838-4
%A   Dennis C. Brewer
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-7645-9838-4
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0764598384/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0764598384/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764598384/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   262 p.
%T   "Security Controls for Sarbanes-Oxley Section 404 IT Compliance"

The United States Sarbanes-Oxley law (frequently referred to as Sarbox or SOX) dictates that corporate management is responsible for the reliability of financial reports about publicly traded companies. SOX extends beyond the reporting for publicly traded companies, touching on private companies doing business with other companies which do provide public reports, and even on entities outside American jurisdiction. Section 404 (and also 302, in a marvelous confusion with Web result codes) notes that the integrity of information systems supporting these financial reports must also be managed. Yet the first five words in this book are "[i]dentity theft and fraudulent access", which seems a bit of a stretch even for the latitude in topical range SOX currently enjoys.

Publishers, rather than authors, get to choose titles, but this work does seem to be somewhat vague in intent. Chapter one states that the plethora of new regulations is making life difficult for information systems managers, and that discipline is needed for building secure systems. However, information technology architecture is nominally supposed to be the topic. There is a great deal of verbiage and opinion about architecture, but little in the way of definition. What details are given seem to boil down to having a formal process, and lots of documentation. Too few concepts about privacy are discussed in too many words (and some large and relatively pointless diagrams) in chapter two. It is highly ironic that chapter three is entitled "Defining and Enforcing Architecture," because there is almost no definition of architecture (and nothing enforceable) in the text. Again, there is lots of stress on documentation and pictures, but little of use to systems managers. Chapter four lists a number of factors that should be considered in designing a system or infrastructure. There is a simple overview of some elementary access control functions and technologies in chapter five. Chapter six suggests supporting access control functions with LDAP (Lightweight Directory Access Protocol), although it stops short of outlining how this might be accomplished. Chapter seven takes a rather confused look at a number of the complexities that are increasingly involved with access control. Although chapter eight is supposed to be about protecting private information, it only reiterates material already covered. There is an extremely terse review of information classification in chapter nine. Chapter ten is a curt look at access control in Web applications. Federated identity is a sort of special case of single sign-on technology, and some of the complications are mentioned in chapter eleven. Chapter twelve finishes off the book with odd pondering of some factors that would need to be considered for the implementation of a universal identity system.

There is almost nothing in regard to SOX in this work, and the only security controls discussed are those relating to access control, and almost no detail is provided. Those interested in the access control topic would be far better served by Richard E. Smith's "Authentication" (cf. BKAUTHNT.RVW).

copyright Robert M. Slade, 2007   BKSCSOXC.RVW   20070112