[ISN] REVIEW: "Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance", John S. Quarterman

From: InfoSec News (alerts@private)
Date: Sun Aug 20 2006 - 23:46:11 PDT


Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade@private>

BKRMSSOX.RVW   20060722

"Risk Management Solutions for Sarbanes-Oxley Section 404 IT
Compliance", John S. Quarterman, 2006, 0-7645-9839-2,
U$50.00/C$64.99/UK#31.99
%A   John S. Quarterman
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-7645-9839-2
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764598392/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0764598392/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764598392/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   278 p.
%T   "Risk Management Solutions for Sarbanes-Oxley Section 404 IT
      Compliance"

There is a problem with the title, quite apart from the fact that it
is just too long.  This book is not about "Sarbanes-Oxley Section 404"
(which is in the largest type on the front cover) as such.  In the
preface, Quarterman explains that this work addresses risk management,
and, specifically, those risks related to the Internet.  The text is
intended for a wide ranging audience: C-level executives who need to
manage and report risk, IT professionals needing information about
non-technical control of risk, insurance and financial organizations
needing to make monetary assessments of risks and benefits, employees
of Internet related companies, and business risk management students.

Having been through the publishing process myself, I know that the
title and cover are not Quarterman's fault: publishers get to choose. 
(And, somewhere in Wiley, there is a marketing person just bouncing up
and down with glee at finally being able to publish a SOX book.)  On
the other hand, the title is not completely misleading: SOX 404 is
about the proper assessment and reporting of potential risks, and
pretty much every company these days has to factor in the perils of
dependence upon the Internet.

Chapter one is an introduction, noting that, contrary to standard risk
assessment ideology, some threats are beyond the control of the
enterprise, and not subject to any kind of technical safeguards. 
Perils may be too large for the company (some financial losses are
simply too great for an individual company to survive) and difficult
to quantify.  Quarterman points out that, rather than a fixed value
resource, the Internet may be more similar in valuation to a stock
option, or other financial instrument, and doesn't fit older
cost/benefit models.  A variety of hazards from and to the Internet
are listed in chapter two.  Solutions are addressed in chapter three,
and the author also examines proposed solutions that do not work.  For
example, the difficulties of the Internet are frequently blamed on the
fact that there is no central authority and management, and it has
often been proposed to implement (or impose) such centralized command
structures on the net.  However, Quarterman demonstrates that
decentralization has worked in a number of cases, including a number
of Internet applications.

Chapter four is problematic: options for risk transfer are discussed
before the concept is raised, and although the title talks about
strategy it is hard to pick strategic measures out of all the tactical
measures.  The work of Basel II, with the concepts of credit and
operational risk calculations, is outlined in chapter five.  Examples
of risks that are troublesome to quantify are given in chapter six.

Chapter seven turns to large enterprises, noting some threats that are
somewhat intrinsic to the breed.  Quarterman doesn't stop with the
"trite but true": some of the perils are hubris and a reputation for
bullying behaviour.  Small enterprises might not find the same kind of
help in chapter eight: the material here talks more about
opportunities and benefits.  Various aspects of bonding, insuring, and
service level agreements (SLAs) for Internet service providers are
examined in chapter nine.  There is an interesting discussion of
third-party bonding, and the advantages that automatically accrue to
all parties under such a situation.  Chapter ten turns to the
government, and the ways in which it can, and can't, help.  Numerous
aspects of insurance (policy language, legal precedents, new concepts,
and the lack of hard data for the effectiveness of the new
instruments) are reviewed in chapter eleven to address the
possibilities, limits, and restrictions of new forms of risk
transference.  Chapter twelve summarizes the reasons why Internet risk
is different than others.

This book has a rushed feeling to it, and there are a number of odd
errors.  The "Acknowledgements" section is, instead, a repeat of the
first page of the preface.  Text and phrases are repeated
("cyberhurricanes"), often without definition and sometimes in
contradictory fashion.  There is, for example, an amount of $100
billion for risk from the Internet.  This number is repeated on pages
xxiii, 1, 30, 146, and 256 but seems to be used in one place for a
global figure, and in another for the risk to an individual company. 
The structure of individual chapters can be difficult as well: it is
hard to determine threads of specific arguments out of the (admittedly
intriguing) stream of information.

There are three threads that are repeated again and again in the book:
diversity, insurance, and mapping of the Internet.  But there is much
more: Quarterman does not address the standard picture of risk
management, since he is pointing out that the Internet throws our
usual tools for quantified risk analysis into disarray.  Instead he
notes areas that have been neglected, because of the difficulty of
fitting them into standard models, and proposes new, if somewhat
vague, risk paradigms.  This is not a text that can be used as a
reference for ordinary threat analysis, but should be thoroughly
studied by anyone involved with protecting information (and
particularly communications) for a large company, anyone with a major
involvement in the Internet itself, and anyone responsible for
business risks in a rapidly changing environment.

copyright Robert M. Slade, 2006   BKRMSSOX.RVW   20060722


======================  (quote inserted randomly by Pegasus Mailer)
rslade@private     slade@private     rslade@private
A European says, `I can't understand this, what's wrong with me?'
An American says, `I can't understand this, what's wrong with
      him?'                               - Terry Pratchett (author)
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

