BKINITGV.RVW   20061106

"International IT Governance", Alan Calder/Steve Watkins, 2006,
0-7494-4748-6, U$80.00/UK#45.00
%A   Alan Calder www.27001.com
%A   Steve Watkins
%C   120 Pentonville Rd, London, UK, N1 9JN
%D   2006
%G   0-7494-4748-6
%I   Kogan Page Ltd.
%O   U$80.00/UK#45.00 +44-020-7278-0433 kpinfo@kogan-page.co.uk
%O   http://www.amazon.com/exec/obidos/ASIN/0749447486/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0749447486/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0749447486/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   366 p.
%T   "International IT Governance: An Executive Guide to ISO 17799/ISO
     27001"

Chapter one lists various threats. A minimal explanation of the US Sarbanes-Oxley law is in chapter two. A muddled description of ISO 17799 and 27001 is in chapter three. Chapter four lists bits of a possible security management project. A generic statement about security policies is in chapter five. Chapter six contains a verbose but sketchy outline of risk assessment. The risk of external users is discussed in chapter seven. Although the title of chapter eight suggests it deals with assets, most of the material concentrates on classification. Various aspects of employment are listed in chapter nine. Random topics to do with facility physical security are in chapter ten, and equipment protection in eleven. Chapter twelve is entitled "Communications and Operations Management" and instead talks about contracts. Viruses are examined (poorly) in chapter thirteen, along with a brief mention of backups. Fourteen has another odd pairing: network security and media handling (both treated very tersely). "Exchanges of information," in fifteen, seems to mean email. Certain aspects of electronic commerce are mentioned in sixteen. Email gets another review in seventeen. There is a surprisingly reasonable outline of access control (with an odd inclusion of blackhat activities) in chapter eighteen.

Chapter nineteen turns to network access control, with "operating system" access control in twenty, and a weird amalgam titled "application access control and teleworking," in twenty-one. System development is the topic of chapter twenty-two. Cryptography gets an extremely terse overview in twenty-three. Development comes back for a second try in twenty-four. Audit and logging are listed in twenty-five and business continuity in twenty-six. "Compliance," in twenty-seven, simply catalogues various laws. Chapter twenty-eight finishes off with a short description of what to expect in an ISO/IEC 27001 audit.

The text has a Web component to it, and this is referred to in a number of places in the work. It should be noted that this Web component is also promoted, in the publication, as a general security management portal (unrelated to the book). However, it is, in fact, the Website of the consultancy run by one of the authors. The files available on the site do not deliver the promised information: the files, when you do get to download them, lack any indication as to type, and when you finally find out which file format they are (mostly PDFs, with a few XLSs) the contents are generally of the marketing brochure level, advising you to buy further materials from the site.

The book is somewhat less verbose and turgid than the earlier "IT Governance" (cf. BKITGVRN.RVW), but is astoundingly similar in many ways. The quality of technical information is inconsistent and suspect, and the structure is random. Managers will not find guidance in regard to the management of security within information systems, nor about ISO 17799/27001.

copyright Robert M. Slade, 2006   BKINITGV.RVW   20061106