BKSOITCU.RVW   20061013

"Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools",
Christian B. Lahti/Roderick Peterson, 2005, 1-59749-036-9,
U$49.95/C$69.95
%A   Christian B. Lahti
%A   Roderick Peterson
%C   800 Hingham Street, Rockland, MA 02370
%D   2005
%G   1-59749-036-9
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1597490369/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1597490369/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597490369/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   333 p. + CD-ROM
%T   "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools"

"This book is essentially a technical book, with as much applicable content as we could muster by way of open source technologies and how they fit into the Sarbanes-Oxley sphere of influence." Thus speaketh the authors in chapter one (page 4), giving us, almost immediately, fair warning that there may be problems in this book. For one thing, the Sarbanes-Oxley (SOX) law is *not* technical (if it were, the drafters would have known not to give the central point related to information technology section number 404). The authors seem to be intent on listing off all manner of open source programs, using the magic title of SOX to add legitimacy to an otherwise aimless catalogue. (The use of vague buzzwords is also supposed to increase the perceived erudition of the work, although the authors seem to stumble occasionally, such as when they confuse the French "voila" with the musical "viola" on page 5.) If the authors were truly to answer some of the questions that they pose (for example, is open source software compliant with the law, and can it reduce the costs of achieving and monitoring compliance), then the text might have some utility.
However, there is no introduction to the legislation as such, and the list of roles within an organization has little specific relevance to the issues underlying the analysis, integrity, and reporting of financial data. Most of the space in the initial chapter is devoted to screenshots of Knoppix, a poorly explained installation section, and a list of the programs in the eGroupware application.

SOX and COBIT are supposed to be defined in chapter two. SOX gets almost no exegesis, while there is a list of some of the COBIT objectives. Chapter three lists various open source security tools, has some random notes on policy and auditing, and a "sample" policy on password change. The usual promotional piece for open source software makes up chapter four, with the standard arguments for using open source, but no new rationale for the application to this particular topic.

Chapters five through eight are based on four domains from COBIT (loosely based on the Deming plan-do-check-act cycle). In sequence, we have planning and organization, acquisition and implementation, delivery and support, and monitoring. Each of the chapters has a section entitled "What does [name of domain] mean?" but these questions are not answered in any useful way. Each chapter has an extensive (but not comprehensive) list of tasks that might be undertaken, and each delves deeply into the technical minutiae of one or more isolated topics. Chapter nine finishes off with miscellaneous advice in random areas.

If you have no experience with security, and are scared stiff of even approaching SOX, this book may get you working on some areas that will probably be useful. Mind you, if you don't get information from other sources, you may find that there are gaps in your security that you never considered. If you are experienced in security, and want to know about SOX or COBIT, and what you should do about them, you will be very disappointed with what you find in this text. If you want to know about open source security tools, you will be even more frustrated. (Having a Knoppix boot CD around might be handy, if you know how to use it.)

copyright Robert M. Slade, 2006