Sarbanes-Oxley Compliance Using COBIT and Open Source Tools Paperback – Sep 10 2005
Most Helpful Customer Reviews (16 reviews)
15 of 15 people found the following review helpful
Two books in one Oct. 21 2005
By Stephen Northcutt
Format: Paperback
This is the hardest review I have ever written. The book has enormous potential. The concepts behind the book can probably save organizations a lot of money. The book is a primer to COBIT, which is the model most people use to implement Sarbanes-Oxley. It is also a book about open source tools that may be able to support a COBIT framework.

As a pointer to tools and ideas, you cannot beat this book. However, if you are not already a part of the Linux open source world, I don't think this book can get you there. I had trouble with the CD and had to use a Knoppix cheat code to get it to boot. In addition, the examples on the CD are not populated with enough data to let you play with the tools.

The bottom line: I think this has all the earmarks to become a really important book in the auditing and compliance world in its next edition. I have purchased a copy for every one of my students in my management class and I am flying the authors out to demonstrate the tools to my class. I honestly don't think you can afford to miss this book if you have responsibility for Sarbanes-Oxley, or GLBA for that matter. However, you are going to have to find a Linux geek to actually put any of this into practice.
8 of 8 people found the following review helpful
Very helpful introduction to SOX compliance through COBIT March 13 2006
By Richard Bejtlich
Format: Paperback
I read Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools (SOICUCAOST) to learn more about compliance issues. I am a security engineer who thankfully has not had to suffer through a SOX audit. I am glad I read SOICUCAOST, however. The book is clear, well-written, and makes innovative use of a live CD. While the book is not the answer to SOX compliance (no book is), small-to-medium-sized businesses will find SOICUCAOST a valuable guide.

I found SOICUCAOST's advice to be surprisingly candid. This is no "SOX is awesome" book. On p 276 we read "one could conclude that not only is there no realistic way to calculate ROI for SOX compliance, but if there were, there would be no positive ROI for SOX. The value of SOX compliance is qualitative and not quantitative. If there is no way to justify SOX compliance, how do I answer questions about how my company's compliance activities affect the bottom line? By shifting the ROI from SOX and the cost savings to open source and cost avoidance... a decision point of whether to comply with SOX or not does not exist." That is only one dose of brutal honesty -- there are many others in this book.

I thought the XFLD-based live CD was an innovative touch. Assuming one can get it to work (I had no trouble), it is a slick way to use a portal for two fictitious companies created to demonstrate ways to achieve IT-related SOX compliance. Not every component works, but using the live CD gets the reader to think he or she may be doing SOX activities instead of reading a book about it.

As far as specific open source tools go, I don't think it's realistic to be able to use tools based on the information in this book. Syngress published an entire book on Nagios, an entire book on host-based integrity monitoring, an entire book on Snort, and so on. I would have preferred to see SOICUCAOST spend more time on presenting options with advantages and disadvantages for each. I also thought the idea of running Snort from a live CD as a production sensor (Ch 6) to be very ill-conceived.

Regarding the reviews -- I am surprised to see they are all over the map. I think Christopher Byrne makes a few good points, but his criticism doesn't warrant a one-star review. Author Roderick Peterson should not have written a five-star "rebuttal". Authors write books, not reviews of their own books. That's poor form and it manipulates Amazon's star ratings.

Overall, I think SOICUCAOST is helpful for any SMB staring at SOX compliance. It certainly provides plenty of sound guidance, solid frameworks, and examples (on the live CD). The book is well-written and organized. I think some of the material could have been formatted for easier reading; Syngress has a tendency to use fonts that are way too large and thereby distracting. Still, I recommend anyone involved with IT-related SOX issues and/or COBIT give SOICUCAOST a try.
4 of 4 people found the following review helpful
Nice Resource on Sarbanes-Oxley Compliance Aug. 11 2006
By Dan McKinnon
Format: Paperback
If you are a company or IT person that is responsible for keeping your company compliant with the Sarbanes-Oxley Act of 2002, you owe it to yourself to pick up this book. Chock full of tons of helpful advice and guidelines, this 300+ page text will help get your IT department streamlined and well structured. The Sarbanes-Oxley Act was put into place in direct response to the outlandish acts of companies such as Tyco, Enron, MCI and the like, so that the public will know that their investment money is being used towards non-corrupt practices, and this involves not only financial numbers, but also the systems that hold such important data.

Nice book, helpful guide

4 of 4 people found the following review helpful
Great resource, very helpful in ensuring compliance with SOX April 19 2006
By Harold McFarland
Format: Paperback
Compliance with the Sarbanes-Oxley Act is a legal requirement for publicly traded companies. The problem with the Act is that it requires things like adequate internal control structure and a report on the effectiveness of the internal control structure and procedures while not providing any guidance or any specific mention of information technology implications. Luckily there are several other more specific standards to follow, with the most common among auditors being COBIT (Control Objectives for Information and Related Technology).

This book concentrates on using various open source tools (included on a CD with the book) to audit and document your system for compliance with COBIT. The authors take the reader through a detailed walk through the COBIT components and explain each one as well as how to implement it successfully. If it is followed, the result is a sustainable system that is well documented, has set policies to prevent problems, has solid controls, and establishes responsibilities for change and improvements. Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools is highly recommended for anyone preparing to undergo a Sarbanes-Oxley audit, but is also highly recommended to others because it is so useful for documenting your system and setting responsibility for changes to it.
10 of 13 people found the following review helpful
Authors' Rebuttal Oct. 27 2005
By Roderick Peterson
Format: Paperback
As the authors of this book, we'd like to respond to Christopher Byrne's review of our book. We appreciate Christopher's time and attention paid to our book, but would like to respond to a couple of criticisms presented in the review....

The first paragraph of the review states "The only justification for buying it might be to get the CD with the open-source toolkit which might help smaller organizations get something in place quickly, but that is it." As the authors of the book we find this statement very gratifying as it tells us we were able to accomplish one of the main goals of the book. It tells us we accurately identified our target audience, small to medium size companies and it tells us that we presented the right mix of information and CD content to enable the reader to easily take the book from concept to practical application for SOX compliance.

The next section of the review, "Why Do I Not Like This Book", contains various sections we'd like to address.

1. "Backgrounds of the authors" - As the authors we never stated, conveyed, nor implied that we were auditors and/or had any certifications in audit-related disciplines. What we did however state was that we were IT professionals who had successfully been through the SOX certification process. A process that yielded no material weaknesses or significant deficiencies, and that is what we endeavored to share and convey with our readers.

The review attempts to support this logic by quoting responses to a question posed to colleagues. Although on first look that might appear to be the case, the majority of the responses actually state or convey that certifications aren't always necessary and practical experience is more important. Also, these quotes are from people who have not even seen the book.

2. Understanding COBIT - On one hand the review criticizes us for "... publishing information on COBIT, in some cases verbatim." and on the other hand "In addition, the authors fail to provide the entire context and understanding of COBIT". So again, we will simply say we passed our audit with no material weaknesses or significant deficiencies.

3. And The List Goes On and The Sarbanes-Oxley FUD Factor - These sections are very subjective. Based on our experience and discussions with our colleagues, the stated subject matter was not relevant to the objectives of the book. As for the title, it conveys the main components of the book - Open Source, COBIT and SOX compliance.

4. "SOX and COBIT Defined" - It was not our intent to advocate the implementation of COBIT but merely to provide, based on our experience, criteria and a mechanism for extracting from COBIT the components needed for SOX compliance. As for the importance of risk, the following quote from the book illustrates how we feel risk and risk assessment should be handled: "Risk assessment from an IT perspective is also an important subject to undertake as a normal course of capacity planning and disaster recovery."

5. SOX Compliance Policies - This section is merely semantics. The review itself actually reinforces one of the points in the book: "COBIT is a framework for internal governance and when done properly, takes care of compliance with any law or regulation." We never disputed this point and made similar comments in the book.

SOX Compliance Policy - Is there a difference between a SOX Compliance Policy and a Policy that complies with SOX - or are we just nit picking words?

We would give this 5 stars, only because they won't allow 1,000