Auditing and Security: AS/400, NT, UNIX, Networks, and Disaster Recovery Plans [Hardcover]

Yusufali F. Musaji (Author)

Book Description

ISBN-10: 0471383716 | ISBN-13: 978-0471383710 | Publication Date: February 21, 2001 | Edition: 1

A complete and definitive guide to auditing the security of IT systems for managers, CIOs, controllers, and auditors
This up-to-date resource provides all the tools you need to perform practical security audits on the entire spectrum of a company's IT platforms-from the mainframe to the individual PC-as well as the networks that connect them to each other and to the global marketplace. Auditing and Security: AS/400, NT, Unix, Networks, and Disaster Recovery Plans is the first book on IT security written specifically for the auditor, detailing what controls are necessary to ensure a secure system regardless of the specific hardware, software, or architecture a company runs. The author uses helpful checklists and diagrams and a practical, rather than theoretical, method to understanding and auditing a company's IT security systems and their requirements. This comprehensive volume covers the full range of issues relating to security audits, including:
* Hardware and software
* Operating systems
* Network connections
* The cooperation of logical and physical security systems
* Disaster recovery planning

Editorial Reviews

From the Inside Flap

According to law enforcement figures, American corporations lose billions of dollars a year due to IT security breaches. Auditing and Security: AS/400, NT, Unix, Networks, and Disaster Recovery Plans provides the tools that an auditor needs to ensure that a company's platforms and networks are adequately protected.

Auditing information systems for security requires knowledge across a wide range of disciplines beyond computer science, including management science, information security, accounting, finance, business, and human resources. This book supplies the vital information across these divergent fields that auditors, IT managers, controllers, and CIOs need to measure the security of their systems. This comprehensive volume covers the full range of issues relating to security audits-hardware, operating systems, network connections, the cooperation of logical and physical security measures, and disaster recovery planning.

The author begins with an overview of the structure of information systems and their security requirements and then shows you how physical and logical security systems work together to create a safe corporate information structure. Comprehensive treatment of the different structures and security needs of AS/400, Microsoft NT, and Unix allows you to understand security requirements regardless of which computer architecture a company runs. Auditing and Security also uses helpful checklists and diagrams and a practical, rather than theoretical, method for understanding hardware, operating systems, and the networks that enable the interconnection of platforms and applications. Another important topic this volume covers is disaster recovery planning to help you ensure that IT systems and the information they safeguard are recoverable in the event of a major disruption in service or intentional destruction of data.

This up-to-date resource provides all the tools you need to perform practical security audits on the entire spectrum of a company's various IT platforms-from the mainframe to the individual PC-as well as the networks that connect them to each other and to the global marketplace. Auditing and Security: AS/400, NT, Unix, Networks, and Disaster Recovery Plans is the first book on IT security written specifically for the auditor, detailing what controls are necessary to ensure a secure system regardless of the specific hardware, software, or architecture a company runs. For the companion Web site, please visit www.wiley.com/musaji.

From the Back Cover

A complete and definitive guide to auditing the security of IT systems for managers, CIOs, controllers, and auditors

This up-to-date resource provides all the tools you need to perform practical security audits on the entire spectrum of a company's IT platforms-from the mainframe to the individual PC-as well as the networks that connect them to each other and to the global marketplace. Auditing and Security: AS/400, NT, Unix, Networks, and Disaster Recovery Plans is the first book on IT security written specifically for the auditor, detailing what controls are necessary to ensure a secure system regardless of the specific hardware, software, or architecture a company runs. The author uses helpful checklists and diagrams and a practical, rather than theoretical, method to understanding and auditing a company's IT security systems and their requirements. This comprehensive volume covers the full range of issues relating to security audits, including:
* Hardware and software
* Operating systems
* Network connections
* The cooperation of logical and physical security systems
* Disaster recovery planning

See all Editorial Reviews

Product Details

• Hardcover: 552 pages
• Publisher: Wiley; 1 edition (February 21, 2001)
• Language: English
• ISBN-10: 0471383716
• ISBN-13: 978-0471383710
• Product Dimensions: 10 x 7 x 1.2 inches
• Shipping Weight: 2.8 pounds (View shipping rates and policies)
• Average Customer Review: 1.0 out of 5 stars  See all reviews (2 customer reviews)
• Amazon Best Sellers Rank: #262,375 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

3 of 4 people found the following review helpful:

1.0 out of 5 stars Not a good source for recent AS/400 info, April 15, 2003

By 

John Earl - See all my reviews

This review is from: Auditing and Security: AS/400, NT, UNIX, Networks, and Disaster Recovery Plans (Hardcover)

Because the book was published in 2001, and it used the AS/400 name in it's title, I expected it to be a good source on recent developments in security on the AS/400 (AKA the IBM iSeries). I am dissapointed. While the information that is included in the book seems generally accurate (I have a few quibbles in areas like QSECURITY, Adopted Authority, CHGSYSLIBL, and CRTAUT to name a few), the big problem is that there are huge chunks of current technologies that are not even addressed in this audit standard.

Some examples include, the entire IFS (Integrated File System), Operations Navigator, NetServer and other network servers like SMTP, HTTP, FTP, etc. No reference to exit programs beyond the ancient PCSACC and DDMACC network attirbutes, spotty acknowledgement of System Values added after V3R1 (1995?) and a general lack of understanding of what the potential security exposures might be in areas that were audited. It's one thing to say that you should "discuss with management" the existance on a workstation entry in subsystem QDSNX, but what is an auditor to discuss if the author hasn't explained the potential security exposure?

It may be a rally good book with respect ot the other OS's that it purports to cover, but from an OS/400 perspective it is not current enough to be very effective on modern versions.

1.0 out of 5 stars Not intended for auditors, September 18, 2009

By 

Dave (New York, NY) - See all my reviews

This review is from: Auditing and Security: AS/400, NT, UNIX, Networks, and Disaster Recovery Plans (Hardcover)

As an experienced Technology Auditor, I picked up this book to brush up on some of the considerations involved in auditing UNIX systems. After reading through most of the section on UNIX, I couldnt help but think that this book was written without considering the intended audience. Generally speaking, an IT Auditor has to be a jack-of-all-trades when it comes to systems, because it is extremely difficult to find a company that uses ONLY Unix, or ONLY Windows, or ONLY Linux. As a result, the IT Auditor has to know enough about each system to navigate through, but is not necessarily an expert in any of them.

This book seems to be written for a security administrator, assuming that the reader knows the details of every command the system has to offer and offering little or no explanation as to what the command does. Convincing a system administrator to run a command that you, as the auditor, do not understand is potentially disasterous.

Beyond that, typos and spelling errors within the commands (ex: using "is -1" instead of "ls -l" or "chcl" instead of "chacl"), are simply inexcusable for what they are charging for this book.