Sarbanes-Oxley Compliance Using COBIT and Open Source Tools [Illustrated] [Paperback]

Christian Lahti (Author), Roderick Peterson (Author), Steve Lanza (Contributor)

Book Description

Publication Date: August 1, 2005 | ISBN-10: 1597490369 | ISBN-13: 978-1597490368 | Edition: 1

This book illustrates the many Open Source cost savings opportunities available to companies seeking Sarbanes-Oxley compliance. It also provides examples of the Open Source infrastructure components that can and should be made compliant. In addition, the book clearly documents which Open Source tools you should consider using in the journey towards compliance. Although many books and reference material have been authored on the financial and business side of Sox compliance, very little material is available that directly address the information technology considerations, even less so on how Open Source fits into that discussion.

Each chapter begins with an analysis of the business and technical ramifications of Sarbanes-Oxley as regards to topics covered before moving into the detailed instructions on the use of the various Open Source applications and tools relating to the compliance objectives.

The bootable CD contains fully configured demonstrations of Open Source tools.

* Shows companies how to use Open Source tools to achieve SOX compliance, which dramatically lowers the cost of using proprietary, commercial applications
* Contains a bootable-Linux CD containing countless applications, forms, and checklists to assist companies in achieving SOX compliance
* Only SOX compliance book specifically detailing steps to achieve SOX compliance for IT Professionals

Editorial Reviews

From the Back Cover

This book illustrates the many Open Source cost savings opportunities available to companies seeking Sarbanes-Oxley compliance. It also provides examples of the Open Source infrastructure components that can and should be made compliant. In addition, the book clearly documents which Open Source tools you should consider using in the journey towards compliance. Although many books and reference material have been authored on the financial and business side of Sox compliance, very little material is available that directly address the information technology considerations, even less so on how Open Source fits into that discussion.

Each chapter begins with an analysis of the business and technical ramifications of Sarbanes-Oxley as regards to topics covered before moving into the detailed instructions on the use of the various Open Source applications and tools relating to the compliance objectives. The bootable CD contains fully configured demonstrations of Open Source tools.

About the Author

Christian Lahti is a computer services consultant and an expert in security. He is a regular speaker at industry shows such as LinuxWorld and OSCON. He is the technical editor of Windows to Linux Migration Toolkit (Syngress, ISBN: 1931836396).

Roderick Peterson is the Information Technology Director at NeoMagic. He has more than 20 yeras' experience in the IT industry and has successfully led the development and deployment of major applications at several global companies.

Product Details

• Paperback: 356 pages
• Publisher: Syngress; 1 edition (August 1, 2005)
• Language: English
• ISBN-10: 1597490369
• ISBN-13: 978-1597490368
• Product Dimensions: 8.9 x 7 x 1.1 inches
• Shipping Weight: 1.4 pounds
• Average Customer Review: 3.8 out of 5 stars  See all reviews (17 customer reviews)
• Amazon Best Sellers Rank: #1,573,920 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

15 of 15 people found the following review helpful:

3.0 out of 5 stars Two books in one, October 21, 2005

By 

Stephen Northcutt (Kauai, HI USA) - See all my reviews
(REAL NAME)   

This review is from: Sarbanes-Oxley Compliance Using COBIT and Open Source Tools (Paperback)

This is the hardest review I have ever written. The book has enormous potential. The concepts behind the book can probably save organizations a lot of money. The book is a primer to COBIT, which is the model most people use to implement Sarbanes-Oxley. It is also a book about open source tools that may be able to support a COBIT framework.

As a pointer to tools and ideas, you cannot beat this book. However, if you are not already a part of the Linux open source world, I don't think this book can get you there. I had trouble with the CD and had to use a Knoppix cheat code to get it to boot. In addition, the examples on the CD are not populated with enough data to let you play with the tools.

The bottom line, I think this has all the earmarks to become a really important book in the auditing and compliance world in its next edition. I have purchased a copy for every one of my students in my management class and I am flying the authors out to demonstrate the tools to my class. I honestly don't think you can afford to miss this book if you have responsibility for Sarbanes-Oxley or GLBA for that matter. However, you are going to have to find a Linux geek to actually put any of this into practice.

8 of 8 people found the following review helpful:

4.0 out of 5 stars Very helpful introduction to SOX compliance through COBIT, March 13, 2006

By 

Richard Bejtlich "TaoSecurity" (Metro Washington, DC) - See all my reviews
(REAL NAME)   

This review is from: Sarbanes-Oxley Compliance Using COBIT and Open Source Tools (Paperback)

I read Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools (SOICUCAOST) to learn more about compliance issues. I am a security engineer who thankfully has not had to suffer through a SOX audit. I am glad I read SOICUCAOST, however. The book is clear, well-written, and makes innovative use of a live CD. While the book is not the answer to SOX compliance (no book is), small-to-medium-sized businesses will find SOICUCAOST a valuable guide.

I found SOICUCAOST's advice to be surprisingly candid. This is no "SOX is awesome" book. On p 276 we read "one could conclude that not only is there no realistic way to calculate ROI for SOX compliance, but if there were, there would be no positive ROI for SOX. The value of SOX compliance is qualitative and not quantitative. If there is no way to justify SOX compliance, how do I answer questions about how my company's compliance activities affect the bottom line? By shifting the ROI from SOX and the cost savings to open source and cost avoidance... a decision point of whether to comply with SOX or not does not exist." That is only one dose of brutal honesty -- there are many others in this book.

I thought the XFLD-based live CD was an innovative touch. Assuming one can get it to work (I had no trouble), it is a slick way to use a portal for two fictitious companies created to demonstrate ways to achieve IT-related SOX compliance. Not every component works, but using the live CD gets the reader to think he or she may be doing SOX activities instead of reading a book about it.

As far as specific open source tools goes, I don't think it's realistic to be able to use tools based on the information in this book. Syngress published an entire book on Nagios, an entire book on host-based integrity monitoring, an entire book on Snort, and so on. I would have preferred to see SOICUCAOST spend more time on presenting options with advantages and disadvantages for each. I also though the idea of running Snort from a live CD as a production sensor (Ch 6) to be very ill-conceived.

Regarding the reviews -- I am surprised to see they are all over the map. I think Christopher Byrne makes a few good points, but his criticism doesn't warrant a one-star review. Author Roderick Peterson should not have written a five-star "rebuttal". Authors write books, not reviews of their own books. That's poor form and it manipulates Amazon's star ratings.

Overall, I think SOICUCAOST is helpful for any SMB staring at SOX compliance. It certainly provides plenty of sound guidance, solid frameworks, and examples (on the live CD). The book is well-written and organized. I think some of the material could have been formatted for easier reading; Syngress has a tendency to use fonts that are way too large and thereby distracting. Still, I recommend anyone involved with IT-related SOX issues and/or COBIT give SOICUCAOST a try.

5 of 5 people found the following review helpful:

5.0 out of 5 stars ARE YOU IN COMPLIANCE??, July 22, 2006

By 

John R. Vacca "Tech Write Independent Reviewer" (Pomeroy, Ohio) - See all my reviews
(REAL NAME)   

This review is from: Sarbanes-Oxley Compliance Using COBIT and Open Source Tools (Paperback)

Are you a CFO, CIO, CEO, VP, Director of IT, IT Operations Manager, and/or IT Consultant? If you are, then this book is for you! Authors Christian Lahti, Roderick Peterson, and Steve Lanza, have done an outstanding job of writing a practical book that gives you the reader, an understanding of how open source technology and tools might be applied to your individual requirements.

Lahti, Peterson, and Lanza, begin by discussing why the Sarbanes-Oxley (SOX) experience promises to be quite different in terms of depth, cost, and resources. Then, the authors discuss how Congress enacted the Sarbanes-Oxley Act of 2002 in an effort to prevent financial scandals such as those that occurred at Enron and MCI. Next, they explore the need for SOX compliance and the possible consequences of noncompliance--lawsuits, negative publicity for the company, and fines for executive management. The authors then investigate the entire open source phenomenon and the fundamental differences between it and nonfree software. They continue by covering the difference between SOX and COBIT. Then, the authors discuss automation and why it should be a key component of any small to medium-sized company's SOX compliance activities. Next, they cover the COBIT Delivery and Support Delivery and Support Domain and why it is important, not only to SOX compliance activities, but also from an IT Department repositioning perspective. The authors then discuss Deming's continuous quality improvement process, specifically how it was predicted on a closed-loop process. Finally, they show you how to reposition an IT Department, by utilizing COBIT for SOX.

In this most excellent book, you will find a lot of applicable content--basically as much as the authors could muster by way of open source technologies and how they fit into the SOX sphere of influence. More importantly, this book illustrates the many Open Source cost-saving opportunities that public companies can deploy in their IT organizations to meet the mandatory compliance requirements of SOX.