"Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance",

John S. Quarterman, 2006, 0-7645-9839-2, U$50.00/C$64.99/UK#31.99
%A John S. Quarterman
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2006
%T 0-7645-9839-2
%I John Wiley & Sons, Inc.
%O U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0764598392/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0764598392/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0764598392/robsladesin03-20
%O Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 278 p.
%T "Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance"

There is a problem with the title, quite apart from the fact that it is just too long. This book is not about "Sarbanes-Oxley Section 404" (which is in the largest type on the front cover) as such. In the preface, Quarterman explains that this work addresses risk management, and specifically risks related to the Internet. The text is intended for a wide ranging audience: C-level executives who need to manage and report risk, IT professionals needing information about non-technical control of risk, insurance and financial organizations needing to make monetary assessments of risks and benefits, employees of Internet related companies, and business risk management students.

Having been through this myself, I know that the title and cover are not Quarterman's fault: publishers get to choose. (And, somewhere in Wiley, there is a marketing person just bouncing up and down with glee at finally being able to publish a SOX book.) On the other hand, the title is not completely misleading: SOX 404 is about the proper assessment and reporting of potential risks, and pretty much every company these days has to factor in the perils of dependence upon the Internet.

Chapter one is an introduction, noting that, contrary to standard risk assessment ideology, some threats are beyond the control of the enterprise, and not subject to any kind of technical safeguards. Perils may be too large for the company and difficult to quantify. Quarterman points out that, rather than a fixed value resource, the Internet may be more similar in valuation to a stock option, or other financial instrument, and doesn't fit older cost/benefit models. A variety of hazards from and to the Internet are listed in chapter two. Solutions are addressed in chapter three, and the author also examines proposed solutions that do not work. For example, the difficulties of the Internet are frequently blamed on the fact that there is no central authority and management, and such command structures have often been proposed to impose on the net. However, Quarterman demonstrates that decentralization has worked in a number of cases, including a number of Internet applications.

Chapter four, is difficult: options for risk transfer are discussed before the concept is raised, and although the title talks about strategy it is hard to pick strategic measures out of all the tactical measures. The work of Basel II, with the concepts of credit and operational risk calculations, are outlined in chapter five. Examples of risks that are troublesome to quantify are given in chapter six.

Chapter seven turns to large enterprises, noting some threats that are somewhat intrinsic to the breed. Quarterman doesn't stop with the trite but true: some of the perils are hubris and a reputation for bullying behaviour. Small enterprises might not find the same kind of help in chapter eight: the material here talks more about opportunities and benefits. Various aspects of bonding, insuring, and service level agreements (SLAs) for Internet service providers are examined in chapter nine. There is an interesting discussion of third-party bonding, and the advantages that automatically accrue to all parties under such a situation. Chapter ten turns to the government, and the ways in which it can, and can't, help. Numerous aspects of insurance; policy language, legal precedents, new concepts, and the lack of hard data for the effectiveness of the new instruments; are reviewed in chapter eleven to address the possibilities, limits, and restrictions of new forms. Chapter twelve summarizes the reasons why Internet risk is different than others.

This book has a rushed feeling to it, and there are a number of odd errors. The "Acknowledgements" section is, instead, a repeat of the first page of the preface. Text and phrases are repeated ("cyberhurricanes"), often without definition and sometimes in contradictory fashion. There is, for example, an amount of $100 billion for risk from the Internet. This number is repeated on pages xxiii, 1, 30, 146, and 256 but seems to be used in one place for a global figure, and in another for the risk to an individual company. The structure of individual chapters can be difficult as well: it is hard to determine threads of specific arguments out of the (admittedly intriguing) stream of information.

There are three threads that are repeated again and again in the book: diversity, insurance, and mapping of the Internet. But there is much more: Quarterman does not address the standard picture of risk management, since he is pointing out that the Internet throws our usual tools for quantified risk analysis into disarray. Instead he notes areas that have been neglected, because of the difficulty of fitting them into standard models, and proposes new, if somewhat vague, risk paradigms. This is not a text that can be used as a reference for ordinary threat analysis, but should be thoroughly studied by anyone involved with information (and particularly communications) protection for a large company, anyone involved with the Internet in a big way, and anyone responsible for business risks in a rapidly changing environment.

copyright Robert M. Slade, 2006 BKRMSSOX.RVW 20060722

Risk Book Cover Risk Management Solutions

QC Quarterman Creations