This represents the proceedings of the Fourth Working Conference on the book title held 15‐16 November, 2001 in Brussels, Belgium. It consists of five refereed papers, two invited ones, two valuable tutorial papers on COBIT, two vendor white papers, and the final panel discussion. This is a vital area and the emphasis on IT Governance is essential, although one needs to ensure that this does mean top-level governance, organisation‐wise, and not just within an IT department, which would completely defeat the object of the lesson. The language of the text is such that it would communicate well with members of a board of directors, but those attending the conference and the explicit singling out of a readership of security specialists, IT auditors and researchers indicate that board members are unlikely to come across this book. One can only hope that those who are the most likely readers might take the trouble to write a short briefing note on the ramifications of the text to their board, and that this might inspire some discussion and action. One would encourage all boards either to have a standing item, or at least to consider the topic once a year.
This is a European contribution to the debate with links to ISACA and computer societies in the UK and Benelux, as well as the Institute of Chartered Accountants of England and Wales. Data integrity within “secure systems”, common software vulnerabilities, using accounting invariants within financial systems as a safeguard as software evolves, and using diversity as a defensive mechanism in the midst of the homogeneity of the contemporary computer environment occupy the first section. The invited papers are on data quality and developments in electronic payment systems security. The tutorial section is the one most crying out to be placed in front of a board of directors. The first part provides a detailed excursion into COBIT (see www.isaca.org/cobit.htm) and then follows it up with a case study.
The vendor section does not add much, and would have been best deleted from the publication. A critical assessment of what is available would have been relevant, but not a rather superficial sales pitch. Mercifully there are only 17 pages of this. The panel discussion is helpful but brief and seems to be leading more on to the next conference. The message is that for the next bite of the cherry the readership would be better served by more editing and developing the publication beyond the confines of what happened at the conference. Indeed, if the needs of a board of directors, as well as the participants, were to be the benchmark, one might produce a trend-setting publication next time around.
