Book description
PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Information systems and IT infrastructures are no longer exempt from governance and compliance, given the U.S. compliance laws enacted during the early to mid-2000s. As a result of these laws, organizations in both the public and private sectors must have proper security controls in place. Auditing IT Infrastructures for Compliance identifies and explains what each of these compliance laws requires. It then discusses how to audit an IT infrastructure for compliance based on those laws and on the need to protect and secure business and consumer privacy data. It closes with a resource for readers who want more information on becoming skilled at IT auditing and IT compliance auditing.
Table of contents
- Copyright
- Preface
- Acknowledgments
- About the Authors
- ONE. The Need for Compliance
  - 1. The Need for Information Systems Security Compliance
  - 2. Overview of U.S. Compliance Laws
    - Introduction to Public and Private Sector Regulatory Requirements
    - Federal Information Security Management Act (FISMA)
    - U.S. Department of Defense (DoD) Requirements
    - Sarbanes-Oxley Act (SOX)
    - Gramm-Leach-Bliley Act (GLBA)
    - Health Insurance Portability and Accountability Act (HIPAA)
    - Children's Internet Protection Act (CIPA)
    - Family Educational Rights and Privacy Act (FERPA)
    - Payment Card Industry Data Security Standard (PCI DSS)
    - Red Flags Rule
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 2 ASSESSMENT
  - 3. What Is the Scope of an IT Compliance Audit?
- TWO. Auditing for Compliance: Frameworks, Tools, and Techniques
  - 4. Auditing Standards and Frameworks
  - 5. Planning an IT Infrastructure Audit for Compliance
    - Defining Scope, Goals and Objectives, and Frequency
    - Identifying Critical Requirements for the Audit
    - Assessing IT Security
    - Obtaining Information, Documentation, and Resources
    - Organizing the IT Security Policy Framework Definitions for the Seven Domains of a Typical IT Infrastructure
    - Identifying and Testing Monitoring Requirements
    - Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
    - Building a Project Plan Organizing the IT Infrastructure Audit Approach, Tasks, Deliverables, Timelines, and Resources Needed
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 5 ASSESSMENT
    - ENDNOTES
  - 6. Conducting an IT Infrastructure Audit for Compliance
    - Identifying Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
    - Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Conducting the Audit in a Layered Fashion
    - Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
    - Incorporating the Security Assessment Into the Overall Audit Validating Compliance Process
    - Using Audit Tools to Organize Data Capture—CAATTs, Checklists, Spreadsheets
    - Investigating the Use of Automated Audit Reporting Tools and Methodologies
    - Reviewing Configurations and Implementations in Compliance with Defined IT Security Policies, Standards, Procedures, and Guidelines
    - Performing Testing and Monitoring to Verify and Validate Proper Configuration and Implementation of Security Controls and Countermeasures
    - Identifying Common Problems or Issues When Conducting an IT Infrastructure Audit
    - Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 6 ASSESSMENT
    - ENDNOTES
  - 7. Writing the IT Infrastructure Audit Report
    - Executive Summary
    - Summary of Findings Within the Seven Domains of Typical IT Infrastructure, Gap Analysis
    - IT Security Assessment Results: Risk, Threats, and Vulnerabilities
    - IT Security Controls and Countermeasures Implementation
    - IT Security Controls and Countermeasure Gap Analysis
    - Compliance Assessment Throughout the IT Infrastructure
    - Presenting Compliance Recommendations
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 7 ASSESSMENT
  - 8. Compliance Within the User Domain
    - Compliance Law Requirements and Business Drivers
    - Items Commonly Found in the User Domain
    - Separation of Duties
    - Least Privilege
    - Need-to-Know Basis
    - Confidentiality Agreements
    - Employee Background Checks
    - Acknowledgment of Responsibilities and Accountabilities
    - Security Awareness and Training for New Employees
    - Information Systems Security Accountability
    - Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Best Practices for User Domain Compliance Requirements
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 8 ASSESSMENT
  - 9. Compliance Within the Workstation Domain
    - Compliance Law Requirements and Business Drivers
    - Devices and Components Commonly Found in the Workstation Domain
    - Access Rights and Access Controls in the Workstation Domain
    - Maximizing A-I-C
    - Workstation Vulnerability Management
    - Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Best Practices for Workstation Domain Compliance Requirements
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 9 ASSESSMENT
  - 10. Compliance Within the LAN Domain
    - Compliance Law Requirements and Business Drivers
    - Devices and Components Commonly Found in the LAN Domain
    - LAN Traffic and Performance Monitoring and Analysis
    - LAN Configuration and Change Management
    - LAN Management, Tools, and Systems
    - Access Rights and Access Controls in the LAN Domain
    - Maximizing A-I-C
    - LAN File/Print/Communication Server Vulnerability Management
    - Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Best Practices for LAN Domain Compliance Requirements
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 10 ASSESSMENT
  - 11. Compliance Within the LAN-to-WAN Domain
    - Compliance Law Requirements and Business Drivers
    - Devices and Components Commonly Found in the LAN-to-WAN Domain
    - LAN-to-WAN Traffic and Performance Monitoring and Analysis
    - LAN-to-WAN Configuration and Change Management
    - LAN-to-WAN Management, Tools, and Systems
    - Access Rights and Access Controls in the LAN-to-WAN Domain
    - Maximizing A-I-C
    - Penetration Testing and LAN-to-WAN Configuration Validation
    - Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Best Practices for LAN-to-WAN Domain Compliance
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 11 ASSESSMENT
  - 12. Compliance Within the WAN Domain
    - Compliance Law Requirements and Business Drivers
    - Devices and Components Commonly Found in the WAN Domain
    - WAN Traffic and Performance Monitoring and Analysis
    - WAN Configuration and Change Management
    - WAN Management, Tools, and Systems
    - Access Rights and Access Controls in the WAN Domain
    - Maximizing A-I-C
    - WAN Service Provider SAS Compliance
    - Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Best Practices for WAN Domain Compliance Requirements
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 12 ASSESSMENT
    - ENDNOTE
  - 13. Compliance Within the Remote Access Domain
    - Compliance Law Requirements and Business Drivers
    - Devices and Components Commonly Found in the Remote Access Domain
    - Remote Access and VPN Tunnel Monitoring
    - Remote Access Traffic and Performance Monitoring and Analysis
    - Remote Access Configuration and Change Management
    - Remote Access Management, Tools, and Systems
    - Access Rights and Access Controls in the Remote Access Domain
    - Remote Access Domain Configuration Validation
    - Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Best Practices for Remote Access Domain Compliance Requirements
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 13 ASSESSMENT
  - 14. Compliance Within the System/Application Domain
    - Compliance Law Requirements and Business Drivers
    - Devices and Components Commonly Found in the System/Application Domain
    - System and Application Traffic and Performance Monitoring and Analysis
    - System and Application Configuration and Change Management
    - System and Application Management, Tools, and Systems
    - Access Rights and Access Controls in the System/Application Domain
    - Maximizing A-I-C
    - System/Application Server Vulnerability Management
    - Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    - Best Practices for System/Application Domain Compliance Requirements
    - CHAPTER SUMMARY
    - KEY CONCEPTS AND TERMS
    - CHAPTER 14 ASSESSMENT
- THREE. Ethics, Education, and Certification for IT Auditors
  - 15. Ethics, Education, and Certification for IT Auditors
- A. Answer Key
- B. Standard Acronyms
- Glossary of Key Terms
- References
Product information
- Title: Auditing IT Infrastructures for Compliance
- Author(s):
- Release date: September 2010
- Publisher(s): Jones & Bartlett Learning
- ISBN: 9780763791827