book

Auditing IT Infrastructures for Compliance

by Martin Weiss, Michael G. Solomon

September 2010

Intermediate to advanced

384 pages

11h 24m

English

Jones & Bartlett Learning

Read now

Unlock full access

Copyright
Preface
Purpose of This BookLearning FeaturesAudience
Acknowledgments
About the Authors
ONE. The Need for Compliance
1. The Need for Information Systems Security Compliance
What Is an IT Security Assessment?What Is an IT Security Audit?What Is Compliance?How Does an Audit Differ from an Assessment?Why Are Governance and Compliance Important?Case Study: EnronCase Study: WorldComWhat If Our Organization Does Not Comply with Compliance Laws?Case Study: TJX Credit Card BreachCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 1 ASSESSMENT
2. Overview of U.S. Compliance Laws
Introduction to Public and Private Sector Regulatory RequirementsFederal Information Security Management Act (FISMA)U.S. Department of Defense (DoD) RequirementsCertification and Accreditation (C&A)Information Assurance (IA)Sarbanes-Oxley Act (SOX)Gramm-Leach-Bliley Act (GLBA)Health Insurance Portability and Accountability Act (HIPAA)Children's Internet Protection Act (CIPA)Family Educational Rights and Privacy Act (FERPA)Payment Card Industry Data Security Standard (PCI DSS)Red Flags RuleCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 2 ASSESSMENT
3. What Is the Scope of an IT Compliance Audit?
What Must Your Organization Do to Be in Compliance?Protecting and Securing Privacy DataDesigning and Implementing Proper Security ControlsWhat Are You Auditing Within the IT Infrastructure?User DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application DomainWhat Must Your Organization Do to Maintain IT Compliance?Conducting Periodic Security AssessmentsPerforming an Annual Security Compliance AuditDefining Proper Security ControlsCreating an IT Security Policy FrameworkImplementing Security Operations and Administration ManagementConfiguration and Change ManagementCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 3 ASSESSMENT
TWO. Auditing for Compliance: Frameworks, Tools, and Techniques
4. Auditing Standards and Frameworks
Why Frameworks Are Important for AuditingThe Importance of Using Standards in Compliance AuditingCOSOCOBITSAS 70 ComplianceType I and Type II Service Audit ReportsISO/IEC StandardsISO/IEC 27001 StandardISO/IEC 27002 StandardNIST 800-53Developing a Hybrid Auditing Framework or ApproachCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 4 ASSESSMENTENDNOTES

5. Planning an IT Infrastructure Audit for Compliance
Defining Scope, Goals and Objectives, and FrequencyIdentifying Critical Requirements for the AuditImplementing Security ControlsProtecting Privacy DataAssessing IT SecurityRisk ManagementThreat AnalysisVulnerability AnalysisRisk Assessment Analysis—Defining an Acceptable Security Baseline DefinitionObtaining Information, Documentation, and ResourcesExisting IT Security Policy Framework DefinitionConfiguration Documentation for IT InfrastructureInterviews with Key IT Support and Management Personnel—Identifying and PlanningNIST Standards and MethodologiesOrganizing the IT Security Policy Framework Definitions for the Seven Domains of a Typical IT InfrastructureIdentifying and Testing Monitoring RequirementsIdentifying Critical Security Control Points That Must Be Verified Throughout the IT InfrastructureBuilding a Project Plan Organizing the IT Infrastructure Audit Approach, Tasks, Deliverables, Timelines, and Resources NeededCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 5 ASSESSMENTENDNOTES
6. Conducting an IT Infrastructure Audit for Compliance
Identifying Minimum Acceptable Level of Risk and Appropriate Security Baseline DefinitionsOrganization-WideSeven Domains of a Typical IT InfrastructureGap Analysis for the Seven DomainsIdentifying All Documented IT Security Policies, Standards, Procedures, and GuidelinesConducting the Audit in a Layered FashionPerforming a Security Assessment for the Entire IT Infrastructure and Individual DomainsIncorporating the Security Assessment Into the Overall Audit Validating Compliance ProcessUsing Audit Tools to Organize Data Capture—CAATTs, Checklists, SpreadsheetsInvestigating the Use of Automated Audit Reporting Tools and MethodologiesReviewing Configurations and Implementations in Compliance with Defined IT Security Policies, Standards, Procedures, and GuidelinesPerforming Testing and Monitoring to Verify and Validate Proper Configuration and Implementation of Security Controls and CountermeasuresIdentifying Common Problems or Issues When Conducting an IT Infrastructure AuditValidating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT InfrastructureCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 6 ASSESSMENTENDNOTES
7. Writing the IT Infrastructure Audit Report
Executive SummarySummary of Findings Within the Seven Domains of Typical IT Infrastructure, Gap AnalysisIT Security Assessment Results: Risk, Threats, and VulnerabilitiesIT Security Controls and Countermeasures ImplementationPer Documented IT Security Policy FrameworkPrivacy DataIT Security Controls and Countermeasure Gap AnalysisCompliance RequirementRisk, Threat, and Vulnerability Mitigation RequirementCompliance Assessment Throughout the IT InfrastructurePresenting Compliance RecommendationsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 7 ASSESSMENT
8. Compliance Within the User Domain
Compliance Law Requirements and Business DriversProtecting Privacy DataImplementing Proper Security Controls for the User DomainItems Commonly Found in the User DomainSeparation of DutiesLeast PrivilegeNeed-to-Know BasisConfidentiality AgreementsEmployee Background ChecksAcknowledgment of Responsibilities and AccountabilitiesSecurity Awareness and Training for New EmployeesInformation Systems Security AccountabilityRequiring That Human Resources Take a Lead RoleDefining Accurate IT and IT Security Employee Job DescriptionsIncorporating Accountability into the Annual Performance Reviews for EmployeesAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for User Domain Compliance RequirementsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 8 ASSESSMENT
9. Compliance Within the Workstation Domain
Compliance Law Requirements and Business DriversProtecting Private DataImplementing Proper Security Controls for the Workstation DomainDevices and Components Commonly Found in the Workstation DomainUninterruptible Power SupplyDesktop ComputerLaptop/Netbook ComputerLocal PrinterAnalog ModemFixed Hard Disk DriveRemovable Storage DeviceAccess Rights and Access Controls in the Workstation DomainMaximizing A-I-CMaximizing AvailabilitySurviving Power OutagesBackup and Recovery StrategyMaximizing IntegrityMaximizing ConfidentialityWorkstation Vulnerability ManagementOperating System Patch ManagementApplication Software Patch ManagementAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for Workstation Domain Compliance RequirementsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 9 ASSESSMENT
10. Compliance Within the LAN Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the LAN DomainDevices and Components Commonly Found in the LAN DomainConnection MediaWired LAN ConnectionsWireless LAN ConnectionsNetworking DevicesHubSwitchRouterServer Computers and Services DevicesLAN File ServerLAN Print ServerLAN Data StorageNetworking Services SoftwareLAN Traffic and Performance Monitoring and AnalysisLAN Configuration and Change ManagementLAN Management, Tools, and SystemsAccess Rights and Access Controls in the LAN DomainMaximizing A-I-CMaximizing AvailabilityMaximizing IntegrityMaximizing ConfidentialityLAN File/Print/Communication Server Vulnerability ManagementOperating System Patch ManagementApplication Software Patch ManagementAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for LAN Domain Compliance RequirementsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 10 ASSESSMENT
11. Compliance Within the LAN-to-WAN Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the LAN-to-WAN DomainDevices and Components Commonly Found in the LAN-to-WAN DomainRouterFirewallProxy ServerDemilitarized Zone (DMZ)HoneypotsInternet Service Provider (ISP) Connection and Backup ConnectionIntrusion Detection System (IDS)/Intrusion Prevention System (IPS)Data Leakage Security ApplianceWeb Content Filtering DeviceTraffic Monitoring DeviceLAN-to-WAN Traffic and Performance Monitoring and AnalysisLAN-to-WAN Configuration and Change ManagementLAN-to-WAN Management, Tools, and SystemsFCAPSNetwork Management ToolsAccess Rights and Access Controls in the LAN-to-WAN DomainMaximizing A-I-CMinimizing Single Points of FailureDual-Homed ISP ConnectionsRedundant Routers and FirewallsWeb Server Data and Hard Drive Backup and RecoveryUse of Virtual Private Networks (VPNs) for Remote Access to Organizational Systems and DataPenetration Testing and LAN-to-WAN Configuration ValidationExternal to InternalInternal to ExternalIntrusive Versus Nonintrusive TestingConfiguration Management VerificationAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for LAN-to-WAN Domain ComplianceCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 11 ASSESSMENT
12. Compliance Within the WAN Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the WAN DomainDevices and Components Commonly Found in the WAN DomainWAN Service ProviderDedicated Lines/CircuitsMPLS/VPN WAN or Metro EthernetWAN Layer 2/Layer 3 SwitchesWAN Backup and Redundant LinksWAN Traffic and Performance Monitoring and AnalysisWAN Configuration and Change ManagementWAN Management, Tools, and SystemsAccess Rights and Access Controls in the WAN DomainMaximizing A-I-CWAN Service Availability SLAsWAN Recovery and Restoration SLAsWAN Traffic Encryption/VPNsWAN Service Provider SAS ComplianceAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for WAN Domain Compliance RequirementsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 12 ASSESSMENTENDNOTE
13. Compliance Within the Remote Access Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the Remote Access DomainDevices and Components Commonly Found in the Remote Access DomainRemote UserRemote Workstation or LaptopRemote Access Controls and ToolsAuthentication ServersRADIUSTACACS+VPNs and EncryptionInternet Service Provider (ISP) WAN ConnectionBroadband Internet Service Provider WAN ConnectionRemote Access and VPN Tunnel MonitoringRemote Access Traffic and Performance Monitoring and AnalysisRemote Access Configuration and Change ManagementRemote Access Management, Tools, and SystemsAccess Rights and Access Controls in the Remote Access DomainRemote Access Domain Configuration ValidationVPN Client Definition and Access ControlsSSL/VPN Remote Access Via Browser and SSL, 128-Bit EncryptionVPN Configuration Management VerificationAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for Remote Access Domain Compliance RequirementsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 13 ASSESSMENT
14. Compliance Within the System/Application Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the System/Application DomainDevices and Components Commonly Found in the System/Application DomainComputer Room/Data CenterRedundant Computer Room/Data CenterUPS Power Supplies and Diesel Generators to Maintain OperationsMainframe ComputersMinicomputersServer ComputersData Storage DevicesApplicationsSource CodeDatabases and Privacy DataSystem and Application Traffic and Performance Monitoring and AnalysisSystem and Application Configuration and Change ManagementSystem and Application Management, Tools, and SystemsAccess Rights and Access Controls in the System/Application DomainMaximizing A-I-CBCP and DRPAccess ControlsDatabase and Drive EncryptionSystem/Application Server Vulnerability ManagementOperating System Patch ManagementApplication Software Patch ManagementAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for System/Application Domain Compliance RequirementsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 14 ASSESSMENT
THREE. Ethics, Education, and Certification for IT Auditors
15. Ethics, Education, and Certification for IT Auditors
IT Auditing Career OpportunitiesProfessional Ethics and Integrity of IT AuditorsCodes of Conduct for Employees and IT AuditorsEmployer/Organization DrivenEmployee Handbook and Employment Policies(ISC)2 Code of EthicsCertification and Accreditation for IT AuditingIIACertified Internal Auditor (CIA) CertificationCertification in Control Self-Assessment (CCSA)Certified Government Auditing Professional (CGAP) CertificationCertified Financial Services Auditor (CFSA) CertificationISACACertified Information Systems Auditor (CISA) CertificationCertified Information Security Manager (CISM) CertificationCertified in Risk and Information Systems Control (CRISC) CertificationCertified in the Governance of Enterprise IT (CGEIT) CertificationSANS InstituteGIAC CertificationsGIAC Systems and Network Auditor (GSNA) CertificationGIAC Certified ISO-17799 Specialist (G7799) CertificationCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 15 ASSESSMENTENDNOTES
A. Answer Key
B. Standard Acronyms
Glossary of Key Terms
References

Content preview from Auditing IT Infrastructures for Compliance

Chapter 7. Writing the IT Infrastructure Audit Report

AFTER DOING AN AUDIT, the final report is arguably the most important part of the process. The report provides the means of communicating the project. The purpose of communicating the efforts effectively helps drive management to consider resources and appropriate steps to improve compliance across the IT infrastructure. The primary purposes of the audit report include the following actions:

Communicate the results.
Prevent misunderstanding of the results.
Facilitate follow-up corrective actions.

Various entities and standards provide guidance on what should be included in the final report. These include, for example, the following:

The American Institute of Certified Public Accountants (AICPA) ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Auditing IT Infrastructures for Compliance, 2nd Edition

Publisher Resources

ISBN: 9780763791810

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Auditing IT Infrastructures for Compliance

by Martin Weiss, Michael G. Solomon

Chapter 7. Writing the IT Infrastructure Audit Report

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.