
Auditing IT Infrastructures for Compliance, 2nd Edition

Book Description

The Second Edition of Auditing IT Infrastructures for Compliance provides a unique, in-depth look at recent U.S.-based information systems and IT infrastructure compliance laws in both the public and private sectors. Written by industry experts, this book gives a comprehensive explanation of how to audit IT infrastructures for compliance with those laws and with the need to protect and secure business and consumer privacy data. Using examples and exercises, it incorporates hands-on activities that prepare readers to complete IT compliance audits skillfully.

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Dedication
  5. Contents
  6. Preface
  7. Acknowledgments
  8. Part One The Need for Compliance
    1. Chapter 1 The Need for Information Systems Security Compliance
      1. What Is an IT Security Assessment?
      2. What Is an IT Security Audit?
      3. What Is Compliance?
      4. How Does an Audit Differ from an Assessment?
      5. Why Are Governance and Compliance Important?
        1. Case Study: Enron
        2. Case Study: WorldCom
      6. What If an Organization Does Not Comply with Compliance Laws?
        1. Case Study: TJX Credit Card Breach
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 1 Assessment
    2. Chapter 2 Overview of U.S. Compliance Laws
      1. Introduction to Public and Private Sector Regulatory Requirements
      2. Federal Information Security Management Act
      3. U.S. Department of Defense Requirements
        1. Certification and Accreditation and Risk Management Framework
        2. Cybersecurity
      4. Sarbanes-Oxley Act
      5. Gramm-Leach-Bliley Act
      6. Health Insurance Portability and Accountability Act
      7. Children’s Internet Protection Act
      8. Children’s Online Privacy Protection Act
      9. Family Educational Rights and Privacy Act
      10. Payment Card Industry Data Security Standard
      11. Red Flags Rule
      12. Chapter Summary
      13. Key Concepts and Terms
      14. Chapter 2 Assessment
    3. Chapter 3 What Is the Scope of an IT Compliance Audit?
      1. What Must Your Organization Do to Be in Compliance?
        1. Protecting and Securing Privacy Data
        2. Designing and Implementing Proper Security Controls
      2. What Are You Auditing Within the IT Infrastructure?
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      3. Maintaining IT Compliance
        1. Conducting Periodic Security Assessments
        2. Performing an Annual Security Compliance Audit
        3. Defining Proper Security Controls
      4. Chapter Summary
      5. Key Concepts and Terms
      6. Chapter 3 Assessment
  9. Part Two Auditing for Compliance: Frameworks, Tools, and Techniques
    1. Chapter 4 Auditing Standards and Frameworks
      1. Why Frameworks Are Important for Auditing
      2. The Importance of Using Standards in Compliance Auditing
        1. COSO
        2. COBIT
      3. Service Organization Control Reports
      4. ISO/IEC Standards
        1. ISO/IEC 27001 Standard
        2. ISO/IEC 27002 Standard
      5. NIST 800-53
      6. Cybersecurity Framework
      7. Developing a Hybrid Auditing Framework or Approach
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 4 Assessment
    2. Chapter 5 Planning an IT Infrastructure Audit for Compliance
      1. Defining the Scope, Objectives, Goals, and Frequency of an Audit
      2. Identifying Critical Requirements for the Audit
        1. Implementing Security Controls
        2. Protecting Privacy Data
      3. Assessing IT Security
        1. Risk Management
        2. Threat Analysis
        3. Vulnerability Analysis
        4. Risk Assessment Analysis: Defining an Acceptable Security Baseline Definition
      4. Obtaining Information, Documentation, and Resources
        1. Existing IT Security Policy Framework Definition
        2. Configuration Documentation for IT Infrastructure
        3. Interviews with Key IT Support and Management Personnel: Identifying and Planning
        4. NIST Standards and Methodologies
      5. Mapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT Infrastructure
      6. Identifying and Testing Monitoring Requirements
      7. Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
      8. Building a Project Plan
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 5 Assessment
    3. Chapter 6 Conducting an IT Infrastructure Audit for Compliance
      1. Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
        1. Organization-Wide
        2. Seven Domains of a Typical IT Infrastructure
        3. Gap Analysis for the Seven Domains
      2. Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
      3. Conducting the Audit in a Layered Fashion
      4. Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
      5. Incorporating the Security Assessment into the Overall Audit Validating Compliance Process
      6. Using Audit Tools to Organize Data Capture
      7. Using Automated Audit Reporting Tools and Methodologies
      8. Reviewing Configurations and Implementations
      9. Verifying and Validating Proper Configuration and the Implementation of Security Controls and Countermeasures
      10. Identifying Common Problems When Conducting an IT Infrastructure Audit
      11. Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure
      12. Chapter Summary
      13. Key Concepts and Terms
      14. Chapter 6 Assessment
    4. Chapter 7 Writing the IT Infrastructure Audit Report
      1. Executive Summary of an Audit Report
      2. Summary of Findings
      3. IT Security Assessment Results: Risk, Threats, and Vulnerabilities
      4. Reporting on Implementation of IT Security Controls and Countermeasures
        1. Per Documented IT Security Policy Framework
        2. Privacy Data
      5. IT Security Controls and Countermeasure Gap Analysis
        1. Compliance Requirement
        2. Risk, Threat, and Vulnerability Mitigation Requirement
      6. Compliance Assessment Throughout the IT Infrastructure
      7. Presenting Compliance Recommendations
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 7 Assessment
    5. Chapter 8 Compliance Within the User Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Privacy Data
        2. Implementing Proper Security Controls for the User Domain
      2. Items Commonly Found in the User Domain
      3. Separation of Duties
      4. Least Privilege
      5. Need to Know
      6. Confidentiality Agreements
      7. Employee Background Checks
      8. Acknowledgment of Responsibilities and Accountabilities
      9. Security Awareness and Training for New Employees
      10. Information Systems Security Accountability
        1. Requiring That Human Resources Take a Lead Role
        2. Defining Accurate IT and IT Security Employee Job Descriptions
        3. Incorporating Accountability into Annual Employee Performance Reviews
      11. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      12. Best Practices for User Domain Compliance
      13. Chapter Summary
      14. Key Concepts and Terms
      15. Chapter 8 Assessment
    6. Chapter 9 Compliance Within the Workstation Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Private Data
        2. Implementing Proper Security Controls for the Workstation Domain
      2. Devices and Components Commonly Found in the Workstation Domain
        1. Uninterruptible Power Supplies
        2. Desktop Computers
        3. Laptops/Tablets/Smartphones
        4. Local Printers
        5. Modems and Wireless Access Points
        6. Fixed Hard Disk Drives
        7. Removable Storage Devices
      3. Access Rights and Access Controls in the Workstation Domain
      4. Maximizing C-I-A
        1. Maximizing Availability
        2. Maximizing Integrity
        3. Maximizing Confidentiality
      5. Workstation Vulnerability Management
        1. Operating System Patch Management
        2. Application Software Patch Management
      6. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      7. Best Practices for Workstation Domain Compliance
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 9 Assessment
    7. Chapter 10 Compliance Within the LAN Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the LAN Domain
      2. Devices and Components Commonly Found in the LAN Domain
        1. Connection Media
        2. Networking Devices
        3. Server Computers and Services Devices
        4. Networking Services Software
      3. LAN Traffic and Performance Monitoring and Analysis
      4. LAN Configuration and Change Management
      5. LAN Management, Tools, and Systems
      6. Access Rights and Access Controls in the LAN Domain
      7. Maximizing C-I-A
        1. Maximizing Confidentiality
        2. Maximizing Integrity
        3. Maximizing Availability
      8. Managing the Vulnerability of LAN Components
        1. Operating System Patch Management
        2. Application Software Patch Management
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for LAN Domain Compliance
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 10 Assessment
    8. Chapter 11 Compliance Within the LAN-to-WAN Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the LAN-to-WAN Domain
      2. Devices and Components Commonly Found in the LAN-to-WAN Domain
        1. Routers
        2. Firewalls
        3. Proxy Servers
        4. Demilitarized Zones
        5. Honeypots
        6. Internet Service Provider Connections and Backup Connections
        7. Intrusion Detection Systems/Intrusion Prevention Systems
        8. Data Loss/Leak Security Appliances
        9. Web Content Filtering Devices
        10. Traffic-Monitoring Devices
      3. LAN-to-WAN Traffic and Performance Monitoring and Analysis
      4. LAN-to-WAN Configuration and Change Management
      5. LAN-to-WAN Management, Tools, and Systems
        1. FCAPS
        2. Network-Management Tools
      6. Access Rights and Access Controls in the LAN-to-WAN Domain
      7. Maximizing C-I-A
        1. Minimizing Single Points of Failure
        2. Dual-Homed ISP Connections
        3. Redundant Routers and Firewalls
        4. Web Server Data and Hard Drive Backup and Recovery
        5. Use of Virtual Private Networks for Remote Access to Organizational Systems and Data
      8. Penetration Testing and Validating LAN-to-WAN Configuration
        1. External Attacks
        2. Internal Attacks
        3. Intrusive Versus Nonintrusive Testing
        4. Configuration Management Verification
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for LAN-to-WAN Domain Compliance
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 11 Assessment
    9. Chapter 12 Compliance Within the WAN Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the WAN Domain
      2. Devices and Components Commonly Found in the WAN Domain
        1. WAN Service Providers
        2. Dedicated Lines/Circuits
        3. MPLS/VPN WAN or Metro Ethernet
        4. WAN Layer 2/Layer 3 Switches
        5. WAN Backup and Redundant Links
      3. WAN Traffic and Performance Monitoring and Analysis
      4. WAN Configuration and Change Management
      5. WAN Management Tools and Systems
      6. Access Rights and Access Controls in the WAN Domain
      7. Maximizing C-I-A
        1. WAN Service Availability SLAs
        2. WAN Recovery and Restoration SLAs
        3. WAN Traffic Encryption/VPNs
      8. WAN Service Provider SOC Compliance
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for WAN Domain Compliance
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 12 Assessment
    10. Chapter 13 Compliance Within the Remote Access Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the Remote Access Domain
      2. Devices and Components Commonly Found in the Remote Access Domain
        1. Remote Users
        2. Remote Workstations or Laptops
        3. Remote Access Controls and Tools
        4. Authentication Servers
        5. VPNs and Encryption
        6. Internet Service Provider WAN Connections
        7. Broadband Internet Service Provider WAN Connections
      3. Remote Access and VPN Tunnel Monitoring
      4. Remote Access Traffic and Performance Monitoring and Analysis
      5. Remote Access Configuration and Change Management
      6. Remote Access Management, Tools, and Systems
      7. Access Rights and Access Controls in the Remote Access Domain
      8. Remote Access Domain Configuration Validation
        1. VPN Client Definition and Access Controls
        2. TLS VPN Remote Access Via a Web Browser
        3. VPN Configuration Management Verification
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for Remote Access Domain Compliance
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 13 Assessment
    11. Chapter 14 Compliance Within the System/Application Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the System/Application Domain
      2. Devices and Components Commonly Found in the System/Application Domain
        1. Computer Room/Data Center
        2. Redundant Computer Room/Data Center
        3. Uninterruptible Power Supplies and Diesel Generators to Maintain Operations
        4. Mainframe Computers
        5. Minicomputers
        6. Server Computers
        7. Data Storage Devices
        8. Applications
        9. Source Code
        10. Databases and Privacy Data
      3. System and Application Traffic and Performance Monitoring and Analysis
      4. System and Application Configuration and Change Management
      5. System and Application Management, Tools, and Systems
      6. Access Rights and Access Controls in the System/Application Domain
      7. Maximizing C-I-A
        1. BCP and DRP
        2. Access Controls
        3. Database and Drive Encryption
      8. System/Application Server Vulnerability Management
        1. Operating System Patch Management
        2. Application Software Patch Management
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for System/Application Domain Compliance
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 14 Assessment
  10. Part Three Beyond Audits
    1. Chapter 15 Ethics, Education, and Certification for IT Auditors
      1. IT Auditing Career Opportunities
      2. Professional Ethics and Integrity of IT Auditors
      3. Codes of Conduct for Employees and IT Auditors
        1. Employer-/Organization-Driven Codes of Conduct
        2. Employee Handbook and Employment Policies
        3. (ISC)2 Code of Ethics
      4. Certification and Accreditation for IT Auditing
        1. IIA
        2. ISACA
        3. SANS Institute
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 15 Assessment
  11. Appendix A Answer Key
  12. Appendix B Standard Acronyms
  13. Glossary of Key Terms
  14. References
  15. Index