book

Auditing IT Infrastructures for Compliance, 2nd Edition

by Marty Weiss, Michael G. Solomon

July 2015

Intermediate to advanced

398 pages

12h 40m

English

Jones & Bartlett Learning

Read now

Unlock full access

Cover
Title Page
Copyright
Dedication
Contents
Preface
Acknowledgments
Part One The Need for Compliance
Chapter 1 The Need for Information Systems Security Compliance
What Is an IT Security Assessment?What Is an IT Security Audit?What Is Compliance?How Does an Audit Differ from an Assessment?Why Are Governance and Compliance Important?Case Study: EnronCase Study: WorldComWhat If an Organization Does Not Comply with Compliance Laws?Case Study: TJX Credit Card BreachChapter SummaryKey Concepts and TermsChapter 1 Assessment
Chapter 2 Overview of U.S. Compliance Laws
Introduction to Public and Private Sector Regulatory RequirementsFederal Information Security Management ActU.S. Department of Defense RequirementsCertification and Accreditation and Risk Management FrameworkCybersecuritySarbanes-Oxley ActGramm-Leach-Bliley ActHealth Insurance Portability and Accountability ActChildren’s Internet Protection ActChildren’s Online Privacy Protection ActFamily Educational Rights and Privacy ActPayment Card Industry Data Security StandardRed Flags RuleChapter SummaryKey Concepts and TermsChapter 2 Assessment

Chapter 3 What Is the Scope of an IT Compliance Audit?
What Must Your Organization Do to Be in Compliance?Protecting and Securing Privacy DataDesigning and Implementing Proper Security ControlsWhat Are You Auditing Within the IT Infrastructure?User DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application DomainMaintaining IT ComplianceConducting Periodic Security AssessmentsPerforming an Annual Security Compliance AuditDefining Proper Security ControlsChapter SummaryKey Concepts and TermsChapter 3 Assessment
Part Two Auditing for Compliance: Frameworks, Tools, and Techniques
Chapter 4 Auditing Standards and Frameworks
Why Frameworks Are Important for AuditingThe Importance of Using Standards in Compliance AuditingCOSOCOBITService Organization Control ReportsISO/IEC StandardsISO/IEC 27001 StandardISO/IEC 27002 StandardNIST 800-53Cybersecurity FrameworkDeveloping a Hybrid Auditing Framework or ApproachChapter SummaryKey Concepts and TermsChapter 4 Assessment
Chapter 5 Planning an IT Infrastructure Audit for Compliance
Defining the Scope, Objectives, Goals, and Frequency of an AuditIdentifying Critical Requirements for the AuditImplementing Security ControlsProtecting Privacy DataAssessing IT SecurityRisk ManagementThreat AnalysisVulnerability AnalysisRisk Assessment Analysis: Defining an Acceptable Security Baseline DefinitionObtaining Information, Documentation, and ResourcesExisting IT Security Policy Framework DefinitionConfiguration Documentation for IT InfrastructureInterviews with Key IT Support and Management Personnel: Identifying and PlanningNIST Standards and MethodologiesMapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT InfrastructureIdentifying and Testing Monitoring RequirementsIdentifying Critical Security Control Points That Must Be Verified Throughout the IT InfrastructureBuilding a Project PlanChapter SummaryKey Concepts and TermsChapter 5 Assessment
Chapter 6 Conducting an IT Infrastructure Audit for Compliance
Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline DefinitionsOrganization-WideSeven Domains of a Typical IT InfrastructureGap Analysis for the Seven DomainsIdentifying All Documented IT Security Policies, Standards, Procedures, and GuidelinesConducting the Audit in a Layered FashionPerforming a Security Assessment for the Entire IT Infrastructure and Individual DomainsIncorporating the Security Assessment into the Overall Audit Validating Compliance ProcessUsing Audit Tools to Organize Data CaptureUsing Automated Audit Reporting Tools and MethodologiesReviewing Configurations and ImplementationsVerifying and Validating Proper Configuration and the Implementation of Security Controls and CountermeasuresIdentifying Common Problems When Conducting an IT Infrastructure AuditValidating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT InfrastructureChapter SummaryKey Concepts and TermsChapter 6 Assessment
Chapter 7 Writing the IT Infrastructure Audit Report
Executive Summary of an Audit ReportSummary of FindingsIT Security Assessment Results: Risk, Threats, and VulnerabilitiesReporting on Implementation of IT Security Controls and CountermeasuresPer Documented IT Security Policy FrameworkPrivacy DataIT Security Controls and Countermeasure Gap AnalysisCompliance RequirementRisk, Threat, and Vulnerability Mitigation RequirementCompliance Assessment Throughout the IT InfrastructurePresenting Compliance RecommendationsChapter SummaryKey Concepts and TermsChapter 7 Assessment
Chapter 8 Compliance Within the User Domain
Compliance Law Requirements and Business DriversProtecting Privacy DataImplementing Proper Security Controls for the User DomainItems Commonly Found in the User DomainSeparation of DutiesLeast PrivilegeNeed to KnowConfidentiality AgreementsEmployee Background ChecksAcknowledgment of Responsibilities and AccountabilitiesSecurity Awareness and Training for New EmployeesInformation Systems Security AccountabilityRequiring That Human Resources Take a Lead RoleDefining Accurate IT and IT Security Employee Job DescriptionsIncorporating Accountability into Annual Employee Performance ReviewsAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for User Domain ComplianceChapter SummaryKey Concepts and TermsChapter 8 Assessment
Chapter 9 Compliance Within the Workstation Domain
Compliance Law Requirements and Business DriversProtecting Private DataImplementing Proper Security Controls for the Workstation DomainDevices and Components Commonly Found in the Workstation DomainUninterruptible Power SuppliesDesktop ComputersLaptops/Tablets/SmartphonesLocal PrintersModems and Wireless Access PointsFixed Hard Disk DrivesRemovable Storage DevicesAccess Rights and Access Controls in the Workstation DomainMaximizing C-I-AMaximizing AvailabilityMaximizing IntegrityMaximizing ConfidentialityWorkstation Vulnerability ManagementOperating System Patch ManagementApplication Software Patch ManagementAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for Workstation Domain ComplianceChapter SummaryKey Concepts and TermsChapter 9 Assessment
Chapter 10 Compliance Within the LAN Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the LAN DomainDevices and Components Commonly Found in the LAN DomainConnection MediaNetworking DevicesServer Computers and Services DevicesNetworking Services SoftwareLAN Traffic and Performance Monitoring and AnalysisLAN Configuration and Change ManagementLAN Management, Tools, and SystemsAccess Rights and Access Controls in the LAN DomainMaximizing C-I-AMaximizing ConfidentialityMaximizing IntegrityMaximizing AvailabilityManaging the Vulnerability of LAN ComponentsOperating System Patch ManagementApplication Software Patch ManagementAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for LAN Domain ComplianceChapter SummaryKey Concepts and TermsChapter 10 Assessment
Chapter 11 Compliance Within the LAN-to-WAN Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the LAN-to-WAN DomainDevices and Components Commonly Found in the LAN-to-WAN DomainRoutersFirewallsProxy ServersDemilitarized ZonesHoneypotsInternet Service Provider Connections and Backup ConnectionsIntrusion Detection Systems/Intrusion Prevention SystemsData Loss/Leak Security AppliancesWeb Content Filtering DevicesTraffic-Monitoring DevicesLAN-to-WAN Traffic and Performance Monitoring and AnalysisLAN-to-WAN Configuration and Change ManagementLAN-to-WAN Management, Tools, and SystemsFCAPSNetwork-Management ToolsAccess Rights and Access Controls in the LAN-to-WAN DomainMaximizing C-I-AMinimizing Single Points of FailureDual-Homed ISP ConnectionsRedundant Routers and FirewallsWeb Server Data and Hard Drive Backup and RecoveryUse of Virtual Private Networks for Remote Access to Organizational Systems and DataPenetration Testing and Validating LAN-to-WAN ConfigurationExternal AttacksInternal AttacksIntrusive Versus Nonintrusive TestingConfiguration Management VerificationAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for LAN-to-WAN Domain ComplianceChapter SummaryKey Concepts and TermsChapter 11 Assessment
Chapter 12 Compliance Within the WAN Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the WAN DomainDevices and Components Commonly Found in the WAN DomainWAN Service ProvidersDedicated Lines/CircuitsMPLS/VPN WAN or Metro EthernetWAN Layer 2/Layer 3 SwitchesWAN Backup and Redundant LinksWAN Traffic and Performance Monitoring and AnalysisWAN Configuration and Change ManagementWAN Management Tools and SystemsAccess Rights and Access Controls in the WAN DomainMaximizing C-I-AWAN Service Availability SLAsWAN Recovery and Restoration SLAsWAN Traffic Encryption/VPNsWAN Service Provider SOC ComplianceAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for WAN Domain ComplianceChapter SummaryKey Concepts and TermsChapter 12 Assessment
Chapter 13 Compliance Within the Remote Access Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the Remote Access DomainDevices and Components Commonly Found in the Remote Access DomainRemote UsersRemote Workstations or LaptopsRemote Access Controls and ToolsAuthentication ServersVPNs and EncryptionInternet Service Provider WAN ConnectionsBroadband Internet Service Provider WAN ConnectionsRemote Access and VPN Tunnel MonitoringRemote Access Traffic and Performance Monitoring and AnalysisRemote Access Configuration and Change ManagementRemote Access Management, Tools, and SystemsAccess Rights and Access Controls in the Remote Access DomainRemote Access Domain Configuration ValidationVPN Client Definition and Access ControlsTLS VPN Remote Access Via a Web BrowserVPN Configuration Management VerificationAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for Remote Access Domain ComplianceChapter SummaryKey Concepts and TermsChapter 13 Assessment
Chapter 14 Compliance Within the System/Application Domain
Compliance Law Requirements and Business DriversProtecting Data PrivacyImplementing Proper Security Controls for the System/Application DomainDevices and Components Commonly Found in the System/Application DomainComputer Room/Data CenterRedundant Computer Room/Data CenterUninterruptible Power Supplies and Diesel Generators to Maintain OperationsMainframe ComputersMinicomputersServer ComputersData Storage DevicesApplicationsSource CodeDatabases and Privacy DataSystem and Application Traffic and Performance Monitoring and AnalysisSystem and Application Configuration and Change ManagementSystem and Application Management, Tools, and SystemsAccess Rights and Access Controls in the System/Application DomainMaximizing C-I-ABCP and DRPAccess ControlsDatabase and Drive EncryptionSystem/Application Server Vulnerability ManagementOperating System Patch ManagementApplication Software Patch ManagementAdherence to Documented IT Security Policies, Standards, Procedures, and GuidelinesBest Practices for System/Application Domain ComplianceChapter SummaryKey Concepts and TermsChapter 14 Assessment
Part Three Beyond Audits
Chapter 15 Ethics, Education, and Certification for IT Auditors
IT Auditing Career OpportunitiesProfessional Ethics and Integrity of IT AuditorsCodes of Conduct for Employees and IT AuditorsEmployer-/Organization-Driven Codes of ConductEmployee Handbook and Employment Policies(ISC)2 Code of EthicsCertification and Accreditation for IT AuditingIIAISACASANS InstituteChapter SummaryKey Concepts and TermsChapter 15 Assessment
Appendix A Answer Key
Appendix B Standard Acronyms
Glossary of Key Terms
References
Index

Content preview from Auditing IT Infrastructures for Compliance, 2nd Edition

CHAPTER 4

Auditing Standards and Frameworks

CONDUCTING AUDITS AND ASSESSMENTS is challenging in the absence of a standard against which to audit or assess. Two concepts that are helpful include control objectives and control activities. Control objectives, despite the rapid evolution of technology, remain mostly constant. These tend to be high level and describe the goal for the organization. Control activities provide details on how to achieve the goals of the relevant control objective. There is no such thing as a one-size-fits-all framework or standard. Frameworks and standards simply provide the building blocks and guidance needed for organizations to tailor them to their specific needs. They are useful for guiding the control objectives ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Auditing IT Infrastructures for Compliance, 3rd Edition

Publisher Resources

ISBN: 9781284090703

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Auditing IT Infrastructures for Compliance, 2nd Edition

by Marty Weiss, Michael G. Solomon

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.