book

Auditing IT Infrastructures for Compliance, 3rd Edition

Name: Auditing IT Infrastructures for Compliance, 3rd Edition
ISBN: 9781284236613

by Robert Johnson, Marty Weiss, Michael G. Solomon

October 2022

Intermediate to advanced

398 pages

14h 14m

English

Jones & Bartlett Learning

Read now

Unlock full access

Cover
Title Page
Copyright Page
Contents
Dedication Page
Preface
Acknowledgments
About the Author
CHAPTER 1 The Need for Information Systems Compliance
What Is the Difference Between Information System and Information Security Compliance?
Difference Between Information System and Information SecurityAuditing Information Security

What Is the Confidentiality, Integrity, and Availability (CIA) Triad?
What Is Compliance?
Why Are Governance and Compliance Important?
Case Study: Cetera and Cambridge
What If an Organization Does Not Comply with Compliance Laws?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Overview of U.S. Compliance Laws
Introduction to Regulatory Requirements
Regulatory Acts of Congress
Federal Information Security Management Act
Red Flag Rules
Cybersecurity Information Sharing Act
Sarbanes-Oxley Act
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act
Children’s Internet Protection Act
Children’s Online Privacy Protection Act
California Consumer Privacy Act
Payment Card Industry Data Security Standard
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 What Is the Scope of an IT Compliance Audit?
What Must Your Organization Do to Be in Compliance?
Business View on ComplianceProtecting and Securing Privacy DataDesigning and Implementing Proper Security ControlsChoosing Between Automated, Manual, and Hybrid Controls
What Are You Auditing Within the IT Infrastructure?
User DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application Domain
Maintaining IT Compliance
Conducting Periodic Security AssessmentsPerforming an Annual Security Compliance AuditDefining Proper Security ControlsCreating an IT Security Policy FrameworkImplementing Security Operations and Administration ManagementConfiguration and Change Management
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4 Auditing Standards and Frameworks
Difference Between Standards and Frameworks
Why Frameworks Are Important for Auditing
The Importance of Using Standards in Compliance Auditing
Institute of Internal AuditorsCOBIT
Service Organization Control Reports
ISO/IEC Standards
ISO/IEC 27001 StandardISO/IEC 27002 Standard
NIST 800-53
Cybersecurity Framework
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER 5 Planning an IT Infrastructure Audit for Compliance
Defining the Scope, Objectives, Goals, and Frequency of an Audit
Identifying Critical Requirements for the Audit
Implementing Security ControlsProtecting Data Privacy
Assessing IT Security
Risk ManagementThreat Versus Vulnerability Versus RiskVulnerability AnalysisRisk Assessment Analysis: Defining an Acceptable Security Baseline Definition
Obtaining Information, Documentation, and Resources
Existing IT Security Policy Framework DefinitionConfiguration Documentation for IT InfrastructureInterviews with Key IT Support and Management Personnel: Identifying and PlanningNIST Standards and Methodologies
Mapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT Infrastructure
Identifying and Testing Monitoring Requirements
Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
Building a Project Plan
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Conducting an IT Infrastructure Audit for Compliance
Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
Preventive Security ControlDetective Security ControlCorrective Security ControlOrganization-WideSeven Domains of a Typical IT InfrastructureBusiness Liability InsuranceControlling RiskGap Analysis for the Seven Domains
Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
Conducting the Audit in a Layered Fashion
Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
Incorporating the Security Assessment into the Overall Audit Validating Compliance Process
Using Audit Tools to Organize Data Capture
Using Automated Audit Reporting Tools and Methodologies
Reviewing Configurations and Implementations
Auditing Change Management
Verifying and Validating Proper Configuration and the Implementation of Security Controls and Countermeasures
Identifying Common Problems When Conducting an IT Infrastructure Audit
Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure
Separation of Duties
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Writing the IT Infrastructure Audit Report
Anatomy of an Audit Report
Audit Report Ratings
Audit Report Opinion
Summary of Findings
IT Security Assessment Results: Risk, Threats, and Vulnerabilities
Reporting on Implementation of IT Security Controls and Frameworks
Per Documented IT Security Policy Framework
Privacy Data
IT Security Controls and Countermeasure Gap Analysis
Compliance Requirement
Compliance Assessment Throughout the IT Infrastructure
Presenting Compliance Recommendations
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Compliance Within the User Domain
User Domain Business Drivers
Social EngineeringHuman MistakesInsiders
Anatomy of a User Domain
Protecting Privacy DataImplementing Proper Security Controls for the User Domain
Items Commonly Found in the User Domain
Separation of Duties
Least Privilege
System Administrators
Confidentiality Agreements
Employee Background Checks
Acknowledgment of Responsibilities and Accountabilities
Security Awareness and Training for New Employees
Information Systems Security Accountability
Incorporating Accountability into Annual Employee Performance ReviewsOrganization’s Right to Monitor User Actions and Traffic
Best Practices for User Domain Compliance
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Compliance Within the Workstation Domain
Compliance Law Requirements and Business Drivers
Importance of PoliciesProtecting Data PrivacyImplementing Proper Security Controls for the Workstation DomainManagement Systems
Devices and Components Commonly Found in the Workstation Domain
Uninterruptible Power SuppliesDesktop ComputersLaptops/Tablets/SmartphonesLocal PrintersWireless Access PointsFixed Hard Disk DrivesRemovable Storage Devices
Access Rights and Access Controls in the Workstation Domain
Maximizing C-I-A
Maximizing AvailabilityMaximizing IntegrityMaximizing Confidentiality
Workstation Vulnerability Management
Operating System Patch ManagementApplication Software Patch Management
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for Workstation Domain Compliance
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Compliance Within the LAN Domain
LAN Domain Business Drivers
Data Leakage ProtectionEncryption of Mobile DevicesImplementing Proper Security Controls for the LAN Domain
Devices and Components Commonly Found in the LAN Domain
Connection MediaCommon Network Server and Service DevicesNetworking Services Software
LAN Traffic and Performance Monitoring and Analysis
LAN Configuration and Change Management
LAN Domain PoliciesControl StandardsBaseline StandardsGuidelines
LAN Management, Tools, and Systems
Maximizing C-I-A
Maximizing ConfidentialityMaximizing IntegrityMaximizing AvailabilityPatch Management
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for LAN Domain Compliance
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Compliance Within the LAN-to-WAN Domain
Compliance Law Requirements and Protecting Data Privacy
Implementing Proper Security Controls for the LAN-to-WAN Domain
Devices and Components Commonly Found in the LAN-to-WAN Domain
RoutersFirewallsProxy ServersDMZVirtual Private Network ConcentratorNetwork Address Translation (NAT)Internet Service Provider Connections and Backup ConnectionsCloud ServicesIntrusion Detection Systems/Intrusion Prevention SystemsData Loss/Leak Security AppliancesWeb Content Filtering DevicesTraffic-Monitoring Devices
LAN-to-WAN Traffic and Performance Monitoring and Analysis
LAN-to-WAN Configuration and Change Management
LAN-to-WAN Management, Tools, and Systems
FCAPSNetwork-Management Tools
Access Rights and Access Controls in the LAN-to-WAN Domain
Maximizing C-I-A
Minimizing Single Points of FailureDual-Homed ISP ConnectionsRedundant Routers and FirewallsWeb Server Data and Hard Drive Backup and RecoveryUse of VPN for Remote Access to Organizational Systems and Data
Penetration Testing and Validating LAN-to-WAN Configuration
External AttacksInternal AttacksIntrusive Versus Nonintrusive TestingConfiguration Management Verification
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for LAN-to-WAN Domain Compliance
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Compliance Within the WAN Domain
Compliance Law Requirements and Business Drivers
Protecting Data PrivacySD-WANImplementing Proper Security Controls for the WAN Domain
Devices and Components Commonly Found in the WAN Domain
WAN Service ProvidersDedicated Lines/CircuitsMPLS/VPN WAN or Metro EthernetWAN Layer 2/Layer 3 SwitchesWAN Backup and Redundant Links
WAN Traffic and Performance Monitoring and Analysis
WAN Configuration and Change Management
WAN Management Tools and Systems
Incident Response Management Tools
Access Rights and Access Controls in the WAN Domain
Maximizing C-I-A
WAN Service Availability SLAsWAN Traffic Encryption/VPNs
WAN Service Provider SOC Compliance
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for WAN Domain Compliance
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13 Compliance Within the Remote Access Domain
Remote Access Business Drivers
Protecting Data PrivacyImplementing Proper Security Controls for the Remote Access Domain
Devices and Components Commonly Found in the Remote Access Domain
Remote UsersRemote Workstations or LaptopsRemote Access Controls and ToolsAuthentication ServersISP WAN Connections
Remote Access and VPN Tunnel Monitoring
Remote Access Traffic and Performance Monitoring and Analysis
Remote Access Configuration and Change Management
Remote Access Management, Tools, and Systems
Access Rights and Access Controls in the Remote Access Domain
Remote Access Domain Configuration Validation
VPN Client Definition and Access ControlsTLS VPN Remote Access via a Web BrowserVPN Configuration Management Verification
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for Remote Access Domain Compliance
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Compliance Within the System/Application Domain
Compliance Law Requirements and Business Drivers
Application Software Versus System SoftwareProtecting Data PrivacyImplementing Proper Security Controls for the System/Application DomainSoftware Development Life Cycle (SDLC)
Devices and Components Commonly Found in the System/Application Domain
Computer Room/Data CenterRedundant Computer Room/Data CenterUninterruptible Power Supplies and Diesel Generators to Maintain OperationsMainframe ComputersMinicomputersServer ComputersData Storage DevicesApplicationsSource CodeDatabases and Privacy DataSecure Coding
System and Application Configuration and Change Management
System and Application Management, Tools, and Systems
Access Rights and Access Controls in the System/Application Domain
System Account and Service Accounts
Maximizing C-I-A
Access ControlsDatabase and Drive Encryption
System/Application Server Vulnerability Management
Operating System Patch ManagementApplication Software Patch ManagementData Loss Protection
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for System/Application Domain Compliance
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 Ethics, Education, and Certification for IT Auditors
Professional Associations and Certifications
Professional Ethics, Code of Conduct, and Integrity of IT Auditors
Ethical Independence
Codes of Conduct for Employees and IT Auditors
Employer-/Organization-Driven Codes of ConductEmployee Handbook and Employment Policies
Certification and Accreditation for Information Security
Certification and Accreditation for Auditors
IIA
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index

Content preview from Auditing IT Infrastructures for Compliance, 3rd Edition

Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure

Adequate controls should be in place to meet high-level defined control objectives. The organizational risk assessment plays an important role in identifying high-risk areas. Areas identified as being the riskiest should be assessed as often as possible. Levels of risk across the IT infrastructure vary across organizations. This is a result of differing objectives and risk appetites. Regardless, most organizations do share common critical controls.

Security controls are the cornerstone of a well-defined security program. The security controls prevent or detect a security breach. Security controls allow businesses to resume operations after a major ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Auditing IT Infrastructures for Compliance, 2nd Edition

Publisher Resources

ISBN: 9781284236613

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Auditing IT Infrastructures for Compliance, 3rd Edition

by Robert Johnson, Marty Weiss, Michael G. Solomon

Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Auditing IT Infrastructures for Compliance, 2nd Edition

The Basics of IT Audit

EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition

Information Security Management, 2nd Edition

Publisher Resources