CHAPTER 54

SECURITY AUDITS, STANDARDS, AND INSPECTIONS

Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr, and Diane Levine

54.1 INTRODUCTION

54.2 AUDITING STANDARDS

54.2.1 Introduction to ISO

54.2.2 ISO/IEC 27001

54.2.3 Gramm-Leach-Bliley Act

54.2.4 Auditing Standards Conclusion

54.3 SAS 70 AUDITS

54.3.1 Introduction to SAS 70 Audits

54.3.2 Cost and Benefits of SAS 70 Audits

54.3.3 SAS 70 Audits Conclusion

54.4 SARBANES-OXLEY

54.4.1 Introduction

54.4.2 Section 404

54.4.3 Achieving Compliance

54.4.4 Audit and Certification

54.4.5 Sarbanes-Oxley Conclusion

54.5 ADDRESSING MULTIPLE REGULATIONS FOR INFORMATION SECURITY

54.5.1 Publicly Available Security Publications

54.5.2 Federal Information Systems Management Act (FISMA)

54.5.3 Risk Framework

54.5.4 Multiple Regulations and Information Security Audits Conclusion

54.6 TECHNICAL FRAMEWORKS FOR IT AUDITS

54.6.1 Framework 1: People, Processes, Tools, and Measures

54.6.2 Framework 2: STRIDE

54.6.3 Framework 3: PDIO

54.6.4 General Best Practices

54.6.5 Technical Frameworks Conclusion

54.7 FURTHER READING

54.8 NOTES

54.1 INTRODUCTION.

Traditional auditing focused on reviewing organizational financial records and controls to validate the accuracy and integrity of financial data. External auditors typically focused on material or macro-level issues, and internal auditors focused primarily on transaction-level controls, protecting assets, and validating information adequacy and validity. However, changes in the ...

Get Computer Security Handbook, Fifth Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.