book

IT Auditing Using Controls to Protect Information Assets, 2nd Edition, 2nd Edition

by Chris Davis, Mike Schiller, Kevin Wheeler

February 2011

Intermediate to advanced

512 pages

15h 37m

English

McGraw-Hill

Read now

Unlock full access

Cover Page
IT Auditing: Using Controls to Protect Information Assets
Copyright Page
Dedication
About the Authors
Contents
Foreword
Acknowledgments
Introduction
Part I Audit Overview

Chapter 1 Building an Effective Internal IT Audit Function
Independence: The Great MythConsulting and Early InvolvementFour Methods for Consulting and Early InvolvementEarly InvolvementInformal AuditsKnowledge SharingSelf-AssessmentsFinal ThoughtsRelationship Building: Partnering vs. PolicingLearning to Build PartnershipsThe Role of the IT Audit TeamApplication AuditorsData Extraction and Analysis SpecialistsIT AuditorsForming and Maintaining an Effective IT Audit TeamCareer IT AuditorsIT ProfessionalsCareer IT Auditors vs. IT Professionals: Final ThoughtsCosourcingMaintaining ExpertiseSources of LearningRelationship with External AuditorsSummary
Chapter 2 The Audit Process
Internal ControlsTypes of Internal ControlsInternal Control ExamplesDetermining What to AuditCreating the Audit UniverseRanking the Audit UniverseDetermining What to Audit: Final ThoughtsThe Stages of an AuditPlanningFieldwork and DocumentationIssue Discovery and ValidationSolution DevelopmentReport Drafting and IssuanceIssue TrackingStandardsSummary
PART II Auditing Techniques
Chapter 3 Auditing Entity-Level Controls
BackgroundTest Steps for Auditing Entity-Level ControlsKnowledge BaseMaster ChecklistAuditing Entity-Level Controls
Chapter 4 Auditing Data Centers and Disaster Recovery
BackgroundData Center Auditing EssentialsPhysical Security and Environmental ControlsSystem and Site ResiliencyData Center OperationsDisaster PreparednessTest Steps for Auditing Data CentersNeighborhood and External Risk FactorsPhysical Access ControlsEnvironmental ControlsPower and ElectricityFire SuppressionData Center OperationsSystem ResiliencyData Backup and RestoreDisaster Recovery PlanningKnowledge BaseMaster ChecklistsAuditing Data Centers
Chapter 5 Auditing Routers, Switches, and Firewalls
BackgroundNetwork Auditing EssentialsProtocolsOSI ModelRouters and SwitchesFirewallsAuditing Switches, Routers, and FirewallsGeneral Network Equipment Audit StepsAdditional Switch Controls: Layer 2Additional Router Controls: Layer 3Additional Firewall ControlsTools and TechnologyKnowledge BaseMaster ChecklistsGeneral Network Equipment Audit StepsAuditing Layer 2 Devices: Additional Controls for SwitchesAuditing Layer 3 Devices: Additional Controls for RoutersAuditing Firewalls: Additional Controls
Chapter 6 Auditing Windows Operating Systems
BackgroundWindows Auditing EssentialsCommand-Line TipsEssential Command-Line ToolsCommon CommandsServer Administration ToolsPerforming the AuditTest Steps for Auditing WindowsSetup and General ControlsReview Services, Installed Applications, and Scheduled TasksAccount Management and Password ControlsReview User Rights and Security OptionsNetwork Security and ControlsNetwork Vulnerability Scanning and Intrusion PreventionHow to Perform a Simplified Audit of a Windows ClientTools and TechnologyKnowledge BaseMaster ChecklistsAuditing Windows ServersAuditing Windows Clients
Chapter 7 Auditing Unix and Linux Operating Systems
BackgroundUnix and Linux Auditing EssentialsKey ConceptsFile System Layout and NavigationFile System PermissionsUsers and AuthenticationNetwork ServicesTest Steps for Auditing Unix and LinuxAccount Management and Password ControlsFile Security and ControlsNetwork Security and ControlsAudit LogsSecurity Monitoring and General ControlsTools and TechnologyNessusNMAPChkrootkitCrack and John the RipperTiger and TARAShell/Awk/etcKnowledge BaseMaster ChecklistsAuditing Account Management and Password ControlsAuditing File Security and ControlsAuditing Network Security and ControlsAuditing Audit LogsAuditing Security Monitoring and General Controls
Chapter 8 Auditing Web Servers and Web Applications
BackgroundWeb Auditing EssentialsOne Audit with Multiple ComponentsPart 1: Test Steps for Auditing the Host Operating SystemPart 2: Test Steps for Auditing Web ServersPart 3: Test Steps for Auditing Web ApplicationsAdditional Steps for Auditing Web ApplicationsTools and TechnologyKnowledge BaseMaster ChecklistsAuditing Web ServersAuditing Web Applications
Chapter 9 Auditing Databases
BackgroundDatabase Auditing EssentialsCommon Database VendorsDatabase ComponentsTest Steps for Auditing DatabasesSetup and General ControlsOperating System SecurityAccount and Permissions ManagementData EncryptionMonitoring and ManagementTools and TechnologyAuditing ToolsMonitoring ToolsKnowledge BaseMaster ChecklistAuditing Databases
Chapter 10 Auditing Storage
BackgroundStorage Auditing EssentialsKey Storage ComponentsKey Storage ConceptsTest Steps for Auditing StorageSetup and General ControlsAccount ManagementStorage ManagementAdditional Security ControlsKnowledge BaseMaster Checklists
Chapter 11 Auditing Virtualized Environments
BackgroundCommercial and Open Source ProjectsVirtualization Auditing EssentialsTest Steps for Auditing VirtualizationSetup and General ControlsAccount and Resource Provisioning and DeprovisioningVirtual Environment ManagementAdditional Security ControlsKnowledge BaseHypervisorsToolsMaster Checklists
Chapter 12 Auditing WLAN and Mobile Devices
BackgroundWLAN BackgroundData-Enabled Mobile Devices BackgroundWLAN and Mobile Device Auditing EssentialsTest Steps for Auditing Wireless LANsPart 1: WLAN Technical AuditPart 2: WLAN Operational AuditTest Steps for Auditing Mobile DevicesPart 1: Mobile Device Technical AuditPart 2: Mobile Device Operational AuditAdditional ConsiderationsTools and TechnologyKnowledge BaseMaster ChecklistsAuditing Wireless LANsAuditing Mobile Devices
Chapter 13 Auditing Applications
BackgroundApplication Auditing EssentialsGeneralized FrameworksBest PracticesTest Steps for Auditing ApplicationsInput ControlsInterface ControlsAudit TrailsAccess ControlsSoftware Change ControlsBackup and RecoveryData Retention and Classification and User InvolvementOperating System, Database, and Other Infrastructure ControlsMaster ChecklistsApplication Best PracticesAuditing Applications
Chapter 14 Auditing Cloud Computing and Outsourced Operations
BackgroundIT Systems and Infrastructure OutsourcingIT Service OutsourcingOther Considerations for IT Service OutsourcingSAS 70 ReportsTest Steps for Auditing Cloud Computing and Outsourced OperationsPreliminary and OverviewVendor Selection and ContractsData SecurityOperationsLegal Concerns and Regulatory ComplianceKnowledge BaseMaster ChecklistAuditing Cloud Computing and Outsourced Operations
Chapter 15 Auditing Company Projects
BackgroundProject Auditing EssentialsHigh-Level Goals of a Project AuditBasic Approaches to Project AuditingSeven Major Parts of a Project AuditTest Steps for Auditing Company ProjectsOverall Project ManagementProject Start-up: Requirements Gathering and Initial DesignDetailed Design and System DevelopmentTestingImplementationTrainingProject Wrap-upKnowledge BaseMaster ChecklistsAuditing Overall Project ManagementAuditing Project StartupAuditing Detailed Design and System DevelopmentAuditing TestingAuditing ImplementationAuditing TrainingAuditing Project Wrap-up
PART III Frameworks, Standards, and Regulations
Chapter 16 Frameworks and Standards
Introduction to Internal IT Controls, Frameworks, and StandardsCOSOCOSO Definition of Internal ControlKey Concepts of Internal ControlInternal Control—Integrated FrameworkEnterprise Risk Management—Integrated FrameworkRelationship Between Internal Control and Enterprise Risk-Management PublicationsCOBITCOBIT ConceptsIT GovernanceIT Governance Maturity ModelThe COSO-COBIT ConnectionCOBIT 5.0ITILITIL ConceptsISO 27001ISO 27001 ConceptsNSA INFOSEC Assessment MethodologyNSA INFOSEC Assessment Methodology ConceptsPre-assessment PhaseOn-Site Activities PhasePost-assessment PhaseFrameworks and Standards TrendsReferences
Chapter 17 Regulations
An Introduction to Legislation Related to Internal ControlsRegulatory Impact on IT AuditsHistory of Corporate Financial RegulationThe Sarbanes-Oxley Act of 2002SOX’s Impact on Public CorporationsCore Points of the SOX ActSOX’s Impact on IT DepartmentsSOX Considerations for Companies with Multiple LocationsImpact of Third-Party Services on SOX ComplianceSpecific IT Controls Required for SOX ComplianceThe Financial Impact of SOX Compliance on CompaniesGramm-Leach-Bliley ActGLBA RequirementsFederal Financial Institutions Examination CouncilPrivacy RegulationsCalifornia SB 1386International Privacy LawsPrivacy Law TrendsHealth Insurance Portability and Accountability Act of 1996HIPAA Privacy and Security RulesThe HITECH ActHIPAA’s Impact on Covered EntitiesEU Commission and Basel IIBasel II Capital AccordPayment Card Industry (PCI) Data Security StandardPCI Impact on the Payment Card IndustryOther Regulatory TrendsReferences
Chapter 18 Risk Management
Benefits of Risk ManagementRisk Management from an Executive PerspectiveAddressing RiskQuantitative vs. Qualitative Risk AnalysisQuantitative Risk AnalysisElements of RiskPractical ApplicationQuantitative Risk Analysis in PracticeCommon Causes for InaccuraciesQualitative Risk AnalysisIT Risk Management Life CyclePhase 1: Identify Information AssetsPhase 2: Quantify and Qualify ThreatsPhase 3: Assess VulnerabilitiesPhase 4: Remediate Control GapsPhase 5: Manage Residual RiskSummary of Formulas
Index
Footnotes
ch16fn01ch16fn02

Content preview from IT Auditing Using Controls to Protect Information Assets, 2nd Edition, 2nd Edition

CHAPTER 4Auditing Data Centers and Disaster Recovery

Information technology (IT) processing facilities, usually referred to as data centers, are at the core of most modern organizations’ operations, supporting almost all critical business activities. In this chapter we will discuss the steps for auditing data center controls, including the following areas:

• Physical security and environmental controls

• Data center operations

• System and site resiliency

• Disaster preparedness

Background

Ever since the first general-purpose electronic computer (the Electronic Numerical Integrator and Computer, or ENIAC) was created in 1946, computer systems have had specific environmental, power, and physical security requirements. Beginning in the late 1950s, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

IT Auditing Using Controls to Protect Information Assets, Third Edition, 3rd Edition

Publisher Resources

ISBN: 9780071742382

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

IT Auditing Using Controls to Protect Information Assets, 2nd Edition, 2nd Edition

by Chris Davis, Mike Schiller, Kevin Wheeler