Auditing Information Systems, Second Edition

Book Description

Have you been asked to perform an information systems audit and don't know where to start? Examine a company's hardware, software, and data organization and processing methods to ensure quality control and security with this easy, practical guide to auditing computer systems--the tools necessary to implement an effective IS audit. In nontechnical language and following the format of an IS audit program, you'll gain insight into new types of security certifications (e.g., TruSecure, CAP SysTrust, CPA WebTrust) as well as the importance of physical security controls, adequate insurance, and digital surveillance systems.

Table of Contents

  1. Copyright
  2. Dedication
  3. List of Registered and Trademarked Names
  4. Preface
  5. Acknowledgments
  6. Core Concepts
    1. Basics of Computing Systems
      1. CENTRAL PROCESSING UNIT
      2. OPERATING SYSTEM
      3. APPLICATION PROGRAMS
      4. DATABASE MANAGEMENT SYSTEMS
      5. PHYSICAL SECURITY CONTROLS
      6. LOGICAL SECURITY CONTROLS
      7. LOCATION OF PHYSICAL AND LOGICAL SECURITY CONTROLS
      8. NOTES
    2. Identifying Computer Systems
      1. GETTING STARTED
      2. BENEFITS OF A COMPUTING SYSTEMS INVENTORY
      3. RISK ASSESSMENT
      4. NOTE
  7. Standard Information Systems Audit Approach
    1. Information Systems Audit Program
      1. OTHER BENEFITS OF AUDIT PROGRAMS
      2. INFORMATION SYSTEMS AUDIT PROGRAM
    2. Information Systems Security Policies, Standards, and/or Guidelines
      1. INFORMATION SYSTEMS SECURITY POLICIES
      2. INFORMATION SYSTEMS SECURITY STANDARDS
      3. INFORMATION SYSTEMS SECURITY GUIDELINES
      4. NOTES
    3. Auditing Service Organization Applications
      1. SERVICE AUDITOR REPORTS
      2. USE OF SERVICE AUDITOR REPORTS FOR INTERNAL AUDITS
      3. REPORT OF INDEPENDENT AUDITORS
      4. DESCRIPTION OF RELEVANT POLICIES AND PROCEDURES AND OTHER INFORMATION
      5. CONTROL OBJECTIVES AS SPECIFIED BY SERVICE ORGANIZATION MANAGEMENT
      6. CLIENT CONTROL CONSIDERATIONS
      7. ALTERNATIVES TO SAS 70–TYPE AUDITS
      8. NOTES
    4. Assessing the Financial Stability of Vendor Organizations, Examining Vendor Organization Contracts, and Examining Accounting Treatment of Computer Equipment and Software
      1. ASSESSING FINANCIAL STABILITY OF VENDOR ORGANIZATIONS
      2. EXAMINING VENDOR ORGANIZATION CONTRACTS
      3. EXAMINING ACCOUNTING TREATMENT OF COMPUTER HARDWARE AND SOFTWARE
      4. NOTES
    5. Physical Security
      1. PHYSICAL LOCKS
      2. SECURITY GUARDS
      3. VIDEO SURVEILLANCE CAMERAS
      4. GENERAL EMERGENCY AND DETECTION CONTROLS
      5. HEATING, VENTILATION, AND COOLING SYSTEMS
      6. INSURANCE COVERAGE
      7. PERIODIC BACKUPS
      8. EMERGENCY POWER AND UNINTERRUPTIBLE POWER SUPPLY SYSTEMS
      9. BUSINESS RESUMPTION PROGRAMS
      10. KEY ASPECTS OF AN INFORMATION SYSTEMS BUSINESS RESUMPTION PROGRAM
      11. BACKUP SYSTEM SECURITY ADMINISTRATOR
      12. NOTES
    6. Logical Security
      1. LOGICAL SECURITY DESIGN
      2. BRINGING A NEW SYSTEM TO LIFE
      3. USER IDs AND PASSWORDS
      4. REMOTE ACCESS CONTROLS
      5. SYSTEM SECURITY ADMINISTRATION
      6. WIRE TRANSFER FRAUD
      7. NOTES
    7. Information Systems Operations
      1. COMPUTER OPERATIONS
      2. BUSINESS OPERATIONS
      3. EFFICIENCY AND EFFECTIVENESS OF INFORMATION SYSTEMS IN BUSINESS OPERATIONS
  8. Contemporary Information Systems Auditing Concepts
    1. Control Self-Assessment and an Application in an Information Systems Environment
      1. DEFINITION AND OVERVIEW
      2. HISTORY
      3. KEYS TO A SUCCESSFUL PROGRAM
      4. ADDITIONAL KEYS TO A SUCCESSFUL PROGRAM
      5. VARIOUS APPROACHES
      6. BENEFITS OF A SUCCESSFUL PROGRAM
      7. NOTES
    2. Encryption and Cryptography
      1. TERMINOLOGY
      2. GOAL OF CRYPTOGRAPHIC CONTROLS
      3. ENCRYPTION
      4. HASHING
      5. DIGITAL SIGNATURES AND DIGITAL CERTIFICATES
      6. KEY MANAGEMENT
      7. POLITICAL ASPECTS OF CRYPTOGRAPHY
      8. NOTES
    3. Computer Forensics
      1. INVESTIGATIONS
      2. CONCLUSION
      3. NOTES
    4. Other Contemporary Information Systems Auditing Challenges
      1. COMPUTER-ASSISTED AUDIT TECHNIQUES
      2. COMPUTER VIRUSES
      3. SOFTWARE PIRACY
      4. ELECTRONIC COMMERCE
      5. INTERNET SECURITY
      6. NOTES
    5. Humanistic Aspects of Information Systems Auditing
      1. TRAINING
      2. ACTIVE PARTICIPATION IN PROFESSIONAL ASSOCIATIONS
      3. NETWORKING
      4. PROFESSIONAL CERTIFICATIONS RELATED TO INFORMATION SYSTEMS AUDIT, CONTROL, AND SECURITY
      5. READING
      6. PRACTICAL EXPERIENCE
      7. HUMANISTIC SKILLS FOR SUCCESSFUL AUDITING
      8. MOTIVATION OF AUDITORS
      9. NOTE
    6. Information Systems Project Management Audits
      1. PRIMARY INFORMATION SYSTEMS PROJECT RISKS
      2. PROJECT FAILURE
      3. VENDOR GOES OUT OF BUSINESS
      4. POORLY WORDED CONTRACTS OR AGREEMENTS
      5. EXTERNAL CONTRACTOR RISKS
      6. FINANCIAL STATEMENT RISKS
      7. CONCLUSION
      8. NOTES
    7. Conclusion
      1. NEW TECHNOLOGIES
      2. CONSTANT RISKS
      3. NOTES
    8. Professional Auditing Associations and Other Organizations Related to Information Systems Auditing and Computer Security
    9. Common Criteria for Information Technology Security Evaluation
    10. The International Organization for Standardization: Seven-Layer Open Systems Interconnection (OSI) Reference Model
    11. Selected References
    12. Glossary
  9. Index