Auditing IT Infrastructures for Compliance

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Information systems and IT infrastructures are no longer exempt from governance and compliance, given the U.S. compliance laws enacted during the early to mid-2000s. As a result of these laws, organizations in both the public and private sectors must have proper security controls in place. Auditing IT Infrastructures for Compliance identifies and explains what each of these compliance laws requires. It then discusses how to audit an IT infrastructure for compliance, based on those laws and on the need to protect and secure business and consumer privacy data. It closes with a resource for readers who want more information on becoming skilled at IT auditing and IT compliance auditing.

Table of Contents

  1. Copyright
  2. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  3. Acknowledgments
  4. About the Authors
  5. ONE. The Need for Compliance
    1. 1. The Need for Information Systems Security Compliance
      1. What Is an IT Security Assessment?
      2. What Is an IT Security Audit?
      3. What Is Compliance?
      4. How Does an Audit Differ from an Assessment?
      5. Why Are Governance and Compliance Important?
        1. Case Study: Enron
        2. Case Study: WorldCom
      6. What If Our Organization Does Not Comply with Compliance Laws?
        1. Case Study: TJX Credit Card Breach
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 1 ASSESSMENT
    2. 2. Overview of U.S. Compliance Laws
      1. Introduction to Public and Private Sector Regulatory Requirements
      2. Federal Information Security Management Act (FISMA)
      3. U.S. Department of Defense (DoD) Requirements
        1. Certification and Accreditation (C&A)
        2. Information Assurance (IA)
      4. Sarbanes-Oxley Act (SOX)
      5. Gramm-Leach-Bliley Act (GLBA)
      6. Health Insurance Portability and Accountability Act (HIPAA)
      7. Children's Internet Protection Act (CIPA)
      8. Family Educational Rights and Privacy Act (FERPA)
      9. Payment Card Industry Data Security Standard (PCI DSS)
      10. Red Flags Rule
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 2 ASSESSMENT
    3. 3. What Is the Scope of an IT Compliance Audit?
      1. What Must Your Organization Do to Be in Compliance?
        1. Protecting and Securing Privacy Data
        2. Designing and Implementing Proper Security Controls
      2. What Are You Auditing Within the IT Infrastructure?
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      3. What Must Your Organization Do to Maintain IT Compliance?
        1. Conducting Periodic Security Assessments
        2. Performing an Annual Security Compliance Audit
        3. Defining Proper Security Controls
          1. Creating an IT Security Policy Framework
          2. Implementing Security Operations and Administration Management
          3. Configuration and Change Management
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 3 ASSESSMENT
  6. TWO. Auditing for Compliance: Frameworks, Tools, and Techniques
    1. 4. Auditing Standards and Frameworks
      1. Why Frameworks Are Important for Auditing
      2. The Importance of Using Standards in Compliance Auditing
        1. COSO
        2. COBIT
        3. SAS 70 Compliance
          1. Type I and Type II Service Audit Reports
      3. ISO/IEC Standards
        1. ISO/IEC 27001 Standard
        2. ISO/IEC 27002 Standard
      4. NIST 800-53
      5. Developing a Hybrid Auditing Framework or Approach
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 4 ASSESSMENT
      9. ENDNOTES
    2. 5. Planning an IT Infrastructure Audit for Compliance
      1. Defining Scope, Goals and Objectives, and Frequency
      2. Identifying Critical Requirements for the Audit
        1. Implementing Security Controls
        2. Protecting Privacy Data
      3. Assessing IT Security
        1. Risk Management
        2. Threat Analysis
        3. Vulnerability Analysis
        4. Risk Assessment Analysis—Defining an Acceptable Security Baseline Definition
      4. Obtaining Information, Documentation, and Resources
        1. Existing IT Security Policy Framework Definition
        2. Configuration Documentation for IT Infrastructure
        3. Interviews with Key IT Support and Management Personnel—Identifying and Planning
        4. NIST Standards and Methodologies
      5. Organizing the IT Security Policy Framework Definitions for the Seven Domains of a Typical IT Infrastructure
      6. Identifying and Testing Monitoring Requirements
      7. Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
      8. Building a Project Plan Organizing the IT Infrastructure Audit Approach, Tasks, Deliverables, Timelines, and Resources Needed
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 5 ASSESSMENT
      12. ENDNOTES
    3. 6. Conducting an IT Infrastructure Audit for Compliance
      1. Identifying Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
        1. Organization-Wide
        2. Seven Domains of a Typical IT Infrastructure
        3. Gap Analysis for the Seven Domains
      2. Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
      3. Conducting the Audit in a Layered Fashion
      4. Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
      5. Incorporating the Security Assessment Into the Overall Audit Validating Compliance Process
      6. Using Audit Tools to Organize Data Capture—CAATTs, Checklists, Spreadsheets
      7. Investigating the Use of Automated Audit Reporting Tools and Methodologies
      8. Reviewing Configurations and Implementations in Compliance with Defined IT Security Policies, Standards, Procedures, and Guidelines
      9. Performing Testing and Monitoring to Verify and Validate Proper Configuration and Implementation of Security Controls and Countermeasures
      10. Identifying Common Problems or Issues When Conducting an IT Infrastructure Audit
      11. Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure
      12. CHAPTER SUMMARY
      13. KEY CONCEPTS AND TERMS
      14. CHAPTER 6 ASSESSMENT
      15. ENDNOTES
    4. 7. Writing the IT Infrastructure Audit Report
      1. Executive Summary
      2. Summary of Findings Within the Seven Domains of Typical IT Infrastructure, Gap Analysis
      3. IT Security Assessment Results: Risk, Threats, and Vulnerabilities
      4. IT Security Controls and Countermeasures Implementation
        1. Per Documented IT Security Policy Framework
        2. Privacy Data
      5. IT Security Controls and Countermeasure Gap Analysis
        1. Compliance Requirement
        2. Risk, Threat, and Vulnerability Mitigation Requirement
      6. Compliance Assessment Throughout the IT Infrastructure
      7. Presenting Compliance Recommendations
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 7 ASSESSMENT
    5. 8. Compliance Within the User Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Privacy Data
        2. Implementing Proper Security Controls for the User Domain
      2. Items Commonly Found in the User Domain
      3. Separation of Duties
      4. Least Privilege
      5. Need-to-Know Basis
      6. Confidentiality Agreements
      7. Employee Background Checks
      8. Acknowledgment of Responsibilities and Accountabilities
      9. Security Awareness and Training for New Employees
      10. Information Systems Security Accountability
        1. Requiring That Human Resources Take a Lead Role
        2. Defining Accurate IT and IT Security Employee Job Descriptions
        3. Incorporating Accountability into the Annual Performance Reviews for Employees
      11. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      12. Best Practices for User Domain Compliance Requirements
      13. CHAPTER SUMMARY
      14. KEY CONCEPTS AND TERMS
      15. CHAPTER 8 ASSESSMENT
    6. 9. Compliance Within the Workstation Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Private Data
        2. Implementing Proper Security Controls for the Workstation Domain
      2. Devices and Components Commonly Found in the Workstation Domain
        1. Uninterruptible Power Supply
        2. Desktop Computer
        3. Laptop/Netbook Computer
        4. Local Printer
        5. Analog Modem
        6. Fixed Hard Disk Drive
        7. Removable Storage Device
      3. Access Rights and Access Controls in the Workstation Domain
      4. Maximizing A-I-C
        1. Maximizing Availability
          1. Surviving Power Outages
          2. Backup and Recovery Strategy
        2. Maximizing Integrity
        3. Maximizing Confidentiality
      5. Workstation Vulnerability Management
        1. Operating System Patch Management
        2. Application Software Patch Management
      6. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      7. Best Practices for Workstation Domain Compliance Requirements
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 9 ASSESSMENT
    7. 10. Compliance Within the LAN Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the LAN Domain
      2. Devices and Components Commonly Found in the LAN Domain
        1. Connection Media
          1. Wired LAN Connections
          2. Wireless LAN Connections
        2. Networking Devices
          1. Hub
          2. Switch
          3. Router
        3. Server Computers and Services Devices
          1. LAN File Server
          2. LAN Print Server
          3. LAN Data Storage
        4. Networking Services Software
      3. LAN Traffic and Performance Monitoring and Analysis
      4. LAN Configuration and Change Management
      5. LAN Management, Tools, and Systems
      6. Access Rights and Access Controls in the LAN Domain
      7. Maximizing A-I-C
        1. Maximizing Availability
        2. Maximizing Integrity
        3. Maximizing Confidentiality
      8. LAN File/Print/Communication Server Vulnerability Management
        1. Operating System Patch Management
        2. Application Software Patch Management
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for LAN Domain Compliance Requirements
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 10 ASSESSMENT
    8. 11. Compliance Within the LAN-to-WAN Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the LAN-to-WAN Domain
      2. Devices and Components Commonly Found in the LAN-to-WAN Domain
        1. Router
        2. Firewall
        3. Proxy Server
        4. Demilitarized Zone (DMZ)
        5. Honeypots
        6. Internet Service Provider (ISP) Connection and Backup Connection
        7. Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
        8. Data Leakage Security Appliance
        9. Web Content Filtering Device
        10. Traffic Monitoring Device
      3. LAN-to-WAN Traffic and Performance Monitoring and Analysis
      4. LAN-to-WAN Configuration and Change Management
      5. LAN-to-WAN Management, Tools, and Systems
        1. FCAPS
        2. Network Management Tools
      6. Access Rights and Access Controls in the LAN-to-WAN Domain
      7. Maximizing A-I-C
        1. Minimizing Single Points of Failure
        2. Dual-Homed ISP Connections
        3. Redundant Routers and Firewalls
        4. Web Server Data and Hard Drive Backup and Recovery
        5. Use of Virtual Private Networks (VPNs) for Remote Access to Organizational Systems and Data
      8. Penetration Testing and LAN-to-WAN Configuration Validation
        1. External to Internal
        2. Internal to External
        3. Intrusive Versus Nonintrusive Testing
        4. Configuration Management Verification
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for LAN-to-WAN Domain Compliance
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 11 ASSESSMENT
    9. 12. Compliance Within the WAN Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the WAN Domain
      2. Devices and Components Commonly Found in the WAN Domain
        1. WAN Service Provider
        2. Dedicated Lines/Circuits
        3. MPLS/VPN WAN or Metro Ethernet
        4. WAN Layer 2/Layer 3 Switches
        5. WAN Backup and Redundant Links
      3. WAN Traffic and Performance Monitoring and Analysis
      4. WAN Configuration and Change Management
      5. WAN Management, Tools, and Systems
      6. Access Rights and Access Controls in the WAN Domain
      7. Maximizing A-I-C
        1. WAN Service Availability SLAs
        2. WAN Recovery and Restoration SLAs
        3. WAN Traffic Encryption/VPNs
      8. WAN Service Provider SAS Compliance
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for WAN Domain Compliance Requirements
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 12 ASSESSMENT
      14. ENDNOTE
    10. 13. Compliance Within the Remote Access Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the Remote Access Domain
      2. Devices and Components Commonly Found in the Remote Access Domain
        1. Remote User
        2. Remote Workstation or Laptop
        3. Remote Access Controls and Tools
        4. Authentication Servers
          1. RADIUS
          2. TACACS+
        5. VPNs and Encryption
        6. Internet Service Provider (ISP) WAN Connection
        7. Broadband Internet Service Provider WAN Connection
      3. Remote Access and VPN Tunnel Monitoring
      4. Remote Access Traffic and Performance Monitoring and Analysis
      5. Remote Access Configuration and Change Management
      6. Remote Access Management, Tools, and Systems
      7. Access Rights and Access Controls in the Remote Access Domain
      8. Remote Access Domain Configuration Validation
        1. VPN Client Definition and Access Controls
        2. SSL/VPN Remote Access Via Browser and SSL, 128-Bit Encryption
        3. VPN Configuration Management Verification
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for Remote Access Domain Compliance Requirements
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 13 ASSESSMENT
    11. 14. Compliance Within the System/Application Domain
      1. Compliance Law Requirements and Business Drivers
        1. Protecting Data Privacy
        2. Implementing Proper Security Controls for the System/Application Domain
      2. Devices and Components Commonly Found in the System/Application Domain
        1. Computer Room/Data Center
        2. Redundant Computer Room/Data Center
        3. UPS Power Supplies and Diesel Generators to Maintain Operations
        4. Mainframe Computers
        5. Minicomputers
        6. Server Computers
        7. Data Storage Devices
        8. Applications
        9. Source Code
        10. Databases and Privacy Data
      3. System and Application Traffic and Performance Monitoring and Analysis
      4. System and Application Configuration and Change Management
      5. System and Application Management, Tools, and Systems
      6. Access Rights and Access Controls in the System/Application Domain
      7. Maximizing A-I-C
        1. BCP and DRP
        2. Access Controls
        3. Database and Drive Encryption
      8. System/Application Server Vulnerability Management
        1. Operating System Patch Management
        2. Application Software Patch Management
      9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
      10. Best Practices for System/Application Domain Compliance Requirements
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 14 ASSESSMENT
  7. THREE. Ethics, Education, and Certification for IT Auditors
    1. 15. Ethics, Education, and Certification for IT Auditors
      1. IT Auditing Career Opportunities
      2. Professional Ethics and Integrity of IT Auditors
      3. Codes of Conduct for Employees and IT Auditors
        1. Employer/Organization Driven
        2. Employee Handbook and Employment Policies
        3. (ISC)2 Code of Ethics
      4. Certification and Accreditation for IT Auditing
        1. IIA
          1. Certified Internal Auditor (CIA) Certification
          2. Certification in Control Self-Assessment (CCSA)
          3. Certified Government Auditing Professional (CGAP) Certification
          4. Certified Financial Services Auditor (CFSA) Certification
        2. ISACA
          1. Certified Information Systems Auditor (CISA) Certification
          2. Certified Information Security Manager (CISM) Certification
          3. Certified in Risk and Information Systems Control (CRISC) Certification
          4. Certified in the Governance of Enterprise IT (CGEIT) Certification
        3. SANS Institute
          1. GIAC Certifications
          2. GIAC Systems and Network Auditor (GSNA) Certification
          3. GIAC Certified ISO-17799 Specialist (G7799) Certification
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 15 ASSESSMENT
      8. ENDNOTES
  8. A. Answer Key
  9. B. Standard Acronyms
  10. Glossary of Key Terms
  11. References