IT Auditing: Using Controls to Protect Information Assets

Book Description

Secure Your Systems Using the Latest IT Auditing Techniques

Fully updated to cover leading-edge tools and technologies, IT Auditing: Using Controls to Protect Information Assets, Second Edition, explains, step by step, how to implement a successful, enterprise-wide IT audit program. New chapters on auditing cloud computing, outsourced operations, virtualization, and storage are included. This comprehensive guide describes how to assemble an effective IT audit team and maximize the value of the IT audit function. In-depth details on performing specific audits are accompanied by real-world examples, ready-to-use checklists, and valuable templates. Standards, frameworks, regulations, and risk management techniques are also covered in this definitive resource.

• Build and maintain an internal IT audit function with maximum effectiveness and value

• Audit entity-level controls, data centers, and disaster recovery

• Examine switches, routers, and firewalls

• Evaluate Windows, UNIX, and Linux operating systems

• Audit Web servers and applications

• Analyze databases and storage solutions

• Assess WLAN and mobile devices

• Audit virtualized environments

• Evaluate risks associated with cloud computing and outsourced operations

• Drill down into applications to find potential control weaknesses

• Use standards and frameworks, such as COBIT, ITIL, and ISO

• Understand regulations, including Sarbanes-Oxley, HIPAA, and PCI

• Implement proven risk management practices

Table of Contents

  1. Cover Page
  2. IT Auditing: Using Controls to Protect Information Assets
  3. Copyright Page
  4. Dedication
  5. About the Authors
  6. Contents
  7. Foreword
  8. Acknowledgments
  9. Introduction
  10. PART I Audit Overview
    1. Chapter 1 Building an Effective Internal IT Audit Function
      1. Independence: The Great Myth
      2. Consulting and Early Involvement
      3. Four Methods for Consulting and Early Involvement
        1. Early Involvement
        2. Informal Audits
        3. Knowledge Sharing
        4. Self-Assessments
        5. Final Thoughts
      4. Relationship Building: Partnering vs. Policing
        1. Learning to Build Partnerships
      5. The Role of the IT Audit Team
        1. Application Auditors
        2. Data Extraction and Analysis Specialists
        3. IT Auditors
      6. Forming and Maintaining an Effective IT Audit Team
        1. Career IT Auditors
        2. IT Professionals
        3. Career IT Auditors vs. IT Professionals: Final Thoughts
        4. Cosourcing
      7. Maintaining Expertise
        1. Sources of Learning
      8. Relationship with External Auditors
      9. Summary
    2. Chapter 2 The Audit Process
      1. Internal Controls
        1. Types of Internal Controls
        2. Internal Control Examples
      2. Determining What to Audit
        1. Creating the Audit Universe
        2. Ranking the Audit Universe
        3. Determining What to Audit: Final Thoughts
      3. The Stages of an Audit
        1. Planning
        2. Fieldwork and Documentation
        3. Issue Discovery and Validation
        4. Solution Development
        5. Report Drafting and Issuance
        6. Issue Tracking
      4. Standards
      5. Summary
  11. PART II Auditing Techniques
    1. Chapter 3 Auditing Entity-Level Controls
      1. Background
      2. Test Steps for Auditing Entity-Level Controls
      3. Knowledge Base
      4. Master Checklist
        1. Auditing Entity-Level Controls
    2. Chapter 4 Auditing Data Centers and Disaster Recovery
      1. Background
      2. Data Center Auditing Essentials
        1. Physical Security and Environmental Controls
        2. System and Site Resiliency
        3. Data Center Operations
        4. Disaster Preparedness
      3. Test Steps for Auditing Data Centers
        1. Neighborhood and External Risk Factors
        2. Physical Access Controls
        3. Environmental Controls
        4. Power and Electricity
        5. Fire Suppression
        6. Data Center Operations
        7. System Resiliency
        8. Data Backup and Restore
        9. Disaster Recovery Planning
      4. Knowledge Base
      5. Master Checklists
        1. Auditing Data Centers
    3. Chapter 5 Auditing Routers, Switches, and Firewalls
      1. Background
      2. Network Auditing Essentials
        1. Protocols
        2. OSI Model
        3. Routers and Switches
        4. Firewalls
      3. Auditing Switches, Routers, and Firewalls
        1. General Network Equipment Audit Steps
        2. Additional Switch Controls: Layer 2
        3. Additional Router Controls: Layer 3
        4. Additional Firewall Controls
      4. Tools and Technology
      5. Knowledge Base
      6. Master Checklists
        1. General Network Equipment Audit Steps
        2. Auditing Layer 2 Devices: Additional Controls for Switches
        3. Auditing Layer 3 Devices: Additional Controls for Routers
        4. Auditing Firewalls: Additional Controls
    4. Chapter 6 Auditing Windows Operating Systems
      1. Background
      2. Windows Auditing Essentials
        1. Command-Line Tips
        2. Essential Command-Line Tools
        3. Common Commands
        4. Server Administration Tools
        5. Performing the Audit
      3. Test Steps for Auditing Windows
        1. Setup and General Controls
        2. Review Services, Installed Applications, and Scheduled Tasks
        3. Account Management and Password Controls
        4. Review User Rights and Security Options
        5. Network Security and Controls
        6. Network Vulnerability Scanning and Intrusion Prevention
      4. How to Perform a Simplified Audit of a Windows Client
      5. Tools and Technology
      6. Knowledge Base
      7. Master Checklists
        1. Auditing Windows Servers
        2. Auditing Windows Clients
    5. Chapter 7 Auditing Unix and Linux Operating Systems
      1. Background
      2. Unix and Linux Auditing Essentials
        1. Key Concepts
        2. File System Layout and Navigation
        3. File System Permissions
        4. Users and Authentication
        5. Network Services
      3. Test Steps for Auditing Unix and Linux
        1. Account Management and Password Controls
        2. File Security and Controls
        3. Network Security and Controls
        4. Audit Logs
        5. Security Monitoring and General Controls
      4. Tools and Technology
        1. Nessus
        2. NMAP
        3. Chkrootkit
        4. Crack and John the Ripper
        5. Tiger and TARA
        6. Shell/Awk/etc
      5. Knowledge Base
      6. Master Checklists
        1. Auditing Account Management and Password Controls
        2. Auditing File Security and Controls
        3. Auditing Network Security and Controls
        4. Auditing Audit Logs
        5. Auditing Security Monitoring and General Controls
    6. Chapter 8 Auditing Web Servers and Web Applications
      1. Background
      2. Web Auditing Essentials
        1. One Audit with Multiple Components
      3. Part 1: Test Steps for Auditing the Host Operating System
      4. Part 2: Test Steps for Auditing Web Servers
      5. Part 3: Test Steps for Auditing Web Applications
        1. Additional Steps for Auditing Web Applications
      6. Tools and Technology
      7. Knowledge Base
      8. Master Checklists
        1. Auditing Web Servers
        2. Auditing Web Applications
    7. Chapter 9 Auditing Databases
      1. Background
      2. Database Auditing Essentials
        1. Common Database Vendors
        2. Database Components
      3. Test Steps for Auditing Databases
        1. Setup and General Controls
        2. Operating System Security
        3. Account and Permissions Management
        4. Data Encryption
        5. Monitoring and Management
      4. Tools and Technology
        1. Auditing Tools
        2. Monitoring Tools
      5. Knowledge Base
      6. Master Checklist
        1. Auditing Databases
    8. Chapter 10 Auditing Storage
      1. Background
      2. Storage Auditing Essentials
        1. Key Storage Components
        2. Key Storage Concepts
      3. Test Steps for Auditing Storage
        1. Setup and General Controls
        2. Account Management
        3. Storage Management
        4. Additional Security Controls
      4. Knowledge Base
      5. Master Checklists
    9. Chapter 11 Auditing Virtualized Environments
      1. Background
        1. Commercial and Open Source Projects
      2. Virtualization Auditing Essentials
      3. Test Steps for Auditing Virtualization
        1. Setup and General Controls
        2. Account and Resource Provisioning and Deprovisioning
        3. Virtual Environment Management
        4. Additional Security Controls
      4. Knowledge Base
        1. Hypervisors
        2. Tools
      5. Master Checklists
    10. Chapter 12 Auditing WLAN and Mobile Devices
      1. Background
        1. WLAN Background
        2. Data-Enabled Mobile Devices Background
      2. WLAN and Mobile Device Auditing Essentials
      3. Test Steps for Auditing Wireless LANs
        1. Part 1: WLAN Technical Audit
        2. Part 2: WLAN Operational Audit
      4. Test Steps for Auditing Mobile Devices
        1. Part 1: Mobile Device Technical Audit
        2. Part 2: Mobile Device Operational Audit
      5. Additional Considerations
      6. Tools and Technology
      7. Knowledge Base
      8. Master Checklists
        1. Auditing Wireless LANs
        2. Auditing Mobile Devices
    11. Chapter 13 Auditing Applications
      1. Background
      2. Application Auditing Essentials
        1. Generalized Frameworks
        2. Best Practices
      3. Test Steps for Auditing Applications
        1. Input Controls
        2. Interface Controls
        3. Audit Trails
        4. Access Controls
        5. Software Change Controls
        6. Backup and Recovery
        7. Data Retention and Classification and User Involvement
        8. Operating System, Database, and Other Infrastructure Controls
      4. Master Checklists
        1. Application Best Practices
        2. Auditing Applications
    12. Chapter 14 Auditing Cloud Computing and Outsourced Operations
      1. Background
        1. IT Systems and Infrastructure Outsourcing
        2. IT Service Outsourcing
        3. Other Considerations for IT Service Outsourcing
        4. SAS 70 Reports
      2. Test Steps for Auditing Cloud Computing and Outsourced Operations
        1. Preliminary and Overview
        2. Vendor Selection and Contracts
        3. Data Security
        4. Operations
        5. Legal Concerns and Regulatory Compliance
      3. Knowledge Base
      4. Master Checklist
        1. Auditing Cloud Computing and Outsourced Operations
    13. Chapter 15 Auditing Company Projects
      1. Background
      2. Project Auditing Essentials
        1. High-Level Goals of a Project Audit
        2. Basic Approaches to Project Auditing
        3. Seven Major Parts of a Project Audit
      3. Test Steps for Auditing Company Projects
        1. Overall Project Management
        2. Project Start-up: Requirements Gathering and Initial Design
        3. Detailed Design and System Development
        4. Testing
        5. Implementation
        6. Training
        7. Project Wrap-up
      4. Knowledge Base
      5. Master Checklists
        1. Auditing Overall Project Management
        2. Auditing Project Startup
        3. Auditing Detailed Design and System Development
        4. Auditing Testing
        5. Auditing Implementation
        6. Auditing Training
        7. Auditing Project Wrap-up
  12. PART III Frameworks, Standards, and Regulations
    1. Chapter 16 Frameworks and Standards
      1. Introduction to Internal IT Controls, Frameworks, and Standards
      2. COSO
        1. COSO Definition of Internal Control
        2. Key Concepts of Internal Control
        3. Internal Control—Integrated Framework
        4. Enterprise Risk Management—Integrated Framework
        5. Relationship Between Internal Control and Enterprise Risk-Management Publications
      3. COBIT
        1. COBIT Concepts
        2. IT Governance
        3. IT Governance Maturity Model
        4. The COSO-COBIT Connection
        5. COBIT 5.0
      4. ITIL
        1. ITIL Concepts
      5. ISO 27001
        1. ISO 27001 Concepts
      6. NSA INFOSEC Assessment Methodology
        1. NSA INFOSEC Assessment Methodology Concepts
        2. Pre-assessment Phase
        3. On-Site Activities Phase
        4. Post-assessment Phase
      7. Frameworks and Standards Trends
        1. References
    2. Chapter 17 Regulations
      1. An Introduction to Legislation Related to Internal Controls
        1. Regulatory Impact on IT Audits
        2. History of Corporate Financial Regulation
      2. The Sarbanes-Oxley Act of 2002
        1. SOX’s Impact on Public Corporations
        2. Core Points of the SOX Act
        3. SOX’s Impact on IT Departments
        4. SOX Considerations for Companies with Multiple Locations
        5. Impact of Third-Party Services on SOX Compliance
        6. Specific IT Controls Required for SOX Compliance
        7. The Financial Impact of SOX Compliance on Companies
      3. Gramm-Leach-Bliley Act
        1. GLBA Requirements
        2. Federal Financial Institutions Examination Council
      4. Privacy Regulations
        1. California SB 1386
        2. International Privacy Laws
        3. Privacy Law Trends
      5. Health Insurance Portability and Accountability Act of 1996
        1. HIPAA Privacy and Security Rules
        2. The HITECH Act
        3. HIPAA’s Impact on Covered Entities
      6. EU Commission and Basel II
        1. Basel II Capital Accord
      7. Payment Card Industry (PCI) Data Security Standard
        1. PCI Impact on the Payment Card Industry
      8. Other Regulatory Trends
        1. References
    3. Chapter 18 Risk Management
      1. Benefits of Risk Management
      2. Risk Management from an Executive Perspective
        1. Addressing Risk
        2. Quantitative vs. Qualitative Risk Analysis
      3. Quantitative Risk Analysis
        1. Elements of Risk
        2. Practical Application
        3. Quantitative Risk Analysis in Practice
        4. Common Causes for Inaccuracies
      4. Qualitative Risk Analysis
      5. IT Risk Management Life Cycle
        1. Phase 1: Identify Information Assets
        2. Phase 2: Quantify and Qualify Threats
        3. Phase 3: Assess Vulnerabilities
        4. Phase 4: Remediate Control Gaps
        5. Phase 5: Manage Residual Risk
      6. Summary of Formulas
  13. Index
  14. Footnotes