
Auditing IT Infrastructures for Compliance, 3rd Edition
- Length: 398 pages
- Edition: 3
- Language: English
- Publisher: Jones & Bartlett Learning
- Publication Date: 2022-10-21
- ISBN-10: 1284236609
- ISBN-13: 9781284236606
The third edition of Auditing IT Infrastructures for Compliance provides a unique, in-depth look at recent U.S.-based information systems and IT infrastructure compliance laws in both the public and private sectors. Written by industry experts, this book provides a comprehensive explanation of how to audit IT infrastructures for compliance based on those laws and on the need to protect and secure business and consumer privacy data. Using examples and exercises, the book incorporates hands-on activities that prepare readers to complete IT compliance audits skillfully. Each new print copy includes Navigate eBook Access, enabling you to read your digital textbook online or offline from your computer, tablet, or mobile device.
Table of Contents

Front matter: Cover; Title Page; Copyright Page; Contents; Dedication Page; Preface; Acknowledgments; About the Author

CHAPTER 1 The Need for Information Systems Compliance
- What Is the Difference Between Information System and Information Security Compliance?
- Difference Between Information System and Information Security Auditing
- Information Security
- What Is the Confidentiality, Integrity, and Availability (CIA) Triad?
- What Is Compliance?
- Why Are Governance and Compliance Important?
- Case Study: Cetera and Cambridge
- What If an Organization Does Not Comply with Compliance Laws?
- Chapter Summary; Key Concepts and Terms; Chapter 1 Assessment

CHAPTER 2 Overview of U.S. Compliance Laws
- Introduction to Regulatory Requirements
- Regulatory Acts of Congress
- Federal Information Security Management Act
- Red Flag Rules
- Cybersecurity Information Sharing Act
- Sarbanes-Oxley Act
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act
- Children’s Internet Protection Act
- Children’s Online Privacy Protection Act
- California Consumer Privacy Act
- Payment Card Industry Data Security Standard
- Chapter Summary; Key Concepts and Terms; Chapter 2 Assessment

CHAPTER 3 What Is the Scope of an IT Compliance Audit?
- What Must Your Organization Do to Be in Compliance?
- Business View on Compliance
- Protecting and Securing Privacy Data
- Designing and Implementing Proper Security Controls
- Choosing Between Automated, Manual, and Hybrid Controls
- What Are You Auditing Within the IT Infrastructure?
- User Domain
- Workstation Domain
- LAN Domain
- LAN-to-WAN Domain
- WAN Domain
- Remote Access Domain
- System/Application Domain
- Maintaining IT Compliance
- Conducting Periodic Security Assessments
- Performing an Annual Security Compliance Audit
- Defining Proper Security Controls
- Creating an IT Security Policy Framework
- Implementing Security Operations and Administration Management
- Configuration and Change Management
- Chapter Summary; Key Concepts and Terms; Chapter 3 Assessment

CHAPTER 4 Auditing Standards and Frameworks
- Difference Between Standards and Frameworks
- Why Frameworks Are Important for Auditing
- The Importance of Using Standards in Compliance Auditing
- Institute of Internal Auditors
- COBIT
- Service Organization Control Reports
- ISO/IEC Standards
- ISO/IEC 27001 Standard
- ISO/IEC 27002 Standard
- NIST 800-53
- Cybersecurity Framework
- Chapter Summary; Key Concepts and Terms; Chapter 4 Assessment

CHAPTER 5 Planning an IT Infrastructure Audit for Compliance
- Defining the Scope, Objectives, Goals, and Frequency of an Audit
- Identifying Critical Requirements for the Audit
- Implementing Security Controls
- Protecting Data Privacy
- Assessing IT Security Risk Management
- Threat Versus Vulnerability Versus Risk
- Vulnerability Analysis
- Risk Assessment Analysis: Defining an Acceptable Security Baseline Definition
- Obtaining Information, Documentation, and Resources
- Existing IT Security Policy Framework Definition
- Configuration Documentation for IT Infrastructure
- Interviews with Key IT Support and Management Personnel: Identifying and Planning
- NIST Standards and Methodologies
- Mapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT Infrastructure
- Identifying and Testing Monitoring Requirements
- Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
- Building a Project Plan
- Chapter Summary; Key Concepts and Terms; Chapter 5 Assessment

CHAPTER 6 Conducting an IT Infrastructure Audit for Compliance
- Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
- Preventive Security Control
- Detective Security Control
- Corrective Security Control
- Organization-Wide
- Seven Domains of a Typical IT Infrastructure
- Business Liability Insurance
- Controlling Risk
- Gap Analysis for the Seven Domains
- Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
- Conducting the Audit in a Layered Fashion
- Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
- Incorporating the Security Assessment into the Overall Audit
- Validating Compliance Process
- Using Audit Tools to Organize Data Capture
- Using Automated Audit Reporting Tools and Methodologies
- Reviewing Configurations and Implementations
- Auditing Change Management
- Verifying and Validating Proper Configuration and the Implementation of Security Controls and Countermeasures
- Identifying Common Problems When Conducting an IT Infrastructure Audit
- Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure
- Separation of Duties
- Chapter Summary; Key Concepts and Terms; Chapter 6 Assessment

CHAPTER 7 Writing the IT Infrastructure Audit Report
- Anatomy of an Audit Report
- Audit Report Ratings
- Audit Report Opinion
- Summary of Findings
- IT Security Assessment Results: Risk, Threats, and Vulnerabilities
- Reporting on Implementation of IT Security Controls and Frameworks Per Documented IT Security Policy Framework
- Privacy Data
- IT Security Controls and Countermeasure Gap Analysis
- Compliance Requirement
- Compliance Assessment Throughout the IT Infrastructure
- Presenting Compliance Recommendations
- Chapter Summary; Key Concepts and Terms; Chapter 7 Assessment

CHAPTER 8 Compliance Within the User Domain
- User Domain Business Drivers
- Social Engineering
- Human Mistakes
- Insiders
- Anatomy of a User Domain
- Protecting Privacy Data
- Implementing Proper Security Controls for the User Domain
- Items Commonly Found in the User Domain
- Separation of Duties
- Least Privilege
- System Administrators
- Confidentiality Agreements
- Employee Background Checks
- Acknowledgment of Responsibilities and Accountabilities
- Security Awareness and Training for New Employees
- Information Systems Security Accountability
- Incorporating Accountability into Annual Employee Performance Reviews
- Organization’s Right to Monitor User Actions and Traffic
- Best Practices for User Domain Compliance
- Chapter Summary; Key Concepts and Terms; Chapter 8 Assessment

CHAPTER 9 Compliance Within the Workstation Domain
- Compliance Law Requirements and Business Drivers
- Importance of Policies
- Protecting Data Privacy
- Implementing Proper Security Controls for the Workstation Domain
- Management Systems
- Devices and Components Commonly Found in the Workstation Domain
- Uninterruptible Power Supplies
- Desktop Computers
- Laptops/Tablets/Smartphones
- Local Printers
- Wireless Access Points
- Fixed Hard Disk Drives
- Removable Storage Devices
- Access Rights and Access Controls in the Workstation Domain
- Maximizing C-I-A
- Maximizing Availability
- Maximizing Integrity
- Maximizing Confidentiality
- Workstation Vulnerability Management
- Operating System Patch Management
- Application Software Patch Management
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for Workstation Domain Compliance
- Chapter Summary; Key Concepts and Terms; Chapter 9 Assessment

CHAPTER 10 Compliance Within the LAN Domain
- LAN Domain Business Drivers
- Data Leakage Protection
- Encryption of Mobile Devices
- Implementing Proper Security Controls for the LAN Domain
- Devices and Components Commonly Found in the LAN Domain
- Connection Media
- Common Network Server and Service Devices
- Networking Services Software
- LAN Traffic and Performance Monitoring and Analysis
- LAN Configuration and Change Management
- LAN Domain Policies
- Control Standards
- Baseline Standards
- Guidelines
- LAN Management, Tools, and Systems
- Maximizing C-I-A
- Maximizing Confidentiality
- Maximizing Integrity
- Maximizing Availability
- Patch Management
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for LAN Domain Compliance
- Chapter Summary; Key Concepts and Terms; Chapter 10 Assessment

CHAPTER 11 Compliance Within the LAN-to-WAN Domain
- Compliance Law Requirements and Protecting Data Privacy
- Implementing Proper Security Controls for the LAN-to-WAN Domain
- Devices and Components Commonly Found in the LAN-to-WAN Domain
- Routers
- Firewalls
- Proxy Servers
- DMZ
- Virtual Private Network Concentrator
- Network Address Translation (NAT)
- Internet Service Provider Connections and Backup Connections
- Cloud Services
- Intrusion Detection Systems/Intrusion Prevention Systems
- Data Loss/Leak Security Appliances
- Web Content Filtering Devices
- Traffic-Monitoring Devices
- LAN-to-WAN Traffic and Performance Monitoring and Analysis
- LAN-to-WAN Configuration and Change Management
- LAN-to-WAN Management, Tools, and Systems
- FCAPS
- Network-Management Tools
- Access Rights and Access Controls in the LAN-to-WAN Domain
- Maximizing C-I-A
- Minimizing Single Points of Failure
- Dual-Homed ISP Connections
- Redundant Routers and Firewalls
- Web Server Data and Hard Drive Backup and Recovery
- Use of VPN for Remote Access to Organizational Systems and Data
- Penetration Testing and Validating LAN-to-WAN Configuration
- External Attacks
- Internal Attacks
- Intrusive Versus Nonintrusive Testing
- Configuration Management Verification
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for LAN-to-WAN Domain Compliance
- Chapter Summary; Key Concepts and Terms; Chapter 11 Assessment

CHAPTER 12 Compliance Within the WAN Domain
- Compliance Law Requirements and Business Drivers
- Protecting Data Privacy
- SD-WAN
- Implementing Proper Security Controls for the WAN Domain
- Devices and Components Commonly Found in the WAN Domain
- WAN Service Providers
- Dedicated Lines/Circuits
- MPLS/VPN WAN or Metro Ethernet
- WAN Layer 2/Layer 3 Switches
- WAN Backup and Redundant Links
- WAN Traffic and Performance Monitoring and Analysis
- WAN Configuration and Change Management
- WAN Management Tools and Systems
- Incident Response Management Tools
- Access Rights and Access Controls in the WAN Domain
- Maximizing C-I-A
- WAN Service Availability SLAs
- WAN Traffic Encryption/VPNs
- WAN Service Provider SOC Compliance
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for WAN Domain Compliance
- Chapter Summary; Key Concepts and Terms; Chapter 12 Assessment

CHAPTER 13 Compliance Within the Remote Access Domain
- Remote Access Business Drivers
- Protecting Data Privacy
- Implementing Proper Security Controls for the Remote Access Domain
- Devices and Components Commonly Found in the Remote Access Domain
- Remote Users
- Remote Workstations or Laptops
- Remote Access Controls and Tools
- Authentication Servers
- ISP WAN Connections
- Remote Access and VPN Tunnel Monitoring
- Remote Access Traffic and Performance Monitoring and Analysis
- Remote Access Configuration and Change Management
- Remote Access Management, Tools, and Systems
- Access Rights and Access Controls in the Remote Access Domain
- Remote Access Domain Configuration Validation
- VPN Client Definition and Access Controls
- TLS VPN Remote Access via a Web Browser
- VPN Configuration Management Verification
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for Remote Access Domain Compliance
- Chapter Summary; Key Concepts and Terms; Chapter 13 Assessment

CHAPTER 14 Compliance Within the System/Application Domain
- Compliance Law Requirements and Business Drivers
- Application Software Versus System Software
- Protecting Data Privacy
- Implementing Proper Security Controls for the System/Application Domain
- Software Development Life Cycle (SDLC)
- Devices and Components Commonly Found in the System/Application Domain
- Computer Room/Data Center
- Redundant Computer Room/Data Center
- Uninterruptible Power Supplies and Diesel Generators to Maintain Operations
- Mainframe Computers
- Minicomputers
- Server Computers
- Data Storage Devices
- Applications
- Source Code
- Databases and Privacy Data
- Secure Coding
- System and Application Configuration and Change Management
- System and Application Management, Tools, and Systems
- Access Rights and Access Controls in the System/Application Domain
- System Account and Service Accounts
- Maximizing C-I-A
- Access Controls
- Database and Drive Encryption
- System/Application Server Vulnerability Management
- Operating System Patch Management
- Application Software Patch Management
- Data Loss Protection
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for System/Application Domain Compliance
- Chapter Summary; Key Concepts and Terms; Chapter 14 Assessment

CHAPTER 15 Ethics, Education, and Certification for IT Auditors
- Professional Associations and Certifications
- Professional Ethics, Code of Conduct, and Integrity of IT Auditors
- Ethical Independence
- Codes of Conduct for Employees and IT Auditors
- Employer-/Organization-Driven Codes of Conduct
- Employee Handbook and Employment Policies
- Certification and Accreditation for Information Security
- Certification and Accreditation for Auditors
- IIA
- Chapter Summary; Key Concepts and Terms; Chapter 15 Assessment

Back matter: APPENDIX A Answer Key; APPENDIX B Standard Acronyms; Glossary of Key Terms; References; Index