Book description
The Second Edition of Auditing IT Infrastructures for Compliance provides a unique, in-depth look at recent U.S.-based information systems and IT infrastructure compliance laws in both the public and private sectors. Written by industry experts, this book provides a comprehensive explanation of how to audit IT infrastructures for compliance based on those laws and on the need to protect and secure business and consumer privacy data. Using examples and exercises, this book incorporates hands-on activities to prepare readers to skillfully complete IT compliance auditing.
Table of contents
- Cover
- Title Page
- Copyright
- Dedication
- Contents
- Preface
- Acknowledgments
- Part One The Need for Compliance
- Chapter 1 The Need for Information Systems Security Compliance
- Chapter 2 Overview of U.S. Compliance Laws
- Introduction to Public and Private Sector Regulatory Requirements
- Federal Information Security Management Act
- U.S. Department of Defense Requirements
- Sarbanes-Oxley Act
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act
- Children’s Internet Protection Act
- Children’s Online Privacy Protection Act
- Family Educational Rights and Privacy Act
- Payment Card Industry Data Security Standard
- Red Flags Rule
- Chapter Summary
- Key Concepts and Terms
- Chapter 2 Assessment
- Chapter 3 What Is the Scope of an IT Compliance Audit?
- Part Two Auditing for Compliance: Frameworks, Tools, and Techniques
- Chapter 4 Auditing Standards and Frameworks
- Why Frameworks Are Important for Auditing
- The Importance of Using Standards in Compliance Auditing
- Service Organization Control Reports
- ISO/IEC Standards
- NIST 800-53
- Cybersecurity Framework
- Developing a Hybrid Auditing Framework or Approach
- Chapter Summary
- Key Concepts and Terms
- Chapter 4 Assessment
- Chapter 5 Planning an IT Infrastructure Audit for Compliance
- Defining the Scope, Objectives, Goals, and Frequency of an Audit
- Identifying Critical Requirements for the Audit
- Assessing IT Security
- Obtaining Information, Documentation, and Resources
- Mapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT Infrastructure
- Identifying and Testing Monitoring Requirements
- Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
- Building a Project Plan
- Chapter Summary
- Key Concepts and Terms
- Chapter 5 Assessment
- Chapter 6 Conducting an IT Infrastructure Audit for Compliance
- Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
- Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
- Conducting the Audit in a Layered Fashion
- Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
- Incorporating the Security Assessment into the Overall Audit Validating Compliance Process
- Using Audit Tools to Organize Data Capture
- Using Automated Audit Reporting Tools and Methodologies
- Reviewing Configurations and Implementations
- Verifying and Validating Proper Configuration and the Implementation of Security Controls and Countermeasures
- Identifying Common Problems When Conducting an IT Infrastructure Audit
- Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure
- Chapter Summary
- Key Concepts and Terms
- Chapter 6 Assessment
- Chapter 7 Writing the IT Infrastructure Audit Report
- Executive Summary of an Audit Report
- Summary of Findings
- IT Security Assessment Results: Risk, Threats, and Vulnerabilities
- Reporting on Implementation of IT Security Controls and Countermeasures
- IT Security Controls and Countermeasure Gap Analysis
- Compliance Assessment Throughout the IT Infrastructure
- Presenting Compliance Recommendations
- Chapter Summary
- Key Concepts and Terms
- Chapter 7 Assessment
- Chapter 8 Compliance Within the User Domain
- Compliance Law Requirements and Business Drivers
- Items Commonly Found in the User Domain
- Separation of Duties
- Least Privilege
- Need to Know
- Confidentiality Agreements
- Employee Background Checks
- Acknowledgment of Responsibilities and Accountabilities
- Security Awareness and Training for New Employees
- Information Systems Security Accountability
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for User Domain Compliance
- Chapter Summary
- Key Concepts and Terms
- Chapter 8 Assessment
- Chapter 9 Compliance Within the Workstation Domain
- Compliance Law Requirements and Business Drivers
- Devices and Components Commonly Found in the Workstation Domain
- Access Rights and Access Controls in the Workstation Domain
- Maximizing C-I-A
- Workstation Vulnerability Management
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for Workstation Domain Compliance
- Chapter Summary
- Key Concepts and Terms
- Chapter 9 Assessment
- Chapter 10 Compliance Within the LAN Domain
- Compliance Law Requirements and Business Drivers
- Devices and Components Commonly Found in the LAN Domain
- LAN Traffic and Performance Monitoring and Analysis
- LAN Configuration and Change Management
- LAN Management, Tools, and Systems
- Access Rights and Access Controls in the LAN Domain
- Maximizing C-I-A
- Managing the Vulnerability of LAN Components
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for LAN Domain Compliance
- Chapter Summary
- Key Concepts and Terms
- Chapter 10 Assessment
- Chapter 11 Compliance Within the LAN-to-WAN Domain
- Compliance Law Requirements and Business Drivers
- Devices and Components Commonly Found in the LAN-to-WAN Domain
- LAN-to-WAN Traffic and Performance Monitoring and Analysis
- LAN-to-WAN Configuration and Change Management
- LAN-to-WAN Management, Tools, and Systems
- Access Rights and Access Controls in the LAN-to-WAN Domain
- Maximizing C-I-A
- Penetration Testing and Validating LAN-to-WAN Configuration
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for LAN-to-WAN Domain Compliance
- Chapter Summary
- Key Concepts and Terms
- Chapter 11 Assessment
- Chapter 12 Compliance Within the WAN Domain
- Compliance Law Requirements and Business Drivers
- Devices and Components Commonly Found in the WAN Domain
- WAN Traffic and Performance Monitoring and Analysis
- WAN Configuration and Change Management
- WAN Management Tools and Systems
- Access Rights and Access Controls in the WAN Domain
- Maximizing C-I-A
- WAN Service Provider SOC Compliance
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for WAN Domain Compliance
- Chapter Summary
- Key Concepts and Terms
- Chapter 12 Assessment
- Chapter 13 Compliance Within the Remote Access Domain
- Compliance Law Requirements and Business Drivers
- Devices and Components Commonly Found in the Remote Access Domain
- Remote Access and VPN Tunnel Monitoring
- Remote Access Traffic and Performance Monitoring and Analysis
- Remote Access Configuration and Change Management
- Remote Access Management, Tools, and Systems
- Access Rights and Access Controls in the Remote Access Domain
- Remote Access Domain Configuration Validation
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for Remote Access Domain Compliance
- Chapter Summary
- Key Concepts and Terms
- Chapter 13 Assessment
- Chapter 14 Compliance Within the System/Application Domain
- Compliance Law Requirements and Business Drivers
- Devices and Components Commonly Found in the System/Application Domain
- System and Application Traffic and Performance Monitoring and Analysis
- System and Application Configuration and Change Management
- System and Application Management, Tools, and Systems
- Access Rights and Access Controls in the System/Application Domain
- Maximizing C-I-A
- System/Application Server Vulnerability Management
- Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
- Best Practices for System/Application Domain Compliance
- Chapter Summary
- Key Concepts and Terms
- Chapter 14 Assessment
- Part Three Beyond Audits
- Chapter 15 Ethics, Education, and Certification for IT Auditors
- Appendix A Answer Key
- Appendix B Standard Acronyms
- Glossary of Key Terms
- References
- Index
Product information
- Title: Auditing IT Infrastructures for Compliance, 2nd Edition
- Author(s):
- Release date: July 2015
- Publisher(s): Jones & Bartlett Learning
- ISBN: 9781284090710