Auditing IT Infrastructures for Compliance, 3rd Edition

Book description

The third edition of Auditing IT Infrastructures for Compliance provides a unique, in-depth look at recent U.S.-based information systems and IT infrastructure compliance laws in both the public and private sectors. Written by industry experts, this book provides a comprehensive explanation of how to audit IT infrastructures for compliance based on those laws and on the need to protect and secure business and consumer privacy data. Using examples and exercises, the book incorporates hands-on activities to prepare readers to skillfully complete IT compliance audits.

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Contents
  5. Dedication Page
  6. Preface
  7. Acknowledgments
  8. About the Author
  9. CHAPTER 1 The Need for Information Systems Compliance
    1. What Is the Difference Between Information System and Information Security Compliance?
      1. Difference Between Information System and Information Security
      2. Auditing Information Security
    2. What Is the Confidentiality, Integrity, and Availability (CIA) Triad?
    3. What Is Compliance?
    4. Why Are Governance and Compliance Important?
      1. Case Study: Cetera and Cambridge
    5. What If an Organization Does Not Comply with Compliance Laws?
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 1 ASSESSMENT
  10. CHAPTER 2 Overview of U.S. Compliance Laws
    1. Introduction to Regulatory Requirements
      1. Regulatory Acts of Congress
    2. Federal Information Security Management Act
    3. Red Flag Rules
    4. Cybersecurity Information Sharing Act
    5. Sarbanes-Oxley Act
    6. Gramm-Leach-Bliley Act
    7. Health Insurance Portability and Accountability Act
    8. Children’s Internet Protection Act
    9. Children’s Online Privacy Protection Act
    10. California Consumer Privacy Act
    11. Payment Card Industry Data Security Standard
    12. CHAPTER SUMMARY
    13. KEY CONCEPTS AND TERMS
    14. CHAPTER 2 ASSESSMENT
  11. CHAPTER 3 What Is the Scope of an IT Compliance Audit?
    1. What Must Your Organization Do to Be in Compliance?
      1. Business View on Compliance
      2. Protecting and Securing Privacy Data
      3. Designing and Implementing Proper Security Controls
      4. Choosing Between Automated, Manual, and Hybrid Controls
    2. What Are You Auditing Within the IT Infrastructure?
      1. User Domain
      2. Workstation Domain
      3. LAN Domain
      4. LAN-to-WAN Domain
      5. WAN Domain
      6. Remote Access Domain
      7. System/Application Domain
    3. Maintaining IT Compliance
      1. Conducting Periodic Security Assessments
      2. Performing an Annual Security Compliance Audit
      3. Defining Proper Security Controls
      4. Creating an IT Security Policy Framework
      5. Implementing Security Operations and Administration Management
      6. Configuration and Change Management
    4. CHAPTER SUMMARY
    5. KEY CONCEPTS AND TERMS
    6. CHAPTER 3 ASSESSMENT
  12. CHAPTER 4 Auditing Standards and Frameworks
    1. Difference Between Standards and Frameworks
    2. Why Frameworks Are Important for Auditing
    3. The Importance of Using Standards in Compliance Auditing
      1. Institute of Internal Auditors
      2. COBIT
    4. Service Organization Control Reports
    5. ISO/IEC Standards
      1. ISO/IEC 27001 Standard
      2. ISO/IEC 27002 Standard
    6. NIST 800-53
    7. Cybersecurity Framework
    8. CHAPTER SUMMARY
    9. KEY CONCEPTS AND TERMS
    10. CHAPTER 4 ASSESSMENT
  13. CHAPTER 5 Planning an IT Infrastructure Audit for Compliance
    1. Defining the Scope, Objectives, Goals, and Frequency of an Audit
    2. Identifying Critical Requirements for the Audit
      1. Implementing Security Controls
      2. Protecting Data Privacy
    3. Assessing IT Security
      1. Risk Management
      2. Threat Versus Vulnerability Versus Risk
      3. Vulnerability Analysis
      4. Risk Assessment Analysis: Defining an Acceptable Security Baseline Definition
    4. Obtaining Information, Documentation, and Resources
      1. Existing IT Security Policy Framework Definition
      2. Configuration Documentation for IT Infrastructure
      3. Interviews with Key IT Support and Management Personnel: Identifying and Planning
      4. NIST Standards and Methodologies
    5. Mapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT Infrastructure
    6. Identifying and Testing Monitoring Requirements
    7. Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
    8. Building a Project Plan
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 5 ASSESSMENT
  14. CHAPTER 6 Conducting an IT Infrastructure Audit for Compliance
    1. Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
      1. Preventive Security Control
      2. Detective Security Control
      3. Corrective Security Control
      4. Organization-Wide
      5. Seven Domains of a Typical IT Infrastructure
      6. Business Liability Insurance
      7. Controlling Risk
      8. Gap Analysis for the Seven Domains
    2. Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
    3. Conducting the Audit in a Layered Fashion
    4. Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
    5. Incorporating the Security Assessment into the Overall Audit Validating Compliance Process
    6. Using Audit Tools to Organize Data Capture
    7. Using Automated Audit Reporting Tools and Methodologies
    8. Reviewing Configurations and Implementations
    9. Auditing Change Management
    10. Verifying and Validating Proper Configuration and the Implementation of Security Controls and Countermeasures
    11. Identifying Common Problems When Conducting an IT Infrastructure Audit
    12. Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure
      1. Separation of Duties
    13. CHAPTER SUMMARY
    14. KEY CONCEPTS AND TERMS
    15. CHAPTER 6 ASSESSMENT
  15. CHAPTER 7 Writing the IT Infrastructure Audit Report
    1. Anatomy of an Audit Report
    2. Audit Report Ratings
    3. Audit Report Opinion
    4. Summary of Findings
    5. IT Security Assessment Results: Risk, Threats, and Vulnerabilities
    6. Reporting on Implementation of IT Security Controls and Frameworks
    7. Per Documented IT Security Policy Framework
      1. Privacy Data
    8. IT Security Controls and Countermeasure Gap Analysis
      1. Compliance Requirement
    9. Compliance Assessment Throughout the IT Infrastructure
    10. Presenting Compliance Recommendations
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 7 ASSESSMENT
  16. CHAPTER 8 Compliance Within the User Domain
    1. User Domain Business Drivers
      1. Social Engineering
      2. Human Mistakes
      3. Insiders
    2. Anatomy of a User Domain
      1. Protecting Privacy Data
      2. Implementing Proper Security Controls for the User Domain
    3. Items Commonly Found in the User Domain
    4. Separation of Duties
    5. Least Privilege
      1. System Administrators
    6. Confidentiality Agreements
    7. Employee Background Checks
    8. Acknowledgment of Responsibilities and Accountabilities
    9. Security Awareness and Training for New Employees
    10. Information Systems Security Accountability
      1. Incorporating Accountability into Annual Employee Performance Reviews
      2. Organization’s Right to Monitor User Actions and Traffic
    11. Best Practices for User Domain Compliance
    12. CHAPTER SUMMARY
    13. KEY CONCEPTS AND TERMS
    14. CHAPTER 8 ASSESSMENT
  17. CHAPTER 9 Compliance Within the Workstation Domain
    1. Compliance Law Requirements and Business Drivers
      1. Importance of Policies
      2. Protecting Data Privacy
      3. Implementing Proper Security Controls for the Workstation Domain
      4. Management Systems
    2. Devices and Components Commonly Found in the Workstation Domain
      1. Uninterruptible Power Supplies
      2. Desktop Computers
      3. Laptops/Tablets/Smartphones
      4. Local Printers
      5. Wireless Access Points
      6. Fixed Hard Disk Drives
      7. Removable Storage Devices
    3. Access Rights and Access Controls in the Workstation Domain
    4. Maximizing C-I-A
      1. Maximizing Availability
      2. Maximizing Integrity
      3. Maximizing Confidentiality
    5. Workstation Vulnerability Management
      1. Operating System Patch Management
      2. Application Software Patch Management
    6. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    7. Best Practices for Workstation Domain Compliance
    8. CHAPTER SUMMARY
    9. KEY CONCEPTS AND TERMS
    10. CHAPTER 9 ASSESSMENT
  18. CHAPTER 10 Compliance Within the LAN Domain
    1. LAN Domain Business Drivers
      1. Data Leakage Protection
      2. Encryption of Mobile Devices
      3. Implementing Proper Security Controls for the LAN Domain
    2. Devices and Components Commonly Found in the LAN Domain
      1. Connection Media
      2. Common Network Server and Service Devices
      3. Networking Services Software
    3. LAN Traffic and Performance Monitoring and Analysis
    4. LAN Configuration and Change Management
      1. LAN Domain Policies
      2. Control Standards
      3. Baseline Standards
      4. Guidelines
    5. LAN Management, Tools, and Systems
    6. Maximizing C-I-A
      1. Maximizing Confidentiality
      2. Maximizing Integrity
      3. Maximizing Availability
      4. Patch Management
    7. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    8. Best Practices for LAN Domain Compliance
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 10 ASSESSMENT
  19. CHAPTER 11 Compliance Within the LAN-to-WAN Domain
    1. Compliance Law Requirements and Protecting Data Privacy
      1. Implementing Proper Security Controls for the LAN-to-WAN Domain
    2. Devices and Components Commonly Found in the LAN-to-WAN Domain
      1. Routers
      2. Firewalls
      3. Proxy Servers
      4. DMZ
      5. Virtual Private Network Concentrator
      6. Network Address Translation (NAT)
      7. Internet Service Provider Connections and Backup Connections
      8. Cloud Services
      9. Intrusion Detection Systems/Intrusion Prevention Systems
      10. Data Loss/Leak Security Appliances
      11. Web Content Filtering Devices
      12. Traffic-Monitoring Devices
    3. LAN-to-WAN Traffic and Performance Monitoring and Analysis
    4. LAN-to-WAN Configuration and Change Management
    5. LAN-to-WAN Management, Tools, and Systems
      1. FCAPS
      2. Network-Management Tools
    6. Access Rights and Access Controls in the LAN-to-WAN Domain
    7. Maximizing C-I-A
      1. Minimizing Single Points of Failure
      2. Dual-Homed ISP Connections
      3. Redundant Routers and Firewalls
      4. Web Server Data and Hard Drive Backup and Recovery
      5. Use of VPN for Remote Access to Organizational Systems and Data
    8. Penetration Testing and Validating LAN-to-WAN Configuration
      1. External Attacks
      2. Internal Attacks
      3. Intrusive Versus Nonintrusive Testing
      4. Configuration Management Verification
    9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    10. Best Practices for LAN-to-WAN Domain Compliance
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 11 ASSESSMENT
  20. CHAPTER 12 Compliance Within the WAN Domain
    1. Compliance Law Requirements and Business Drivers
      1. Protecting Data Privacy
      2. SD-WAN
      3. Implementing Proper Security Controls for the WAN Domain
    2. Devices and Components Commonly Found in the WAN Domain
      1. WAN Service Providers
      2. Dedicated Lines/Circuits
      3. MPLS/VPN WAN or Metro Ethernet
      4. WAN Layer 2/Layer 3 Switches
      5. WAN Backup and Redundant Links
    3. WAN Traffic and Performance Monitoring and Analysis
    4. WAN Configuration and Change Management
    5. WAN Management Tools and Systems
    6. Incident Response Management Tools
    7. Access Rights and Access Controls in the WAN Domain
    8. Maximizing C-I-A
      1. WAN Service Availability SLAs
      2. WAN Traffic Encryption/VPNs
    9. WAN Service Provider SOC Compliance
    10. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    11. Best Practices for WAN Domain Compliance
    12. CHAPTER SUMMARY
    13. KEY CONCEPTS AND TERMS
    14. CHAPTER 12 ASSESSMENT
  21. CHAPTER 13 Compliance Within the Remote Access Domain
    1. Remote Access Business Drivers
      1. Protecting Data Privacy
      2. Implementing Proper Security Controls for the Remote Access Domain
    2. Devices and Components Commonly Found in the Remote Access Domain
      1. Remote Users
      2. Remote Workstations or Laptops
      3. Remote Access Controls and Tools
      4. Authentication Servers
      5. ISP WAN Connections
    3. Remote Access and VPN Tunnel Monitoring
    4. Remote Access Traffic and Performance Monitoring and Analysis
    5. Remote Access Configuration and Change Management
    6. Remote Access Management, Tools, and Systems
    7. Access Rights and Access Controls in the Remote Access Domain
    8. Remote Access Domain Configuration Validation
      1. VPN Client Definition and Access Controls
      2. TLS VPN Remote Access via a Web Browser
      3. VPN Configuration Management Verification
    9. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    10. Best Practices for Remote Access Domain Compliance
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 13 ASSESSMENT
  22. CHAPTER 14 Compliance Within the System/Application Domain
    1. Compliance Law Requirements and Business Drivers
      1. Application Software Versus System Software
      2. Protecting Data Privacy
      3. Implementing Proper Security Controls for the System/Application Domain
      4. Software Development Life Cycle (SDLC)
    2. Devices and Components Commonly Found in the System/Application Domain
      1. Computer Room/Data Center
      2. Redundant Computer Room/Data Center
      3. Uninterruptible Power Supplies and Diesel Generators to Maintain Operations
      4. Mainframe Computers
      5. Minicomputers
      6. Server Computers
      7. Data Storage Devices
      8. Applications
      9. Source Code
      10. Databases and Privacy Data
      11. Secure Coding
    3. System and Application Configuration and Change Management
    4. System and Application Management, Tools, and Systems
    5. Access Rights and Access Controls in the System/Application Domain
      1. System Account and Service Accounts
    6. Maximizing C-I-A
      1. Access Controls
      2. Database and Drive Encryption
    7. System/Application Server Vulnerability Management
      1. Operating System Patch Management
      2. Application Software Patch Management
      3. Data Loss Protection
    8. Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
    9. Best Practices for System/Application Domain Compliance
    10. CHAPTER SUMMARY
    11. KEY CONCEPTS AND TERMS
    12. CHAPTER 14 ASSESSMENT
  23. CHAPTER 15 Ethics, Education, and Certification for IT Auditors
    1. Professional Associations and Certifications
    2. Professional Ethics, Code of Conduct, and Integrity of IT Auditors
      1. Ethical Independence
    3. Codes of Conduct for Employees and IT Auditors
      1. Employer-/Organization-Driven Codes of Conduct
      2. Employee Handbook and Employment Policies
    4. Certification and Accreditation for Information Security
    5. Certification and Accreditation for Auditors
      1. IIA
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 15 ASSESSMENT
  24. APPENDIX A Answer Key
  25. APPENDIX B Standard Acronyms
  26. Glossary of Key Terms
  27. References
  28. Index

Product information

  • Title: Auditing IT Infrastructures for Compliance, 3rd Edition
  • Author(s): Robert Johnson, Marty Weiss, Michael G. Solomon
  • Release date: October 2022
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781284236613