IT Auditing Using Controls to Protect Information Assets, Third Edition, 3rd Edition

Book description

Secure Your Systems Using the Latest IT Auditing Techniques

Fully updated to cover leading-edge tools and technologies, IT Auditing: Using Controls to Protect Information Assets, Third Edition explains, step by step, how to implement a successful, enterprise-wide IT audit program. New chapters on auditing cybersecurity programs, big data and data repositories, and new technologies are included. This comprehensive guide describes how to assemble an effective IT audit team and maximize the value of the IT audit function. In-depth details on performing specific audits are accompanied by real-world examples, ready-to-use checklists, and valuable templates. Standards, frameworks, regulations, and risk management techniques are also covered in this definitive resource.

• Build and maintain an internal IT audit function with maximum effectiveness and value
• Audit entity-level controls and cybersecurity programs
• Assess data centers and disaster recovery
• Examine switches, routers, and firewalls
• Evaluate Windows, UNIX, and Linux operating systems
• Audit Web servers and applications
• Analyze databases and storage solutions
• Review big data and data repositories
• Assess end-user computing devices, including PCs and mobile devices
• Audit virtualized environments
• Evaluate risks associated with cloud computing and outsourced operations
• Drill down into applications and projects to find potential control weaknesses
• Learn best practices for auditing new technologies
• Use standards and frameworks, such as COBIT, ITIL, and ISO
• Understand regulations, including Sarbanes-Oxley, HIPAA, and PCI
• Implement proven risk management practices


Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Author
  6. Contents
  7. Acknowledgments
  8. Introduction
  9. Part I Audit Overview
    1. Chapter 1 Building an Effective Internal IT Audit Function
      1. Why Are We Here? (The Internal Audit Department’s Mission)
      2. Independence: The Great Myth
      3. Adding Value Outside of Formal Audits
      4. Business Advisory Audits
      5. Four Methods for Business Advisory Audits
        1. Early Involvement
        2. Informal Audits
        3. Knowledge Sharing
        4. Self-Assessments
      6. Continuous Auditing
        1. Final Thoughts on Adding Value Outside of Formal Audits
      7. Relationship Building: Partnering vs. Policing
        1. Learning to Build Partnerships
      8. The Role of the IT Audit Team
        1. Application Auditors (or Integrated Auditors)
        2. Data Extraction and Analysis Specialists
        3. IT Auditors
      9. Forming and Maintaining an Effective IT Audit Team
        1. Career IT Auditors
        2. IT Professionals
        3. Career IT Auditors vs. IT Professionals: Final Thoughts
        4. Co-sourcing
      10. Maintaining Expertise
        1. Sources of Learning
      11. Relationship with External Auditors and Internal Assurance Functions
      12. Summary
    2. Chapter 2 The Audit Process
      1. Internal Controls
        1. Types of Internal Controls
        2. Internal Control Examples
      2. Determining What to Audit
        1. Creating the Audit Universe
        2. Ranking the Audit Universe
        3. Determining What to Audit: Final Thoughts
      3. The Stages of an Audit
        1. Planning
        2. Fieldwork and Documentation
        3. Issue Discovery and Validation
        4. Solution Development
        5. Report Drafting and Issuance
        6. Issue Tracking
      4. Standards
      5. Summary
  10. Part II Auditing Techniques
    1. Chapter 3 Auditing Entity-Level Controls
      1. Background
      2. Test Steps for Auditing Entity-Level Controls
      3. Knowledge Base
      4. Master Checklist
    2. Chapter 4 Auditing Cybersecurity Programs
      1. Background
      2. Steps for Auditing Cybersecurity Programs
      3. Knowledge Base
      4. Master Checklist
    3. Chapter 5 Auditing Data Centers and Disaster Recovery
      1. Background
      2. Data Center Auditing Essentials
        1. Physical Security and Environmental Controls
        2. System and Site Resiliency
        3. Data Center Operations
        4. Disaster Preparedness
      3. Test Steps for Auditing Data Centers
        1. Neighborhood and External Risk Factors
        2. Physical Access Controls
        3. Environmental Controls
        4. Power and Electricity
        5. Fire Suppression
        6. Data Center Operations
        7. System Resiliency
        8. Data Backup and Restoration
        9. Disaster Recovery Planning
        10. Knowledge Base
        11. Master Checklists
    4. Chapter 6 Auditing Networking Devices
      1. Background
      2. Network Auditing Essentials
        1. Protocols
        2. OSI Model
        3. Routers and Switches
        4. LANs, VLANs, WANs, and WLANs
        5. Firewalls
      3. Auditing Switches, Routers, and Firewalls
        1. General Network Equipment Audit Steps
        2. Additional Switch Controls: Layer 2
        3. Additional Router Controls: Layer 3
        4. Additional Firewall Controls
        5. Additional Controls for Wireless Network Gear
      4. Tools and Technology
      5. Knowledge Base
      6. Master Checklists
    5. Chapter 7 Auditing Windows Servers
      1. Background
      2. Windows Auditing Essentials
        1. Command-Line Tips
        2. Essential Command-Line Tools
        3. Common Commands
        4. Server Administration Tools
        5. Performing the Audit
      3. Test Steps for Auditing Windows
        1. Initial Steps
        2. Account Management
        3. Permissions Management
        4. Network Security and Controls
        5. Security Monitoring and Other General Controls
      4. Tools and Technology
      5. Knowledge Base
      6. Master Checklist
    6. Chapter 8 Auditing Unix and Linux Operating Systems
      1. Background
      2. Unix and Linux Auditing Essentials
        1. Key Concepts
        2. File System Layout and Navigation
        3. File System Permissions
        4. Users and Authentication
        5. Network Services
      3. Test Steps for Auditing Unix and Linux
        1. Account Management
        2. Permissions Management
        3. Network Security and Controls
        4. Security Monitoring and Other General Controls
      4. Tools and Technology
        1. Network Vulnerability Scanners
        2. NMAP
        3. Malware Detection Tools
        4. Tools for Validating Password Strength
        5. Host-Based Vulnerability Scanners
        6. Shell/Awk/etc
      5. Knowledge Base
      6. Master Checklists
    7. Chapter 9 Auditing Web Servers and Web Applications
      1. Background
      2. Web Auditing Essentials
        1. One Audit with Multiple Components
      3. Part 1: Test Steps for Auditing the Host Operating System
      4. Part 2: Test Steps for Auditing Web Servers
      5. Part 3: Test Steps for Auditing Web Applications
        1. Additional Steps for Auditing Web Applications
      6. Tools and Technology
      7. Knowledge Base
      8. Master Checklists
    8. Chapter 10 Auditing Databases
      1. Background
      2. Database Auditing Essentials
        1. Common Database Vendors
        2. Database Components
        3. NoSQL Database Systems
      3. Test Steps for Auditing Databases
        1. Initial Steps
        2. Operating System Security
        3. Account Management
        4. Permissions Management
        5. Data Encryption
        6. Security Log Monitoring and Management
      4. Tools and Technology
        1. Auditing Tools
        2. Monitoring Tools
        3. Encryption Tools
      5. Knowledge Base
      6. Master Checklist
    9. Chapter 11 Auditing Big Data and Data Repositories
      1. Background
      2. Big Data and Data Repository Auditing Essentials
      3. Test Steps for Auditing Big Data and Data Repositories
      4. Knowledge Base
      5. Master Checklist
    10. Chapter 12 Auditing Storage
      1. Background
      2. Storage Auditing Essentials
        1. Key Storage Components
        2. Key Storage Concepts
      3. Test Steps for Auditing Storage
        1. Initial Steps
        2. Account Management
        3. Storage Management
        4. Encryption and Permissions Management
        5. Security Monitoring and Other General Controls
      4. Knowledge Base
      5. Master Checklists
    11. Chapter 13 Auditing Virtualized Environments
      1. Background
        1. Commercial and Open-Source Projects
      2. Virtualization Auditing Essentials
      3. Test Steps for Auditing Virtualization
        1. Initial Steps
        2. Account Management and Resource Provisioning/Deprovisioning
        3. Virtual Environment Management
        4. Security Monitoring and Additional Security Controls
      4. Knowledge Base
        1. Hypervisors
        2. Tools
      5. Master Checklists
    12. Chapter 14 Auditing End-User Computing Devices
      1. Background
      2. Part 1: Auditing Windows and Mac Client Systems
        1. Windows and Mac Auditing Essentials
        2. Test Steps for Auditing Windows and Mac Client Systems
        3. Tools and Technology
        4. Knowledge Base
      3. Part 2: Auditing Mobile Devices
        1. Mobile Device Auditing Essentials
        2. Test Steps for Auditing Mobile Devices
        3. Additional Considerations
      4. Tools and Technology
      5. Knowledge Base
      6. Master Checklists
    13. Chapter 15 Auditing Applications
      1. Background
      2. Application Auditing Essentials
      3. Test Steps for Auditing Applications
        1. Input Controls
        2. Interface Controls
        3. Audit Trails and Security Monitoring
        4. Account Management
        5. Permissions Management
        6. Software Change Controls
        7. Backup and Recovery
        8. Data Retention and Classification and User Involvement
        9. Operating System, Database, and Other Infrastructure Controls
      4. Master Checklists
    14. Chapter 16 Auditing Cloud Computing and Outsourced Operations
      1. Background
      2. Cloud Computing and Outsourced Operations Auditing Essentials
        1. IT Systems, Software, and Infrastructure Outsourcing
        2. IT Service Outsourcing
        3. Other Considerations for IT Service Outsourcing
        4. Third-Party Reports and Certifications
      3. Test Steps for Auditing Cloud Computing and Outsourced Operations
        1. Initial Steps
        2. Vendor Selection and Contracts
        3. Account Management and Data Security
        4. Operations and Governance
        5. Legal Concerns and Regulatory Compliance
      4. Tools and Technology
      5. Knowledge Base
      6. Master Checklist
    15. Chapter 17 Auditing Company Projects
      1. Background
      2. Project Auditing Essentials
        1. High-Level Goals of a Project Audit
        2. Basic Approaches to Project Auditing
        3. Waterfall and Agile Software Development Methodologies
        4. Seven Major Parts of a Project Audit
      3. Test Steps for Auditing Company Projects
        1. Overall Project Management
        2. Project Startup, Requirements Gathering, and Initial Design
        3. Detailed Design and System Development
        4. Testing
        5. Implementation
        6. Training
        7. Project Wrap-Up
      4. Knowledge Base
      5. Master Checklists
    16. Chapter 18 Auditing New/Other Technologies
      1. Background
      2. New/Other Technology Auditing Essentials
        1. Generalized Frameworks
        2. Best Practices
      3. Test Steps for Auditing New and Other Technologies
        1. Initial Steps
        2. Account Management
        3. Permissions Management
        4. Network Security and Controls
        5. Security Monitoring and Other General Controls
      4. Master Checklists
  11. Part III Frameworks, Standards, Regulations, and Risk Management
    1. Chapter 19 Frameworks and Standards
      1. Introduction to Internal IT Controls, Frameworks, and Standards
      2. COSO
        1. COSO Definition of Internal Control
        2. Key Concepts of Internal Control
        3. Internal Control–Integrated Framework
        4. Enterprise Risk Management–Integrated Framework
        5. Relationship Between Internal Control and Enterprise Risk Management Publications
      3. IT Governance
        1. IT Governance Maturity Model
      4. COBIT
      5. ITIL
        1. ITIL Concepts
      6. ISO 27001
        1. ISO 27001 Concepts
      7. NIST Cyber Security Framework
      8. NSA INFOSEC Assessment Methodology
        1. NSA INFOSEC Assessment Methodology Concepts
        2. Pre-assessment Phase
        3. Onsite Activities Phase
        4. Post-assessment Phase
      9. Frameworks and Standards Trends
        1. Knowledge Base
    2. Chapter 20 Regulations
      1. An Introduction to Legislation Related to Internal Controls
        1. Regulatory Impact on IT Audits
        2. History of Corporate Financial Regulation
      2. The Sarbanes-Oxley Act of 2002
        1. SOX’s Impact on Public Corporations
        2. Core Points of the SOX Act
        3. SOX’s Impact on IT Departments
        4. SOX Considerations for Companies with Multiple Locations
        5. Impact of Third-Party Services on SOX Compliance
        6. Specific IT Controls Required for SOX Compliance
        7. The Financial Impact of SOX Compliance on Companies
      3. Gramm-Leach-Bliley Act
        1. GLBA Requirements
        2. Federal Financial Institutions Examination Council
      4. General Data Protection Regulation
      5. Additional Privacy Regulations
        1. California Security Breach Information Act (SB 1386)
        2. California Consumer Privacy Act
        3. Canadian Personal Information Protection and Electronic Documentation Act
        4. Privacy Law Trends
      6. Health Insurance Portability and Accountability Act
        1. HIPAA Privacy and Security Rules
        2. The HITECH Act
        3. HIPAA’s Impact on Covered Entities
      7. EU Commission and Basel II
        1. Basel II Capital Accord
      8. Payment Card Industry Data Security Standard
        1. PCI Impact on the Payment Card Industry
      9. Other Regulatory Trends
        1. Knowledge Base
    3. Chapter 21 Risk Management
      1. Benefits of Risk Management
      2. Risk Management from an Executive Perspective
        1. Quantitative vs. Qualitative Risk Analysis
      3. Quantitative Risk Analysis
        1. Elements of Risk
        2. Practical Application
        3. Addressing Risk
        4. Common Causes for Inaccuracies
        5. Quantitative Risk Analysis in Practice
      4. Qualitative Risk Analysis
      5. IT Risk Management Life Cycle
        1. Phase 1: Identify Information Assets
        2. Phase 2: Quantify and Qualify Threats
        3. Phase 3: Assess Vulnerabilities
        4. Phase 4: Remediate Control Gaps
        5. Phase 5: Manage Residual Risk
      6. Third-Party Risk
        1. Risk Identification
        2. Risk Assessment
        3. Remediation
        4. Monitoring and Reporting
      7. Summary of Formulas
        1. Knowledge Base
  12. Index

Product information

  • Title: IT Auditing Using Controls to Protect Information Assets, Third Edition, 3rd Edition
  • Author(s): Mike Kegerreis, Mike Schiller, Chris Davis
  • Release date: October 2019
  • Publisher(s): McGraw-Hill
  • ISBN: 9781260453232