Imperial Library
Index
Cover Title Page Copyright Page Dedication About the Author Contents Acknowledgments Introduction
Part I Audit Overview
Chapter 1 Building an Effective Internal IT Audit Function
Why Are We Here? (The Internal Audit Department’s Mission) Independence: The Great Myth Adding Value Outside of Formal Audits Business Advisory Audits Four Methods for Business Advisory Audits
Early Involvement Informal Audits Knowledge Sharing Self-Assessments
Continuous Auditing
Final Thoughts on Adding Value Outside of Formal Audits
Relationship Building: Partnering vs. Policing
Learning to Build Partnerships
The Role of the IT Audit Team
Application Auditors (or Integrated Auditors) Data Extraction and Analysis Specialists IT Auditors
Forming and Maintaining an Effective IT Audit Team
Career IT Auditors IT Professionals Career IT Auditors vs. IT Professionals: Final Thoughts Co-sourcing
Maintaining Expertise
Sources of Learning
Relationship with External Auditors and Internal Assurance Functions Summary
Chapter 2 The Audit Process
Internal Controls
Types of Internal Controls Internal Control Examples
Determining What to Audit
Creating the Audit Universe Ranking the Audit Universe Determining What to Audit: Final Thoughts
The Stages of an Audit
Planning Fieldwork and Documentation Issue Discovery and Validation Solution Development Report Drafting and Issuance Issue Tracking
Standards Summary
Part II Auditing Techniques
Chapter 3 Auditing Entity-Level Controls
Background Test Steps for Auditing Entity-Level Controls Knowledge Base Master Checklist
Chapter 4 Auditing Cybersecurity Programs
Background Steps for Auditing Cybersecurity Programs Knowledge Base Master Checklist
Chapter 5 Auditing Data Centers and Disaster Recovery
Background Data Center Auditing Essentials
Physical Security and Environmental Controls System and Site Resiliency Data Center Operations Disaster Preparedness
Test Steps for Auditing Data Centers
Neighborhood and External Risk Factors Physical Access Controls Environmental Controls Power and Electricity Fire Suppression Data Center Operations System Resiliency Data Backup and Restoration Disaster Recovery Planning Knowledge Base Master Checklists
Chapter 6 Auditing Networking Devices
Background Network Auditing Essentials
Protocols OSI Model Routers and Switches LANs, VLANs, WANs, and WLANs Firewalls
Auditing Switches, Routers, and Firewalls
General Network Equipment Audit Steps Additional Switch Controls: Layer 2 Additional Router Controls: Layer 3 Additional Firewall Controls Additional Controls for Wireless Network Gear
Tools and Technology Knowledge Base Master Checklists
Chapter 7 Auditing Windows Servers
Background Windows Auditing Essentials
Command-Line Tips Essential Command-Line Tools Common Commands Server Administration Tools Performing the Audit
Test Steps for Auditing Windows
Initial Steps Account Management Permissions Management Network Security and Controls Security Monitoring and Other General Controls
Tools and Technology Knowledge Base Master Checklist
Chapter 8 Auditing Unix and Linux Operating Systems
Background Unix and Linux Auditing Essentials
Key Concepts File System Layout and Navigation File System Permissions Users and Authentication Network Services
Test Steps for Auditing Unix and Linux
Account Management Permissions Management Network Security and Controls Security Monitoring and Other General Controls
Tools and Technology
Network Vulnerability Scanners NMAP Malware Detection Tools Tools for Validating Password Strength Host-Based Vulnerability Scanners Shell/Awk/etc
Knowledge Base Master Checklists
Chapter 9 Auditing Web Servers and Web Applications
Background Web Auditing Essentials
One Audit with Multiple Components
Part 1: Test Steps for Auditing the Host Operating System Part 2: Test Steps for Auditing Web Servers Part 3: Test Steps for Auditing Web Applications
Additional Steps for Auditing Web Applications
Tools and Technology Knowledge Base Master Checklists
Chapter 10 Auditing Databases
Background Database Auditing Essentials
Common Database Vendors Database Components NoSQL Database Systems
Test Steps for Auditing Databases
Initial Steps Operating System Security Account Management Permissions Management Data Encryption Security Log Monitoring and Management
Tools and Technology
Auditing Tools Monitoring Tools Encryption Tools
Knowledge Base Master Checklist
Chapter 11 Auditing Big Data and Data Repositories
Background Big Data and Data Repository Auditing Essentials Test Steps for Auditing Big Data and Data Repositories Knowledge Base Master Checklist
Chapter 12 Auditing Storage
Background Storage Auditing Essentials
Key Storage Components Key Storage Concepts
Test Steps for Auditing Storage
Initial Steps Account Management Storage Management Encryption and Permissions Management Security Monitoring and Other General Controls
Knowledge Base Master Checklists
Chapter 13 Auditing Virtualized Environments
Background
Commercial and Open-Source Projects
Virtualization Auditing Essentials Test Steps for Auditing Virtualization
Initial Steps Account Management and Resource Provisioning/Deprovisioning Virtual Environment Management Security Monitoring and Additional Security Controls
Knowledge Base
Hypervisors Tools
Master Checklists
Chapter 14 Auditing End-User Computing Devices
Background Part 1: Auditing Windows and Mac Client Systems
Windows and Mac Auditing Essentials Test Steps for Auditing Windows and Mac Client Systems Tools and Technology Knowledge Base
Part 2: Auditing Mobile Devices
Mobile Device Auditing Essentials Test Steps for Auditing Mobile Devices Additional Considerations
Tools and Technology Knowledge Base Master Checklists
Chapter 15 Auditing Applications
Background Application Auditing Essentials Test Steps for Auditing Applications
Input Controls Interface Controls Audit Trails and Security Monitoring Account Management Permissions Management Software Change Controls Backup and Recovery Data Retention and Classification and User Involvement Operating System, Database, and Other Infrastructure Controls
Master Checklists
Chapter 16 Auditing Cloud Computing and Outsourced Operations
Background Cloud Computing and Outsourced Operations Auditing Essentials
IT Systems, Software, and Infrastructure Outsourcing IT Service Outsourcing Other Considerations for IT Service Outsourcing Third-Party Reports and Certifications
Test Steps for Auditing Cloud Computing and Outsourced Operations
Initial Steps Vendor Selection and Contracts Account Management and Data Security Operations and Governance Legal Concerns and Regulatory Compliance
Tools and Technology Knowledge Base Master Checklist
Chapter 17 Auditing Company Projects
Background Project Auditing Essentials
High-Level Goals of a Project Audit Basic Approaches to Project Auditing Waterfall and Agile Software Development Methodologies Seven Major Parts of a Project Audit
Test Steps for Auditing Company Projects
Overall Project Management Project Startup, Requirements Gathering, and Initial Design Detailed Design and System Development Testing Implementation Training Project Wrap-Up
Knowledge Base Master Checklists
Chapter 18 Auditing New/Other Technologies
Background New/Other Technology Auditing Essentials
Generalized Frameworks Best Practices
Test Steps for Auditing New and Other Technologies
Initial Steps Account Management Permissions Management Network Security and Controls Security Monitoring and Other General Controls
Master Checklists
Part III Frameworks, Standards, Regulations, and Risk Management
Chapter 19 Frameworks and Standards
Introduction to Internal IT Controls, Frameworks, and Standards COSO
COSO Definition of Internal Control Key Concepts of Internal Control Internal Control–Integrated Framework Enterprise Risk Management–Integrated Framework Relationship Between Internal Control and Enterprise Risk Management Publications
IT Governance
IT Governance Maturity Model
COBIT ITIL
ITIL Concepts
ISO 27001
ISO 27001 Concepts
NIST Cyber Security Framework NSA INFOSEC Assessment Methodology
NSA INFOSEC Assessment Methodology Concepts Pre-assessment Phase Onsite Activities Phase Post-assessment Phase
Frameworks and Standards Trends
Knowledge Base
Chapter 20 Regulations
An Introduction to Legislation Related to Internal Controls
Regulatory Impact on IT Audits History of Corporate Financial Regulation
The Sarbanes-Oxley Act of 2002
SOX’s Impact on Public Corporations Core Points of the SOX Act SOX’s Impact on IT Departments SOX Considerations for Companies with Multiple Locations Impact of Third-Party Services on SOX Compliance Specific IT Controls Required for SOX Compliance The Financial Impact of SOX Compliance on Companies
Gramm-Leach-Bliley Act
GLBA Requirements Federal Financial Institutions Examination Council
General Data Protection Regulation Additional Privacy Regulations
California Security Breach Information Act (SB 1386) California Consumer Privacy Act Canadian Personal Information Protection and Electronic Documentation Act Privacy Law Trends
Health Insurance Portability and Accountability Act
HIPAA Privacy and Security Rules The HITECH Act HIPAA’s Impact on Covered Entities
EU Commission and Basel II
Basel II Capital Accord
Payment Card Industry Data Security Standard
PCI Impact on the Payment Card Industry
Other Regulatory Trends
Knowledge Base
Chapter 21 Risk Management
Benefits of Risk Management Risk Management from an Executive Perspective
Quantitative vs. Qualitative Risk Analysis
Quantitative Risk Analysis
Elements of Risk Practical Application Addressing Risk Common Causes for Inaccuracies Quantitative Risk Analysis in Practice
Qualitative Risk Analysis IT Risk Management Life Cycle
Phase 1: Identify Information Assets Phase 2: Quantify and Qualify Threats Phase 3: Assess Vulnerabilities Phase 4: Remediate Control Gaps Phase 5: Manage Residual Risk
Third-Party Risk
Risk Identification Risk Assessment Remediation Monitoring and Reporting
Summary of Formulas
Knowledge Base
Index