Auditing IT Infrastructures for
Compliance
Chapter 5
Planning an IT Infrastructure
Audit for Compliance
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the components and basic requirements for creating an audit plan to support business and system considerations.
Key Concepts
Identifying key building blocks and critical requirements of an audit
Identifying critical security control points and assessing information technology (IT) security
Obtaining information through documentation and resources
Organizing the IT security policy
Analyzing best practices for testing and monitoring
DISCOVER: CONCEPTS
Defining the Scope, Objectives, Goals, and Frequency of an Audit
Scope
• Includes area(s) to be reviewed and the time period
Goals
• Must be aligned with audit objectives
Objectives
• Should satisfy internal and external requirements
Frequency
• Is every one, two, or three years
Resources in an IT Infrastructure
Data
Apps
Technology
Facilities
Personnel
Scope Restrictions
Negative Impacts of Scope Restrictions
• Not providing enough resources
• Withholding relevant records or evidence
• Preventing the discovery of information about past incidents
• Restricting historical audit time frame
• Limiting the audit procedures
Security Control Points in an IT Infrastructure
DISCOVER: PROCESS
Enterprise Risk Management (ERM)
• Align risk appetite and strategy
• Enhance risk response decisions
• Identify cross-enterprise risks
• Seize opportunities
• Reduce surprises and losses
• Improve capital allocations
Threat Analysis
When undertaking a risk management plan, a complete threat analysis must be conducted.
Part of the risk assessment process requires an examination of those activities that represent danger.
Threat Analysis (Continued)
Threat Identification
• Adversarial
• Accidental
• Structural
• Environmental
Vulnerability Identification
Resources
Vulnerability lists and databases
Security advisories
Software and security analysis
Risk Assessment Analysis
Given the previous inputs, the final step is to determine the level of risk. When pairing threats and vulnerabilities, risk is determined primarily by three factors:
• The likelihood that a threat will exploit a given vulnerability.
• The impact on the organization if that threat against the vulnerability is achieved.
• The sufficiency of controls to either eliminate or reduce the risk.
Risk Assessment Analysis (Continued)
There are always tradeoffs, and they include:
• Cost: Are the costs of a control justified by the reduction of risk?
• Operational impact: Does the control have an adverse effect on system performance?
• Feasibility: Is the control technically feasible? Will the control be feasible for the end users?
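A worked version of the three risk factors and the cost tradeoff above, added here as an example and not taken from the textbook or its publisher; the 1-5 rating scales, the risk-appetite threshold, the cost rule of thumb and the sample register are all assumptions.

```python
"""Risk-assessment worksheet: pair threats with vulnerabilities, rate inherent
risk from likelihood and impact, credit control sufficiency, and flag what is
still above the organization's risk appetite. Sample data is constructed."""
from dataclasses import dataclass

RISK_APPETITE = 8.0  # assumed: residual scores above this need a recommendation


@dataclass(frozen=True)
class Pairing:
    threat: str                 # adversarial, accidental, structural or environmental
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain) the threat exploits it
    impact: int                 # 1 (negligible) .. 5 (severe) if the threat succeeds
    control_sufficiency: float  # 0.0 (no control) .. 1.0 (eliminates the risk)
    control_cost: float         # assumed cost of the control, in risk-score units

def inherent_risk(p: Pairing) -> int:
    """Likelihood x impact before any control is credited."""
    if not (1 <= p.likelihood <= 5 and 1 <= p.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return p.likelihood * p.impact

def residual_risk(p: Pairing) -> float:
    """Risk remaining after the control reduces (or eliminates) the exposure."""
    if not 0.0 <= p.control_sufficiency <= 1.0:
        raise ValueError("control_sufficiency must be between 0 and 1")
    return round(inherent_risk(p) * (1.0 - p.control_sufficiency), 2)

def cost_justified(p: Pairing) -> bool:
    """Cost tradeoff (assumed rule): justified when the control costs no more than the risk it removes."""
    reduction = inherent_risk(p) - residual_risk(p)
    return reduction > 0 and p.control_cost <= reduction

def assess(register: list) -> list:
    """One finding per pairing, highest residual risk first."""
    rows = [{"threat": p.threat, "vulnerability": p.vulnerability,
             "inherent": inherent_risk(p), "residual": residual_risk(p),
             "above_appetite": residual_risk(p) > RISK_APPETITE,
             "control_cost_justified": cost_justified(p)} for p in register]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Constructed sample register covering three of the slide's four threat classes.
REGISTER = [
    Pairing("adversarial: phishing of help desk", "no MFA on remote access", 4, 5, 0.5, 5),
    Pairing("environmental: utility power failure", "single power feed", 2, 4, 0.75, 3),
    Pairing("accidental: admin misconfiguration", "no change control", 3, 3, 0.0, 0),
]

if __name__ == "__main__":
    print(*assess(REGISTER), sep="\n")
```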
DISCOVER: ROLES
Roles and Responsibilities
• Senior managers
• IT managers
• IT auditors
• Data owners
• System administrators
• Risk managers
DISCOVER: CONTEXTS
Information Security Policy Audit Framework
IT Security Policy Framework
• Policies, standards, guidelines, and procedures
• Each of the four is applied to technology, processes, and personnel
Information Security Policy Audit Framework (Continued)
Policies, standards, and guidelines may cross all domains of an IT infrastructure
The seven domains map across various high-level areas:
• Access control
• Operations management
• More
Tools Used in the IT Audit Process
Electronic work papers
Project management software
Flowcharting software
Open issue tracking software
Audit department Web site
Others
DISCOVER: RATIONALE
IT Testing and Monitoring
Testing and monitoring are the most important and beneficial elements of an IT security program.
Testing and monitoring must be conducted to know that the controls are working.
All frameworks include a control objective for regularly assessing and monitoring IT systems and controls.
IT Testing and Monitoring (Continued)
Questions that must be answered are:
• Is IT performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are adequate confidentiality, integrity, and availability controls in place for information security?
Summary
Identifying key building blocks and critical requirements of an audit
Identifying critical security control points and assessing information technology (IT) security
Obtaining information through documentation and resources
Organizing the IT security policy
Analyzing best practices for testing and monitoring
Lab
Defining a Process for Gathering Information Pertaining to a HIPAA Compliance Audit
Auditing IT Infrastructures for
Compliance
Chapter 6
Conducting an IT Infrastructure Audit for Compliance
Learning Objective
Describe the parameters required to conduct and report on an IT infrastructure audit for organizational compliance.
Key Concepts
Parameters for conducting an IT security audit
IT security controls and countermeasure gap analysis
Auditing in a layered fashion
The general procedure for conducting an IT security compliance audit
Tools used for conducting IT compliance audits
DISCOVER: CONCEPTS
Benefits of Audits
Audits sometimes reveal major risks or compliance gaps
Final reports may include recommendations supported by the audit findings:
• Should be logically tied to a finding for which the problem has also been identified
• Is more valuable to the organization when it is specific, sensible, and cost effective
Benefits of Audits (Continued)
Objective is to consider the processes and inputs up to this point and clearly communicate the following:
• Recommended actions to lessen control weaknesses
• Recommended actions to comply with applicable laws and regulations
• Comparisons and gaps to standards and accepted frameworks, and recommendations to narrow the gap
Parameters for Conducting an IT Infrastructure Audit
An adequate plan
Baseline establishment
Identification of an acceptable level of risk across the organization
The presence of adequate controls or countermeasures
Minimum Acceptable Level of Risk and Security Baseline Definitions
Need to complete risk assessment
Controls based on level of risk to the organization
Organization-wide
• Control framework needs to be relative to the risk appetite of the organization
Seven domains of a typical IT infrastructure
• Consider:
- Value and importance of data
- Risks to IT infrastructure
- Level of expected quality of service
Balancing Controls with Risk
(Diagram: controls weighed against risk on a balance scale)
Gap Analysis
DISCOVER: PROCESS
Layered Audit
A layered audit approach is necessary when systems span across the domains of an IT infrastructure
Predominant in audits:
• Of a particular process
• An external audit of financial reporting controls
Layered Audit (Continued)
Organizational financial systems can:
• Span multiple IT infrastructure domains
• Include third-party providers such as payroll service providers
Auditor has to verify:
• Controls for the process
• Infrastructure the process uses
IT Infrastructure Compliance Audit Procedure
Step 1: Complete security assessment
Step 2: Complete IT security audit
Step 3: Use automated audit reporting tools
Step 4: Review configurations and implement or change compliance requirements based on findings
IT Infrastructure Compliance Audit Procedure (Continued)
Step 5: Perform additional testing and monitoring to verify and validate
Step 6: Implement security controls and countermeasures
Step 7: Produce new baseline
DISCOVER: ROLES
Reviewing Configurations and Implementations in Compliance
Security configuration management (SCM)
Configuration management is made up of:
• Configuration change control board
• Baseline configuration management
• Configuration change control
• Configuration monitoring and auditing
Most data about systems is contained within a configuration management database (CMDB)
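The configuration-review and new-baseline steps of the audit procedure (Steps 4 and 7) together with the baseline configuration management element above, worked as a small gap-analysis script. This is an added example, not the textbook's or any CMDB product's code; the baseline, the host snapshot, the setting names and the control IDs are constructed sample data.

```python
"""Gap analysis between a security baseline and one host's current configuration,
the automated reporting step an auditor would run before writing findings.
Baseline, snapshot, setting names and control IDs are constructed samples."""
from dataclasses import dataclass

# Constructed baseline: setting -> (expected value, control it satisfies)
BASELINE = {
    "ssh.PasswordAuthentication": ("no", "AC-1"),
    "ssh.PermitRootLogin": ("no", "AC-2"),
    "audit.log_retention_days": (365, "AU-1"),
    "tls.min_version": ("1.2", "SC-1"),
}

# Constructed snapshot of one host, as it might be exported from a CMDB
SNAPSHOT = {
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "no",
    "audit.log_retention_days": 90,
    "ntp.enabled": True,  # not in baseline: undocumented drift, not a control gap
}

@dataclass(frozen=True)
class Gap:
    setting: str
    control: str
    expected: object
    actual: object  # None means the setting is absent from the snapshot

def gap_analysis(baseline: dict, snapshot: dict) -> list:
    """Every baseline setting whose actual value is missing or differs is a gap."""
    gaps = []
    for setting, (expected, control) in baseline.items():
        actual = snapshot.get(setting)
        if actual != expected:
            gaps.append(Gap(setting, control, expected, actual))
    return gaps

def undocumented(baseline: dict, snapshot: dict) -> list:
    """Settings present on the host that the baseline does not cover (CMDB drift)."""
    return sorted(k for k in snapshot if k not in baseline)

def coverage(baseline: dict, snapshot: dict) -> float:
    """Share of baseline settings satisfied, the figure a report would headline."""
    return round(1 - len(gap_analysis(baseline, snapshot)) / len(baseline), 2)

def new_baseline(baseline: dict, approved: dict) -> dict:
    """Step 7: fold values approved through change control into a fresh baseline."""
    return {k: (approved.get(k, v[0]), v[1]) for k, v in baseline.items()}
```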
DISCOVER: CONTEXTS
Tools for Identifying Security Weaknesses
Network scan provides information pertaining to the environment
Vulnerability scan provides the fundamental process for managing vulnerabilities
Penetration test provides a hands-on assessment using methods similar to what a real-world attacker might use
Summary
Parameters for conducting an IT security audit
IT security controls and countermeasure gap analysis
Auditing in a layered fashion
The general procedure for conducting an IT security compliance audit
Tools used for conducting IT compliance audits
Lab
Aligning an IT Security Assessment—Risks, Threats, and Vulnerability—to Achieve Compliance