Wilmington University Foundation of Good Compliance and Governance Summary


Thrfg0910

Computer Science

Wilmington University

Description

Writing Requirements

  • 2 pages in length (excluding abstract, cover page, and reference list)
  • At least 3 cited sources
  • Please make sure to credit all of your sources; no plagiarism! If you fail to credit your sources, you will get no points and no chance to redo
  • APA format

Unformatted Attachment Preview

Auditing IT Infrastructures for Compliance
Chapter 5: Planning an IT Infrastructure Audit for Compliance
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.

Learning Objective
  • Describe the components and basic requirements for creating an audit plan to support business and system considerations.

Key Concepts
  • Identifying key building blocks and critical requirements of an audit
  • Identifying critical security control points and assessing information technology (IT) security
  • Obtaining information through documentation and resources
  • Organizing the IT security policy
  • Analyzing best practices for testing and monitoring

DISCOVER: CONCEPTS

Defining the Scope, Objectives, Goals, and Frequency of an Audit
  • Scope: includes the area(s) to be reviewed and the time period
  • Goals: must be aligned with audit objectives
  • Objectives: should satisfy internal and external requirements
  • Frequency: every one, two, or three years

Resources in an IT Infrastructure
  • Data
  • Apps
  • Technology
  • Facilities
  • Personnel

Scope Restrictions: Negative Impacts of Scope Restrictions
  • Not providing enough resources
  • Withholding relevant records or evidence
  • Preventing the historical discovery of information about past incidents
  • Restricting the audit time frame
  • Limiting audit procedures

Security Control Points in an IT Infrastructure
  [Figure: security control points across the IT infrastructure]

DISCOVER: PROCESS

Enterprise Risk Management (ERM)
  • Align risk appetite and strategy
  • Enhance risk response decisions
  • Identify cross-enterprise risks
  • Seize opportunities
  • Reduce surprises and losses
  • Improve capital allocations

Threat Analysis
  • When undertaking a risk management plan, a complete threat analysis must be conducted.
  • Part of the risk assessment process requires an examination of those activities that represent danger.

Threat Analysis (Continued): Threat Identification
  • Adversarial
  • Accidental
  • Structural
  • Environmental

Vulnerability Identification Resources
  • Vulnerability lists and databases
  • Security advisories
  • Software and security analysis

Risk Assessment Analysis
  • Given the previous inputs, the final step is to determine the level of risk. When pairing threats and vulnerabilities, risk is determined primarily by three functions:
    - The likelihood of a threat exploiting a given vulnerability.
    - The impact on the organization if that threat against the vulnerability is achieved.
    - The sufficiency of controls to either eliminate or reduce the risk.

Risk Assessment Analysis (Continued)
  • There are always tradeoffs, and they include:
    - Cost: Are the costs of a control justified by the reduction of risk?
    - Operational impact: Does the control have an adverse effect on system performance?
    - Feasibility: Is the control technically feasible? Will the control be feasible for the end users?

DISCOVER: ROLES

Roles and Responsibilities
  • Senior managers
  • IT managers
  • IT auditors
  • Data owners
  • System administrators
  • Risk managers

DISCOVER: CONTEXTS

Information Security Policy Audit Framework
  [Figure: IT Security Policy Framework. Policies, standards, guidelines, and procedures each apply across technology, processes, and personnel.]

Information Security Policy Audit Framework (Continued)
  • Policies, standards, and guidelines may cross all domains of an IT infrastructure
  • The seven domains map across various high-level areas:
    - Access control
    - Operations management
    - More

Tools Used in the IT Audit Process
  • Electronic work papers
  • Project management software
  • Flowcharting software
  • Open issue tracking software
  • Audit department Web site
  • Others

DISCOVER: RATIONALE

IT Testing and Monitoring
  • The most important and beneficial elements of an IT security program.
  • Testing and monitoring must be conducted to know the controls are working.
  • All frameworks include a control objective for regularly assessing and monitoring IT systems and controls.

IT Testing and Monitoring (Continued)
  • Questions that must be answered are:
    - Is IT performance measured to detect problems before it is too late?
    - Does management ensure that internal controls are effective and efficient?
    - Can IT performance be linked back to business goals?
    - Are adequate confidentiality, integrity, and availability controls in place for information security?

Summary
  • Identifying key building blocks and critical requirements of an audit
  • Identifying critical security control points and assessing information technology (IT) security
  • Obtaining information through documentation and resources
  • Organizing the IT security policy
  • Analyzing best practices for testing and monitoring

Lab
  • Defining a Process for Gathering Information Pertaining to a HIPAA Compliance Audit

Auditing IT Infrastructures for Compliance
Chapter 6: Conducting an IT Infrastructure Audit for Compliance

Learning Objective
  • Describe the parameters required to conduct and report on an IT infrastructure audit for organizational compliance.

Key Concepts
  • Parameters for conducting an IT security audit
  • IT security controls and countermeasure gap analysis
  • Auditing in a layered fashion
  • The general procedure for conducting an IT security compliance audit
  • Tools used for conducting IT compliance audits

DISCOVER: CONCEPTS

Benefits of Audits
  • Audits sometimes reveal major risks or compliance gaps
  • Final reports may include recommendations supported by the audit findings. A recommendation:
    - Should be logically tied to a finding for which the problem has also been identified
    - Is more valuable to the organization when it is specific, sensible, and cost effective

Benefits of Audits (Continued)
  • The objective is to consider the processes and inputs up to this point and clearly communicate the following:
    - Recommended actions to lessen control weaknesses
    - Recommended actions to comply with applicable laws and regulations
    - Comparisons and gaps to standards and accepted frameworks, and recommendations to narrow the gap

Parameters for Conducting an IT Infrastructure Audit
  • An adequate plan
  • Baseline establishment
  • Identification of an acceptable level of risk across the organization
  • The presence of adequate controls or countermeasures

Minimum Acceptable Level of Risk and Security Baseline Definitions
  • Need to complete a risk assessment
  • Controls based on the level of risk to the organization
  • Organization-wide:
    - The control framework needs to be relative to the risk appetite of the organization
  • Seven domains of a typical IT infrastructure. Consider:
    - Value and importance of data
    - Risks to the IT infrastructure
    - Level of expected quality of service

Balancing Controls with Risk
  [Figure: controls balanced against risk]

Gap Analysis
  [Figure: gap analysis]

DISCOVER: PROCESS

Layered Audit
  • A layered audit approach is necessary when systems span across the domains of an IT infrastructure
  • Predominant in audits:
    - Of a particular process
    - An external audit of financial reporting controls

Layered Audit (Continued)
  • Organizational financial systems can:
    - Span multiple IT infrastructure domains
    - Include third-party providers such as payroll service providers
  • The auditor has to verify:
    - Controls for the process
    - The infrastructure the process uses

IT Infrastructure Compliance Audit Procedure
  • Step 1: Complete security assessment
  • Step 2: Complete IT security audit
  • Step 3: Use automated audit reporting tools
  • Step 4: Review configurations and implement or change compliance requirements based on findings

IT Infrastructure Compliance Audit Procedure (Continued)
  • Step 5: Perform additional testing and monitoring to verify and validate
  • Step 6: Implement security controls and countermeasures
  • Step 7: Produce new baseline

DISCOVER: ROLES

Reviewing Configurations and Implementations in Compliance
  • Security configuration management (SCM)
  • Configuration management is made up of:
    - Configuration change control board
    - Baseline configuration management
    - Configuration change control
    - Configuration monitoring and auditing
  • Most data about systems is contained within a configuration management database (CMDB)

DISCOVER: CONTEXTS

Tools for Identifying Security Weaknesses
  • Network scan: provides information pertaining to the environment
  • Vulnerability scan: provides the fundamental process for managing vulnerabilities
  • Penetration test: provides a hands-on assessment using methods similar to what a real-world attacker might use

Summary
  • Parameters for conducting an IT security audit
  • IT security controls and countermeasure gap analysis
  • Auditing in a layered fashion
  • The general procedure for conducting an IT security compliance audit
  • Tools used for conducting IT compliance audits

Lab
  • Aligning an IT Security Assessment (Risks, Threats, and Vulnerability) to Achieve Compliance

Explanation & Answer

Attached.


The Foundation of Good Compliance and Governance

Institutional Affiliation
Student Name
Course Name
Date

Abstract

Good compliance and governance are the most essential tools when it comes to a compliance company. Any company pursuing the success of its compliance program should ensure that it is in a position to assess the risks involved as well as control them. The organization can also ensure that the team players in the organization get to understand the whole point of having a compliance program. This might be through educating them on the same, as discussed below. Also, when undertaking compliance, the management should be on the same page as the compliance team. This will help when the organization wants to educate the other team players on the roles of compliance in the organization and the benefits it brings. This is as discussed below. Also, an organization needs to carry out a risk assessment so as to be able to identify which areas require resources. Since resources are scarce, the organization will know where to focus first so as to control any risk that may arise from the area.

The Foundation of Good Compliance and Governance

For a company's compliance program to be effective, the compliance process must be built on a strong foundation. This spans from the initial process of identifying the IT infrastructure to be used to the actual application of compliance. As every organiza...

