Wilmington University Auditing IT Infrastructure for Compliance Summary Paper

Thrfg0910

Computer Science

Wilmington University

Description

Draft Writing Requirements

  • 2 pages in length (excluding abstract, cover page, and reference list)
  • At least 3 cited sources
  • Please make sure to credit all of your sources; no plagiarism! If you fail to credit your sources, you will get no points and no chance to redo
  • APA format

Unformatted Attachment Preview

Auditing IT Infrastructures for Compliance, Chapter 14: Compliance Within the System/Application Domain
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company, www.jblearning.com. All rights reserved.

Learning Objective
  • Describe information security systems compliance requirements within the seven domains of an IT infrastructure.

Page 2: Key Concepts
  • How compliance law requirements relate to business drivers for the System/Application Domain
  • Devices and components found in the System/Application Domain
  • Application traffic and performance issues, and how to maximize confidentiality, integrity, and availability (C-I-A) for the System/Application Domain
  • System/Application Domain policies, standards, procedures, and guidelines
  • Best practices for System/Application Domain compliance

Page 3: DISCOVER: CONCEPTS

Page 4: System/Application Domain

Page 5: Business Drivers and Compliance
The System/Application Domain:
  • Provides the environment for distributed applications to run
  • Centralizes core business functions
  • Supports productivity
  • Allows for sharing and collaboration

Page 6: Business Drivers and Compliance
  • Data must be protected
  • Faulty application code presents security holes
  • Lax access controls result in vulnerabilities
  • Centralization increases security

Page 7: Computers in the System/Application Domain
  • Server computers
  • Minicomputers
  • Mainframe computers

Page 8: More Devices in the System/Application Domain
Data storage devices:
  • Storage area network (SAN)
Application source code:
  • Programmers create text files for programs called source code
  • Source code files are compiled into programs
  • Data storage
  • Data access
  • Business logic
  • User interface
Databases and privacy data:
  • Should be the center of security control efforts
  • Restrict access to the sensitive data in the database
  • Use the controls provided by the database management system

Page 9: System/Application Domain Devices in Context

Page 10: Access Controls
  • Protect confidentiality and integrity of data
  • The operating system enforces the controls

Page 11: General Attack Method
  • Access data
  • Steal or delete data
  • Boot computer

Page 12: Vulnerability and Change Management
  • Applications and the operating system are susceptible to software vulnerabilities
  • Patch management "patches" vulnerabilities
  • If you know about a vulnerability, chances are an attacker knows about it, too.

Page 13: Software Configuration Management (SCM)
  1. Development occurs on a separate server from production
  2. Developer completes software changes
  3. Changes are moved to an isolated testing and quality assurance (QA) environment
  4. Testing/QA tests the software to ensure requirements compliance
  5. Approved changes are moved to production

Page 14: DISCOVER: PROCESS

Page 15: Performance Monitoring Tool Selection
  • High level of monitoring and analysis
  • Should provide proactive monitoring
  • Should alert the administrator to issues

Page 16: Performance Monitoring and Application Traffic
  1. Set thresholds for alerts
  2. Sample data traffic
  3. Analyze packets
  4. Readjust thresholds

Page 17: DISCOVER: ROLES

Page 18: Role of Encryption in the System/Application Domain
  • File encryption
  • Folder/directory encryption
  • Volume/drive encryption
  • Application encryption
  • Database encryption
  • Backup encryption

Page 19: DISCOVER: RATIONALE

Page 20: Best Practices for Compliance Requirements
  • Establish physical controls to protect the data center.
  • Use at least one firewall to limit network traffic from other domains to only authorized traffic.
  • Use network access control (NAC) devices to restrict computers and other devices from connecting to System/Application Domain components.

Page 21: Best Practices for Compliance Requirements (Cont.)
  • Connect critical server computers using high-speed network media.
  • Define user- or group-based access controls for each computer in the domain.
  • Use application-defined access controls to limit access to data.

Page 22: Best Practices for Compliance Requirements (Cont.)
  • Allow low-privilege users to establish connections only between the Internet-facing servers in the demilitarized zone (DMZ) and System/Application Domain servers.
  • Allow only escalated-privilege user connections that originate from protected Web servers where users can connect only by using a secure VPN.

Page 23: Best Practices for Compliance Requirements (Cont.)
  • Update operating systems frequently with the latest security patches on all computers.
  • Update all application software frequently with the latest security patches.
  • Follow best practices of software development or software modification.

Page 24: Best Practices for Compliance Requirements (Cont.)
  • Create a BCP and DRP.
    • Keep documents up to date
    • Test the BCP and DRP at least annually
  • Protect all backup media in transit and storage.
  • Ensure all backup media is encrypted.

Page 25: Best Practices for Compliance Requirements (Cont.)
  • Encrypt all sensitive data when it is stored on disks.
  • Use application-monitoring software to identify performance or availability issues.

Page 26: Summary
  • How compliance law requirements relate to business drivers for the System/Application Domain
  • Devices and components found in the System/Application Domain
  • Application traffic and performance issues, and how to maximize confidentiality, integrity, and availability (C-I-A) for the System/Application Domain
  • System/Application Domain policies, standards, procedures, and guidelines
  • Best practices for System/Application Domain compliance

Page 27: Lab
  • Auditing the System/Application Domain for Compliance

Auditing IT Infrastructures for Compliance, Chapter 13: Compliance Within the Remote Access Domain

Learning Objective
  • Describe information security systems compliance requirements within the seven domains of an IT infrastructure.

Page 2: Key Concepts
  • How compliance law requirements relate to business drivers for the Remote Access Domain
  • Devices and components found in the Remote Access Domain
  • VPN tunneling and performance, and validating Remote Access Domain configuration
  • Remote Access Domain policies, standards, procedures, and guidelines
  • Best practices for Remote Access Domain compliance

Page 3: DISCOVER: CONCEPTS

Page 4: Remote Access Domain

Page 5: Business Drivers and Compliance
  • Remote users require access to the internal network
  • The organization provides the remote access service
  • Secure data transmission is required by law, such as the Health Insurance Portability and Accountability Act (HIPAA)

Page 6: Components in the Remote Access Domain
  • Remote users
  • Remote workstations or laptops
  • Remote access controls and tools
  • Authentication servers: RADIUS, TACACS+
  • VPNs and encryption
  • Internet service provider (ISP) WAN connections
  • Broadband Internet service provider WAN connections

Page 7: Adhering to Policies, Standards, Procedures, and Guidelines
  • Each organization has different needs and uses different controls
  • Plans should address one or more C-I-A properties
  • Controls should support the organization's security policy

Page 8: Common Compliance Controls
Preventive:
  • Proxy server
  • Firewalls
  • User-based access controls for all resources
  • Configuration change control
Detective:
  • Performance monitoring
  • Traffic analysis
  • Configuration settings monitoring
  • Penetration testing
Corrective:
  • VPN/remote access component patching
  • Attack intervention
  • Business continuity planning (BCP)
  • Disaster recovery planning (DRP)

Page 9: VPN Tunneling Concepts
  • A VPN encrypts traffic transported through the VPN tunnel
  • Encryption is optional
  • The "private" part of VPN refers to private addressing and not data privacy
  • The administrator must identify and validate who is using remote access

Page 10: DISCOVER: PROCESS

Page 11: C-I-A Triad

Page 12: Maximizing C-I-A
  1. Verify that traffic is encrypted.
  2. Configure routers for IPSec encryption.
  3. Validate packet encryption.
  4. Schedule regular check-ups.

Page 13: VPN Monitoring
  • Creation of the VPN connection
  • Remote access connection
  • Remote computer logon

Page 14: Monitoring VPN Traffic
  1. Monitor data for modification in transit.
  2. Verify secure data transmission.
  3. Use a proxy filter.
  4. Log and review data.

Page 15: DISCOVER: ROLES

Page 16: Role of Remote Access Tools
  • Authorize users and nodes
  • Verify privacy settings
  • Monitor VPN performance
  • Change configuration settings
  • Add necessary controls for security
  • Maintain components of the recovery process
  • Add, change, and remove hardware components

Page 17: Role of Remote Access Tools

Page 18: DISCOVER: CONTEXTS

Page 19: Remote Access Domain Security Compliance
Three main areas of concern:
  • Client-side configuration
  • Server-side configuration
  • Configuration-management verification

Page 20: Remote Access Domain Security Compliance
  • Evaluate controls for coverage of C-I-A
  • Validate controls
  • Ensure data privacy

Page 21: Remote Access Domain Configuration Validation
Validate the following:
  • VPN client definition and access controls
  • TLS/VPN remote access via a Web browser
  • VPN configuration management

Page 22: DISCOVER: RATIONALE

Page 23: Best Practices for the Remote Access Domain
  • Map your proposed remote access architecture, including redundant and backup connections.
  • Install at least one firewall between your VPN endpoint and your internal network.
  • Select a VPN provider that your clients can easily access.

Page 24: Best Practices for the Remote Access Domain (Continued)
  • Use global user accounts whenever possible.
  • Use strong authentication for all user accounts.
  • Create a limited number of administrative accounts with permissions for remote administration.

Page 25: Best Practices for the Remote Access Domain (Continued)
  • Develop a backup and recovery plan for each component in the Remote Access Domain.
  • Implement frequent update procedures for all operating systems, applications, and network device software and firmware in the Remote Access Domain.
  • Monitor VPN traffic for performance and suspicious content.

Page 26: Best Practices for the Remote Access Domain (Continued)
  • Carefully control any configuration setting changes or physical changes to domain nodes.
  • Require encryption for all communication in the Remote Access Domain.
  • Enforce anti-malware minimum standards for all remote computers as well as server computers in the Remote Access Domain.

Page 27: Summary
  • How compliance law requirements relate to business drivers for the Remote Access Domain
  • Devices and components found in the Remote Access Domain
  • VPN tunneling and performance, and validating Remote Access Domain configuration
  • Remote Access Domain policies, standards, procedures, and guidelines
  • Best practices for Remote Access Domain compliance

Page 28: Lab
  • Auditing the Remote Access Domain for Compliance
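The four-step loop on the "Performance Monitoring and Application Traffic" slide (set thresholds, sample traffic, analyze, readjust thresholds) and the Remote Access Domain best practice "monitor VPN traffic for performance and suspicious content" can be turned into a small adaptive monitor. The code below is an added illustration, not material from the Jones and Bartlett slides; the per-minute byte counts are constructed, and the monitor analyzes volume only (packet-level analysis would be a separate step).

```python
"""Adaptive alert thresholds for sampled application/VPN traffic.

Added example, not from the Jones and Bartlett slides. It walks the
four-step loop (set thresholds, sample traffic, analyze, readjust
thresholds) over constructed per-minute byte counts as a VPN
concentrator might report them.
"""
from collections import deque
from statistics import mean, pstdev


class TrafficMonitor:
    """Sliding-baseline monitor: alerts when a sample exceeds
    mean + sigma * stdev of the most recent normal samples."""

    def __init__(self, initial_threshold, window=10, min_samples=4, sigma=3.0):
        # Step 1: the administrator sets a starting threshold (bytes/min)
        # that applies until enough clean samples exist for a baseline.
        self.threshold = float(initial_threshold)
        self.baseline = deque(maxlen=window)   # only non-alerting samples
        self.min_samples = min_samples
        self.sigma = sigma
        self.alerts = []

    def readjust(self):
        """Step 4: recompute the threshold from the clean baseline."""
        if len(self.baseline) >= self.min_samples:
            self.threshold = mean(self.baseline) + self.sigma * pstdev(self.baseline)
        return self.threshold

    def sample(self, minute, byte_count):
        """Steps 2 and 3: take one sample and analyze it.
        Returns an alert dict if the sample breached the threshold, else None."""
        if byte_count > self.threshold:
            alert = {"minute": minute, "bytes": byte_count,
                     "threshold": round(self.threshold, 2)}
            self.alerts.append(alert)
            # A breaching sample is kept out of the baseline so that a
            # burst cannot raise the threshold and hide itself.
            return alert
        self.baseline.append(byte_count)
        self.readjust()
        return None


# Constructed sample data: (minute, bytes per minute). Minute 6 is a
# burst far outside the normal 950-1100 range seen in the other minutes.
SAMPLES = [(1, 1000), (2, 1100), (3, 950), (4, 1050),
           (5, 1000), (6, 6000), (7, 1020), (8, 980)]


def run_monitor(samples=SAMPLES, initial_threshold=5000):
    """Feed samples through the monitor; return (alerts, final threshold)."""
    mon = TrafficMonitor(initial_threshold)
    for minute, byte_count in samples:
        mon.sample(minute, byte_count)
    return mon.alerts, mon.threshold


if __name__ == "__main__":
    alerts, threshold = run_monitor()
    for a in alerts:
        print(f"minute {a['minute']}: {a['bytes']} B/min exceeded {a['threshold']} B/min")
    print(f"threshold after readjustment: {threshold:.2f} B/min")
```

The manual starting threshold of 5000 is deliberately loose; once four clean samples exist the monitor tightens it to roughly 1170, which is what catches the minute-6 burst while the later normal minutes keep lowering it.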

Explanation & Answer

Kindly check

Auditing IT Infrastructure for Compliance

Institutional Affiliation
Student Name
Course Name
Date

Abstract

When planning and auditing compliance for IT infrastructure, the remote access domain is an important domain to take into consideration. This is because it will determine who accesses an organization's network system from the organization's external environment. Therefore, compliance laws that relate to business drivers for remote access domains need to be identified and formulated. The domain should also be configured to validate user access. The remote access domain policies, standards, guidelines, and procedures are crucial in this domain, and the auditing team for compliance should have this in mind. The application domain is also crucial since it contains most of the encryption and the databases as well. The tools used in this domain should be well selected to ensure that they achieve the requirements of the organization, as discussed below. Also, the policies set should be applicable, and they should serve their purpose. Backups in the domains should be well encrypted to ensure that they are accessed when required, like in cases of downtime, and accessed by authorized people.

Auditing IT Infra...
