PART ONE: The Need for Compliance

CHAPTER 1: The Need for Information Systems Compliance

  • What Is the Difference Between Information System and Information Security Compliance?

    • Difference Between Information System and Information Security
    • Auditing Information Security
  • What Is the Confidentiality, Integrity, and Availability (CIA) Triad?

  • What Is Compliance?

  • Why Are Governance and Compliance Important?

    • Case Study: Cetera and Cambridge
  • What If an Organization Does Not Comply with Compliance Laws?

CHAPTER 2: Overview of U.S. Compliance Laws

  • Introduction to Regulatory Requirements

  • Regulatory Acts of Congress

  • Federal Information Security Management Act

  • Red Flag Rules

  • Cybersecurity Information Sharing Act

  • Sarbanes-Oxley Act

  • Gramm-Leach-Bliley Act

  • Health Insurance Portability and Accountability Act

  • Children’s Internet Protection Act

  • Children’s Online Privacy Protection Act

  • California Consumer Privacy Act

  • Payment Card Industry Data Security Standard (PCI DSS)

CHAPTER 3: What Is the Scope of an IT Compliance Audit?

  • What Must Your Organization Do to Be in Compliance?

  • Business View on Compliance

  • Protecting and Securing Privacy Data

  • Designing and Implementing Proper Security Controls

  • Choosing Between Automated, Manual, and Hybrid Controls

  • What Are You Auditing Within the IT Infrastructure?

    • User Domain
    • Workstation Domain
    • LAN Domain
    • LAN-to-WAN Domain
    • WAN Domain
    • Remote Access Domain
    • System/Application Domain

  • Maintaining IT Compliance

  • Conducting Periodic Security Assessments

  • Performing an Annual Security Compliance Audit

  • Defining Proper Security Controls

  • Creating an IT Security Policy Framework

  • Implementing Security Operations and Administration Management

  • Configuration and Change Management


PART TWO: Auditing for Compliance: Frameworks, Tools, and Techniques

CHAPTER 4: Auditing Standards and Frameworks

  • Difference Between Standards and Frameworks

  • Why Frameworks Are Important for Auditing

  • The Importance of Using Standards in Compliance Auditing

  • Institute of Internal Auditors

  • COBIT

  • Service Organization Control Reports

  • ISO/IEC Standards

    • ISO/IEC 27001 Standard
    • ISO/IEC 27002 Standard

  • NIST 800-53

  • Cybersecurity Framework

CHAPTER 5: Planning an IT Infrastructure Audit for Compliance

  • Defining the Scope, Objectives, Goals, and Frequency of an Audit

  • Identifying Critical Requirements for the Audit

  • Implementing Security Controls

  • Protecting Privacy Data

  • Assessing IT Security

  • Risk Management

  • Threat Versus Vulnerability Versus Risk

  • Vulnerability Analysis

  • Risk Assessment Analysis: Defining an Acceptable Security Baseline Definition

  • Obtaining Information, Documentation, and Resources

  • Existing IT Security Policy Framework Definition

  • Configuration Documentation for IT Infrastructure

  • Interviews with Key IT Support and Management

  • Personnel: Identifying and Planning

  • NIST Standards and Methodologies

  • Mapping the IT Security Policy Framework Definitions to the Seven Domains of a Typical IT Infrastructure

  • Identifying and Testing Monitoring Requirements

  • Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure

  • Building a Project Plan

CHAPTER 6: Conducting an IT Infrastructure Audit for Compliance

  • Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions

  • Preventive Security Control

  • Detective Security Control

  • Corrective Security Control

  • Organization-Wide

  • Seven Domains of a Typical IT Infrastructure

  • Business Liability Insurance

  • Controlling Risk

  • Gap Analysis for the Seven Domains

  • Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines

  • Conducting the Audit in a Layered Fashion

  • Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains

  • Incorporating the Security Assessment into the Overall Audit Validating Compliance Process

  • Using Audit Tools to Organize Data Capture

  • Reviewing Configurations and Implementations

  • Using Automated Audit Reporting Tools and Methodologies

  • Auditing Change Management

  • Verifying and Validating Proper Configuration and the Implementation of Security Controls and Countermeasures

  • Identifying Common Problems When Conducting an IT Infrastructure Audit

  • Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure

  • Separation of Duties

CHAPTER 7: Writing the IT Infrastructure Audit Report

  • Anatomy of an Audit Report

  • Audit Report Ratings

  • Audit Report Opinion

  • Summary of Findings

  • IT Security Assessment Results: Risk, Threats, and Vulnerabilities

  • Controls and Frameworks

  • Reporting on Implementation of IT Security

  • Per Documented IT Security Policy Framework

  • Privacy Data

  • IT Security Controls and Countermeasure Gap Analysis

  • Compliance Requirement

  • Compliance Assessment Throughout the IT Infrastructure

  • Presenting Compliance Recommendations

CHAPTER 8: Compliance Within the User Domain

  • User Domain Business Drivers

    • Social Engineering
    • Human Mistakes
    • Insiders

  • Anatomy of a User Domain

  • Items Commonly Found in the User Domain

  • Protecting Privacy Data

  • Implementing Proper Security Controls for the User Domain

  • Separation of Duties

  • Least Privilege

  • System Administrators

  • Confidentiality Agreements

  • Employee Background Checks

  • Acknowledgment of Responsibilities and Accountabilities

  • Security Awareness and Training for New Employees

  • Information Systems Security Accountability

  • Organization’s Right to Monitor User Actions and Traffic

  • Incorporating Accountability into Annual Employee Performance Reviews

  • Best Practices for User Domain Compliance

CHAPTER 9: Compliance Within the Workstation Domain

  • Compliance Law Requirements and Business Drivers

  • Importance of Policies

  • Protecting Private Data

  • Management Systems

  • Implementing Proper Security Controls for the Workstation Domain

  • Devices and Components Commonly Found in the Workstation Domain

    • Uninterruptible Power Supplies
    • Desktop Computers
    • Laptops/Tablets/Smartphones
    • Local Printers
    • Wireless Access Points
    • Fixed Hard Disk Drives
    • Removable Storage Devices

  • Access Rights and Access Controls in the Workstation Domain

  • Maximizing C-I-A

    • Maximizing Availability
    • Maximizing Integrity
    • Maximizing Confidentiality

  • Workstation Vulnerability Management

    • Operating System Patch Management
    • Application Software Patch Management

  • Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

  • Best Practices for Workstation Domain Compliance

CHAPTER 10: Compliance Within the LAN Domain

  • LAN Domain Business Drivers

  • Data Leakage Protection

  • Encryption of Mobile Devices

  • Implementing Proper Security Controls for the LAN Domain

  • Devices and Components Commonly Found in the LAN Domain

    • Connection Media
    • Common Network Server and Service Devices
    • Networking Services Software

  • LAN Traffic and Performance Monitoring and Analysis

  • LAN Configuration and Change Management

  • LAN Domain Policies

    • Control Standards
    • Baseline Standards
    • Guidelines

  • LAN Management, Tools, and Systems

  • Maximizing C-I-A

    • Maximizing Confidentiality
    • Maximizing Integrity
    • Maximizing Availability

  • Patch Management

  • Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

  • Best Practices for LAN Domain Compliance

CHAPTER 11: Compliance Within the LAN-to-WAN Domain

  • Compliance Law Requirements and Protecting Data Privacy

  • Implementing Proper Security Controls for the LAN-to-WAN Domain

  • Devices and Components Commonly Found in the LAN-to-WAN Domain

    • Routers
    • Firewalls
    • Proxy Servers
    • DMZ
    • Virtual Private Network Concentrator
    • Network Address Translation (NAT)
    • Internet Service Provider Connections and Backup Connections
    • Cloud Services
    • Intrusion Detection Systems/Intrusion Prevention Systems
    • Data Loss/Leak Security Appliances
    • Web Content Filtering Devices
    • Traffic-Monitoring Devices

  • LAN-to-WAN Traffic and Performance Monitoring and Analysis

  • LAN-to-WAN Configuration and Change Management

  • LAN-to-WAN Management, Tools, and Systems

  • FCAPS

  • Network-Management Tools

  • Access Rights and Access Controls in the LAN-to-WAN Domain

  • Maximizing C-I-A

  • Minimizing Single Points of Failure

  • Dual-Homed ISP Connections

  • Redundant Routers and Firewalls

  • Web Server Data and Hard Drive Backup and Recovery

  • Use of VPN for Remote Access to Organizational Systems and Data

  • Penetration Testing and Validating LAN-to-WAN Configuration

    • External Attacks
    • Internal Attacks
    • Intrusive Versus Nonintrusive Testing

  • Configuration Management Verification

  • Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

  • Best Practices for LAN-to-WAN Domain Compliance

CHAPTER 12: Compliance Within the WAN Domain

  • Compliance Law Requirements and Business Drivers

  • Protecting Data Privacy

  • SD-WAN

  • Implementing Proper Security Controls for the WAN Domain

  • Devices and Components Commonly Found in the WAN Domain

    • WAN Service Providers
    • Dedicated Lines/Circuits
    • WAN Layer 2/Layer 3 Switches
    • MPLS/VPN WAN or Metro Ethernet
    • WAN Backup and Redundant Links

  • WAN Traffic and Performance Monitoring and Analysis

  • WAN Configuration and Change Management

  • WAN Management Tools and Systems

  • Incident Response Management Tools

  • Access Rights and Access Controls in the WAN Domain

  • Maximizing C-I-A

    • WAN Service Availability SLAs
    • WAN Traffic Encryption/VPNs
    • WAN Service Provider SOC Compliance

  • Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

  • Best Practices for WAN Domain Compliance

CHAPTER 13: Compliance Within the Remote Access Domain

  • Remote Access Business Drivers

  • Protecting Data Privacy

  • Implementing Proper Security Controls for the Remote Access Domain

  • Devices and Components Commonly Found in the Remote Access Domain

    • Remote Users
    • Remote Workstations or Laptops
    • Remote Access Controls and Tools
    • Authentication Servers
    • ISP WAN Connections

  • Remote Access and VPN Tunnel Monitoring

  • Remote Access Traffic and Performance Monitoring and Analysis

  • Remote Access Configuration and Change Management

  • Remote Access Management, Tools, and Systems

  • Access Rights and Access Controls in the Remote Access Domain

  • Remote Access Domain Configuration Validation

    • VPN Client Definition and Access Controls
    • TLS VPN Remote Access via a Web Browser
    • VPN Configuration Management Verification

  • Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

  • Best Practices for Remote Access Domain Compliance

CHAPTER 14: Compliance Within the System/Application Domain

  • Compliance Law Requirements and Business Drivers

  • Application Software Versus System Software

  • Protecting Data Privacy

  • Implementing Proper Security Controls for the System/Application Domain

  • Software Development Life Cycle (SDLC)

  • Devices and Components Commonly Found in the System/Application Domain

  • Computer Room/Data Center

  • Redundant Computer Room/Data Center

  • Uninterruptible Power Supplies and Diesel Generators to Maintain Operations

  • Mainframe Computers

  • Minicomputers

  • Server Computers

  • Data Storage Devices

  • Applications

  • Source Code

  • Databases and Privacy Data

  • Secure Coding

  • System and Application Configuration and Change Management

  • System and Application Management, Tools, and Systems

  • Access Rights and Access Controls in the System/Application Domain

  • System Account and Service Accounts

  • Maximizing C-I-A

    • Access Controls
    • Database and Drive Encryption

  • System/Application Server Vulnerability Management

    • Operating System Patch Management
    • Application Software Patch Management

  • Data Loss Protection

  • Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

  • Best Practices for System/Application Domain Compliance


PART THREE: Beyond Audits

CHAPTER 15: Ethics, Education, and Certification for IT Auditors

  • Professional Associations and Certifications

  • Professional Ethics, Code of Conduct, and Integrity of IT Auditors

  • Ethical Independence

  • Codes of Conduct for Employees and IT Auditors

  • Employer-/Organization-Driven Codes of Conduct

  • Employee Handbook and Employment Policies

  • Certification and Accreditation for Information Security

  • Certification and Accreditation for Auditors

  • IIA