Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

It infrastructure audit pdf

28/12/2020 Client: saad24vbs Deadline: 6 Hours

5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 1/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


Chapter 5 Goals When you complete this chapter, you will be able to:


• Define the scope and frequency of an audit


• Identify the key requirements for an audit


• Understand the importance of risk management in assessing security controls


• Identify the information and resources needed for an IT audit


• Relate the IT security policy framework to the seven domains of IT infrastructure


• Understand why monitoring requirements help with an IT audit


• Identify security control points


• Differentiate between the project management tasks of an IT audit


Defining the Scope, Objectives, Goals, and Frequency of an Audit


The scope, objectives, goals, and frequency of audits are based on a risk assessment. Depending on the risk, the frequency of audits varies. Critical systems controls might need to be monitored more often than noncritical controls. In more high-risk situations, automated or continual audit tests might be considered.


Prior to performing an audit, the auditor should first define the audit scope. The scope includes the area or areas to be reviewed as well as the time period. Experienced auditors know it’s just as important to define what will be audited as it is to define what will not be audited. If scope is not clearly defined, scope creep occurs, likely increasing the auditor’s workload. Scope creep is a term common to projects where the plans or goals expand beyond what was originally intended.


The audit objective is the goal of the audit. Both scope and objective are closely related. For the audit to be effective, the scope must consider the objectives of the audit. Defining scope requires consideration of the personnel, systems, and records relevant to the objective. Time is another consideration dependent upon the objective. The depth and breadth of an audit usually determines the time frame required to meet the objectives.


An external audit of financial controls, for example, will likely have a more narrow scope than an internal audit of information technology (IT) controls. When defining


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 2/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


the scope, the auditor should consider the controls and processes across the seven domains of IT infrastructure. This includes relevant resources such as the following:


• Data • Applications


• Technology


• Facilities • Personnel


It is important for auditors to ensure the scope is sufficient to achieve the stated objectives. Restrictions placed on the scope could seriously affect the ability to achieve the stated objective. Examples of restrictions that an organization may place on an auditor that could have such a negative impact include the following:


• Not providing enough resources • Limiting the time frame


• Preventing the discovery of audit evidence


• Restricting audit procedures


• Withholding relevant historical records or information about past incidents


Project Management


An audit is a project. As with any project, proper planning is necessary. Auditors should be familiar with the Project Management Institute (PMI), which has created a standard named A Guide to the Project Management Body of Knowledge (PMBOK). This guide provides a well-known and applied framework for managing successful projects.


A project, such as an audit, has three important characteristics. First, a project is temporary. This means it has an identified start and end date. Unlike operations or a program, a project lasts for a finite time period. Second, a project is unique and produces unique results. At the end of the project, a deliverable is produced. Although projects might be similar, the process, resources, constraints, and risks, for example, will differ. Finally, a project is progressively elaborated. Because each project is unique, the process is more dynamic. Projects will occur in separate steps. As the process continues, the next phase becomes clearer.


Projects require someone to manage them. This position is often given the title of project manager. Large projects and even audits might have a dedicated project manager. Other times, the person managing the project might be the project expert. Project management requires the management of three competing needs to achieve the project objectives. Known as the triple constraint, these include scope, cost, and time. Consider, for example, a project with a large scope, but with little time and cost. More than likely, quality will be compromised. A project manager must be aware of all three constraints at the start of and throughout the project.


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 3/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


Planned audit activities also have a defined rate of occurrence, known as the audit frequency. There are two approaches to determine audit frequency. Audits can occur on an annual basis or every two or three years, depending on regulatory requirements and the determined risk. IT audits also are known for not following a predefined frequency, but instead using a continuous risk-assessment process. This is more appropriate given the fast-paced change in technology as well as the threats and vulnerabilities related to IT.


Identifying Critical Requirements for the Audit


The risk assessment will influence the critical requirements for an IT audit. Overall, there are various types of IT audits. In addition to infrastructure audits for compliance, other examples include audits specific to IT processes, such as governance and software development. Another example includes integrated audits, where financial controls are the focus.


Auditing IT infrastructure for compliance incorporates the evaluation of various types of controls. IT organizations today are concerned with controls relating to both security and privacy. Traditionally, privacy and information security activities are separate activities. The two, however, have become more interrelated, and coordination between the two has become a priority for many organizations. Two major factors contributing to this are regulatory issues and the rapid growth and widespread use of the Web. As a result, both privacy and information security are converging, specifically around compliance issues.


Implementing Security Controls


Before an evaluation of controls can begin, the auditor must first identify the critical controls. To do so, the auditor must consider the audit scope and objective along with the risk assessment. Documentation and any preliminary interviews also help to identify the requirements.


Controls can be classified into different groups to aid in understanding how they fit into the overall security of a system. Figure 5-1 illustrates the different dimensions of control classifications. Understanding the classifications provides auditors with a foundation to identify and assess critical controls.


A high-level classification of controls for IT systems includes general and application controls. General controls are also known as infrastructure controls. These types of controls apply broadly to all system components across an organization. Application controls apply to individual application systems. Types of application controls include various transaction controls, such as input, processing, and output controls.


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 4/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


FIGURE 5-1 Control classifications.


Three IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and technical controls. The following list provides a description and examples of each of these:


• Management controls—These include controls typically governed by management as part of the overall security program. Examples include the following: • Security policy


• Security program management


• Risk management


• Security and planning in the system development life cycle • Assurance


• Operational controls—These include controls that are implemented by people rather than systems. These controls are often interrelated with both management and technical controls. Examples include the following:


• Personnel and user issues


• Contingency and disaster planning • Incident response and handling


• Awareness, training, and education


• Computer support and operations


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 5/23


• Physical and environmental security


• Technical controls—These include controls that are performed by the IT systems. Examples include the following: • Identification and authorization


• Logical access control


• Audit trails


• Cryptography


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 6/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


Controls are further classified as being preventive, detective, or corrective. Preventive controls stop a particular threat in the first place. A door lock on a home is a simple example of a preventive control. A detective control identifies that a threat is present. A home alarm system, for example, is a common detective control. (Some people even advertise they have an alarm system by putting a notice on the door or a sign in the yard. In this case, this also serves as a preventive control.) Finally, a reactive or corrective control can lessen the effects of a threat. A home alarm system that also notifies the police department is an example of a reactive control.


NOTE


Antivirus software is a common control that spans all three controls. It can prevent a system from getting a virus in the first place. It can detect if a virus is on the system. Finally, it can react and correct the situation by removing or quarantining the virus.


Protecting Privacy Data


Audits of IT infrastructure relating to security are common. However, due to recent legislation regarding the need to protect personally identifiable information, audits specific to privacy are more commonplace than before. ISACA defines privacy within the context of information systems as “adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject). Management is responsible to comply with privacy in accordance with its privacy policy or applicable privacy laws and regulations.”


Privacy audits go beyond traditional IT audits in that the entire information lifecycle process needs to be considered. This includes not just the controls relating to how it was gathered and secured, but also how it is collected, used, and retained. Specifically, privacy audits address the following three concerns:


• What type of personal information is processed and stored?


• Where is it stored?


• How is it managed?


Table 5-1 outlines guidance for privacy audits established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). This guidance is named Generally Accepted Privacy Principles (GAPP).


A privacy audit should consider what privacy laws apply to the organization. Auditors should consider who has responsibility for privacy within the organization. This includes the roles of legal counsel and whether a chief privacy officer (CPO) role is established. (The CPO is a senior-level position responsible for the overall management of an organization’s privacy program.) Finally, the policies and procedures specific to privacy should be examined.


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 7/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


TABLE 5-1 The Generally Accepted Privacy Principles.


PRINCIPLE DESCRIPTION


Management The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.


Notice The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.


Choice of consent


The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.


Collection The entity collects personal information only for the purposes identified in the notice.


Use and retention


The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as is necessary to fulfill the stated purposes.


Access The entity provides individuals with access to their personal information for review and update.


Disclosure to third parties


The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.


Security for privacy


The entity protects personal information against unauthorized access.


Quality The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.


Monitoring and enforcement


The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.


Assessing IT Security


Examining IT security is a key component of auditing IT infrastructure for compliance. An audit can help identify fraud, ineffective IT practices, improper use of resources, and inadequate security. Assessing IT security is largely about ensuring that adequate controls are in place. Controls cost money, however. The selection and implementation of controls must be a result of a consideration of risk.


Suppose you want to build a fence to protect a cow. Building the fence will cost money. Exactly how much money it will cost might depend upon the quality and size of the fence.


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 8/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


How much might you be willing to spend? Of course, you should first understand why you want to protect the cow. How valuable is this cow to you? What are you protecting the cow from? Let’s assume the cow has some type of value to you— otherwise, there would be little reason to spend money on protecting the cow. Is a fence the only solution? Could you tie the cow to a tree instead? If you decide to build the fence, is it strong enough? Is it high enough? Now suppose you decide to have the security of your fence assessed. What you don’t need is for the auditor to come by and tell you what you already know— that you have a fence in place. Rather, what would be useful is a determination of the lack of controls, the ineffectiveness of controls, or even the use of unnecessary controls. If your cow turns out to be a bull, for example, perhaps that fence won’t be so effective. Is the fence effective against someone determined to steal the cow? To understand these issues, consider the following:


• Is a control even required? • How much effort or money should be spent on a control?


• Is the control effective?


Understanding the answers to these questions requires thought about risk. This is why risk management needs to be a key part of organizations and any audit.


Risk Management


Managing and understanding risk is a key operating component of any organization. Risk is about uncertainty. Yet, there will always be uncertainties across organizations. Uncertainty presents both challenges and opportunities for companies. Risk management provides a method for dealing with the uncertainty. This includes identifying which ones to accept and which ones to control. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which provides a framework for enterprise risk management (ERM), identifies the following key components of ERM:


• Aligning risk appetite and strategy—This helps the organization to manage the uncertainty with consideration of the goals of the organization.


• Enhancing risk response decisions—This improves the organization’s ability to make decisions about how to better manage risk.


• Reducing operational surprises and losses—This enhances the organization’s ability to identify potential events or threats and react appropriately.


• Identifying and managing multiple and cross-enterprise risks—This helps the organization to consider related risks from across the organization and provides a unified response across the varying risks.


• Seizing opportunities—This helps the organization to recognize events from which new opportunities can be pursued. • Improving deployment of capital—This improves how organizations divide their financial resources to enhance


performance and profitability.


5/28/2018 Strayer University Bookshelf: Auditing IT Infrastructures for Compliance


https://strayer.vitalsource.com/#/books/9781284104387/cfi/6/40!/4/66/4@0:0 9/23


PRINTED BY: juliehalperson@gmail.com. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.


An example of an IT risk framework compatible with ERM is ISACA’s Risk IT. The Risk IT framework is completely covered with the Control Objectives for Information and Related Technology (COBIT) framework. Risk IT provides a comprehensive framework not just for assessing risk, but also for governance and response. Combined with Risk IT and another framework, Val IT, COBIT 5 provides a framework of controls to minimize as well as manage risk. Another example of an information security risk management framework is ISO standard ISO/IEC 27005. In addition to providing guidelines for information security risk management, this ISO standard also supports the concepts within ISO/IEC 27001.


The key component of risk management includes a risk assessment. Planning an audit of IT infrastructure depends on this assessment. The audit plan should be prepared only after a risk assessment is complete. The key reason for this is that the audit will focus on those areas with the highest risk.

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

University Coursework Help
Homework Guru
Top Essay Tutor
Helping Hand
Writer Writer Name Offer Chat
University Coursework Help

ONLINE

University Coursework Help

Hi dear, I am ready to do your homework in a reasonable price.

$62 Chat With Writer
Homework Guru

ONLINE

Homework Guru

Hi dear, I am ready to do your homework in a reasonable price and in a timely manner.

$62 Chat With Writer
Top Essay Tutor

ONLINE

Top Essay Tutor

I have more than 12 years of experience in managing online classes, exams, and quizzes on different websites like; Connect, McGraw-Hill, and Blackboard. I always provide a guarantee to my clients for their grades.

$65 Chat With Writer
Helping Hand

ONLINE

Helping Hand

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$60 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

4.7 k resistor color code - Phased implementation advantages and disadvantages - Standardized instruments in social work practice - Walmart in africa case study pdf - 6-3-2 project 2: research plan and introduction submission - Italian reflexive verbs exercises - 71a bellevue pde allawah - Advantages of living in a multi faith society - Hcl dcl lab report - #1-3. 250 words each, two scholarly sources each due 10/17 - What are prime and composite numbers 1 100 - Malcolm x homemade education essay - Hairy bikers eve's pudding - Article - Assessment 2 – Cost and Quality Management Plans (2 parts) - Changing communities global perspectives questions - NIST Publications and Outcomes - Find a formula for the function graphed - Lil lebowski cafe key west - Dichotomous key examples for plants - Titration simulation iowa - The other side is not dumb by sean blanda - 1800 24 hour time - A genre's iconography consists of - Dinamica de fluidos ejercicios resueltos - Digital Forensics - 2015 medicare levy surcharge threshold - Answer a questions - Island man grace nichols - Http evolve elsevier com mccance - Cleaner performance appraisal template - Check watts with multimeter - National taiwan normal university admission - The magic hat mem fox activities - Personal values and professional values - Postal codes new zealand - Salary inequities at astrazeneca - Linux - Views and values words - Brooks australia smoke alarm how to change battery - Eaton vrla battery pwhr12500w4fr - Union Representation - focuses on attribution theory and how it influences the implementation of innovation technologies. - A class divided video questions answers - Him sight word worksheet - Disadvantages of two way anova - University of kent sds - Financial statement fraud is usually committed by - A smuggler's song comprehension answers - Kick tolerance calculator download - Device tree for dummies - The shape of ideas an illustrated exploration of creativity pdf - Benchmark - Risk Management Program Analysis - Part One - Excel chapter 4 grader project homework - 5 Page paper APA format single spaced - Week 8 Assignment - Samsung 32 layer 3d v nand - Critical thinking and ethics phi - Vce examination score review application - Pka on titration curve - Half and half amy tan sparknotes - Ehr implementation gantt chart - Flock of geese in flight crossword clue - Personal development blueprint - Visual analysis of film - Traffic Design Essay - Ciena 6500 dc power requirements - University of oslo physiotherapy - How to make a light bulb experiment - Stair climbing and power lab answers - 5 components of fitness - Parking near churchill hospital - PPT - Dr ann rhee sunforest - More than meets the eye worksheet answers - The pedestrian by ray bradbury - Find the missing side of each right triangle - Inappropriate footwear centre of gravity - Defence force recruiting aptitude test - Adjust or accustom crossword 6 - Experiences and outcomes hwb - Cardiff university exam results date - Medicare case mix index definition - Discussion-1 MF - The consumer rises (WWII and Its Aftermath, Broadcast Networks & Early Pop Culture) - Essays guru only - Change through persuasion summary - Money taken out of a salary weegy - Stonebridge mental health nottingham - Dodecahedron net with tabs - Write a essay - Cmmi maturity levels ppt - Crisp methodology for data mining pdf - Ben and jerry's distribution channels - Moreton bay green waste bin - Week 5 Discussion Forum: Peer Review For Cultural And Ethical Perspective Inquiry Draft - Learning outcome assignments - Recommendation report sample in technical writing - Kinetic particle theory questions - Response to Week Discussion 7