The title for Chapter 1 of the book. The title is “The Need for Information Systems Compliance.”

Back to Figure

The C I A triad which is a model that is used to understand the different layers of controls that exist in an I T infrastructure. C I A stands for Confidentiality, Integrity, and Availability.

Back to Figure

The title for Chapter 2 of the book. The title is “Overview of U S Compliance Laws”.

Back to Figure

The title for Chapter 3 of the book. The title is “What Is the Scope of an I T Compliance Audit?”

Back to Figure

The seven domains of a typical I T infrastructure are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

A policy framework consists of guidelines, standards, and policies. This is indicated as a triangle with three layers from the base to the apex.

Back to Figure

The title for Chapter 4 of the book. The title is “Auditing Standards and Frameworks.”

Back to Figure

A figure showing the hierarchy of standards and personnel. A triangle is shown with 4 layers from the base to the apex. 1. Controls. Standards are I S O / I E C 27002 and N I S T 800-53. Personnel are Security Managers and Security Operators. 2. Control Objectives. Standard is COBIT. Personnel are I T Leadership and Chief Information Officer. 3. Governance Frameworks. Standards are COSO and COBIT. Personnel are Board of Directors, Senior Management, and Audit Committee. 4. Regulations such as S O X, H I P A A, and G L B A.

Back to Figure

A table describing the comparison of S O C reports. The table has 4 rows and 4 columns. It has the following column headings. Blank. S O C 1 Report. S O C 2 Report. S O C 3 Report. The row information in the table is as follows. Row 1: Blank, Controls affected; S O C 1 Report, Financial; S O C 2 Report, Security, availability, processing integrity, confidentiality, or privacy; S O C 3 Report, Security, availability, processing integrity, confidentiality, or privacy. Row 2: Blank, Associated attestation standard; S O C 1 Report, A T 801, Reporting on Controls at a Service Organization (Based on S S A E 16); S O C 2 Report, A T 101, Attestation Engagements; S O C 3 Report, A T 101, Attestation Engagements. Row 3: Blank, Guidance and aids; S O C 1 Report, A I C P A Guide, “Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting Guide”; S O C 2 Report, A I C P A Guide, “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy”; S O C 3 Report, A I C P A Technical Practice Aid, “Trust Services Principles, Criteria, and Illustrations.” Row 4: Blank, Contents of report; S O C 1 Report, Description of system and the auditor’s opinion of the controls. A description of the auditor’s test of the controls and results in a Type 2 report; S O C 2 Report, Description of system and the auditor’s opinion of the controls. A description of the auditor’s test of the controls and results in a Type 2 report; S O C 3 Report, Auditor’s opinion of whether effective controls of the system have been maintained.

Back to Table

The title for Chapter 5 of the book. The title is “Planning an I T Infrastructure Audit for Compliance.”

Back to Figure

A table detailing N I S T 800-53 R 5 Cybersecurity and Data Protection Program (C D P P). The table has 20 rows and 4 columns. It has the following column headings. Control Grouping. Policy Number. N I S T 800-53 R 5 Control Family. Identifier. The row information in the table is as follows. Row 1: Control Grouping, Management; Policy Number, 1; N I S T 800-53 R 5 Control Family, Assessment, Authorization, and Monitoring; Identifier, C A. Row 2: Control Grouping, Management; Policy Number, 2; N I S T 800-53 R 5 Control Family, Planning; Identifier, P L. Row 3: Control Grouping, Management; Policy Number, 3; N I S T 800-53 R 5 Control Family, Program Management; Identifier, P M. Row 4: Control Grouping, Management; Policy Number, 4; N I S T 800-53 R 5 Control Family, Risk Assessment; Identifier, R A. Row 5: Control Grouping, Management; Policy Number, 5; N I S T 800-53 R 5 Control Family, System and Services Acquisition; Identifier, S A. Row 6: Control Grouping, Management; Policy Number, 6; N I S T 800-53 R 5 Control Family, Supply Chain Risk Management; Identifier, S R. Row 7: Control Grouping, Operational; Policy Number, 7; N I S T 800-53 R 5 Control Family, Awareness and Training; Identifier, A T. Row 8: Control Grouping, Operational; Policy Number, 8; N I S T 800-53 R 5 Control Family, Contingency Planning; Identifier, C P. Row 9: Control Grouping, Operational; Policy Number, 9; N I S T 800-53 R 5 Control Family, Incident Response; Identifier, I R. Row 10: Control Grouping, Operational; Policy Number, 10; N I S T 800-53 R 5 Control Family, Media Protection; Identifier, M P. Row 11: Control Grouping, Operational; Policy Number, 11; N I S T 800-53 R 5 Control Family, Personnel Security; Identifier, P S. Row 12: Control Grouping, Operational; Policy Number, 12; N I S T 800-53 R 5 Control Family, Physical and Environmental Protection; Identifier, P E. Row 13: Control Grouping, Operational; Policy Number, 13; N I S T 800-53 R 5 Control Family, Personally Identifiable Information (P I I) Processing and Transparency; Identifier, P T. Row 14: Control Grouping, Technical; Policy Number, 14; N I S T 800-53 R 5 Control Family, Access Control; Identifier, A C. Row 15: Control Grouping, Technical; Policy Number, 15; N I S T 800-53 R 5 Control Family, Audit and Accountability; Identifier, A U. Row 16: Control Grouping, Technical; Policy Number, 16; N I S T 800-53 R 5 Control Family, Configuration Management; Identifier, C M. Row 17: Control Grouping, Technical; Policy Number, 17; N I S T 800-53 R 5 Control Family, Identification and Authentication; Identifier, I A. Row 18: Control Grouping, Technical; Policy Number, 18; N I S T 800-53 R 5 Control Family, Maintenance; Identifier, M A. Row 19: Control Grouping, Technical; Policy Number, 19; N I S T 800-53 R 5 Control Family, System and Communications Protection; Identifier, S C. Row 20: Control Grouping, Technical; Policy Number, 20; N I S T 800-53 R 5 Control Family, System and Information Integrity; Identifier, S I.

Back to Table

The title for Chapter 6 of the book. The title is “Conducting an I T Infrastructure Audit for Compliance.”

Back to Figure

A graph with a two-by-two grid that shows how risk-management strategies are applied. The horizontal axis of the graph measures impact from low to high and the vertical axis measures likelihood from low to high. The two cells in the top row of the grid (high likelihood) are labeled Control (low impact) and Avoid (high impact), while the two cells in the lower row (low likelihood) are labeled Accept (low impact) and Share (high impact).

Back to Figure

A diagram that explains control gap analysis. On one end is the current state of controls and at the opposite end, we have the desired state of controls with a gap in between both. Action is required across the gap.

Back to Figure

The title for Chapter 8 of the book. The title is “Compliance Within the User Domain.”

Back to Figure

The User Domain, which is one of the seven domains of a typical I T infrastructure. The seven domains are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

A figure depicting alternate controls. One of the P C I D S S requirements is to encrypt stored data. Adding encryption to an application costs money and requires substantial effort. An alternative way would be to use Windows folder encryption, which is free and easy to deploy.

Back to Figure

The common documentation items in the user domain. Employees are most trusted and have full access. Some trust is necessary for contractors and they have partial access. Guests are least trusted and have limited access.

Back to Figure

A diagram explaining the concept of separation of duties. The diagram shows a circle split into three sections representing tasks A, B, and C. Critical business processes are separated into units of work. A different person performs each unit of work.
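The figure splits a critical process into units of work that different people perform. The check an auditor actually runs against an access export is the inverse: find anyone who holds two or more units of the same process. The following Python is an added example, not from the book; the process names, task names, user names and assignments are constructed sample data.

```python
"""Separation-of-duties (SoD) conflict check over a constructed role assignment.

Added example, not from the book. Process, task and user names are hypothetical.
A critical process is split into units of work (tasks A, B, C in the figure);
one person holding two units of the same process is a conflict.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: each critical business process and the units of work it is split into.
CRITICAL_PROCESSES = {
    "vendor_payment": ["create_vendor", "approve_invoice", "release_payment"],
    "user_provisioning": ["request_account", "approve_account", "create_account"],
}

# Constructed: who holds which task, as it might come out of an IAM export.
ASSIGNMENTS = {
    "alice": {"create_vendor", "request_account"},
    "bob": {"approve_invoice", "approve_account"},
    "carol": {"release_payment", "create_account"},
    "dave": {"create_vendor", "release_payment"},                       # two units of vendor_payment
    "erin": {"request_account", "approve_account", "create_account"},  # holds a whole process alone
}


def find_sod_conflicts(processes, assignments):
    """Return sorted (user, process, (task1, task2)) for every pair of tasks from
    the same critical process that a single user holds."""
    task_to_process = {t: proc for proc, tasks in processes.items() for t in tasks}
    conflicts = []
    for user, tasks in assignments.items():
        held_by_process = defaultdict(set)
        for t in tasks:
            if t in task_to_process:            # tasks outside any critical process are ignored
                held_by_process[task_to_process[t]].add(t)
        for proc, held in held_by_process.items():
            for pair in combinations(sorted(held), 2):
                conflicts.append((user, proc, pair))
    return sorted(conflicts)


def uncovered_tasks(processes, assignments):
    """Units of work nobody holds: the process cannot complete, which is an
    availability gap an auditor should flag alongside the SoD conflicts."""
    held = set().union(*assignments.values())
    return sorted(t for tasks in processes.values() for t in tasks if t not in held)


if __name__ == "__main__":
    for user, proc, (a, b) in find_sod_conflicts(CRITICAL_PROCESSES, ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {a!r} and {b!r} in {proc}")
    print("uncovered tasks:", uncovered_tasks(CRITICAL_PROCESSES, ASSIGNMENTS))
```

Running it reports dave once (create_vendor with release_payment) and erin three times, one per pair of the three provisioning tasks; alice, bob and carol each hold at most one unit per process and are clean. Real role models also need to look through role inheritance and group membership before this pairwise check, otherwise a conflict hidden inside a nested role is missed.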

Back to Figure

A table detailing a simple R A C I matrix for an I T audit. The table has 8 rows and 5 columns. It has the following column headings. Task or Role. Management. Project Manager. Auditor. User. The row information in the table is as follows. Row 1: Task or Role, Develop audit plan; Management, A; Project Manager, R; Auditor, C; User, I. Row 2: Task or Role, Develop audit activities schedule; Management, A; Project Manager, R; Auditor, C; User, I. Row 3: Task or Role, Conduct audit activities; Management, Blank; Project Manager, A; Auditor, R; User, C. Row 4: Task or Role, Review audit results; Management, A / R; Project Manager, R; Auditor, R; User, C. Row 5: Task or Role, Identify noncompliant elements; Management, A; Project Manager, I; Auditor, R; User, C. Row 6: Task or Role, Develop plan to address noncompliant elements; Management, A; Project Manager, R; Auditor, C; User, I. Row 7: Task or Role, Develop noncompliant mitigation activities schedule; Management, A; Project Manager, R; Auditor, C; User, C. Row 8: Task or Role, Conduct noncompliant mitigation activities; Management, Blank; Project Manager, A; Auditor, R; User, R.

Back to Table

The title for Chapter 9 of the book. The title is “Compliance Within the Workstation Domain.”

Back to Figure

The Workstation Domain, which is one of the seven domains of a typical I T infrastructure. The seven domains are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

The devices and components in the Workstation Domain are the following. Uninterruptible Power Supply or U P S. Desktop P C. Laptop. Tablet or Smartphone. Printer. Modem. External Hard Drive. Universal Serial Bus or U S B Drive.

Back to Figure

The C I A triad shown in the sides of a triangle. The sides of the triangle are labeled as Confidentiality, Integrity, and Availability.

Back to Figure

The title for Chapter 10 of the book. The title is “Compliance Within the LAN Domain.”

Back to Figure

The LAN Domain, which is one of the seven domains of a typical I T infrastructure. The seven domains are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

The common components in the LAN Domain are the following. Connection Media which includes U T P, S T P, Fiber Optic, and Wireless. LAN Devices which include hubs, switches, and routers. Servers and Services which includes File Servers, Print Servers, and Data Access. Network Operating System.

Back to Figure

The title for Chapter 11 of the book. The title is “Compliance Within the LAN-to-WAN Domain.”

Back to Figure

The LAN-to-WAN Domain, which is one of the seven domains of a typical I T infrastructure. The seven domains are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

A diagram that shows how data is exchanged with a remote service. A laptop makes a request to a web server over the Internet. The web server makes a request to an application server. The application server sends its response back to the web server. The web server then sends the response back to the requesting laptop over the Internet.

Back to Figure

A diagram that shows how a network request is made using a proxy server. A laptop with the I P address 192 dot 168 dot 0 dot 1 makes a request to a server. This request goes to a proxy server with the I P address 192 dot 168 dot 0 dot 215. The data in the request indicates that the destination is 1 dot 2 dot 3 dot 4 and the source is 192 dot 168 dot 0 dot 1. The proxy server passes the request to the server. The data in the forwarded request indicates that the destination is 1 dot 2 dot 3 dot 4 and the source is now 192 dot 168 dot 0 dot 215, the proxy’s own address, so the server never sees the laptop’s internal address.

Back to Figure

A diagram that shows a simple D M Z with one firewall. A firewall is bounded by a LAN, the Internet, and a D M Z.

Back to Figure

A diagram that shows a D M Z with two firewalls. A firewall is present which is bounded by the Internet and a D M Z. Connected to the D M Z is another firewall. This firewall is also bounded by a LAN.

Back to Figure

A diagram that shows an I S P connection single point of failure. An I S P gateway is shown which is connected to the Internet. The gateway is connected to two laptops and a Desktop P C. The I S P gateway serves as a single point of failure.

Back to Figure

A table detailing a high-level comparison among I a a S, P a a S, and S a a S. The table has 5 rows and 4 columns. It has the following column headings. Cloud Service. I a a S. P a a S. S a a S. The row information in the table are as follows. Row 1: Cloud Service, Application software; I a a S, Blank; P a a S, Blank; S a a S, Checked. Row 2: Cloud Service, Operating system software; I a a S, Blank; P a a S, Checked; S a a S, Checked. Row 3: Cloud Service, Server hardware and maintenance; I a a S, Checked; P a a S, Checked; S a a S, Checked. Row 4: Cloud Service, Data storage hardware and maintenance; I a a S, Checked; P a a S, Checked; S a a S, Checked. Row 5: Cloud Service, Network hardware and maintenance; I a a S, Checked; P a a S, Checked; S a a S, Checked.

Back to Table

A diagram that shows multiple I S P connections to avoid a single point of failure. The diagram shows I S P gateways A and B, which together provide connectivity to the Internet for two laptops and a desktop, so the loss of either gateway does not disconnect the hosts.

Back to Figure

The title for Chapter 12 of the book. The title is “Compliance Within the WAN Domain.”

Back to Figure

The WAN Domain, which is one of the seven domains of a typical I T infrastructure. The seven domains are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

A diagram that shows the lack of control for data travelling across a WAN. On one end is a server that is connected to a WAN. The WAN is connected to two Desktop P Cs and a laptop. Data is protected in the server and in the desktop P Cs and laptop, while it is unprotected in the WAN.

Back to Figure

A diagram that shows how WAN traffic is protected using encryption. A network diagram is shown in which a server is connected by a WAN to two desktop P Cs and a laptop. The communication through the WAN occurs through a V P N tunnel. The V P N tunnel protects the data in the WAN.

Back to Figure

The different layers in the T C P / I P and O S I reference models. The layers in the T C P / I P reference model are the following. Application. Host-to-host. Internet. Network Access. The layers in the O S I reference model are the following. Application. Presentation. Session. Transport. Network. Data Link. Physical.

Back to Figure

Flow of the message in the United Nations example is through the following people. 1. U S Ambassador to U S Translator. 2. U S Translator to U S Aide. 3. U S Aide to Mailroom Clerk. From the Mailroom Clerk the message fans out to three recipients, each following the same remaining steps. 4. Mailroom Clerk to Chinese Aide. 5. Chinese Aide to Chinese Translator. 6. Chinese Translator to Chinese Ambassador. 7. Message read by Chinese Ambassador. 4. Mailroom Clerk to Russian Aide. 5. Russian Aide to Russian Translator. 6. Russian Translator to Russian Ambassador. 7. Message read by Russian Ambassador. 4. Mailroom Clerk to Italian Aide. 5. Italian Aide to Italian Translator. 6. Italian Translator to Italian Ambassador. 7. Message read by Italian Ambassador.
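The two figures above (the T C P / I P and O S I layer stacks, and the United Nations relay) describe encapsulation: each layer wraps what it receives from the layer above in its own header, and the receiving side peels the headers off in reverse order. The following Python is an added example, not from the book, that builds a T C P segment around an application payload, wraps it in an I P v 4 packet, and then parses and checksum-verifies the result the way a receiver would. The addresses, ports and payload are constructed sample values, and the Network Access (Ethernet) layer is left out.

```python
"""Layering and encapsulation shown with a hand-built IPv4/TCP packet.

Added example, not from the book. Application payload -> TCP segment (Host-to-host
layer) -> IPv4 packet (Internet layer). The receiver strips the headers in the
reverse order and verifies both checksums. Addresses, ports and payload are
constructed sample values; the Ethernet (Network Access) layer is omitted.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Host-to-host layer: wrap the application payload in a TCP header (PSH+ACK)."""
    flags = 0x018                                   # PSH | ACK
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header taken from the IP layer below.
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return hdr + payload


def build_ipv4(src_ip, dst_ip, segment: bytes) -> bytes:
    """Internet layer: wrap the TCP segment in a 20-byte IPv4 header (protocol 6 = TCP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + segment


def parse_packet(packet: bytes) -> dict:
    """Receiver side: strip the IPv4 header, then the TCP header, verifying each checksum."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    if checksum(ip_hdr) != 0:                       # a header including its own checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    _vi, _tos, total_len, _id, _frag, ttl, proto, _cs, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != 6:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]
    sport, dport, seq, _ack, off_flags, _win, _cs, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    if checksum(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    data_off = (off_flags >> 12) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF,
            "payload": segment[data_off:]}


def is_intact(packet: bytes) -> bool:
    """True when both layers' checksums verify, False for a corrupted packet."""
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = b"GET / HTTP/1.0\r\n\r\n"             # constructed application-layer data
    pkt = build_ipv4("192.168.0.1", "1.2.3.4", build_tcp("192.168.0.1", "1.2.3.4", 40000, 80, 1000, payload))
    print(len(pkt), "bytes on the wire:", parse_packet(pkt))
```

Each layer only looks at its own header, which is the point of the relay figure: the I P code never interprets the T C P fields, and the T C P code never interprets the H T T P text. The checksums are integrity checks against accidental corruption only; they are not a security control, since anyone on the path can recompute them after changing the data, which is why the earlier WAN figure needs a V P N tunnel rather than relying on the protocol headers.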

Back to Figure

The title for Chapter 13 of the book. The title is “Compliance Within the Remote Access Domain.”

Back to Figure

The Remote Access Domain, which is one of the seven domains of a typical I T infrastructure. The seven domains are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

A network diagram showing the devices and components commonly found in the Remote Access Domain. The diagram shows two remote users, one using a laptop and the other using a desktop P C, connected through a V P N tunnel over the Internet to an authentication server. The authentication server is connected to the internal LAN.

Back to Figure

The title for Chapter 14 of the book. The title is “Compliance Within the System or Application Domain.”

Back to Figure

The System or Application Domain, which is one of the seven domains of a typical I T infrastructure. The seven domains are the following. User Domain. Workstation Domain. LAN Domain. LAN-to-WAN Domain. WAN Domain. System or Application Domain. Remote Access Domain. A LAN Domain consists of a server connected to a switch. A LAN-to-WAN Domain includes a router that is connected to a Firewall. A System or Application Domain includes a Firewall-Router, Mainframe, and Application and Web Servers. A Remote Access Domain involves a computer accessing the LAN-to-WAN Domain through Broadband Internet.

Back to Figure

Devices and components commonly found in the system or application domain. 1. Hardware. This includes the following. Mainframe. Minicomputer. File Server. Uninterruptible Power Supply. Storage Device. 2. Software. Application. Source Code. Database Management System. 3. Infrastructure. Data Center. Backup Data Center.

Back to Figure

A diagram depicting disaster recovery options. The switchover time for these options ranges from immediate to days or longer in the order listed. The cost ranges from expensive to less expensive in the order listed. The options are the following. Hot Site. Warm Site. Cold Site. Service Level Agreement or S L A. Cooperative Agreement.

Back to Figure

A table detailing application architectures. The table has 4 rows and 6 columns. It has the following column headings. Architecture. Service Location: Data Storage. Service Location: Data Access. Service Location: Business Logic. Service Location: User Interface. Comments. The row information in the table are as follows. Row 1: Architecture, Host based; Service Location: Data Storage, Host; Service Location: Data Access, Host; Service Location: Business Logic, Host; Service Location: User Interface, Host; Comments, Everything runs on the host. Host-based applications are easy to maintain and secure but are not very scalable. Row 2: Architecture, Client based; Service Location: Data Storage, Server; Service Location: Data Access, Client; Service Location: Business Logic, Client; Service Location: User Interface, Client; Comments, This architecture is also called diskless workstations. This architecture didn’t last too long because even a few clients can saturate a network with all disk accesses occurring over a network. Row 3: Architecture, Client or server; Service Location: Data Storage, Server; Service Location: Data Access, Server; Service Location: Business Logic, Client; Service Location: User Interface, Client; Comments, This common model attempts to separate application execution from data access and storage. In a classic client server model, the client runs all of the application code. Although workstations have become powerful, this model is slow when the application needs large amounts of data that must be transferred across the network. Row 4: Architecture, Distributed; Service Location: Data Storage, Server; Service Location: Data Access, Server; Service Location: Business Logic, Server; Service Location: User Interface, Client; Comments, Distributed computing attempts to solve the network saturation problem by reducing the amount of information transferred across the network. 
Large volumes of data can be transferred between a database server and an application server in the data center without having to use the rest of the network. Reduced network usage can result in much better performance. Keeping more data within the data center’s network increases the data’s security as well.

Back to Table

The title for Chapter 15 of the book. The title is “Ethics, Education, and Certification for I T Auditors.”

Back to Figure

The title for Chapter 7 of the book. The title is “Writing the I T Infrastructure Audit Report.”

Back to Figure

A table summarizing the resulting risks as a product of impact and threat likelihood. The table has 3 rows and 4 columns. It has the following column headings. Threat Likelihood. Low Impact Level (10). Medium Impact Level (50). High Impact Level (100). The row information in the table is as follows. Row 1: Threat Likelihood, High (1.0); Low Impact Level (10), Low. 10 × 1.0 = 10; Medium Impact Level (50), Medium. 50 × 1.0 = 50; High Impact Level (100), High. 100 × 1.0 = 100. Row 2: Threat Likelihood, Medium (0.5); Low Impact Level (10), Low. 10 × 0.5 = 5; Medium Impact Level (50), Medium. 50 × 0.5 = 25; High Impact Level (100), Medium. 100 × 0.5 = 50. Row 3: Threat Likelihood, Low (0.1); Low Impact Level (10), Low. 10 × 0.1 = 1; Medium Impact Level (50), Low. 50 × 0.1 = 5; High Impact Level (100), Low. 100 × 0.1 = 10.

Back to Table

A table detailing the N I S T C S F Cybersecurity Framework mapping for I D. A M-1. The table has 1 row and 4 columns. It has the following column headings. Function. Category. Subcategory. References. The row information in the table is as follows. Row 1: Function, IDENTIFY; Category, Asset Management (I D. A M): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy; Subcategory, I D. A M-1: Physical devices and systems within the organization are inventoried; References, C C S C S C 1. COBIT 5 B A I 09. 01, B A I 09. 02. I S A 62443-2-1:2009 4.2.3.4. I S A 62443-3-3:2013 S R 7.8. I S O / I E C 27001:2013 A.8.1.1, A.8.1.2. N I S T S P 800-53 Revision 4 C M-8.

Back to Table

A table with details of a sample documented P C I D S S compliance test result. The table has 1 row and 4 columns. It has the following column headings. P C I D S S Requirement. Testing Procedures. Status. Comments. The row information in the table is as follows. Row 1: P C I D S S Requirement, Do not use vendor-supplied defaults for system passwords and other security parameters; Testing Procedures, Attempted to log on to a sample of selected critical systems using the default vendor-supplied accounts and passwords taken from vendor documentation; Status, Compliant; Comments, The point-of-sale systems do not support vendor-supplied default passwords.
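The testing procedure in the table is an interactive logon attempt. The same test can be run offline, without lockouts or audit-log noise, when the auditor has an export of local account password hashes and the hash scheme: hash each documented default with the account’s salt and compare. The following Python is an added example, not from the book; the vendor names, devices, salts, hash scheme (salted S H A-256) and credential values are constructed sample data, and a real export would use the platform’s own scheme (crypt, N T L M, P B K D F 2 and so on).

```python
"""Offline check for vendor-default credentials (PCI DSS: do not use vendor-supplied defaults).

Added example, not from the book. Compares an exported list of account hashes
against defaults taken from vendor documentation instead of attempting logons.
Devices, vendors, salts and the salted SHA-256 scheme are constructed sample
data; substitute the platform's real hash scheme in practice.
"""
import hashlib
import hmac


def _hash(salt: str, password: str) -> str:
    """Constructed hash scheme for the sample export: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed list of documented defaults per product (vendor documentation is the real source).
VENDOR_DEFAULTS = {
    "pos-vendor-x": [("admin", "admin"), ("manager", "1234")],
    "router-vendor-y": [("admin", "password"), ("cisco", "cisco")],
}

# Constructed account export: (device, product, username, salt, stored hash).
ACCOUNT_EXPORT = [
    ("pos-01", "pos-vendor-x", "admin", "s1", _hash("s1", "Xk9!vR2#pL")),   # default was changed
    ("pos-02", "pos-vendor-x", "manager", "s2", _hash("s2", "1234")),        # still the default
    ("edge-rtr", "router-vendor-y", "cisco", "s3", _hash("s3", "cisco")),    # still the default
    ("edge-rtr", "router-vendor-y", "admin", "s4", _hash("s4", "c0rrectH0rse")),
    ("hr-db", "unknown-vendor-z", "sa", "s5", _hash("s5", "whatever")),      # no default list known
]


def find_default_credentials(export, defaults):
    """Return sorted (device, username) pairs whose stored hash matches a documented default."""
    findings = []
    for device, product, user, salt, stored in export:
        for default_user, default_pw in defaults.get(product, []):
            if default_user != user:
                continue
            # Constant-time compare, the same habit as any password check.
            if hmac.compare_digest(_hash(salt, default_pw), stored):
                findings.append((device, user))
    return sorted(findings)


def untested_products(export, defaults):
    """Products in the export with no default list: the test cannot conclude anything
    about them, so they must be reported as untested rather than compliant."""
    return sorted({product for _, product, *_ in export if product not in defaults})


def compliance_status(export, defaults):
    """Status wording matching the table: Compliant only when nothing matched and
    every product in scope actually had a default list to test against."""
    if find_default_credentials(export, defaults):
        return "Non-compliant"
    if untested_products(export, defaults):
        return "Not tested"
    return "Compliant"


if __name__ == "__main__":
    for device, user in find_default_credentials(ACCOUNT_EXPORT, VENDOR_DEFAULTS):
        print(f"default credential still active: {user}@{device}")
    print("untested products:", untested_products(ACCOUNT_EXPORT, VENDOR_DEFAULTS))
    print("status:", compliance_status(ACCOUNT_EXPORT, VENDOR_DEFAULTS))
```

Against the sample export the check flags manager on pos-02 and cisco on edge-rtr, and lists unknown-vendor-z as untested, so the overall status is Non-compliant. The "Comments" column in the table matters for the offline variant too: a system that does not support default passwords at all should be recorded as such, because an empty finding list on its own cannot distinguish "defaults changed" from "defaults never existed".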

Back to Table

The title page for part one of the book. It has the following title. The Need for Compliance. Part one has the following chapters. Chapter 1. The Need for Information Systems Compliance. Chapter 2. Overview of U S Compliance Laws. Chapter 3. What Is the Scope of an I T Compliance Audit?

Back to Figure

The title page for part two of the book. It has the following title. Auditing for Compliance: Frameworks, Tools, and Techniques. Part two has the following chapters. Chapter 4. Auditing Standards and Frameworks. Chapter 5. Planning an I T Infrastructure Audit for Compliance. Chapter 6. Conducting an I T Infrastructure Audit for Compliance. Chapter 7. Writing the I T Infrastructure Audit Report. Chapter 8. Compliance Within the User Domain. Chapter 9. Compliance Within the Workstation Domain. Chapter 10. Compliance Within the LAN Domain. Chapter 11. Compliance Within the LAN-to-WAN Domain. Chapter 12. Compliance Within the WAN Domain. Chapter 13. Compliance Within the Remote Access Domain. Chapter 14. Compliance Within the System or Application Domain.

Back to Figure

The title page for part three of the book. It has the following title. Beyond Audits. Part three has the following chapter. Chapter 15. Ethics, Education, and Certification for I T Auditors.

Back to Figure

Appendix A of the book. It has the following title. Answer Key.

Back to Figure

The title for the appendix section of the book listed as “Appendix B.”

Back to Figure

The title for the appendix section of the book listed as “Glossary of Key Terms.”

Back to Figure

The title for the references section of the book listed as “References.”

Back to Figure

The Index page of the book. It has the title, “index.”

Back to Figure
