© SidorArt/Shutterstock.
Contents
PART ONE The Need for Compliance
CHAPTER 1 The Need for Information Systems Compliance
What Is the Difference Between Information System and Information Security Compliance?
Difference Between Information System and Information Security
What Is the Confidentiality, Integrity, and Availability (CIA) Triad?
Why Are Governance and Compliance Important?
Case Study: Cetera and Cambridge
What If an Organization Does Not Comply with Compliance Laws?
CHAPTER 2 Overview of U.S. Compliance Laws
Introduction to Regulatory Requirements
Federal Information Security Management Act
Cybersecurity Information Sharing Act
Health Insurance Portability and Accountability Act
Children’s Internet Protection Act
Children’s Online Privacy Protection Act
California Consumer Privacy Act
Payment Card Industry Data Security Standard
CHAPTER 3 What Is the Scope of an IT Compliance Audit?
What Must Your Organization Do to Be in Compliance?
Protecting and Securing Privacy Data
Designing and Implementing Proper Security Controls
Choosing Between Automated, Manual, and Hybrid Controls
What Are You Auditing Within the IT Infrastructure?
Conducting Periodic Security Assessments
Performing an Annual Security Compliance Audit
Defining Proper Security Controls
Creating an IT Security Policy Framework
Implementing Security Operations and Administration Management
Configuration and Change Management
PART TWO Auditing for Compliance: Frameworks, Tools, and Techniques
CHAPTER 4 Auditing Standards and Frameworks
Difference Between Standards and Frameworks
Why Frameworks Are Important for Auditing
The Importance of Using Standards in Compliance Auditing
Institute of Internal Auditors
Service Organization Control Reports
CHAPTER 5 Planning an IT Infrastructure Audit for Compliance
Defining the Scope, Objectives, Goals, and Frequency of an Audit
Identifying Critical Requirements for the Audit
Implementing Security Controls
Threat Versus Vulnerability Versus Risk
Risk Assessment Analysis: Defining an Acceptable Security Baseline Definition
Obtaining Information, Documentation, and Resources
Existing IT Security Policy Framework Definition
Configuration Documentation for IT Infrastructure
Interviews with Key IT Support and Management Personnel: Identifying and Planning
NIST Standards and Methodologies
Identifying and Testing Monitoring Requirements
Identifying Critical Security Control Points That Must Be Verified Throughout the IT Infrastructure
CHAPTER 6 Conducting an IT Infrastructure Audit for Compliance
Identifying the Minimum Acceptable Level of Risk and Appropriate Security Baseline Definitions
Seven Domains of a Typical IT Infrastructure
Gap Analysis for the Seven Domains
Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines
Conducting the Audit in a Layered Fashion
Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains
Incorporating the Security Assessment into the Overall Audit Validating Compliance Process
Using Audit Tools to Organize Data Capture
Using Automated Audit Reporting Tools and Methodologies
Reviewing Configurations and Implementations
Identifying Common Problems When Conducting an IT Infrastructure Audit
CHAPTER 7 Writing the IT Infrastructure Audit Report
IT Security Assessment Results: Risk, Threats, and Vulnerabilities
Reporting on Implementation of IT Security Controls and Frameworks
Per Documented IT Security Policy Framework
IT Security Controls and Countermeasure Gap Analysis
Compliance Assessment Throughout the IT Infrastructure
Presenting Compliance Recommendations
CHAPTER 8 Compliance Within the User Domain
Implementing Proper Security Controls for the User Domain
Items Commonly Found in the User Domain
Acknowledgment of Responsibilities and Accountabilities
Security Awareness and Training for New Employees
Information Systems Security Accountability
Incorporating Accountability into Annual Employee Performance Reviews
Organization’s Right to Monitor User Actions and Traffic
Best Practices for User Domain Compliance
CHAPTER 9 Compliance Within the Workstation Domain
Compliance Law Requirements and Business Drivers
Implementing Proper Security Controls for the Workstation Domain
Devices and Components Commonly Found in the Workstation Domain
Uninterruptible Power Supplies
Access Rights and Access Controls in the Workstation Domain
Workstation Vulnerability Management
Operating System Patch Management
Application Software Patch Management
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for Workstation Domain Compliance
CHAPTER 10 Compliance Within the LAN Domain
Implementing Proper Security Controls for the LAN Domain
Devices and Components Commonly Found in the LAN Domain
Common Network Server and Service Devices
LAN Traffic and Performance Monitoring and Analysis
LAN Configuration and Change Management
LAN Management, Tools, and Systems
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for LAN Domain Compliance
CHAPTER 11 Compliance Within the LAN-to-WAN Domain
Compliance Law Requirements and Protecting Data Privacy
Implementing Proper Security Controls for the LAN-to-WAN Domain
Devices and Components Commonly Found in the LAN-to-WAN Domain
Virtual Private Network Concentrator
Network Address Translation (NAT)
Internet Service Provider Connections and Backup Connections
Intrusion Detection Systems/Intrusion Prevention Systems
Data Loss/Leak Security Appliances
LAN-to-WAN Traffic and Performance Monitoring and Analysis
LAN-to-WAN Configuration and Change Management
LAN-to-WAN Management, Tools, and Systems
Access Rights and Access Controls in the LAN-to-WAN Domain
Minimizing Single Points of Failure
Redundant Routers and Firewalls
Web Server Data and Hard Drive Backup and Recovery
Use of VPN for Remote Access to Organizational Systems and Data
Penetration Testing and Validating LAN-to-WAN Configuration
Intrusive Versus Nonintrusive Testing
Configuration Management Verification
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for LAN-to-WAN Domain Compliance
CHAPTER 12 Compliance Within the WAN Domain
Compliance Law Requirements and Business Drivers
Implementing Proper Security Controls for the WAN Domain
Devices and Components Commonly Found in the WAN Domain
MPLS/VPN WAN or Metro Ethernet
WAN Backup and Redundant Links
WAN Traffic and Performance Monitoring and Analysis
WAN Configuration and Change Management
WAN Management Tools and Systems
Incident Response Management Tools
Access Rights and Access Controls in the WAN Domain
WAN Service Provider SOC Compliance
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for WAN Domain Compliance
CHAPTER 13 Compliance Within the Remote Access Domain
Remote Access Business Drivers
Implementing Proper Security Controls for the Remote Access Domain
Devices and Components Commonly Found in the Remote Access Domain
Remote Workstations or Laptops
Remote Access Controls and Tools
Remote Access and VPN Tunnel Monitoring
Remote Access Traffic and Performance Monitoring and Analysis
Remote Access Configuration and Change Management
Remote Access Management, Tools, and Systems
Access Rights and Access Controls in the Remote Access Domain
Remote Access Domain Configuration Validation
VPN Client Definition and Access Controls
TLS VPN Remote Access via a Web Browser
VPN Configuration Management Verification
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for Remote Access Domain Compliance
CHAPTER 14 Compliance Within the System/Application Domain
Compliance Law Requirements and Business Drivers
Application Software Versus System Software
Implementing Proper Security Controls for the System/Application Domain
Software Development Life Cycle (SDLC)
Devices and Components Commonly Found in the System/Application Domain
Redundant Computer Room/Data Center
Uninterruptible Power Supplies and Diesel Generators to Maintain Operations
System and Application Configuration and Change Management
System and Application Management, Tools, and Systems
Access Rights and Access Controls in the System/Application Domain
System Account and Service Accounts
System/Application Server Vulnerability Management
Operating System Patch Management
Application Software Patch Management
Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines
Best Practices for System/Application Domain Compliance
CHAPTER 15 Ethics, Education, and Certification for IT Auditors
Professional Associations and Certifications
Professional Ethics, Code of Conduct, and Integrity of IT Auditors
Codes of Conduct for Employees and IT Auditors
Employer-/Organization-Driven Codes of Conduct
Employee Handbook and Employment Policies
Certification and Accreditation for Information Security