INDEX

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

4GLs, 226, 227

5G security, 526

802.1X standard, 488–489

A

abstraction, 324

ACCA (Association of Chartered Certified Accountants), 6

access. See also access controls

open, 488

remote access, 489–490, 578

service access, 483–484

subject access, 483–484

types of, 483–484

access administrator, 83

access bypass, 517

access control lists (ACLs), 500

access control policy, 31

access controls

client-server applications, 521

concepts, 484

considerations, 200

described, 500

logical. See logical access controls

managing, 460–461

models, 485

network, 488–489, 577–578

physical, 566–567, 582–583

relational databases, 306

service access, 483–484

subject access, 483–484

threats, 485–486

user, 570–571

vulnerabilities, 486–487

Wi-Fi, 343

work papers, 144

access logs, 461, 500–501, 556, 574

access management, 569–574

access points, 487–490, 578

access provisioning, 56–57

access violations, 570

account lockout, 511, 570, 572

accumulation of privileges, 59

ACLs (access control lists), 500

acquisitions, 98

activists, 475

addendums, terms for, 605

Address Resolution Protocol (ARP), 345–346

administrative audits, 129

administrative controls, 122

administrators, 557–558, 567, 568

advanced persistent threats (APTs), 552

agile development, 182, 222

agile manifesto, 190

AICPA (American Institute of Certified Public Accountants), 130, 599

ALE (annualized loss expectancy), 49

alerts, 579

American Institute of Certified Public Accountants (AICPA), 130, 599

American National Standards Institute (ANSI), 2

annualized loss expectancy (ALE), 49

annualized rate of occurrence (ARO), 49

ANSI (American National Standards Institute), 2

anti-malware. See also malware

administrative controls, 551–552

considerations, 481

management controls, 552

networks, 316–317, 519

technical controls, 553–555

application code review, 235

application controls, 245–251

auditing, 256–259

calculations, 249

considerations, 670

data file controls, 249–250

editing, 248–249

examples of, 671

input controls, 245–248

output controls, 250–251

processing controls, 248–250

processing errors, 250

reconciliation, 251

report distribution/receipt, 250–251

retention, 251

special forms, 250

application layer protocols, 354–356

application logic, 487

application programming languages, 209

application servers, 289, 360

applications. See also software

auditing, 258

client-server, 362–363, 521–522

cloud-based, 227–229

encryption, 544–545

financial considerations, 69–70

global Internet, 359–360

middleware, 363

networked, 362–363

vulnerabilities, 487

web-based, 363

whitelisting, 520

approved scanning vendor (ASV), 688

APTs (advanced persistent threats), 552

architecture review, 230, 576–577

architecture standards, 34

ARO (annualized rate of occurrence), 49

ARP (Address Resolution Protocol), 345–346

asset controls, 460–461

asset management, 42, 301, 457–459

asset owners, 450, 456

asset value (AV), 49

assets. See also information assets

auditing asset protection, 567–583

classification, 458–459

collecting/organizing data, 43–44

grouping, 41

hardware assets, 457–458

identifying, 41–44

information. See information assets

inventory, 457–458

policies/procedures, 451

sources of data, 42–43

split custody, 85

Association of Chartered Certified Accountants (ACCA), 6

ASV (approved scanning vendor), 688

Asynchronous Transfer Mode (ATM), 335–336

ATM (Asynchronous Transfer Mode), 335–336

attestations, 595–596

attribute sampling, 139

audit audience, 593

audit charters, 97–98, 606, 661

audit closure, 661–662

audit committees, 455, 658

audit cycle, 638–642

audit charters, 97–98, 606, 661

audit closure, 661–662

audit engagement, 603–606

audit follow-up, 663–664

audit objectives, 132, 614–615

audit opinions development, 647–649

audit recommendations development, 650

audit results delivery, 652–656

audit scope, 595, 615–616

considerations, 591

control testing activities, 632–647

developing audit plan, 613–616

developing test plan, 616–625

documentation management, 650–652

ethics/independence, 607–608

how audit cycle is discussed, 592–594

independent third party, 596

internal audits, 594, 597–600

management response, 656–661

organizing test plan, 627–630

overview, 594–595

planning. See audit planning

pre-audit activities, 625–627

project launch, 608–613

project origination, 595–603

resource planning, 631–632

terminology, 593–594

understanding, 592

audit engagement, 603–606, 659

audit evidence. See evidence

audit hooks, 144, 259

audit laws/regulations, 37, 38, 102–106, 597

audits, 37, 38, 102–106, 597

audit logs, 123, 201, 246, 306

audit management, 97–107

audit charter, 97–98, 606, 661

audit laws/regulations, 37, 38, 102–106, 597

audit planning. See audit planning

audit program, 98

implementing recommendations, 153

preliminary discussions, 609

reliance on work of other auditors, 141–142

staff disagreements, 646, 648, 655

technology, 101, 610

audit methodologies, 611–613

audit objectives, 595, 614–615

audit opinions, 647–649

audit planning, 98–100

audit contents, 127–128

audit procedures, 127

audit scope, 100, 127, 595, 615–616

changes in audit activities, 100

changes in technology, 99

developing audit plan, 613–616

factors affecting audit, 98–99

formal project planning, 131–134

market conditions, 99

mergers/acquisitions, 98

new organization initiatives, 98

for new project, 608–613

organization’s goals/objectives, 98

pre-audit planning, 132

purpose of audit, 127, 132

regulatory requirements, 99

resource planning, 100, 127–128

risk analysis. See risk analysis

schedule, 128

audit program, 98

audit projects. See projects

audit reports, 145–147. See also reports/reporting

additional deliverables, 660–661

audiences, 658–659

to audit committees, 658

considerations, 145, 146, 147, 656

contents, 145–146, 654–655

contributing to, 654

delivery of, 652, 660

distribution of, 604–605

electronic, 660

evaluating control effectiveness, 146–147

findings/recommendations, 146

interviewees, 146

preparation of, 133

recommendations, 657

reviewing draft, 659–660

signed, 660

structure, 145–146

from third-party auditors, 141–142

wording issues, 657

writing, 655–656

audit results delivery, 652–656

audit scope, 100, 127, 132, 595, 615–616

audit software, 144, 612

audit sponsors, 593

audit teams, 631–632, 635

auditing, 97–160. See also IS audits; testing

access logs, 574

access management, 569–574

administrative audits, 129

application controls, 256–259

applications, 258

asset protection, 567–583

audit follow-up, 663–664

audit goals, 98

audit laws/regulations, 37, 38, 102–106, 597

audit management, 97–107

audit objectives, 98, 128, 132

audit opinions, 647–649

audit planning. See audit planning

audit procedures, 127

audit recommendations, 146, 153

audit scope, 100, 127, 595, 615–616

audit subject, 132

automated work papers, 143–144

business continuity planning, 431–435

business controls, 256

change management, 255

checklists, 617, 661

closing procedures, 661–662

compliance audits, 129, 131

computer operations, 428

computer-assisted audits, 142–143

configuration management, 255

continuous auditing, 144–145, 258, 640–641

contracts, 89–90

controls and, 121–126

data analytics, 142–145

data entry, 429

database management systems, 425–426

design, 253

detecting fraud/irregularities, 147–148, 644–645

disaster recovery planning, 435–439

documentation. See documentation

employee terminations, 573–574

environmental controls, 580–581

evidence. See evidence

external audits, 100, 130, 663

feasibility studies, 252

feedback/evaluations, 662

file management, 428–429

file systems, 425

final sign-off, 662

financial audits, 129

forensic audits, 129

fraud audits, 129

implementation, 254–255, 602

incident management, 574–575

initial information requests, 613

integrated audits, 129

internal audits. See internal audits

interviewing key personnel, 434

investigative procedures, 574–575

IS audits, 129

IS hardware, 424

ISACA auditing standards, 4, 8–10, 107–115

IT governance, 86–91

IT infrastructure, 424–427

IT operations, 428–430

lights-out operations, 429

logical access controls, 568–576

methodologies, 131–134

monitoring operations, 430

network access controls, 577–578

network change management, 578–579

network infrastructure, 426–427

network operating controls, 427

network security controls, 576–580

objectives, 614–615

observing personnel, 138–139

operating systems, 424–425

operational audits, 128–129, 600

outsourcing, 90–91

password management, 571–572

performing an audit, 126–128

physical access controls, 582–583

physical security controls, 581–583

points of presence, 575–576

post-audit follow-up, 134

pre-audits, 130

preparing audit staff, 631–632

problem management operations, 429–430

procurement, 430–431

program management, 251–252

project management, 251–252

purpose of audit, 127, 132

recommendations, 650

re-performance, 138

requirements, 252

reviewing insurance coverage, 434–435

reviewing service provider contracts, 434

risk and. See risk entries

sampling, 139–141

security management, 567–568

service provider audits, 130

software development, 253–254

Systems Development Life Cycle, 251–255

technology and, 101

testing, 254

third-party risk management, 259–260

types of audits, 128–130, 132

user access controls, 570–571

user access provisioning, 572–573

vulnerability management, 579–580

walkthroughs, 618

wrap-up tasks, 134

auditors

auditor-auditee relationships, 153

communication plan, 133

considerations, 184, 269

ethics/independence, 607–608

handling conflicts, 655

IS auditors, 87, 115–118, 173, 487

IT auditors, 256–257, 434–435, 640

kickoff meetings, 635

objectivity, 145–146

passive observation, 138

project documentation and, 432–433

self-assessments, 152–153

staff, 655

third-party, 141–142

walkthrough interviews, 137–138

authentication

bypassing, 570

network-based, 316

overview, 200, 491

problems, 513

remote access and, 489

user access, 570

Wi-Fi networks, 343

authorization, 200, 246, 247, 491–492

automated testing, 641–642

automated work papers, 143–144

automatic controls, 124, 636

AV (asset value), 49

availability management, 280

B

back doors, 486, 501–502

background verification, 54–55

backup/recovery, 419–423

backup media rotation, 420–421

backup schemes, 420

backup to tape/other media, 419–420

backup tools, 501–502

destruction of, 423

encryption, 423

lost/damaged data, 501

media inventory, 502

media storage, 422–423, 501–502

off-site backups, 422–423

records of, 423

balanced scorecard (BSC), 20, 22–23

batch totals, 218

BCI (Business Community Institute), 401

BCM Institute, 402

BCP (business continuity planning), 364–402

auditing, 431–435

best practices, 401–402

components of, 392–393

considerations, 50, 75

continuity plans, 377–393, 399

disasters. See disaster entries

improving recovery/continuity plans, 399

interviewing key personnel, 434

key recovery targets, 377

maintaining recovery/continuity plans, 390, 400, 401

overview, 364

personnel safety procedures, 378–379

planning process, 371–377

project documentation and, 432–433

recovery procedures, 386–387

restoration procedures, 387–388

reviewing prior test results/action plans, 433

testing recovery/continuity plans, 393–399

training personnel, 386, 399

BCP documentation, 399–400

BCP life cycle, 371, 372

BCP policy, 371–372

benchmarking, 67, 76, 239–240

benefits realization, 162–167

BIA (business impact analysis), 372–375

big data architect, 81

biometrics, 496–499, 512–513

blade computers, 297

Bluetooth technology, 344

BMIS (Business Model for Information Security), 673–674

board of directors, 23, 78, 455

bots, 527, 549

BPLC (business process life cycle), 237–240

BPM (business process management), 237

BPR (business process reengineering), 237–239

BSC (balanced scorecard), 20

budgets, 612

buses, 292–293

business alignment, 19, 456

business case development, 165–166

Business Community Institute (BCI), 401

business continuity, 25, 75

business continuity planning. See BCP

business continuity requirements, 201

business controls, 256

business impact analysis (BIA), 372–375

Business Model for Information Security (BMIS), 673–674

Business Motivation Model, 667

business objectives, 667

business plan, 197

business process life cycle (BPLC), 237–240

business process management (BPM), 237

business process reengineering (BPR), 237–239

business processes, 237–243

changes to, 195

evaluating for risk, 118–119

impact on, 100

overview, 237

as a service, 69

business records, 118

business resilience, 364–423

business risks, 119–120

C

CA (criticality analysis), 375–376

CAATs (computer-assisted audit techniques), 142–143, 258–259

cables/cabling, 329–333

CAE (chief audit executive), 593

California Consumer Privacy Act (CCPA), 104

campus area network (CAN), 314

CAN (campus area network), 314

Canadian regulations, 106

Capability Maturity Model Integration (CMMI), 75

capability maturity models (CMMs), 240–242, 668–670

capacity management, 75–76, 279–280

career paths, 57

CASB (cloud access security broker), 316, 577

CASE (computer-aided software engineering), 226–227

categorizations, 647

CCO (chief compliance officer), 80, 593

CCPA (California Consumer Privacy Act), 104

CCTA (Central Computer and Telecommunications Agency), 692

Center for Internet Security (CIS), 689–690

Central Computer and Telecommunications Agency (CCTA), 692

central processing unit (CPU), 291–292

certificates, 512–513

certification. See CISA certification

Certified in Risk and Information Systems Control (CRISC) certification, 2

Certified in the Governance of Enterprise IT (CGEIT) certification, 2, 667

Certified Information Systems Auditor. See CISA entries

CFO (chief financial officer), 593

CGEIT (Certified in the Governance of Enterprise IT) certification, 2, 667

chain of custody, 482, 644

change control board, 274

change management

auditing, 255

client-server applications, 521–522

components, 234–235

overview, 184–185, 273

process for, 69, 273–274

records, 274–275

unauthorized changes, 235–236

change request, 234

change review, 234

chargeback, 70

Chartered Institute of Management Accountants (CIMA), 6

charters

audit charter, 97–98, 606, 661

considerations, 118

described, 40

program charter, 163

steering committee, 28

checklists, 617, 661

checksums, 218

chief audit executive (CAE), 593

chief compliance officer (CCO), 593

chief financial officer (CFO), 593

chief information officer (CIO), 24, 25, 80, 455, 593

chief information risk officer (CIRO), 455

chief information security officer (CISO), 24, 25, 31, 80, 455

chief privacy officer (CPO), 80, 455

chief risk officer (CRO), 80, 593

chief security officer (CSO), 24, 80

chief technical officer (CTO), 80

CIMA (Chartered Institute of Management Accountants), 6

CIO (chief information officer), 24, 25, 80, 455, 593

cipher locks, 564–566

CIRO (chief information risk officer), 455

CIS (Center for Internet Security), 689–690

CIS (continuous and intermittent simulation), 144–145, 259

CIS Controls, 73, 689–690

CIS CSC, 689–690

CISA (Certified Information Systems Auditor)

becoming, 1–18

code of professional ethics, 4, 8

experience substitution/waiver options, 4, 6–7

overview, 1–2

work experience requirements, 5–6

CISA certification

applying for, 4, 13–14

benefits of, 2–3

considerations, 2, 7

continuing education, 5, 14–17

life cycle, 4

overview, 1–2

process for, 4–7

retaining, 14–17

revocation of, 17

CISA certification exam, 10–13

after the exam, 13

considerations, 4

day of exam, 13

passing score, 4

practice areas, 5

preparation pointers, 17

resources for, 11–12

CISC (complex instruction set computer), 292

CISO (chief information security officer), 24, 25, 31, 80, 455

classes, 224

classful networks, 350–351

classless networks, 351

cleaning, 564

client organization, 593

clients

client needs, 608–610

client procedures, 617–618

considerations, 594

defined, 593

feedback/evaluations, 662

final sign-off with, 662

internal auditing and, 594

preparedness for an audit, 613–614

project planning with, 632

reports to, 658–659

client-server applications, 362–363, 521–522

cloud access security broker (CASB), 316, 577

cloud computing, 302

cloud, public, 411

cloud sites, 410, 412–413

cloud-based infrastructure/applications, 227–229

cloud-based services, 316

clusters, 297, 302, 416, 417

CM (configuration management), 184, 236–237, 255, 275

CMDB (configuration management database), 236, 275

CMMI (Capability Maturity Model Integration), 75

CMMs (capability maturity models), 240–242, 668–670

COBIT, 667, 668–670

COBIT framework, 21, 73, 75–76, 125, 372, 667, 668, 678–680

COCOMO (Constructive Cost Model), 176

code of ethics, 4, 8, 107

cold sites, 409–410, 412

collision detection, 333–334

Committee of Sponsoring Organizations of the Treadway Commission. See COSO

communication plan, 133

communications, 391–392

compensating controls, 123, 489, 515, 621–622

compensation baselining, 79

complex instruction set computer (CISC), 292

compliance, 25, 454, 469

compliance audits, 129

compliance management, 74

compliance risk, 52–53

compliance testing, 131

component-based development, 224–225

computer crime, 471–476, 575

computer operations. See operations

computer security/privacy regulations, 102–106

computer-aided software engineering (CASE), 226–227

computer-assisted audit techniques (CAATs), 142–143, 258–259

computers. See also IS hardware

firmware, 296

hardware architecture, 290–300

multicomputer architectures, 297–298

storage, 293–296, 301

types of, 288–289

uses for, 289–290

confidence coefficient, 140

confidence level, 140

confidentiality, 469

configuration management (CM), 184, 236–237, 255, 275

configuration management database (CMDB), 236, 275

configuration standards, 34

Constructive Cost Model (COCOMO), 176

continuing professional education (CPE), 5, 14–17

continuous and intermittent simulation. See CIS entries

continuous auditing, 144–145

contractor management, 59, 79–84

contracts, 89–90, 136, 434

control activities/controls, 648–649, 670

control existence, 635–638

control language, 627

control managers, 593, 635

control objectives

considerations, 622, 670

developing, 621

failures, 620

internal, 124–125

opinions on, 648–649

outdated, 620

overview, 620–621, 667

control operating effectiveness, 638–642

control owners, 593, 635, 636, 639

control risk, 148

control self-assessment. See CSA

control testing, 592, 598, 636, 663–664. See also auditing

control testing activities, 632–647

controls, 121–126. See also access controls

absence of, 638

administrative controls, 122

application. See application controls

asset controls, 460–461

automatic controls, 124, 636

business controls, 256

categories of, 124

changes to IT environments, 619–620

CIS Controls, 73, 689–690

classes of, 122–123

classification, 121–124

compensating controls, 123, 489, 515, 621–622

considerations, 620–621

corrective controls, 123

data file controls, 249–250

described, 121

detective controls, 122, 123

deterrent controls, 123

documenting, 671

environmental. See environmental controls

establishing testing cycles, 598–599

evaluating effectiveness of, 146–147

failures, 620, 649

general controls, 126, 670–671

governance, 636

identifying, 622–632, 671

input controls, 245–248

internal control objectives, 124–125

internal controls, 670

IS control objectives, 125

IS controls, 126

IT GC, 681

key controls, 621

logical access. See logical access controls

manual controls, 124

mapping to documentation, 624–625

network security. See network security controls

outdated, 620

output controls, 250–251

overview, 670–671

physical controls, 121, 122

physical security controls, 564–567

preventive controls, 122, 123

processing controls, 248–250

recovery controls, 123

reviewing existing controls, 599

SOD controls, 85

supporting controls, 621, 622

technical controls, 121, 122

types of, 121–122

understanding, 622–632

understanding client’s procedures, 617–618

understanding IT environment, 618–619

controls analyst, 82

controls environment, 617–625

controls management, 72–73

corporate governance, 666–667

corrective controls, 123

corroboration, 635

corroborative inquiry, 637

COSO (Committee of Sponsoring Organizations of the Treadway Commission), 21, 674–678

COSO cube, 675

COSO Internal Control – Integrated Framework, 674–678

CPE (continuing professional education), 5, 14–17

CPM (critical path methodology), 179–182

CPO (chief privacy officer), 80, 455

CPU (central processing unit), 291–292

criminal activity, 644–645

CRISC (Certified in Risk and Information Systems Control) certification, 2

critical path methodology (CPM), 179–182

Critical Security Controls (CSC), 689–690

criticality analysis (CA), 375–376

CRO (chief risk officer), 80, 593

cryptography, 533–539, 540

cryptosystems, 533, 535–537

CSA (control self-assessment), 150–153

CSA life cycle, 151–152

CSC (Critical Security Controls), 689–690

CSF (NIST Cybersecurity Framework), 242

CSO (chief security officer), 24, 80

CTO (chief technical officer), 80

customer confidence, 3

customer requirements, 195

customers, 389

cutover test, 218–219, 398

cybercrime, 471–476, 575

Cybersecurity Framework (CSF), 242

cyclical controls testing, 598, 654

D

DAC (Discretionary Access Control), 485

data. See also information

classification, 458–459

destruction of, 32

forensics techniques, 482–483

life cycle, 286–287

offshore data flow, 103

ownership, 568

quality management, 287

stealing, 522

storage, 36–37

structured/unstructured, 36

validation of, 200

data analytics, 142–145

data center reliability, 563–564

data classification policy, 30–31

data communications software, 303. See also networks

data custodians, 568

data entry personnel, 83

data file controls, 249–250

data flow diagrams (DFDs), 36

data integrity, 257

data loss prevention. See DLP

data management, 81, 286–287

data manager, 81

data migration, 217–218

data protection laws, 522

data storage diagrams, 36–37

database administrator (DBA), 81

database analyst, 81

database architect, 81

database management system (DBMS), 143, 304–307, 425–426

database servers, 289

databases

CMDB, 275

hierarchical databases, 307, 308

network databases, 307, 308

NoSQL databases, 306

object databases, 306

RDBMS, 305–306

data-oriented system development (DOSD), 223

DBA (database administrator), 81

DBMS (database management system), 143, 304–307, 425–426

DDoS attacks, 477

debugging, 143, 210–211

defense-in-depth, 344, 510, 549, 553

Deming Cycle, 671–672

Deming, W. Edwards, 671–672

denial-of-service (DoS) attacks, 477

department charters, 136

design

auditing, 253

infrastructure, 231–232

release process, 276–278

SDLC, 206–208

destructware, 477, 549

detection risk, 148

detective controls, 122

deterrent controls, 123

developers, 184

development, 277

devices

mobile, 32, 290–291, 514–515

network devices, 334–335

replacing, 513

TCP/IP devices, 356–357

WAN devices, 341–342

DevOps, 194, 221–222

DevSecOps, 222

DFDs (data flow diagrams), 36

digital certificates, 496

digital envelopes, 540–541

digital laws/regulations, 102

digital rights management (DRM), 310–311

digital signatures, 540

digital transformation (DX), 25, 166, 269

directories, 303, 315

disaster recovery, 25

disaster recovery planning (DRP), 74, 403–423

acquiring hardware, 412–413

auditing, 435–439

data backup/recovery, 419–423

developing recovery plans, 418–419

developing recovery strategies, 406–418

evaluating off-site storage, 438

overview, 403

recovery objectives, 403–406

recovery/resilience technologies, 413–417

response team roles/responsibilities, 403

reviewing test results/action plans, 433, 437

risk analysis and, 50

site recovery options, 407–413

testing disaster response plans, 423

third-party recovery sites, 411–412

disaster recovery plans, 618–619

disaster requirements, 202

disasters, 364–371

business continuity and, 364–365, 371

considerations, 364–365

disaster declaration procedures, 379–380

effect on organizations, 370–371

first responders, 382

human-made, 368–369

natural, 365–368

overview, 364–365

physical security, 384

responsibilities, 381–386

types of, 365–369

discovery sampling, 140

Discretionary Access Control (DAC), 485

distributed denial-of-service (DDoS) attacks, 477

DLP (data loss prevention), 520, 554, 577

DLP systems, 556

DNS (Domain Name System), 359, 360, 518

DNS attacks, 517

DNS servers, 360

document review test, 395

documentation

auditing, 87–89

BCP documents, 432–433

business continuity planning, 432–433

checklists, 617, 661

client procedures, 617–618

creating, 623–624

diagramming, 623, 624

disaster recovery plans, 618–619

disaster response operations, 383

draft, 624

electronic, 651–652

employee policy manuals, 55–56

financial audit write-ups, 617

formats, 623

hard copy, 400

instruction manuals, 617

internal audits, 617

IS standards documents, 136

lead sheets, 612, 652, 653

management procedures, 617, 618

managing supporting documentation, 650–652

mapping controls to, 624–625

network/system diagrams, 618

policies, 28

previous audits, 618

processes/procedures, 623–625

project documentation, 183–184

project management, 183–184

project records, 182–183

recovery documentation, 400

sections, 651

soft copy, 400

standard operating procedures, 32–33

storing, 651–652

system documentation, 137

system information, 137

system inventories, 618

technology, 618–619

test results, 398–399

Domain Name System. See DNS

domain names, 575

DoS attacks, 477, 517

DOSD (data-oriented system development), 223

DRI International, 402

DRM (digital rights management), 310–311

DRP. See disaster recovery planning

due diligence, 243–244

DX (digital transformation), 25, 166, 269

E

EA (enterprise architecture), 34–37, 311–312

eavesdropping, 485–486, 488, 516, 523, 527

ECC (elliptic curve cryptography), 538

education, 5, 6–7, 14–17

EF (exposure factor), 49

effectiveness measurement, 26

electric power, 557, 558–560

electronic documentation, 651–652

elliptic curve cryptography (ECC), 538

e-mail, 315, 360, 517, 550

emergencies, 390

emergency changes, 274–275

emergency response, 382

emergency supplies, 391

employee development, 57

employee policy manuals, 55–56

employees. See also personnel management

acceptable behavior, 451

access provisioning, 56–57

background verification, 54–55

career advancement, 79, 80

career paths, 57

compensation baselining, 79

contractors, 59, 79–84

disgruntled, 476

duties, 469

employment agreements, 469–470

equipment issued to, 470

former, 476

hiring, 54–57

insourcing, 60

interviewing key personnel, 434

job rotation, 556

job titles/descriptions, 57, 79–84, 469

mandatory vacations, 58

moonlighting, 32

new, 572–573

observing, 138–139

outsourcing, 60–67

passive observation of, 138

performance evaluation, 57

policy/discipline, 470

reassignments, 59

recruiting, 79

roles/responsibilities, 78–79, 450, 454–456

safeguards during employment, 470–471

safety procedures, 378–379

screening/background checks, 468–469, 470, 556

security awareness, 24, 138, 451–453, 470

segregation of duties. See segregation of duties

skills/experience, 138

split custody, 484

staff augmentation, 603

staff disagreements, 646, 648, 655

tasks performed, 138

termination of. See terminations

training. See training

transfers, 59, 460, 470, 471, 510

vacations, 58

walkthroughs, 137–138

encapsulation, 224, 324

encryption, 532–545

applications, 544–545

backups, 423

Bluetooth, 344

cryptography, 533–539, 540

digital envelopes, 540–541

digital signatures, 540

hashing, 539–540

key management, 542–544

logical access controls, 532–545

networks, 519

overview, 532–533

PKI, 541–542

relational databases, 306

remote access and, 489

requirements, 200

secure key exchange, 536

sensitive information, 474

terms/concepts, 533–535

wireless networks, 343, 524

work papers, 144

encryption applications, 544–545

end users, 172

endpoints, 290–291

end-user computing, 282–283

engagement letters, 603–606, 608, 614–616

enterprise architecture (EA), 34–37, 311–312

enterprise governance, 666–667

environmental controls, 557–564

audit audience, 580–581

auditing, 580–581

countermeasures, 558–564

electric power, 557, 558–560

threats/vulnerabilities, 552–558

equipment, 470–471, 478

equipment control/use, 32

equipment theft, 477

error handling, 248

error rates, 140, 141

errors, 148, 149, 250

Ethernet, 333–335

ethical hackers, 602

ethics, 607–608

ethics, code of, 4, 8, 107

European regulations, 106

General Data Protection Regulation (GDPR), 52–53, 99, 104

e-vaulting, 502

evidence, 134–141

chain of custody, 644

characteristics of, 135–136

of fraud/criminal activity, 147–148, 644–645

gathering, 136–138, 632–634

of irregularities, 147–148

lack of, 619

listed, 146

objective, 135

timing, 135

evidence provider, 135

exam. See CISA certification exam

exception handling, 281

exceptions, 646–647, 655

executive management, 78, 455

executive support, 450

expected error rate, 140

expenses, 605

exposure factor (EF), 49

external attestations, 595–596

external audits, 100, 130, 663

extreme programming (XP), 191–192

F

fail open/fail close, 484

failovers, 297, 302, 416

FAM (file activity monitoring), 236

FDDI (Fiber Distributed Data Interface), 337–338

feasibility studies

auditing, 252

business case development, 165

considerations, 165, 196, 431

items included in, 196–197

overview, 165, 196

release process, 276

SDLC, 194, 196, 261

Federal Information Security Management Act (FISMA), 598

fees, 605

FEMA, 402

Fiber Distributed Data Interface (FDDI), 337–338

file activity monitoring (FAM), 236

file integrity monitoring (FIM), 236

file management, 428–429

file servers, 289, 315

file systems, 303–304, 425

files, 303

FIM (file integrity monitoring), 236

financial audits, 129, 617

financial crime, 473–474

financial management, 42, 69–70, 278–279

fire prevention/detection/suppression, 561–563

firewalls, 357, 577, 637

firmware, 296

FISMA (Federal Information Security Management Act), 598

folders, 303

forensic audits, 129

forensic investigations, 482–483, 575

forensic rules, 645

FPA (function point analysis), 177

FPs (function points), 177

Frame Relay, 340–341

frameworks, 21, 665, 668, 670, 699

fraud, 147–148, 644–645

fraud audits, 129

FTP, 354

FTPS, 354

function point analysis (FPA), 177

function points (FPs), 177

functional requirements, 197–198, 231

functional testing, 214

functions, 242

G

GAIT (Guide to the Assessment of IT Risk), 681

Gantt chart, 179

GAS (generalized audit software), 144

gate processes, 278

gateway servers, 289

gateways, 350

GCCs (general computing controls), 126

GDPR (General Data Protection Regulation), 52–53, 99, 104

general computing controls (GCCs), 126

general controls, 670–671

generalized audit software (GAS), 144

GLBA (Gramm-Leach-Bliley Act), 52, 53, 99

global Internet applications, 358–360

Global Technology Audit Guides (GTAG), 680

goals, 98, 99, 128, 667

Good-Cheap-Fast triad, 183

governance. See also IT governance

defined, 19

information security governance, 23–26

outsourcing, 66–67

overview, 666–667

governance controls, 636

Gramm-Leach-Bliley Act (GLBA), 52, 53, 99

grid computing, 297, 302

GTAG (Global Technology Audit Guides), 680

guard dogs, 567, 582

Guide to the Assessment of IT Risk (GAIT), 681

Guide to the Project Management Body of Knowledge (PMBOK Guide), 693–695

guidelines, 107, 111, 115, 692

H

hackers, 475, 476, 602

hardening, 481, 487, 503, 504–507, 579

hardware. See IS hardware

hashing, 539–540

Health Insurance Portability and Accountability Act (HIPAA), 73, 99

helpdesk, 271

helpdesk analyst, 83

HIPAA (Health Insurance Portability and Accountability Act), 73, 99

hiring, 54–57

hot sites, 408–409, 412

human resources. See also personnel management

contractor management, 59, 79–84

employee terminations. See terminations

employee transfers, 59, 460, 470, 471, 510

security, 467–471

I

IaaS (Infrastructure-as-a-Service), 2, 68–69, 228

IAs. See internal audits

ICMP (Internet Control Message Protocol), 320–321, 347, 348

identification, 491

identity and access management, 74

IDEs (integrated development environments), 226

IDSs (intrusion detection systems), 481, 519, 570

IEC (International Electrotechnical Commission), 682–684

IGMP, 347

IIA (Institute of Internal Auditors), 597

impact analysis, 47–48, 376

implementation, 215–219

auditing, 254–255

cutover test, 218–219

described, 234

planning, 215–216

post-implementation, 219–220, 255

training, 217

incident logs, 136

incident management

auditing, 574–575

considerations, 275

overview, 74, 272

incident response

overview, 25, 453–454

phases, 478–479

planning, 478, 480

testing, 480

incidents. See security incidents

independence issues, 607–608

information. See also data

considerations, 449

described, 457

personal, 461–462

protecting, 500–507

sensitive, 461–462, 474–475

information assets. See also assets

categories, 457

collection/use of, 103

considerations, 42

data classifications, 458

handling procedures, 458–459

protecting, 449–589

information leakage, 555–556

Information Security Forum (ISF), 682–684

information security governance, 23–26

information security management, 449–483

aspects of, 450–454

asset controls, 460–461

asset inventory/classification, 457–459

business alignment, 456

compliance, 454, 469

computer crime, 471–476, 575

corrective/preventive actions, 454

executive support, 450

forensic investigations, 482–483

human resources security, 467–471

incident response, 454

overview, 449

policies/procedures, 450–451

privacy, 461–462

roles/responsibilities, 450, 454–456, 469

security awareness, 451–453, 470

security incidents. See security incident management

security monitoring/auditing, 453

third-party management, 462–467

Information Security Management System (ISMS), 674

information security policy, 29

information system support, 118

information systems. See IS; IT entries

Information Systems Audit and Control Association. See ISACA entries

Infrared Data Association (IrDA), 345

infrastructure

architecture review, 230

design, 231–232

development/implementation, 229–234

implementation, 234

maintenance, 234

procurement, 232–233

requirements, 231

testing, 233

Infrastructure-as-a-Service (IaaS), 2, 68–69, 228

inherent risk, 148

inheritance, 224

innovation, 195

input authorization, 246, 247

input controls, 245–248

input validation, 246–247

inquiry, 635, 637

insourcing, 60

inspection, 635, 637, 638–639

instant messaging, 360, 518

Institute of Internal Auditors (IIA), 597

insurance, 150

insurance coverage, 434–435

integrated audits, 129

integrated development environments (IDEs), 226

Integrated Services Digital Network (ISDN), 341

integrated test facility (ITF), 144, 259

integrity, 102, 257

intellectual property, 32

internal auditors. See clients

internal audits (IAs), 597–600

controls review, 599

controls testing, 597–599, 663–664

documentation, 617

new, 100

operational audits, 600

overview, 130, 597

risk assessment, 597

voluntary, 151

internal controls, 670

International Electrotechnical Commission (IEC), 682–684

International Organization for Standardization (ISO), 682–684

Internet communications, 526–532

Internet Control Message Protocol (ICMP), 320–321, 347, 348

Internet layer protocols, 346–349

Internet points of presence, 575–576

Internet Protocol. See IP

interoperability, 231

intrusion detection systems (IDSs), 481, 519, 570

intrusion prevention systems (IPSs), 357, 519, 554, 570

inventories, system, 618

investigative procedures, 574–575

I/O operations, 296–297

IoT security, 520–521

IP (Internet Protocol), 346–347

IP addresses, 349, 352, 358–359

IPsec, 347–349

IPSs (intrusion prevention systems), 357, 519, 554, 570

IPv4, 349–352, 353

IPv6, 352–353

IrDA (Infrared Data Association), 345

irregularities, 147–148

IS (information systems)

architecture, 301–311

code of professional ethics, 4, 8

considerations, 7, 457

hardware, 287–301

IS vs. IT, 7

maintaining, 234–237

operations. See IS operations

software, 303–304

IS audit cycle. See audit cycle

IS auditors, 87, 115–118, 173, 487. See also auditors

IS audits, 129, 591–664. See also auditing

IS control objectives, 125

IS hardware, 287–301. See also computers

architecture, 290–300

auditing, 424

computer usage, 288–290

configuration, 275

for disaster recovery, 412–413

hardware asset inventory, 457–458

information systems, 287–301

maintenance, 300

monitoring, 300–301

overview, 287

IS operations, 270–287. See also IT operations

data management, 286–287

end-user computing, 282–283

hardware. See IS hardware

IT service management, 271–280

media control, 285–286

operations management/control, 270–271

overview, 270

quality assurance, 284–285

security management, 285

software program library, 283–284

IS standards documents, 136

ISACA audit and assurance guidelines, 111–115

ISACA audit and assurance standards framework. See ITAF

ISACA auditing standards, 4, 8–10, 107–115

ISACA chapter, 17

ISACA Code of Professional Ethics, 4, 8, 107

ISACA online glossary, 666

ISACA Risk IT Framework, 117

ISACA training/conferences, 101

isaca.org web site, 2, 17

ISDN (Integrated Services Digital Network), 341

ISF (Information Security Forum), 682–684

ISMS (Information Security Management System), 674

ISO (International Organization for Standardization), 682–684

ISO/IEC 9000, 71

ISO/IEC 20000, 71, 73

ISO/IEC 27001, 21, 75, 682–684

ISO/IEC 27002, 73, 682–684

ISO/IEC 38500, 21

ISO/IEC standard, 2, 3, 241, 272, 682–684

IT Assurance Framework. See ITAF entries

IT auditors, 256–257, 434–435, 640. See also auditors

IT balanced scorecard (IT-BSC), 23

IT environments, changes to, 619–620

IT GC (IT general controls), 681

IT general controls (IT GC), 681

IT governance, 20–26

activities, 20–21

auditing, 86–91

balanced scorecard, 22–23

considerations, 667

executive practices, 20–26

frameworks, 21

overview, 19–20

problems in, 86–87

security activities, 25–26

IT Governance Institute (ITGI), 666

IT infrastructure, 424–427

IT Infrastructure Library. See ITIL entries

IT life cycle management, 161–267. See also Systems Development Life Cycle

application controls, 245–251

auditing application controls, 256–259

auditing business controls, 256

auditing third-party risk management, 259–260

benefits realization, 162–167

business processes, 237–243

infrastructure, 229–234

maintaining information systems, 234–237

overview, 161–162, 666

project management. See project management

third-party management, 243–245

IT management, 53–86

change management. See change management

controls management, 72–73

performance management, 75–76

personnel. See personnel management

portfolio management, 72

quality management, 70–72

security management, 72–73

sourcing, 60–67

third-party delivery management, 67–69

IT management practices, 53–86

IT operations, 173, 281, 428–430. See also IS operations

IT organizations, 269

IT outsourcing, 2

IT service desk, 271

IT service management (ITSM), 271–280, 692

IT standards, 33–34

IT steering committee, 24, 27–28, 172

IT strategic planning, 26–28

IT strategy committee, 22

IT Value Delivery (Val IT) framework, 72, 698–699

ITAF (IT Assurance Framework), 8–9, 97, 107–110, 691

ITAF project, 691–692

IT-BSC (IT balanced scorecard), 23

ITF (integrated test facility), 144, 259

ITGI (IT Governance Institute), 666

ITIL (IT Infrastructure Library), 668, 692–693

ITIL framework, 21

IT/IS governance reviews, 602–603

ITSM (IT service management), 271–280, 692

J

job titles/descriptions, 57, 79–84, 469

judgmental sampling, 139

jump servers, 571, 578

K

Kanban, 190–191

key controls, 621–622

key logging, 551–552

key management, 542–544

key measurements, 71

key performance indicators (KPIs), 22–23, 75, 167

keycard systems, 582

keycards, 565, 566

kilo lines of code (KLOC), 175–176

KLOC (kilo lines of code), 175–176

known error, 272

KPIs (key performance indicators), 22–23, 75, 167

L

L2TP (Layer 2 Tunneling Protocol), 346

LAN (local area network), 314, 328–338

laptop computers, 290, 514–515

law enforcement, 475

laws/regulations, 37–38. See also standards

changes in regulation, 194–195

compliance, 52–53

computer security/privacy, 102–106

determining applicability of, 104

digital media, 102

identifying, 37–38

overview, 37–38

penalties for failing to comply, 103

policies/procedures, 451

privacy, 102–106

risk management, 451

security, 102–106

Layer 2 Tunneling Protocol (L2TP), 346

Layer 3 switch, 357

Layer 4 switch, 357

Layer 4-7 switch, 357

lead sheets, 612, 652, 653

least privilege, 236, 484, 500

legal agreements, 195, 465–466

legal issues, 383, 604, 645

legal protection, 648

life cycle. See IT life cycle management

lighting, 564

lights-out operations, 429

link layer protocols, 345–346

local area network (LAN), 314, 328–338

log files

access logs, 461, 500–501, 556, 574

audit logs, 123, 201, 246, 306

considerations, 639

incident logs, 136

system logs, 638

transaction logs, 250

logic bombs, 486

logical access controls, 483–515. See also access controls

access control concepts, 484–486

access control vulnerabilities, 486–487

access points, 487–490

asset protection, 567–581

auditing, 568–576

client-server applications, 521–522

encryption, 532–545

environmental controls, 557–564

information leakage, 555

Internet, 526–532

IoT security, 520–521

malware, 548–555

mobile computing, 514–515

network security controls, 516–520

overview, 483–484

PBX, 547–548

physical security controls, 564–567, 581–583

protecting stored information, 500–508

user access, 508–514

voice over IP, 545–547

wireless networks, 522–526

logical controls, 121

Long Term Evolution (LTE), 344

LTE (Long Term Evolution), 344

M

MAC (Mandatory Access Control), 485

MAC (Media Access Control), 346

malware, 548–555. See also anti-malware

considerations, 477, 517, 552, 553

described, 477, 485

exposure to, 488

Internet communications, 527

network, 316–317

overview, 548

threats/vulnerabilities, 548–552

types of, 548–549

vulnerabilities, 550

MAN (metropolitan area network), 314

management, improper actions by, 645–646

management procedure documentation, 617, 618

management projects, 664

management representation letter, 648

management review, 186

managers, 24, 78, 456

Mandatory Access Control (MAC), 485

mandatory vacations, 58

man-in-the-browser (MITB) attacks, 517

man-in-the-middle (MITM) attacks, 517

manual controls, 124

market competition, 100

market conditions, 99

materiality, 148–149, 646–647

matrix, 147, 627. See also test plans

maturity models, 668–670

maximum tolerable downtime (MTD), 376–377

MDM (mobile device management), 515

Media Access Control (MAC), 346

media control, 285–286

media management systems, 307–308

media manager, 83

media storage, 501–502

media storage sites, 435

memory, 296

mergers, 98

message boards, 518

message digests, 539–540

methodology standards, 34

methods, 224

metrics, 166

metropolitan area network (MAN), 314

MFA (multifactor authentication), 495–496

middleware, 363

military, 475

mission statement, 118

MITB (man-in-the-browser) attacks, 517

mitigating risk, 51, 65–66, 120, 150

mitigation strategies, 50

MITM (man-in-the-middle) attacks, 517

mobile computing, 514–515

mobile device management (MDM), 515

mobile devices, 32, 290–291, 514–515

mobile sites, 410

modems, 341, 578

monitoring

auditing, 430

continuous monitoring, 640–641

hardware, 300–301

overview, 121, 281–282

security monitoring, 282, 453

MPLS (Multiprotocol Label Switching), 339

MTD (maximum tolerable downtime), 376–377

multicast, 347

multifactor authentication (MFA), 495–496

multiplexors, 341

Multiprotocol Label Switching (MPLS), 339

N

NACs (network access controls), 488–489, 577–578

NAS (network attached storage), 414

NDAs (nondisclosure agreements), 606

Near-Field Communications (NFC), 345

netflow, 520

network access controls (NACs), 488–489, 577–578

network access paths, 569

network administrator, 82

network architect, 82

network attached storage (NAS), 414

network change management, 578–579

network connectivity, 297, 316, 416–417

network devices, 334–335

network engineer, 82

network identifier, 343

network infrastructure, 311–363

architecture, 312–314

auditing, 426–427

enterprise architecture, 311–312

network models, 317–327

network technologies, 328–363

network-based services, 315–317

overview, 311

network management, 82, 317, 360–361

network management tools, 361

network models, 317–327

OSI model, 317–323

TCP/IP model, 323–327

network operating controls, 427

network routing, 359

network security, 516–520

5G security, 526

client-server applications, 521–522

countermeasures, 518–520

encryption. See encryption

Internet communications, 526–532

IoT security, 520–521

network-based threats, 516–518

vulnerable network services, 517–518

wireless networks, 522–526

network security controls, 516–557

auditing, 576–580

countermeasures, 518–520

IoT security, 520

overview, 516–518

network services, 416–417

network technologies, 328–363

network transport protocols, 333–338

network tunneling, 360

networked applications, 362–363

networks, 311–363

described, 311

encryption, 519

infrastructure, 311–363

LANs, 328–338

malware. See malware

managing, 360–361

peer-to-peer networks, 518

security. See network security

switched networks, 519

types of, 313–314

VPNs, 489, 490

WANs, 338–342

wireless, 342–345, 522–526

network/system diagrams, 618

NFC (Near-Field Communications), 345

NIST 800-53, 73

NIST CSF (NIST Cybersecurity Framework), 685–687

NIST Cybersecurity Framework (NIST CSF), 242, 685–687

NIST SP 800-53, 684–685

NIST SP 800-53A, 684–685

nondisclosure agreements (NDAs), 606

nonstatistical sampling, 139

O

object breakdown structure (OBS), 169–170, 175

objectives, 98, 99, 667

objectivity, 135

object-oriented (OO) system development, 223–224

objects, 224, 484

OBS (object breakdown structure), 169–170, 175

observation, 635, 636

Office of Government Commerce (OGC), 695

offshore data flow, 103

OGC (Office of Government Commerce), 695

onboarding, 243–244

online processing systems, 257–258

OO (object-oriented) system development, 223–224

Open Shortest Path First (OSPF), 346

operating systems, 301–302

auditing, 424–425

data communications software, 303

file systems, 303–304

functions of, 301–302

media management systems, 307–308

process management, 301

storage management, 301

operational audits, 128–129, 600

operations. See also IS operations

auditing, 428

IT operations, 173, 281, 428–430

monitoring. See monitoring

problem management, 429–430

roles/responsibilities, 82–83

tasks, 281

operations analyst, 82

operations manager, 82

organization charts, 76–77, 136

organization structure/responsibilities, 76–86

OSI network model, 317–323, 327

OSPF (Open Shortest Path First), 346

output controls, 250–251

outsourcing, 60–67

auditing, 90–91

benefits of, 62

described, 55

governance, 66–67

popularity of, 2

reasons for, 60–61

risks, 62–66

types of jobs outsourced, 61–62

owners, 78

P

PaaS (Platform-as-a-Service), 2, 68–69, 228

PAN (personal area network), 313

parallel test, 397–398

passphrase, 493, 511

password management

auditing, 571–572

controls, 511–512

procedures, 510–512

passwords, 493–496

default, 487, 505

forgotten, 511

guidelines, 493–494, 505, 511, 512

managing. See password management

risks, 494–495

patch management, 486, 502–504, 580

patches, 276, 486

Payment Card Industry Qualified Security Assessor (PCI-QSA) certification, 3

PBC (Provided by Client) lists, 613, 633

PBX (private branch exchange), 547–548

PCAOB (Public Company Accounting Oversight Board), 650–651

PCI Security Standards Council (PCI SSC), 687–689

PCI Self-Assessment Questionnaire (SAQ), 150

PCI SSC (PCI Security Standards Council), 687–689

PCI-DSS, 52–53, 73, 687–689

PCI-QSA (Payment Card Industry Qualified Security Assessor) certification, 3

PDUs (protocol data units), 354

peer-to-peer networks, 518

penetration testing, 503–504, 580

performance optimization, 75

periodic reviews, 85

permissions, 487

personal area network (PAN), 313

personal information, 461–462

personnel management, 53–59. See also employees

access provisioning, 56–57

career paths, 57

contractor management, 59, 79–84

employee development, 57

employee termination. See terminations

employee transfers, 59, 460, 470, 471, 510

hiring, 54–57

insourcing, 60

job titles/descriptions, 57, 79–84, 469

mandatory vacations, 58

outsourcing. See outsourcing

overview, 53–54

performance evaluation, 57

segregation of duties. See segregation of duties

service delivery management, 67–69

sourcing, 60–67

training. See training

phishing, 550

physical access, 564–567

physical access controls, 566–567, 582–583

physical controls, 121, 122

physical environment, 557–558

physical security controls, 564–567, 581–583

overview, 564

PKI (public key infrastructure), 541–542

Platform-as-a-Service (PaaS), 2, 68–69, 228

PMBOK (Project Management Body of Knowledge), 186–187, 696

PMBOK Guide (Guide to the Project Management Body of Knowledge), 693–695

PMI (Project Management Institute), 693

PMP (Project Management Professional), 693

points of entry, 488–489

points of presence, 575–576

Point-to-Point Protocol (PPP), 346

policies, 28–32

access control policy, 31

data classification policy, 30–31

documentation, 28

information security policy, 29, 450–451

mobile device policy, 32

privacy policy, 30

reviewing, 136

risk management, 451

site classification policy, 31

social media policy, 32

system classification policy, 31

technology-related, 32

topics, 28

polymorphism, 224

population standard deviation, 140

portfolio management, 72

PPP (Point-to-Point Protocol), 346

pre-audits, 130, 132, 625–627

precision, 140

preventive controls, 122, 123

primary contact, 593

PRINCE (PRojects IN Controlled Environments), 695–696

PRINCE2, 187–188, 695–696

print servers, 289, 315

privacy, 461–462

privacy laws/regulations, 99

privacy policy, 30

privacy requirements, 201–202, 231

private branch exchange (PBX), 547–548

privilege creep, 59, 510

privileges, 236, 484, 500, 506

probability analysis, 47

problem management, 272–273, 275

problem management operations, 429–430

problems, defined, 272

procedures, 32–33, 118, 136, 270

process architecture, 118

process improvement, 25

process objectives, 667

processes

business, 100

development of, 270

documenting, 32–33, 623–625

management of, 271

overview, 668

processing controls, 248–250

procurement, 232–233, 430–431

production servers, 289

profiles, 242

program charter, 163

program, described, 98

program (or project) evaluation and review techniques (PERT), 179, 180

program management, 162–164

auditing, 251–252

resources, 163, 164

status reports, 164

program manager, 98

programming languages, 209

programs, 162–163

project charters, 136

project (program) evaluation and review techniques (PERT), 179, 180

project life cycle reviews, 601–602

project management, 167–192

agile manifesto, 190

auditing, 251–252

budgets, 164

change management, 184–185

considerations, 672

developing project objectives, 169–170

documentation, 183–184

estimating/sizing projects, 175–178

extreme programming, 191–192

initiating projects, 168

Kanban, 190–191

managing projects, 171

methodologies, 186–192

organizing projects, 167–168

PMBOK, 186–187

PRINCE2, 187–188

project closure, 185–186

project documentation, 183–184

project kickoff meeting, 168

project planning, 173–186

project records, 182–183

resources, 163, 164

roles/responsibilities, 171–173

scheduling tasks, 164, 178–182

Scrum, 188–190

Scrumban, 191

tasks, 164, 174–175, 178–182

work breakdown structure, 170

Project Management Body of Knowledge. See PMBOK

Project Management Institute (PMI), 693

Project Management Professional (PMP), 693

project manager, 84, 172

project portfolio management, 162, 164–165

project sponsor, 172

project tasks. See tasks

project team, 168, 172

projects

considerations, 672

described, 167

examples of, 672

launching, 608–613

life cycle, 601–602

origination of, 595–603

overview, 672

remediating issues via, 664

resource planning for, 631–632

PRojects IN Controlled Environments. See PRINCE

proof of concept, 233

protocol data units (PDUs), 354

protocol standards, 34

prototyping, 222

Provided by Client (PBC) lists, 613, 633

provisioning, 513

proxy servers, 357

Public Company Accounting Oversight Board (PCAOB), 650–651

public key infrastructure (PKI), 541–542

Q

QA (quality assurance), 84, 172, 284–285

QA manager, 84

QAT (quality assurance testing), 214–215

QC manager, 84

QKD (quantum key distribution), 536

QSA (qualified security assessor), 128–129, 688

qualified security assessor (QSA), 128–129, 688

qualitative risk analysis, 48

qualitative risk assessment, 149

quality assurance. See QA

quality assurance testing (QAT), 214–215

quality management, 70–72

quantitative risk analysis, 48–49

quantitative risk assessment, 149

quantum key distribution (QKD), 536

R

race conditions, 486

RACI matrix, 173

RAD (rapid application development), 223

RAID, 413–414

ransomware, 477, 549

rapid application development (RAD), 223

RARP (Reverse Address Resolution Protocol), 346

rates, 605

readiness assessment, 625–627

reciprocal sites, 410–411

recommendations, 650

record counts, 218

records, auditing, 87–89

recovery controls, 123

recovery documentation, 400

recovery plans, 388–392

considerations, 388–390

developing, 418–419

testing, 393–399

recovery point objective (RPO), 377, 405–407

recovery procedures, 386–387

recovery time objective (RTO), 377, 403–407

recruiting, 79

reduced instruction set computer (RISC), 292

reduced sign-on, 499

reengineering, 237–239

referential integrity, 306

regression testing, 277

regulations, 37–38. See also laws/regulations

applicability of, 104

Canadian, 106

considerations, 104, 597

European, 106

information systems and, 102

other, 106

overview, 37–38

privacy, 99

U.S., 105–106

regulators, 389

regulatory requirements, 99, 199–201, 231

release management, 276–278

release process, 276–278

reliability factor, 140

remote access, 315, 489–490, 578

reperformance, 138, 635, 637–638, 639

replication, 415–416

Report of Compliance (ROC), 688

reports/reporting. See also audit reports

application processing, 250–251

to client management, 658–659

risk reporting, 245

to third parties, 659

reputation, 26

request for information (RFI), 206, 232, 596

request for proposals (RFP), 201–206, 232, 596

requirements, 231, 252

requirements definition, 197–206, 276

residual risk, 51, 52, 150, 646–647

resource management, 26, 163, 164, 271

resource planning, 100, 631–632

restoration procedures, 387–388

restoration testing, 502

Reverse Address Resolution Protocol (RARP), 346

reverse engineering, 225–226

RFI (request for information), 206, 232, 596

RFP (request for proposals), 201–206, 232, 596

RISC (reduced instruction set computer), 292

risk

acceptance of, 150

analyzing. See risk analysis

avoidance of, 150

avoiding, 52

changes in, 195

compliance risk, 52–53

control risk, 148

control self-assessment, 150–153

countermeasures, 120–121

detection risk, 148

high-impact events, 50

inherent risk, 148

managing. See risk management

mandatory vacations and, 58

materiality and, 148–149

mitigating, 51, 65–66, 120, 150

monitoring/measuring, 121

outsourcing and, 62–66

overall audit risk, 149

passwords, 494–495

residual, 51, 52, 150, 646–647

sampling risk, 140, 149

software development, 220–221

third parties, 243–245, 259–260, 462–467

transfer of, 150

treatment, 150

user IDs, 494–495

risk acceptance, 52

risk analysis, 44–50

auditing and, 115–121

business threats, 119–120

corporate risk management and, 116–117

countermeasures assessment, 120–121

evaluating business processes, 118–119

identifying business risks, 119–120

ISACA Risk IT Framework, 117

overview, 44, 115–116, 127

threat analysis, 44–46, 119–120

risk appetite, 38

risk assessment

auditing and, 149–150

considerations, 615

internal audits, 597

overview, 74, 149, 150, 612

performing, 610–611

third parties, 259–260

types of, 149

risk evaluation, 40, 117

risk governance, 40, 117

Risk IT framework, 117, 696–697

risk ledger, 136

risk management, 38–53

asset identification, 41–44

components, 39–40

considerations, 25

corporate program, 116–117

laws/regulations, 451

overview, 38–39

process, 40–50

program, 39–40

risk analysis and, 116–117

TPRM, 26, 68, 74, 466–467

risk mitigation, 51, 65–66, 120, 150

risk register, 136

risk reporting, 245

risk response, 40, 117

risk transfer, 51

risk treatments, 39, 50–53, 150

ROC (Report of Compliance), 688

roles, 163

rollback planning, 219

rootkits, 549

routers, 356–357

RPO (recovery point objective), 377, 405–407

RTO (recovery time objective), 377, 403–407

S

SaaS (Software-as-a-Service), 2, 68–69, 193, 227

sample mean, 140

sample standard deviation, 140

sample testing, 639–640

sampling, 139–141, 146

sampling risk, 140, 149

SAN (storage area network), 414

SAQ (Self-Assessment Questionnaire), 150, 688

Sarbanes-Oxley Act (SOX), 99, 104

Sarbanes-Oxley mandated internal audit, 150

Sarbanes-Oxley requirements, 598–599, 635–636

scalability, 312

scanning attacks, 486

SCARF/EAM (systems control audit review file and embedded audit modules), 145, 259

scope

audit, 100, 127, 595, 615–616

risk management program, 39

screen scraping, 551

script kiddies, 476

scripts, 143, 641–642

Scrum, 188–190

Scrumban, 191

SDLC. See Systems Development Life Cycle

SDN (software-defined networking), 357

search engines, 575

security

awareness, 451–453, 470

employee adherence to, 24, 138, 451–453, 470

human resources, 467–471

information. See information security management

network. See network security controls

physical security controls, 564–567

regulations, 102

roles/responsibilities, 23–25, 83

utility software and, 309

web security, 316

Wi-Fi, 343–344

security administrators, 455

security alerts, 503

security analyst, 83, 455

security architect, 83

security auditor, 83, 455

security conferences, 101

security engineer, 83

security governance, 23–26, 74

security guards, 567, 582

security incident management, 476–481

security incidents, 272, 476, 480–481

security laws/regulations, 102–106

security management, 74–75, 285, 567–568

security manager, 172

security monitoring, 282, 453

security requirements, 199–201, 231

security steering committee, 455

segregation of duties (SOD), 84–86

considerations, 139, 460, 573

controls, 85

issues, 85–86

overview, 84, 484

SDLC and, 601

unauthorized changes and, 235

SEI CMM (Software Engineering Institute Capability Maturity Model), 240–241

self-assessment objectives, 152–153

Self-Assessment Questionnaire (SAQ), 150, 688

senior management, 171

sensitive information, 461–462

considerations, 494

disclosure of, 474–475

encryption, 474–475

protection of, 103

separation of duties. See segregation of duties

server clusters, 297, 302, 416, 417

servers

application, 289, 360

database, 289

file, 289

gateway, 289

jump, 571, 578

print, 289

production, 289

test, 289

web, 289

service continuity management, 280

service delivery management, 67–69

service desk, 83–84, 271

service desk manager, 83

service level agreements (SLAs), 136

service provider audits, 130

service provider contracts, 434

service-level management, 278

services, 483–484, 505

session hijacking, 524

simulations, 396–397

single loss expectancy (SLE), 49

single sign-on (SSO), 499–500, 506

site classification policy, 31

siting/marking, 581–582

situational awareness, 481

SLAs (service level agreements), 136

SLE (single loss expectancy), 49

SLOC (source lines of code), 175–176

smart cards, 496

smartphones, 515, 552

snapshots, 259

social engineers, 476

social media policy, 32

social networking, 518, 575

SOD. See segregation of duties

software. See also applications

acquisition of, 210, 253

audit, 144, 612

data communications software, 303

debugging, 143, 210–211

licensing, 309–310

scanning, 143

updates, 522

utility software, 308–309

versions, 275

virtualization software, 299

software developer, 81, 208–212, 456

software development

approaches/techniques, 221–226

auditing, 253–254

risks, 220–221

roles/responsibilities, 81

software engineer, 81

Software Engineering Institute Capability Maturity Model (SEI CMM), 240–241

software maintenance, 220

software program library, 283–284

software tester, 81

Software-as-a-Service (SaaS), 2, 68–69, 193, 227

software-defined networking (SDN), 357

SONET (Synchronous Optical Networking), 339

SOPs (standard operating procedures), 32–33

source code management, 211–212

source lines of code (SLOC), 175–176

sourcing, 60–67

SOX (Sarbanes-Oxley Act), 99, 104

spam, 550

spam filters, 554

spear phishing, 550

spies/intelligence, 475

split custody, 484

spoofing, 516, 524

spyware, 549

SSAE 18, 130, 604–605, 635–636

SSO (single sign-on), 499–500, 506

staff augmentation, 603

Standard of Good Practice for Information Security, 682–684

standard operating procedures (SOPs), 32–33

standards. See also laws/regulations

considerations, 34, 37, 38

described, 115, 311

development of, 270

vs. guidelines, 115

identifying, 37–38

ISACA. See ISACA entries

overview, 33, 37–38

policy pyramid, 28–29

risk issues, 33–34, 52, 53

types of, 34

statement of work, 133

statements of impact, 374

statistical sampling, 139

steering committee, 24, 27–28

stop-or-go sampling, 139

storage

alternate storage sites, 435, 439

computer, 293–296, 301

media storage, 435

off-site, 438

storage area network (SAN), 414

storage engineer, 82

strategic planning, 26–28

strategies, 667

stratified sampling, 140

subject, 483–484

subnet masks, 349–350

subnets, 349

substantive testing, 131

supplier standards, 34

suppliers, 389

Synchronous Optical Networking (SONET), 339

system development tools, 226–227

system documentation, 137

system hardening, 481, 487, 503, 504–507, 579

system inventories, 618

system/network diagrams, 618

systems administrator, 82

systems analyst, 81, 455

systems architect, 81, 82

systems control audit review file and embedded audit modules (SCARF/EAM), 145, 259

systems developers, 172

Systems Development Life Cycle (SDLC), 192–229

agile development, 222

auditing, 251–255, 601

change management, 273–275

cloud-based infrastructure/applications, 227–229

design, 206–208

development approaches/techniques, 221–226

development phase, 208–212

DevSecOps, 222

feasibility studies, 194, 196–197

implementation, 215–219, 273, 274, 277

overview, 192–193

phases, 193–220

post-implementation, 219–220, 255, 278

prototyping, 222

release management, 276–278

requirements definition, 197–206

software development risks, 220–221

system development tools, 226–227

testing, 212–215, 277

systems development management, 172

systems engineer, 82

systems management, 82

systems operator, 83

T

tailgating, 565

tasks, 164, 174–175, 178–182

T-Carrier, 339–340

TCP (Transmission Control Protocol), 321–322, 353

TCP/IP devices, 356–357

TCP/IP network model, 323–327

TCP/IP protocols, 345–356

technical controls, 121, 122

technical requirements, 198–199, 231

technical support analyst, 84

technology

audits and, 101

changes in, 99

documentation, 618–619

policies, 32

understanding, 610

technology standards, 34

telecom engineer, 82

temperature/humidity controls, 558, 560–561

terminal emulation, 315

terminations

actions after, 58–59

auditing, 573–574

employment agreement, 469

user access and, 460, 508–510

terrorists, 473, 475

test plans, 212–213

contents of, 628–629

control testing activities, 632–647

developing, 616–625

organizing, 627–630

reviewing, 630

test scripts, 143, 641–642

test servers, 289

test transactions, 143

testing, 212–215. See also auditing

auditing, 254

automated testing, 641–642

compliance testing, 131

considerations, 610

control existence, 635–638

control operating effectiveness, 638–642

controls testing cycles, 598–599

cutover test, 218–219, 398

cyclical, 598, 654

data integrity, 257

disaster response plans, 423

discovering exceptions, 642–643, 655

discovering serious incidents, 643–646

document review test, 395

documenting test results, 398–399

estimating effort required, 630

following up, 634, 642–643

functional testing, 214

gathering evidence, 632–634

infrastructure, 233

by inquiry/corroborative inquiry, 637

by inspection, 637, 638–639

lack of evidence, 619

launching testing phase, 634–635

materiality of exceptions, 646–647

observation testing, 636–637

online processing systems, 257–258

parallel test, 397–398

penetration testing, 503–504, 580

vs. pre-audits, 626

quality assurance testing, 214–215

recovery/continuity plans, 393–399, 433, 437

regression testing, 277

by reperformance, 637–638, 639

restoration testing, 502

retesting issues, 663–664

sample testing, 639–640

substantive testing, 131

system testing, 214

unit testing, 213–214, 277

user acceptance testing, 214–215, 277

testing programs, 641

testing standards, 612

theft, 453, 471, 477, 564

thick client, 289

thin client, 290

third parties

assessing, 244

classification, 244, 260

considerations, 610

contracts, 136

managing. See third-party management

need for, 596

onboarding/due diligence, 243–244

remediation, 244–245

reports, 142, 659

risk, 243–245, 259–260, 462–467

service delivery management, 67–69

third-party disaster recovery sites, 411–412

third-party management, 462–467

assessments, 244

classifications, 244

due diligence, 243–244

legal agreements, 260, 465–466

onboarding, 243–244

overview, 243

remediation, 244–245

risk factors, 243

risk reporting, 245

security policies and, 466

types of access, 463

third-party risk management (TPRM), 26, 68, 74, 466–467

threat analysis, 44–47, 119–120, 375–376

threat hunting, 481

threat management, 504

threat modeling, 44–45

threats

access control threats, 485–486

advanced persistent threats, 552

described, 44

environmental, 557–558

Internet communications, 526–532

network-based, 516–518

physical access, 564–566

types of, 45–46

wireless networks, 523–524

time estimates, 605

time synchronization, 316

timebox management, 182

timing, 135

titles, 163

Token Ring, 336, 337

tokens, 495–496, 512–513

tolerable error rate, 141

TPRM (third-party risk management), 26, 68, 74, 466–467

training

audience, 217

for auditors, 101

considerations, 186, 513

cross-training, 58

disaster recovery and, 399

disaster response and, 386

security awareness, 567–568

types of, 56, 600

transaction authorization, 85

transaction flow, 256–259

Transmission Control Protocol (TCP), 321–322, 353

transport layer protocols, 353–354

Trojan horses, 549

trust, 26, 467, 506

tunneling, 360

U

UAT (user acceptance testing), 214–215, 277

UDP (User Datagram Protocol), 322, 353–354

unit testing, 213–214

Universal Serial Bus (USB), 293, 336–337

U.S. regulations, 106

USB (Universal Serial Bus), 293, 336–337

user acceptance testing (UAT), 214–215, 277

user access controls, 570–571

user access management, 508–510

user access provisioning, 508, 572–573

user account provisioning, 494, 510–511

User Datagram Protocol (UDP), 322, 353–354

user IDs, 492–495, 506, 570–571

users

end-user support, 282–283

IT governance, 86–87

passwords. See passwords

roles/responsibilities, 79

training. See training

utility software, 308–309

V

vacations, 58

VAF (value adjustment factor), 177

Val IT (IT Value Delivery) framework, 72, 698–699

value adjustment factor (VAF), 177

variable sampling, 139

vendor manager, 84

video surveillance, 566

virtual desktop, 290

virtual environments, 507

virtual keyboards, 507

Virtual Networks (VLANs), 351–352

virtual private network (VPN), 489, 490

virtual workstation, 315

virtualization, 507, 579

virtualization architectures, 298–300

viruses, 548

visitors, 583

VLANs (Virtual Networks), 351–352

voice over IP (VoIP), 545–547

VoIP (voice over IP), 545–547

VPN (virtual private network), 489, 490

vulnerabilities

access controls, 486–487

described, 47

environmental, 557–558

examples of, 47

identifying/managing, 503–504

malware, 550

physical access, 564–566

vulnerability identification, 47

vulnerability management, 74, 481, 579–580

W

walkthroughs, 137–138, 396, 618

wallet cards, 390, 400

WAN devices, 341–342

WAN (wide area network), 314, 337–338

war chalking, 523

war driving, 523

warm sites, 409, 412

WBS (work breakdown structure), 170, 175

web filtering, 520

web security, 316

web servers, 289, 360

web sites, 316, 517, 551

web-based application development, 225

web-based applications, 363

weighted results, 647

whaling, 551

wide area network. See WAN

Wi-Fi technology, 342–344

WiMAX, 344

wireless networks, 342–345, 522–526

Wireless USB (WUSB), 345

work breakdown structure (WBS), 170, 175

workflow, 85

workpapers, 143–144, 605, 637, 638, 659

workstations, 290

World Wide Web, 359–360

worms, 549

WUSB (Wireless USB), 345

X

XP (extreme programming), 191–192

Z

Zachman framework, 35

zero trust model, 37
