- CISSP in 21 Days Second Edition
- CISSP in 21 Days Second Edition
- Credits
- About the Author
- About the Reviewer
- www.PacktPub.com
- Preface
- 1. Day 1 – Security and Risk Management - Security, Compliance, and Policies
- 2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education
- 3. Day 3 – Asset Security - Information and Asset Classification
- 4. Day 4 – Asset Security - Data Security Controls and Handling
- 5. Day 5 – Exam Cram and Practice Questions
- 6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation
- 7. Day 7 – Security Engineering - Cryptography
- 8. Day 8 – Communication and Network Security - Network Security
- An overview of communication and network security
- Network architecture, protocols, and technologies
- Open System Interconnect (OSI) model
- OSI layers and security
- Application layer protocols and security
- Presentation layer protocols and security
- Summary
- Sample questions
- 9. Day 9 – Communication and Network Security - Communication Security
- An overview of communication security
- Security in communication channels
- Attacks on communication networks
- Preventing or mitigating communication network attacks
- Summary
- Sample questions
- 10. Day 10 – Exam Cram and Practice Questions
- 11. Day 11 – Identity and Access Management - Identity Management
- 12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks
- 13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests
- An overview of security assessment and testing
- Security assessment and test strategies
- Security controls
- Summary
- Sample questions
- 14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting
- 15. Day 15 – Exam Cram and Practice Questions
- 16. Day 16 – Security Operations - Foundational Concepts
- An overview of operations security
- The physical security design
- Physical and operations security controls
- Operations/facility security
- Protecting and securing equipment
- Computer investigations
- Summary
- Sample questions
- 17. Day 17 – Security Operations - Incident Management and Disaster Recovery
- 18. Day 18 – Software Development Security - Security in Software Development Life Cycle
- 19. Day 19 – Software Development Security - Assessing effectiveness of Software Security
- 20. Day 20 – Exam Cram and Practice Questions
- 21. Day 21 – Exam Cram and Mock Test
Audits provide a method to validate adherence to security policies and procedures by the business. Audits consist of verification and validation actions to identify compliance and non-compliance. The verification process in an audit checks the availability of suitable processes to support policies and procedures. The validation process in an audit to check adequacy, the correctness of a process, and the adequacy of controls.
When a business audits its processes through its internal audit department, then such an exercise is called an internal audit. An internal audit is generally performed by the business using its own resources. The purpose of an internal audit is to regularly validate various business systems for policy and procedural compliance.
In third-party audits, an independent agency or entity that is not associated with the business performs the audit. The auditors are external to the organization. The purpose of third-party audits is twofold. One is the independent verification of security posture. The other one is for certification purposes, such as compliance or standards-related certification.
In both internal and third-party audits, when the audits are performed on information systems, it is important to consider that such audits have a minimum disruption to business processes.
Some of the best practices in information system audit controls include the following:
- The management, agreement, and acceptance for audit requirements
- Agreement on the scope prior to audit
- Confidentiality and Non-Disclosure Agreements (NDA) with auditors
- Unless required for audit process, allowing only read-only access of data to the auditors
- Monitoring all auditor access
- Agreed responsibilities of auditors
- Ensuring that the persons carrying out the audit are independent of the activity being audited
-
No Comment