INDEX

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

References to figures are in italics.

4GLs, 256

A

abstraction, 348

access administrator, role and responsibilities, 76

access by unauthorized persons, 488

access bypass, 489

access control lists (ACLs), 473

access control logs, 438

access control management, 436–438

access control policy, 30

access controls, 230, 436, 458–461, 473

access logging, 473–474

auditing, 540–541

access management, 101

auditing, 536–540

access points, 462

access provisioning, 51

account lockout, 483

accumulation of privileges, 54, 483

administrative audits, 166

advanced persistent threats (APTs), 521

Agile development, 251

ALE. See annualized loss expectancy (ALE)

alert management, 545

algorithm, 503

annualized loss expectancy (ALE), 44

annualized rate of occurrence (ARO), 44

anti-malware, 340–341, 455, 490

administrative controls, 520–521

management controls, 521

technical controls, 522–524

See also malware

application code review, 263

application controls, 271–273

auditing, 283–286

calculations, 276

controlling special forms, 277–278

data file controls, 277

editing, 276

error handling, 275

input authorization, 273–274

input controls, 273–275

input validation, 274–275

output controls, 277–278

processing controls, 276

processing errors, 277

reconciliation, 278

report distribution and receipt, 278

retention, 278

application firewalls, 381, 500

application layer protocols, 379–381

application penetration testing, 546

application programming languages, 239

application whitelisting, 491

applications, auditing, 285

architecture review, 542–543

architecture standards, 32–33

ARO. See annualized rate of occurrence (ARO)

ARP, 370

asset identification, 36

collecting and organizing asset data, 38–39

grouping assets, 37

sources of asset data, 37–38

asset inventory and classification, 434

hardware asset inventory, 434–435

information assets, 435–436

asset management system, 38

asset owners, 433

asset value (AV), 44

assets, split custody of high-value assets, 78

asymmetric encryption, 504

ATM, 360

atomicity, 284

attestations, 559–560

attribute sampling, 175–176

audit audience, 557

audit charters, 568, 570–571

audit committee, 432

audit cycle

external attestations, 559–560

how the information systems audit cycle is discussed, 556–558

internal audits, 560–564

management’s need for an independent third party, 560

overview of the IS audit cycle, 558

project origination, 559

understanding, 556

audit hooks, 286

audit logging, 231

audit management, 135

the audit charter, 135

audit program, 136

audit risk and materiality, 183

changes in audit activities, 137–138

communication plan, 170

compliance vs. substantive testing, 167–168

computer security and privacy regulations, 140–144

continuing education, 138–139

continuous auditing, 179–180

establishing audit procedures, 169

factors that affect an audit, 136–137

implementing audit recommendations, 187–188

ISACA auditing standards, 144–153

launching a new audit, 572–577

laws and regulations, 139–140

planning an audit, 572–577

post-audit follow-up, 171

reliance on third-party audit reports, 178

reliance on work of other auditors, 177–178

report preparation, 170

resource planning, 138

resource planning for the audit team, 595–596

and staff disagreements, 618–619

System Control Audit Review File and Embedded Audit Modules (SCARF/EAM), 286

technology, 138–139

wrap-up, 170

audit opinions, 611–612, 613

audit recommendations, 613–614

management’s responses to, 621

audit reports

to audit committees, 621–622

to client management, 622

contents, 618

contributing to larger audit reports, 617

delivery of the report, 623–624

discussing the auditor’s wording, 620

distribution of audit reports, 569

electronic reports, 624

management response, 620

reviewing the draft report, 623

signed reports, 623

to third parties, 622

writing the report, 619–620

audit sponsors, 557

auditing

of absent employee’s work, 52

access logs, 540–541

access management, 536–540

additional engagement deliverables, 624

administrative audits, 166

application controls, 283–286

of business continuity planning, 123–125

business controls, 283

checklists, 625

client’s preparedness for an audit, 578

closing procedures, 625

compliance audits, 166

computer operations, 413–414

computer-assisted audit techniques (CAATs), 178, 286

computer-assisted audits and automated work papers, 178–180

continuous auditing, 285–286, 604–605

of contracts, 121–122

data entry, 414

database management systems, 411

delivering audit results, 617

detecting fraud, 182–183

developing a test plan, 581–589

developing audit objectives, 578–579

developing audit opinions, 611–612

developing the audit plan, 577–580

disaster recovery planning, 416–420

of documentation and records, 119–121

employee terminations, 539–540

environmental controls, 546–547

evidence, 171–174

feedback and evaluations, 626

file management, 414

file systems, 410–411

final sign-off with the client, 625–626

financial audits, 165–166

follow-up, 626

forensic audits, 166

generalized audit software (GAS), 179

integrated audits, 166

internal and external, 167, 627

interviewing key personnel, 126

investigative procedures, 541

IS audits, 166

IS hardware, 409–410

of IT governance, 118–127

lights-out operations, 414–415

methodology, 168–171, 575–576

monitoring, 158

monitoring operations, 415

network access controls, 543–544

network access paths, 535–536

network change management, 544–545

network infrastructure, 411–412

network operating controls, 412–413

network security controls, 542–543

objectives, 165, 168

observing personnel, 174–175

operating systems, 410

operational audits, 165, 563–564

of outsourced work, 61, 122–123

password management, 538

performing an audit, 163–165

physical access controls, 548

physical security controls, 547–548

points of presence, 541–542

pre-audit planning, 169

pre-audits, 167, 589–591

problem management operations, 415

procurement, 416

Provided by Client (PBC) lists, 577–578

and quality management, 65

reporting audit results, 180–182

reviewing insurance coverage, 126–127

reviewing service provider contracts, 126

risk analysis, 153–158

risk analysis and corporate risk management program, 153–154

and risk assessment, 184–185

sampling, 175–177

scope, 168, 579–580

security management, 534–535

service provider audits, 166–167

siting and marking, 547–548

statements of work (SOWs), 169

subject, 168

system development life cycle (SDLC), 278–283

and technology, 138–139, 179

third-party audit reports, 178

types of, 165–167, 168

user access controls, 536–538

user access provisioning, 539

vulnerability management, 545–546

See also control self-assessment (CSA)

auditors

and project documentation, 217

and self-assessment, 187

authentication, 230, 463, 465, 543

multifactor authentication (MFA), 468–469

troubles, 485

authorization, 230, 465

automated testing, 605–606

automated work papers, protecting, 178–179

AV. See asset value (AV)

availability management, 306

B

back doors, 460

background verification, 48–50, 444

backup and recovery

backup media rotation, 406–407

backup schemes, 405–406

backup to tape and other media, 405

encryption, 408

media records and destruction, 408–409

media storage, 407–408

and media storage, 474–475

balanced scorecard (BSC), 21–22

standard IT balanced scorecard (IT-BSC), 22

baselining, 285

batch totals, 247

BCP. See business continuity planning

benchmarking, 69

outsourcing, 61

a process, 266–267

benefits realization, 196

business case development, 199–200

measuring business benefits, 200–201

portfolio and program management, 196–199

big data architect, role and responsibilities, 74

biometrics, 469–472, 484–485

blade computers, 322

block cipher, 504

Bluetooth, 369

board of directors, 72, 432

security responsibilities, 23

bots, 518–519

BSC. See balanced scorecard (BSC)

budgets, managing project budgets, 198

business alignment, 434

business case, defined, 199

business case development, 199–200

business continuity, 24

and outsourcing, 59

Business Continuity Institute (BCI), 117

Business Continuity Management Institute (BCM Institute), 118

business continuity planning, 45, 68

access management, 101

applications, 101

auditing, 123–125

availability of key personnel, 104

command and control, 98

communications, 99, 105

components of a business continuity plan, 108–109

continuing operations, 103

contract information, 102

data and records, 101

database management systems, 101

developing continuity plans, 93

disaster declaration procedures, 94–96

disasters, 80–86

emergency supplies, 104–105

establishing key recovery targets, 92–93

forming a core team, 95

how disasters affect organizations, 85–86

improving recovery and continuity plans, 114–115

information security and privacy, 101

legal and compliance, 99

maintaining recovery and continuity plans, 117

making plans available to personnel when needed, 115–116

maximum tolerable downtime (MTD), 92

network services, 101

networks, 101

off-site storage, 102

overview, 79–80

personnel safety procedures, 94

policy, 88

process life cycle, 87

and project documentation, 217

recovery procedures, 102–103

restoration, 102

restoration procedures, 103–104

scribe, 99

sources for best practices, 117–118

supplies, 100

systems, 101

testing recovery plans, 109–114

training, 102

training personnel, 115

transportation, 100–101, 108

user hardware, 102

See also disasters

business controls, auditing, 283

business functional requirements, 227–228, 258–259

business impact analysis (BIA), 88

inventorying key processes and systems, 88–89

statements of impact, 90

Business Model for Information Security (BMIS), 637–638

business process life cycle (BPLC), 264–267

business process management (BPM), 266

business process reengineering (BPR), 264–267

business processes, 264

evaluating, 155–156

C

CAATs. See computer-assisted audit techniques (CAATs)

cables

coaxial cable, 357

fiber optic cable, 355–356

serial cable, 357

twisted-pair cable, 353–355

call trees, 107

campus area networks (CANs), 338

Candidate Information Guide, 11

Capability Maturity Model Integration (CMMI), 69

capability maturity models, 267–268

overview, 632–633

capacity management, 69, 305

career paths, 52

CASE. See computer-aided software engineering (CASE)

certificate authority (CA), 509, 511

certificate revocation list (CRL), 512

certificates, 484–485

certification practice statement (CPS), 512

change control board, 300

change management, 61, 63, 261–262, 298–300, 502

auditing, 282

records, 300

channel service unit/digital service unit (CSU/DSU), 366

chargeback, 64

charters, 35

audit charters, 568, 570–571

program charters, 196

checklists, 582, 625

checksums, 247

chief information officer (CIO), 433

role and responsibilities, 73

security responsibilities, 23

chief information risk officer (CIRO), 433

chief information security officer (CISO), 433

role and responsibilities, 74

security responsibilities, 23

chief privacy officer (CPO), 433

role and responsibilities, 74

chief risk officer (CRO), role and responsibilities, 74

chief security officer (CSO)

role and responsibilities, 74

security responsibilities, 23

chief technical officer (CTO), role and responsibilities, 74

CIO. See chief information officer (CIO)

ciphertext, 503

CIS. See continuous and intermittent simulation (CIS)

CISA certification

applying for, 12–13

benefits of, 2–3

direct work experience, 5

after the exam, 12

exam overview, 9–10

exam preparation, 10–12, 16

experience requirements, 4

job practice areas, 5, 10

process, 3–4

retaining, 13–16

revocation of certification, 16

substitution of experience, 5–6

Verification of Work Experience form, 13

CISC, 316

CISO. See chief information security officer (CISO)

classful networks, 375

classless networks, 375–376

cleaning, 532

client organizations, 557

clients, 557–558

feedback and evaluations, 626

helping a client understand and identify controls, 586–587

preparedness for an audit, 578

project planning with the client, 596, 597

understanding client’s needs, 573–574

understanding the client’s procedures, 581–582

client-server applications, 386–387

and data protection laws, 493

securing, 491–493

cloud access security broker (CASB), 543–544

cloud computing, 327

cloud sites, 396

COBIT, 21, 69, 642–643

COBIT 5, 66, 67

controls, 88

controls framework, 162

code generators, 255

Code of Professional Ethics, 7, 144–145

cold sites, 395, 396

collision detection, 358

communications

and business continuity planning, 99, 105

call trees, 107

compensation baselining, 73

complementary patch testing, 546

compliance audits, 166

compliance management, 68

compliance risk, 47

compliance testing, vs. substantive testing, 167–168

component-based development, 253–254

computer crime

blackmail, 450

categories of, 448–449

computers as instruments of a crime, 447–448

computers as targets of a crime, 447

computers used in support of a crime, 448

disclosure of sensitive information, 450

legal, 450

perpetrators of cyber-crime, 450–452

reputation, 450

sabotage, 450

threats of cyber-crime on organizations, 449–450

computer operations, auditing, 413–414

computer-aided software engineering (CASE), 255

computer-assisted audit techniques (CAATs), 178, 286

computers

bus, 317–318

central processing unit (CPU), 316–317

end-user computing, 308

firmware, 320–321

I/O and networking, 321

main storage, 318–319

multicomputer architectures, 322–323

operating systems, 326

secondary storage, 319–320

types of, 313

uses for, 314–315

virtualization architectures, 323–324

configuration management, 263, 301, 502

auditing, 282–283

and change control, 264

controlling and recording configuration changes, 263–264

and project documentation, 217

configuration management database (CMDB), 301

configuration standards, 32

conflicts, identifying and managing, 198

Constructive Cost Model (COCOMO), 209–210

continuing professional education (CPE), 13

CPE credits, 13–14

for IS auditors, 138–139

maintenance fees, 16

renewal period, 15

sample CPE submission, 15

tracking and submitting CPE credits, 14–15

Continuing Professional Education Policy, 14

continuous and intermittent simulation (CIS), 286

continuous auditing, 285–286, 604–605

contracts

outsourcing, 60

terms for addendums, 570

See also engagement letters

control activities, 612–613

control language, correcting, 591

control managers, 557

control objectives, 613

control owners, 557

control risk, 183

control self-assessment (CSA), 185

advantages and disadvantages, 185

auditors and self-assessment, 187

life cycle, 186

objectives, 187

control testing, 556

cyclical controls testing, 561–562

establishing controls testing cycles, 562–563

reviewing existing controls, 563

controls

automated controls, 600

categories of, 160–161

classes of, 159–160

classification, 158, 159

COBIT 5 controls framework, 162

compensating controls, 585–586

control existence failures, 602

and control objectives, 584–589

evaluating control effectiveness, 181–182

general computing controls (GCCs), 163

governance controls, 600

internal control objectives, 161

IS control objectives, 162

IS controls, 163

mapping controls to documentation, 588–589

overview, 633–635

performing control testing, 596–598

testing of control operating effectiveness, 602–606

tests of control existence, 599–602

types of, 158–159

understanding the controls environment, 581–589

controls analyst, role and responsibilities, 76

controls management, 66–67

COSO Internal Control - Integrated Framework, 638–641

CPE. See continuing professional education (CPE)

CPE credits, see

sample CPE submission, 15

tracking and submitting, 14–15

CPO. See chief privacy officer (CPO)

critical path methodology (CPM), 213–215

criticality analysis, 91–92

CRO. See chief risk officer (CRO)

cryptanalysis, 503

CSA. See control self-assessment (CSA)

CSO. See chief security officer (CSO)

CTO. See chief technical officer (CTO)

cutover, 248

cyber-crime. See computer crime

D

data classification policy, 29

data communications software, 327

data destruction policy, 31

data entry

auditing, 414

role and responsibilities, 76

data flow diagrams, 271

data integrity testing, 284

data leakage prevention (DLP), 491, 544

data life cycle, 311–312

data management, 311

roles and responsibilities, 74–75

data manager, role and responsibilities, 74

data migration, 247

data quality management, 312

data validation, 230

database administrator (DBA), role and responsibilities, 75

database analyst, role and responsibilities, 75

database architect, role and responsibilities, 75

database management systems, 101, 328–329

auditing, 411

hierarchical database management systems, 332

object database management systems, 331

organization, 329

relational database management systems (RDBMSs), 329–331

data-oriented system development (DOSD), 252

DBA. See database administrator (DBA)

debugging, 240–241

decryption, 503

default gateway, 374–375

demilitarized zone network (DMZ), 500

Deming, W. Edwards, 635

Deming Cycle, 635–636

denial of service (DoS) attacks, 488, 498, 520

design, auditing, 280

detection risk, 183

developers, and project documentation, 217

development, auditing, 281

development practices, 27

DevOps, 250–251

DFDs. See data flow diagrams

dial-up modems, 544

digital certificates, 469, 511

digital envelopes, 510–511

digital rights management, 334–335

digital signature, 503, 510

directories, 328, 339

directory infrastructure, 509

directory services protocols, 381

disaster recovery and business continuity requirements, 231

Disaster Recovery Institute International (DRI International), 118

disaster recovery planning, 24, 68

acquiring additional hardware, 398

auditing, 416–420

data backup and recovery, 404–409

developing recovery plans, 403–404

developing recovery strategies, 393–403

overview, 388–389

recovery and resilience technologies, 399–403

recovery objectives, 389–392

response team’s roles and responsibilities, 389, 390

and risk analysis, 45

site recovery options, 393–397

testing disaster recovery plans, 409

third-party disaster recovery sites, 397

disaster response, auditing, 564–565

disasters, 80

damage assessment, 100

declaration criteria, 95–96

disaster declaration procedures, 94–96

how disasters affect organizations, 85–86

human-made, 83–85

natural, 80–83

physical security, 100

responsibilities, 96–102

salvage, 100

See also business continuity planning

discovery sampling, 176

Discretionary Access Control (DAC), 459

dispute resolution, 60

DNS, 381

documentation

lead sheets, 615–616

managing supporting documentation, 614–615

storing electronic documentation, 615

Domain Name System (DNS), 383

domain registrars, 383

downtime, 92

DSS04, 88

dual power feeds, 528

due diligence, 269

E

eavesdropping, 460, 462, 488, 494, 497

E-Carrier, 364–365

EF. See exposure factor (EF)

effectiveness measurement, 24

electric generators, 528

elliptic curve cryptography, 508

e-mail, 385

e-mail address, 509

e-mail servers, 338

emergency changes, 300

emergency management, 98

call trees, 107

wallet cards, 107–108, 116

emergency response, 98

emergency supplies, 104–105

employee development, 52

employee integrity, 59

employee policy manuals, 50–51

employees

access provisioning, 51

background verification, 48–50

career advancement, 73

career paths, 52

compensation baselining, 73

hiring, 48–51

job descriptions, 51, 72–77, 445

job titles, 72–77

performance evaluation, 52

recruiting, 73

roles and responsibilities, 433

security responsibilities, 23

termination, 53, 481–482, 539–540

training, 52

transfers and reassignments, 53–54, 482–483

vacations, 52

See also personnel management

encapsulation, 253, 348

encryption, 230, 408, 463, 490, 494

applications, 513–514

exchanging initial encryption keys, 506

overview, 502–503

terms and concepts, 503–505

encryption key, 503

end users, 206

end-user computing, 308

end-user management, 206

engagement letters, 568

rates, time estimates, and fees, 569

enterprise architecture (EA), 270, 336

data flow diagrams, 271

Zachman framework, 270–271, 272

environmental controls, 525–526

auditing, 546–547

countermeasures, 527–528

electric power vulnerabilities, 526

physical environment vulnerabilities, 526–527

equipment control and use policy, 31

estimating effort, 594

Ethernet, 357–360

ethics

code, 7, 144–145

and independence, 571–572

evidence, 171–174

gathering testing evidence, 596–598

exception handling, and IT operations, 306–307

exceptions, categorizing or ranking, 611

executive management, 72, 73–74, 432

exposure factor (EF), 44

external audits, 627

F

fail open, fail closed, 458

failover, 402

FDDI, 362

feasibility studies, 199, 224, 226–227, 265, 302

auditing, 279

file and directory sharing protocols, 380

file integrity checking, 263

file management, auditing, 414

file storage, 339

file systems, 327–328

auditing, 410–411

file transfer protocols, 379

files, 328

financial audits, 165–166

write-ups, 581

financial management, 63–64, 304–305

capacity management and, 305

financial system, asset inventory, 37

fire detection, 530

fire prevention, 529

fire suppression, 530–531

firewalls, 381, 499, 543

First in First Out (FIFO), 406

forensic audits, 166

forensic investigations, 456

chain of custody, 456

techniques and considerations, 457

fourth-generation languages, 256

Frame Relay, 365

frameworks

pointers for successful use of, 656–658

summary, 657

fraud, 498

detecting, 182–183

discovery of, 608–609

FTP, 379

FTPS, 379

function point analysis (FPA), 210–211

functional testing, 244

G

GAIT, 645–646

Gantt charts, 212

gate processes, 302–304

GCCs. See general computing controls (GCCs)

general computing controls (GCCs), 163

generalized audit software (GAS), 179–180

geographic clusters, 402, 403

geographic site selection, 396–397

global Internet, 382

applications, 384–385

Global Technology Audit Guides. See GTAG

goals, defined, 631–632

Good-Cheap-Fast triangle, 216

governance

defined, 19, 630–631

outsourcing, 60–61

See also IT governance; security governance

Gramm-Leach-Bliley Act (GLBA), 47

Grandfather-Father-Son, 406–407

grid computing, 322, 327

GTAG, 644–645

Guide to the Assessment of IT Risk. See GAIT

H

hardware

user hardware, 102

See also IS hardware

hash function, 503

hashing, 509

Health Insurance Portability and Accountability Act. See HIPAA

helpdesk analyst, role and responsibilities, 77

hierarchical database management systems, 332

HIPAA, security rule, 67

hiring, 48–51

honeynets, 500–501

honeypots, 500–501

hot sites, 394–395, 396

HTTP, 380

HTTPS, 380

human resources security, 443–444

during employment, 445–446

employment agreements, 445

equipment, 446

job descriptions, 445

policy and discipline, 446

screening and background checks, 444

transfers and terminations, 446–447

See also personnel management

I

IaaS, 62–63, 256

ICMP, 372–373

identification, 464–465

identity and access management, 68

IGMP, 373

IMAP, 379

impact analysis, 42–43

implementation, 244–245

auditing, 281–282

auditing post-implementation, 282

cutover, 248

data migration, 247

planning, 245–246

post-implementation review, 249

problems, 567

training, 246–247

improper actions by management, 609–610

improved compliance, 24

incident management, 67–68, 297–298, 502

capacity management and, 305

change management and, 300

configuration management and, 301

incident prevention, 455–456

incident response, 24, 431

auditing, 564–565

phases of, 453–454

testing, 454–455

independence, 571–572

information classification, 435–436

information leakage, 524–525

information security, and privacy, 101

information security management, 427–428

compliance, 432

corrective and preventive actions, 432

executive support, 428

incident response, 431

policies and procedures, 428–429

roles and responsibilities, 432–433

security awareness, 429–430

security monitoring and auditing, 431

information security policy, 28

Information Systems Audit and Control Association. See ISACA

information systems hardware. See IS hardware

information systems operations. See IS operations

Information Technology Assurance Framework (ITAF), 7–9, 144, 648–649

Infrastructure as a Service. See IaaS

infrastructure development and implementation, 257–258

design, 259

evaluation, 260

implementation, 261

maintenance, 261

procurement, 259

requirements, 258–259

review of existing architecture, 258

RFPs, 260

testing, 260

infrastructure penetration testing, 545–546

inherent risk, 183

inheritance, 253

initialization vector (IV), 504

insourcing, 54

instant messaging, 385

instruction manuals, 581

insurance, reviewing coverage, 126–127

integrated audits, 166

integrated development environments (IDEs), 255

integrated test facility (ITF), 286

intellectual property, ownership of, 59

internal audits, 560–564, 627

documentation, 581

Internet communications, 497

security countermeasures, 498–502

threats and vulnerabilities, 497–498

Internet layer protocols, 371–373

interoperability, 259

intrusion detection, 456, 490–491, 500, 543

intrusion prevention systems (IPSs), 491, 500, 543

investigative procedures, auditing, 541

IP, 371

IP addresses, 374, 382–383

special IP addresses, 376–377

IPsec, 373, 514

IPv4, 373–377

IPv6, 377

IrDA, 370

IS auditors, 206

IS audits, 166

IS governance, reviews, 567

IS hardware, 312

architecture, 315–324

auditing, 409–410

computer usage, 313–315

maintenance, 324–325

mobile devices, 315

monitoring, 325

IS operations

IT service management (ITSM), 296–297

management and control of operations, 296

overview, 295–296

ISACA, 1–2

auditing standards, 144–148

chapter training, 139

Code of Professional Ethics, 7, 144–145

IS standards, 7–9

training and conferences, 138

ISACA audit and assurance guidelines

2001, Audit Charter, 148

2002, Organizational Independence, 148

2003, Professional Independence, 148–149

2004, Reasonable Expectation, 149

2005, Due Professional Care, 149

2006, Proficiency, 149

2007, Assertions, 149

2008, Criteria, 150

2201, Engagement Planning, 150

2202, Risk Assessment in Planning, 150

2203, Performance and Supervision, 150

2204, Materiality, 151

2205, Evidence, 151

2206, Using the Work of Other Experts, 151

2207, Irregularity and Illegal Acts, 151

2208, Audit Sampling, 152

2401, Reporting, 152

2402, Follow-up Activities, 152–153

relationship between standards and guidelines, 152

ISACA audit and assurance standards, 145

1001, Audit Charter, 145

1002, Organizational Independence, 145

1003, Professional Independence, 145

1004, Reasonable Expectation, 145–146

1005, Due Professional Care, 146

1006, Proficiency, 146

1007, Assertions, 146

1008, Criteria, 146

1201, Engagement Planning, 146

1202, Risk Assessment in Planning, 146

1203, Performance and Supervision, 146

1204, Materiality, 146–147

1205, Evidence, 147

1206, Using the Work of Other Experts, 147

1207, Irregularity and Illegal Acts, 147

1401, Reporting, 148

1402, Follow-up Activities, 148

relationship between standards and guidelines, 152

ISACA Risk IT Framework, 154–155

ISDN, 365

ISF Standard of Good Practice for Information Security, 646

ISO/IEC 20000, 65–66, 67

ISO/IEC 25010, 268

ISO/IEC 27001, 21, 646–648

requirements, 68

ISO/IEC 27002, 67, 646–648

ISO/IEC 33001, 268

ISO/IEC 38500, 21

ISO/IEC 9000, 65

IT environments, changes to, 583–584

IT governance, 19

auditing, 118–127

balanced scorecard (BSC), 21–22

frameworks, 21

improved, 24

information security governance, 22–24

IT strategy committee, 21

overview, 20

problems with, 119

reviews, 567

security roles and responsibilities, 23

standard IT balanced scorecard (IT-BSC), 22

See also governance

IT operations, 206

and exception handling, 306–307

and project documentation, 217

IT service desk, 297

IT service management (ITSM), 296–297

IT steering committee, 25–26, 205

IT strategic planning

IT steering committee, 25–26

overview, 25

IT strategy committee, 21

IT systems portfolio, 37

IT Value Delivery. See Val IT

ITAF. See Information Technology Assurance Framework (ITAF)

IT-BSC. See standard IT balanced scorecard (IT-BSC)

ITIL, 21, 298, 649–650

J

job descriptions, 51, 72–77, 445

job titles, 72–77

judgmental sampling, 175

jump servers, 544

justification of online presence, 542

K

key encrypting key, 503

key exchange, 504, 505–506

key fingerprint, 509

key length, 503

key management, 512–513

key pair, 507

key performance indicators, 200

keylogging, 520

known errors, 297–298

KPIs. See key performance indicators

L

L2TP, 371

laptop controls, 486

laws, regulations, and standards, 33–34

and audits, 139–140

Canadian, 143

changes in regulation, 225

computer security and privacy regulations, 140–144

effect on audits, 136–137

European, 143–144

Gramm-Leach-Bliley Act (GLBA), 47

and outsourcing, 60

PCI-DSS, 47

in the U.S., 142–143

Layer 3 switch, 382

Layer 4 switch, 382

Layer 4-7 switch, 382

LDAP, 381

lead sheets, 615–616

See also documentation

least privilege access, 263, 458, 473

lights-out operations, auditing, 414–415

link layer protocols, 370–371

local area networks (LANs), 338, 352

cabling types, 353–357

network transport protocols, 357–362

physical network topology, 352–353

logic bombs, 460

logical access controls, 457–458

access control concepts, 458–459

Long Term Evolution. See LTE

LTE, 369

M

machine authentication controls, 490

maintaining information systems, 261–264

malware, 459–460, 462, 488, 497

anti-malware administrative controls, 520–521

anti-malware management controls, 521

anti-malware technical controls, 522–524

the malware industry, 521

overview, 517–518

past attacks, 522

threats and vulnerabilities, 518–520

See also anti-malware

management, security responsibilities, 23

management procedure documentation, 581

management protocols, 380–381

management representation letter, 612

manager, role and responsibilities, 72, 433

Mandatory Access Control (MAC), 459

mandatory vacations, 52

man-in-the-browser (MITB) attacks, 489

man-in-the-middle (MITM) attacks, 489

masquerading, 498

materiality, 183

of exceptions, 610–611

maximum tolerable downtime (MTD), 92

Media Access Control (MAC), 371

media control, 311

media inventory, 475

media management systems, 332

media manager, role and responsibilities, 76

meetings

closing meetings, 625

daily standup, 222

project kickoff meeting, 202

message digests, 503, 509–510

message security, 507–508

See also encryption

message servers, 388

messaging protocols, 379–380

methodology standards, 32

methods of entry, 462

metropolitan area networks (MANs), 338

middleware, 388

milestone tracking, 208

misuse and abuse requirements, 231

mitigation strategies, 44–45

mobile computing, protecting, 485–487

mobile device controls, 486–487

mobile device policy, 30

mobile sites, 396

modems, 366

monitoring, 307

hardware, 325

security monitoring, 307–308

monitoring operations, auditing, 415

moonlighting policy, 31

MPLS, 363

Multicast, 371–372

multicomputer architectures, 322–323

multifactor authentication (MFA), 468–469

multiplexors, 366

Multiprotocol Label Switching. See MPLS

N

Near-Field Communications. See NFC

netflow, 491

network access controls, auditing, 543–544

network access paths, auditing, 535–536

network administrator, role and responsibilities, 75

network analysis, 497

network architect, role and responsibilities, 75

network architecture, 337–338

network change management, auditing, 544–545

network connectivity

and authentication, 340

and services, 402–403

network engineer, role and responsibilities, 75

network infrastructure, 335

auditing, 411–412

enterprise architecture (EA), 336

network architecture, 337–338

network-based services, 338–341

network management, 341

roles and responsibilities, 75

tools, 385–386

network models, 341

OSI network model, 341–347

TCP/IP network model, 348–352

network operating controls, auditing, 412–413

network routing, 384

network security, 487–488

countermeasures, 490–491

vulnerable network-based services, 489

network security controls, auditing, 542–543

network technologies, 352

network tunneling, 385

network-based threats, 488–489

networked applications, 386

client-server, 386–387

middleware, 388

web-based, 387–388

networks, types of, 337–338

NFC, 369–370

NFS, 380

NIST 800-53, 67

NNTP, 380

nondisclosure agreements, 570

nonrepudiation, 505

NTP, 381

O

object, 458

object breakdown structure, 203, 208

object database management systems, 331

object request broker (ORB) gateways, 388

objectives, defined, 631–632

object-oriented system development, 252–253

OBS. See object breakdown structure

online inquiry, 286

open access, 462

operating systems, auditing, 410

operational audits, 165, 563–564

operational practices, 27

operations, roles and responsibilities, 76

operations analyst, role and responsibilities, 76

operations manager, role and responsibilities, 76

OPM incident, 481

organization chart, 70

organization structure and responsibilities

overview, 69–71

roles and responsibilities, 71

OSI network model, 341–342

application layer, 347

data link layer, 343–344

network layer, 344–345

physical layer, 342–343

presentation layer, 346–347

session layer, 346

and TCP/IP network model, 351–352

transport layer, 345–346

OSPF, 371

outsourcing

auditing, 61, 122–123

benchmarking, 61

benefits of, 56

governance, 60–61

mitigating outsourcing risk, 59–60

overview, 55–56

risks associated with, 56–59

owner, role and responsibilities, 72

P

PaaS, 62–63, 256

parallel testing, 285

password management, 483–484

auditing, 538

passwords, 466–467, 468

changing default passwords, 478

using nonpredictable passwords, 478

patch management, 475–476, 546

payment, outsourcing, 60

Payment Card Industry Data Security Standard. See PCI-DSS

PBX. See private branch exchange (PBX)

PCI-DSS, 47, 67, 142

performance evaluation, 52

performance optimization, 69

periodic reviews, 78

personal area networks (PANs), 337–338

personal information, 438–439

personnel management

access provisioning, 51

career paths, 52

employee development, 52

employment agreements, 445

hiring, 48–51

human resources security, 443–447

insourcing, 54

job descriptions, 51, 445

mandatory vacations, 52

outsourcing, 55–61

overview, 48

performance evaluation, 52

preparing staff for an audit, 595–596

sourcing, 54

staff augmentation, 568

termination, 53

training, 52, 115

transfers and reassignments, 53–54

See also employees

personnel safety procedures, 94

phishing, 519

physical access

controls and countermeasures, 533–534

threats and vulnerabilities, 532–533

physical access controls, auditing, 548

physical security controls, auditing, 547–548

plaintext, 503

Plan-Do-Study-Act, 635–636

Platform as a Service. See PaaS

PMBOK. See Project Management Body of Knowledge (PMBOK)

points of entry, 462–463

points of presence, auditing, 541–542

policies, 26–27

access control policy, 30

business continuity planning policy, 88

data classification policy, 29

data destruction policy, 31

development practices, 27

equipment control and use policy, 31

information security policy, 28

IT processes, documents, and records, 27

mobile device policy, 30

moonlighting policy, 31

operational practices, 27

privacy policy, 28–29

roles and responsibilities, 27

security policy, 59

site classification policy, 30

social media policy, 30–31

system classification policy, 29

polymorphism, 253

POP, 379

portfolio management, 66

power distribution units (PDUs), 528

PPP, 371

pre-audits, 167, 589–591

primary contact, 557

PRINCE2. See Projects IN Controlled Environments (PRINCE2)

print servers, 338–339

privacy, 438–439

computer security and privacy regulations, 140–144

and information security, 101

privacy policy, 28–29

privacy requirements, 231–232, 259

private branch exchange (PBX), 516–517

private key cryptosystems, 505–506

privilege creep, 54, 483

probability analysis, 42

problem management, 298

auditing, 415

capacity management and, 305

change management and, 300

configuration management and, 301

procedures. See processes and procedures

process, defined, 264

process groups, 651

process improvement, 24

processes

defined, 632

example process, 632

processes and procedures, 26–27, 31–32

documenting, 587–588

processing facilities, evaluating, 419

procurement, auditing, 416

program (or project) evaluation and review techniques (PERT), 213, 214

program management

program charter, 196

running a program, 197–198

starting a program, 196–197

program manager, 196

project change management, 217–218

project management, 201

auditing, 279

developing project objectives, 202–204

documentation, 216–217

initiating projects, 202

managing projects, 204–205

methodologies, 219–223

object breakdown structure, 203

organizing projects, 201–202

project closure, 218–219

project kickoff meeting, 202

Project Management Body of Knowledge (PMBOK), 219–220

project records, 215–216

Projects IN Controlled Environments (PRINCE2), 220–221

roles and responsibilities, 205–206

scheduling project tasks, 211–215

Scrum, 221–223

work breakdown structure, 203–204

Project Management Body of Knowledge (PMBOK), 219–220, 650–652

project management knowledge areas, 651

project manager, 205

role and responsibilities, 77

project planning, 206–208

project portfolio management, 198–199

project sponsor, 206

project team members, 205

projects

life cycle reviews, 565–567

managing projects to remediate issues, 627

overview, 636

Projects IN Controlled Environments (PRINCE2), 220–221, 652–653

proof of concept, 261

protocol data units (PDUs), 378

protocol standards, 32

prototyping, 251

Provided by Client (PBC) lists, 577–578

provisioning, 485

proxy servers, 381

public key cryptography, 504

public key cryptosystems, 506–509

public key infrastructure (PKI), 511–512

public keys, verifying, 509

Q

QA manager, role and responsibilities, 77

QC manager, role and responsibilities, 77

qualitative risk analysis, 43

quality assurance, 206, 310

roles and responsibilities, 77

testing, 244

quality management, 64–65

quantitative risk analysis, 43–44

R

race conditions, 460

RACI matrix, 207

RAID, 399–400

rapid application development (RAD), 252

RARP, 370

rcp, 379

RDP, 380

readiness assessments. See pre-audits

reciprocal sites, 396

record counts, 247

recovery point objective (RPO), 93, 391

pricing capabilities, 392

publishing figures, 391

recovery procedures, 102–103

testing recovery plans, 109–114

recovery time objective (RTO), 93, 389–391

pricing capabilities, 392

publishing figures, 391

recruiting, 73

reduced sign-on, 472

referential integrity, 284, 330

registration authority (RA), 511

regulations

See also laws, regulations, and standards

relational database management systems (RDBMSs), 329–331

release management, 301–304

reliability, classification of, 531

remote access, 339, 463–464, 544

replication, 400–401

reports, status reports, 198

request for proposals. See RFP process

requirements, auditing, 279–280

residual risk, 46, 47

assessing, 610–611

resource management, 24, 198

restoration procedures, 103–104

restoration testing, 475

reverse engineering, 254

RFP process, 232–236, 260

RISC, 316

risk

associated with outsourcing, 56–59

associated with third-party access, 441

audit risk and materiality, 183

compliance risk, 47

defined, 39

reducing risk with mandatory vacations, 52

residual risk, 46, 47, 610–611

and third parties, 439–440

third-party risk, 68

with user IDs and passwords, 468

risk acceptance, 47, 185

risk analysis, 39

in the context of an audit, 153–158

countermeasures assessment, 157–158

and disaster recovery planning, 45

evaluating business processes, 155–156

high-impact events, 45

identifying business risks, 156–157

impact analysis, 42–43

ISACA Risk IT Framework, 154–155

mitigation strategies, 44–45

possible threats, 40–41

probability analysis, 42

qualitative risk analysis, 43

quantitative risk analysis, 43–44

threat analysis, 40

vulnerability identification, 42

risk appetite, 34

risk assessment, 67

auditing and, 184–185

performing, 574–575

risk avoidance, 46, 184

risk evaluation, 36

risk governance, 36

Risk IT, 6535

risk management, 24

asset identification, 36–39

overview, 34

process, 36

program, 34–35

risk mitigation, 46, 157

mitigating outsourcing risk, 59–60

risk reduction, 184

risk response, 36

risk transfer, 46, 184

risk treatments, 34, 45–46, 184–185

rlogin, 380

roles and responsibilities, 23, 27, 60, 71–72

rootkits, 518

routers, 366, 381

RPC, 380

RPC gateways, 388

S

SaaS, 62–63, 256

sample testing, 598, 603–604

sampling, 175–177

sampling risk, 183

Sarbanes-Oxley Act, 142

scalability, 506

scanning attacks, 460

schedules

monitoring project schedules, 197–198

and outsourcing, 60

scheduling project tasks, 211–215

SCP, 379

Scrum, 221–223

Secure Electronic Transaction (SET), 514

secure key exchange, 506

Secure Sockets Layer/Transport Layer Security (SSL/TLS), 513–514

security

awareness, 429–430

information security governance, 22–24

information security policy, 28

monitoring and auditing, 431

relational databases, 331

roles and responsibilities, 23

security and HR procedure testing, 598

and utilities, 333–334

Wi-Fi, 367–368

security administrators, 433

security analyst, 433

role and responsibilities, 76

security and regulatory requirements, 228–229, 259

security architect, role and responsibilities, 76

security auditor, role and responsibilities, 76–77

security auditors, 433

security awareness training, 502

security engineer, role and responsibilities, 76

security governance, 67

activities and results, 24–25

reasons for, 24

See also information security governance

security incident management, 452–453

security management, 67–68, 310

auditing, 534–535

security manager, 206

security monitoring, 307–308

security operational requirements, 231

security operations, roles and responsibilities, 76–77

security policy, 59

addressing third-party security in, 443

security steering committee, 433

segregation of duties, 175, 263, 458–459

controls, 78–79

overview, 77–78

senior management, 205

server clusters, 322–323, 326–327, 402

service continuity management, 305–306

See also business continuity planning; disaster recovery planning

service desk, 297

roles and responsibilities, 77

service desk manager, role and responsibilities, 77

service level agreements, 59, 61

service providers

audits, 166–167

reviewing contracts, 126

service-level management, 304

capacity management and, 305

session hijacking, 495

session protocols, 380

SFTP, 379

S-HTTP, 514

single loss expectancy (SLE), 44

single sign-on, 473

site classification policy, 30

siting and marking, auditing, 547–548

situational awareness, 455

SLAs. See service level agreements

SLE. See single loss expectancy (SLE)

SLOC. See source lines of code

SMART, 202

smart cards, 469

smartphone controls, 486

S/MIME, 514

SMS tokens, 469

SMTP, 379

SMTPS, 379

snapshots, 286

sniffers, 386

SNMP, 380

social media policy, 30–31

SOD. See segregation of duties

soft tokens, 469

software

audit software, 179

data communications, 327

licensing, 334

maintenance, 249

utility software, 332–333

software acquisition, auditing, 280

Software as a Service. See SaaS

software developers, 433

software development

alternative approaches and techniques, 250

risks, 249–250

roles and responsibilities, 74

software engineer/developer, role and responsibilities, 74

Software Engineering Institute Capability Maturity Model (SEI CMM), 267–268

software mapping, 285

software program library management, 309–310

software projects, estimating and sizing, 208–211

software tester, role and responsibilities, 74

software-defined networking (SDN), 382

SONET, 363

source code management, 241

source lines of code, 208

sourcing, 54

spam, 519

spear phishing, 520

split custody, 459

spoofing, 488, 495

sprint, 222

spyware, 518

SSH, 380, 514

standard IT balanced scorecard (IT-BSC), 22

See also balanced scorecard (BSC)

standards, 26–27, 32–33

See also laws, regulations, and standards

statement of impact, 43

statements of work (SOWs), 60–61

for audits, 169

statistical sampling, 175

status reports, 198

steering committee, security responsibilities, 23

stop-or-go sampling, 176

storage

backup and media storage, 474–475

evaluating off-site storage, 419

off-site storage, 102

visiting media storage and alternate processing sites, 127

storage engineer, role and responsibilities, 75

strategic planning. See IT strategic planning

strategies, defined, 631

stratified sampling, 176

stream cipher, 504

subject, 458

subnet masks, 374

substantive testing, vs. compliance testing, 167–168

supplier standards, 32

support, and project documentation, 216

switched networks, 490

symmetric encryption, 504

Synchronous Optical Networking. See SONET

system classification policy, 29

System Control Audit Review File and Embedded Audit Modules (SCARF/EAM), 286

system development life cycle (SDLC), 223

acquiring cloud-based infrastructure and applications, 256–257

Agile development, 251

application programming languages, 239

auditing, 278–283

business functional requirements, 227–228

component-based development, 253–254

computer-aided software engineering (CASE), 255

data-oriented system development, 252

debugging, 240–241

design, 236–238

development, 238–241

development in a software acquisition setting, 239–240

DevOps, 250–251

disaster recovery and business continuity requirements, 231

feasibility studies, 224, 226–227

fourth-generation languages, 256

implementation, 244–248

integrated development environments (IDEs), 255

object-oriented system development, 252–253

organizing and reviewing requirements, 232

phases, 223–224

post-implementation, 248–249

privacy requirements, 231–232

prototyping, 251

rapid application development (RAD), 252

requirements definition, 227–236

reverse engineering, 254

RFP process, 232–236

security and regulatory requirements, 229–231

software and business capabilities imagined, 224–226

software development risks, 249–250

software maintenance, 249

source code management, 241

system development tools, 255

technical requirements and standards, 228–229

testing, 241–244

web-based application development, 254

system development tools, 255

system hardening, 455–456, 477

changing default passwords, 478

changing systems from multifunction to single-function, 477

limiting functionality or privilege of necessary services, 478

reducing or eliminating interserver trust, 479

reducing user privileges, 479

removal of unnecessary services, 478

removing nonessential user IDs, 478–479

using nonpredictable passwords, 478

system testing, 243–244

systems administrator, role and responsibilities, 75

systems analyst, 433

role and responsibilities, 74

systems architect, role and responsibilities, 74, 75

systems developers, 206

systems development management, 206

systems engineer, role and responsibilities, 75

systems management, roles and responsibilities, 75

systems operator, role and responsibilities, 76

T

targeted attacks, 497

tasks

dependencies, 208

estimation, 207

identification, 207

milestone tracking, 208

resources, 207

scheduling project tasks, 211–215

task tracking, 208

T-Carrier, 363–365

TCP, 377–378

TCP/IP network devices, 381–382

TCP/IP network model, 348

application layer, 351

Internet layer, 349

link layer, 349

and OSI network model, 351–352

transport layer, 349–351

TCP/IP protocols and devices, 370–381

technical requirements and standards, 228–229, 259

technical support analyst, role and responsibilities, 77

technology

and audits, 138–139, 179

familiarity with, 461

understanding the technology environment, 582–583

technology standards, 32

telecom engineer, role and responsibilities, 75

telnet, 380

temperature and humidity controls, 529

terminal emulation, 339–340

termination, 53

test batches, 285

testing, 241–242

auditing, 281

automated, 605–606

compliance vs. substantive testing, 167–168

of control operating effectiveness, 602–606

data integrity testing, 284

debugging, 240–241

developing a test plan, 581–589

disaster recovery plans, 409

discovering incidents requiring immediate attention, 607–610

discovering testing exceptions, 606–607

functional testing, 244

incident response, 454–455

infrastructure development and implementation, 260

by inquiry and corroborative inquiry, 601

by inspection, 601, 602–603

launching the testing phase, 599

online processing systems, 284–285

organizing a test plan, 591–594

parallel testing, 285

programs, 605

quality assurance testing (QAT), 244

restoration testing, 475

retesting issues in succeeding periods, 626–627

sample testing, 598, 603–604

security and HR procedure testing, 598

system testing, 243–244

test plans, 242

test scripts, 606

tests of control existence, 599–602

through reperformance, 601–602, 603

unit testing, 240, 243

user acceptance testing (UAT), 244

testing recovery plans, 109–110

cutover test, 114

document review, 111

documenting test results, 114

parallel testing, 113–114

reviewing prior test results and action plans, 125

simulation, 112–113

test preparation, 110–111

walkthroughs, 111–112

third-party management, 268, 439

access countermeasures, 441–442

addressing third-party security in legal agreements, 442–443

addressing third-party security in security policy, 443

assessment, 270

auditing, 286–287

classification, 269–270

onboarding and due diligence, 269

remediation, 270

risk factors, 268–269

risks associated with third-party access, 441

third parties and risk, 439–440

types of third-party access, 440

third-party risk, 68

third-party service delivery management, 61–62

threat analysis, 40

threat hunting, 455, 477

threat management, 477, 502

threat modeling, 477

threats

access control threats, 459–460

advanced persistent threats (APTs), 521

of cyber-crime on organizations, 449–450

defined, 40

network-based, 488–489

TIA-942 Telecommunications Infrastructure Standards for Data Centers, 531

time synchronization, 340

timebox management, 215

Token Ring, 360–361

tokens, 469, 484–485

Towers of Hanoi, 407

training, 52, 102, 246–247, 485

cross-training, 52

for disaster response and business continuity, 115

transaction authorization, 78

transaction flow, 283

transaction processing (TP) monitors, 388

transaction tracing, 285

transport layer protocols, 377–379

Trojan horses, 518

tunneling, 385

U

UDP, 378–379

uninterruptible power supplies (UPSs), 527

unit testing, 240, 243

Universal Serial Bus (USB), 361–362

U.S. Cybersecurity Framework, 68

U.S. Department of Defense (DoD), employee requirements, 2–3

U.S. Federal Emergency Management Agency (FEMA), 118

U.S. National Fire Protection Association (NFPA), 117–118

U.S. National Institute of Standards and Technology (NIST), 117

U.S. Office of Personnel Management (OPM), 481

user, role and responsibilities, 72

user acceptance testing (UAT), 244

user access controls, auditing, 536–538

user access management, 480

employee termination, 481–482

employee transfers, 482–483

user access provisioning, 480–481

user access provisioning, auditing, 539

user account provisioning, 467–468

user authentication controls, 490

user IDs, 465–466, 468

removing nonessential user IDs, 478–479

users, and project documentation, 216

utilities, and security, 333–334

utility software, 332–333

V

vacations, 52

Val IT, 66, 655–656

value adjustment factor (VAF), 210

variable sampling, 176

vendor manager, role and responsibilities, 77

Verification of Work Experience form, 13

virtual networks (VLANs), 376

virtual workstations, 340

virtualization architectures, 323–324

virtualization environments, securing, 479–480

viruses, 518

Voice over IP (VoIP), 515–516

vulnerabilities

access control, 460–461

defined, 42

vulnerability and threat monitoring, 455

vulnerability identification, 42

vulnerability management, 68, 455, 476–477

auditing, 545–546

W

walkthroughs, 582

WAN switch, 366

war chalking, 494

war driving, 494

warm sites, 395, 396

warranty, 60

WBS. See work breakdown structure

web filtering, 543

web security, 340

web-based application development, 254

web-based applications, 387–388

website filtering, 491

wide area networks (WANs), 338, 362

devices, 366

protocols, 363–365

wide area transmission modes, 362–363

Wi-Fi, 367–368

access points, 544

WiMAX, 368–369

wireless networks, 366–367

Bluetooth, 369

countermeasures, 495–496

IrDA, 370

LTE, 369

NFC, 369–370

securing, 493–496

threats and vulnerabilities, 493–495

Wi-Fi, 367–368

WiMAX, 368–369

Wireless USB (WUSB), 369

Wireless USB (WUSB), 369

work breakdown structure, 203–204, 208

work orders, 60–61

workflow, 78

workpapers, ownership of, 570

World Wide Web, 384

worms, 518

X

X.25, 365

X.500, 381

Z

Zachman framework, 270–271, 272
