Index


A

AAA (authentication, authorization, and accounting), 121
access control lists (ACLs), 117, 211
access controls, 36, 84, 255-259
access points (APs), 263, 267-268, 270
account management
    Unix and Linux operating systems, 173-182, 203-204
    Windows Server, 146-149
ACLs (access control lists), 117, 211
action plans list, in audit report, 54
activity monitoring, database, 238-239
Acunetix, 217, 221
Administration Tools Pack (adminpak), 161
administrative threats, identifying, 363
adversarial relationships, 18
air conditioning, 86, 93
alarms
    burglar, 84, 96
    chemical, 85
    fire, 84, 96-97
    gas, 85
    humidity, 85, 97-98
    power fluctuation, 85
    water, 85
Alerter utility, 145
analytical skills, of IT auditors, 27
annual rate of occurrence (ARO), 364
anonymous access, 159
anonymous File Transfer Protocol (FTP), 192-193
antennas, 272
antivirus programs, 141-142, 157
Application Layer Gateway Service, 145
application proxies, 117
application-level firewalls, 117

applications auditing, 247-262
    best practices, 250-252
        applying defense in depth, 250
        avoiding security by obscurity, 251
        detecting intrusions and keeping logs, 251
        establishing secure defaults, 251
        failing safely, 250-251
        keeping security simple, 251
        master checklists, 261
        never trusting infrastructure and services, 251
        overview, 250
        running with least privilege, 251
        using open standards, 252
        using positive security model, 250
    generalized frameworks, 247-250
        overview, 247
        people, processes, tools, and measures (PPTM), 248
        planning, design, implementation, and operations (PDIO), 250
        STRIDE, 248-250
    master checklists, 262
    overview, 21, 247
    performing, 252-261
        access controls, 255-259
        audit trails, 255
        backup and recovery, 260
        data retention and classification, 260-261
        input controls, 252-254
        interface controls, 254-255
        operating system, database, and other infrastructure controls, 261
        overview, 252
        software change controls, 259-260

approving new projects, 66
APs (access points), 263, 267-268, 270
ARO (annual rate of occurrence), 364
assets, 352
    assigning information criticality values to, 359
    failure to identify, 354-355
    identifying, 356-359
        assigning information criticality values to information assets, 359
        defining information criticality values, 357
        identifying business functions, 357-358
        mapping information processes, 358-359
        overview, 356-357
    moving and disposal procedures, 76
    procurement process, 76
    tracking, 76
atjobs, 187-188
audit committee, 4, 6
audit logs
    master checklist, 205
    test steps, 196-199
audit process, 33-58
    determining what to audit, 36-41
        creating audit universe, 37-38
        overview, 36
        ranking audit universe, 39-41
    internal controls, 33-36
        examples of, 35-36
        overview, 33-34
        types of, 34-35
    overview, 33
    stages of audit, 41-57
        field work and documentation, 44-45
        issue discovery and validation, 45-46
        issue tracking, 55-57
        overview, 41
        planning, 42-44
        report drafting and issuance, 50-55
        solution development, 46-50
    standards, 57-58
audit reports. See report drafting and issuance
audit scope, in audit report, 303
audit trails, 255
audit universe
    creating, 36-37
        business applications, 38
        centralized IT functions, 37
        decentralized IT functions, 38
        regulatory compliance, 38
    ranking, 39-41
auditees, use of term, 20
authentication, 255-256
    devices for, in data center, 91
    mechanism of, 256
    security of authentication method, 268-269
    Unix and Linux operating systems auditing, 170-171
        overview, 170
        Unix Group File, 171
        Unix Password File, 170
        Unix Shadow File, 170-171
authentication, authorization, and accounting (AAA), 121
authority, 63
authorization controls, 215
Autologin, 159
autoruns tool, 139
autorunsc tool, 139
autoruns(c) utility, 143



IT Auditing. Using Controls to Protect Information Assets
ISBN: B001TI1HNG
EAN: N/A
Year: 2004
Pages: 159
