IT Auditing. Using Controls to Protect Information Assets
Authors: Davis C., Schiller M., Wheeler K.
Published year: 2004
Pages: 138-141/159

Index

F

facility monitoring procedures, 102-103

facility-based controls, data center auditing, 84-85

access-control systems, 84

alarm systems, 84-85

fire-suppression systems, 85

overview, 84

Fax Service, 145

FCPA (Foreign Corrupt Practices Act of 1977), 307

Federal Deposit Insurance Corporation Act (FDICIA), 328

Federal Financial Institutions Examination Council (FFIEC), 340

field work, 44-45

file security and controls

See also permissions

master checklist, 204

test steps, 182-188

file system layout and navigation, 167-169

File Transfer Protocol (FTP), anonymous, 192-193

finance audit manager, 6

financial auditors, 22-23

financial threats, 361

fire alarms, 84, 96-97

fire suppression, 85, 98-100

firewalls, 116-117, 157

additional controls, 130-131, 134

application proxies, 117

application-level firewalls, 117

overview, 116-117

packet-filtering firewalls, 117

stateful packet inspection (SPI) firewalls, 117

flame sensors, 97

flood elevations, 89

floors, of data center, 91

Foreign Corrupt Practices Act of 1977 (FCPA), 307

formal training, 29

Fport tool, 139, 144, 161

frameworks and standards, 307-325

Committee of Sponsoring Organizations (COSO), 308-315

definition of internal control, 309

enterprise risk management-integrated framework, 311-315

key concepts of internal control, 309

overview, 308-309

Control Objectives for Information and Related Technologies (CoBIT), 315-319

concepts, 316-317

connection with COSO, 319

IT governance, 318-319

overview, 315

International Organization for Standardization (ISO) 27001/ISO 17799/BS 7799, 322-323

IT Infrastructure Library (ITIL), 319-322

National Security Agency Infosec Assessment Methodology (NSA IAM), 323-325

concepts, 323

on-site activities phase, 324-325

overview, 323

post-assessment phase, 325

pre-assessment phase, 324

overview, 307-308

trends, 325

FTP (File Transfer Protocol), anonymous, 192-193


G

gas alarms, 85

gateways, 117

generators, 85, 95-96

GLBA (Gramm-Leach-Bliley Act), 338-340

Federal Financial Institutions Examination Council (FFIEC), 340

overview, 338

requirements, 338-339

customer privacy provisions, 338

internal control requirements, 339

overview, 338

Gramm-Leach-Bliley Act. See GLBA

ground to earth, 85, 94

Group File, Unix, 171

groups, 147-148, 178-179

guest accounts, 159


H

hands-on training, 29

hardware

procurement and movement of, 76

redundancy, 106

standards, 67

hashes, password, 174

hazardous materials handling and storage, 99

Health Insurance Portability and Accountability Act of 1996. See HIPAA

heat sensors, 97

heating, 86, 93

HIPAA (Health Insurance Portability and Accountability Act) of 1996, 342-345

ensuring effective policies exist for compliance with, 71-72

impact on covered entities, 344-345

overview, 342

privacy and security rules, 343-344

hiring procedures, 75-76

home directories, 181

host-based vulnerability scanning, 155-156, 199

hotfixes, 158-159

human resources (HR) policies, 70, 75-76

humidity, 85, 93, 97-98


I

IBM, 225

identity spoofing, 248

IIA (Institute of Internal Auditors), 79

IIS, 159

IISLockdown, 210

IMAPI CD-Burning COM Service, 145

IMS (Information Management System), 225

incentives for employees, 70

"independence" of internal audit department, 5-7

Indexing Service Wireless, 145

indices, 228

industrial areas, data center proximity to, 90

informal audits, 11-14

information criticality values

assigning to information assets, 359

defining, 357

information disclosure, 249

Information Management System (IMS), 225

Information Systems Audit and Control Association (ISACA), 29, 79

information technology (IT) audit function, internal. See internal information technology (IT) audit function

infrastructure control, 261

injection attacks, 218

input controls, 252-254

Institute of Internal Auditors (IIA), 79

interface controls, 254-255

internal control-integrated framework, 309-311

component relationships, 311

control activities, 310

control environment, 310

information and communication, 310-311

monitoring, 311

overview, 309-310

risk assessment, 310

internal controls, 33-36

See also internal control-integrated framework

defined, 5

examples of, 35-36

access controls, 35

backups and disaster-recovery plans, 36

overview, 35

software change controls, 35

legislation related to, 327-328

history of corporate financial regulation, 328

overview, 327

regulatory impact on IT audit, 327-328

overview, 33-34

types of, 34-35

detective controls, 35

overview, 34

preventive controls, 34-35

reactive controls (corrective controls), 35

internal information technology (IT) audit function, 3-31

early involvement, 9-11

forming and maintaining effective IT audit team, 23-28

career IT auditors, 23-28

cosourcing, 28

IT professionals, 25-26

overview, 23

informal audits, 11-14

knowledge sharing, 14-16

common issues, best practices, and innovative solutions, 15-16

control guidelines, 14-15

overview, 14

tools, 16

maintaining expertise, 28-30

overview, 28

sources of learning, 29-30

mission of internal audit department, 3-5

overview, 3

relationship building, 17-20

building partnerships, 19-20

overview, 17-18

relationship with external auditors, 30-31

role of IT audit team, 20-23

information systems auditors, 22

IT auditors, 22-23

overview, 20-21

support for financial auditors, 22

self-assessments, 17

whether internal audit department is independent, 5-7

International Organization for Standardization (ISO) 27001/ISO 17799/BS 7799, 322-323

international privacy laws, 341-342

Canadian Personal Information Protection and Electronic Document Act (PIPEDA), 341-342

European Directive on the Protection of Personal Data, 341

overview, 341

Intersite Messaging, 145

intranet, 14

intrusion detection and prevention, 154, 200

inventory of all equipment, 76

ISACA (Information Systems Audit and Control Association), 29, 79

ISAPI filters, 213

ISO (International Organization for Standardization) 27001/ISO 17799/BS 7799, 322-323

issue discovery and validation, 45-46

issue tracking, 55-57

issues list, in audit report, 51-54

IT (information technology) audit function, internal. See internal information technology (IT) audit function

IT audit manager, 6

IT organization structure, 62-63

IT professionals, 22-26

vs. career IT auditors, 27-28

overview, 25-26

sources for, 26

IT risk scenario, 353-354

IT strategic planning process, 64-65

ITIL (IT Infrastructure Library), 319-322
