radio frequency identification (RFID) chips, 91
RAID (redundant array of inexpensive drives), 106
rating system, in audit reports, 302-303
rcrack utility, 149
reactive controls (corrective controls), 35
recommendation approach, to solution development, 46-47
recovery. See backup and recovery
redundant array of inexpensive drives (RAID), 106
redundant power feeds, 85, 94
regulations, 327-347
EU Commission and Basel II, 345
Gramm-Leach-Bliley Act (GLBA), 338-340
Federal Financial Institutions Examination Council (FFIEC), 340
overview, 338
requirements, 338-339
Health Insurance Portability and Accountability Act (HIPAA) of 1996, 342-345
impact on covered entities, 344-345
overview, 342
privacy and security rules, 343-344
legislation related to internal controls, 327-328
history of corporate financial regulation, 328
overview, 327
regulatory impact on IT audit, 327-328
overview, 327
Payment Card Industry (PCI) Data Security Standard, 346-347
privacy regulations
California SB 1386, 340-341
international privacy laws, 341-342
trends, 342
Sarbanes-Oxley Act of 2002, 328-338
considerations for companies with multiple locations, 332
core points of, 329-331
financial impact of Sarbanes-Oxley compliance on companies, 337-338
impact of third-party services on compliance, 332-333
impact on IT departments, 331-332
impact on public corporations, 329
overview, 328-329
specific IT controls required for compliance, 333-337
trends, 347
regulatory compliance, 38
regulatory threats, 362
relationship building, 17-20
learning to build partnerships, 19-20
attitude of collaboration and cooperation, 20
formal audit liaisons with different IT organizations, 19
getting invited to key meetings, 19
overview, 19
updates and meetings with IT management, 19
overview, 17-18
remote access, 75, 151, 188
remote journaling, 107
report drafting and issuance, 50-55
distributing audit report, 55
essential elements of audit report, 51-54
closed items, 54
executive summary, 51
key controls, 54
list of issues and action plans, 51-54
minor issues, 54
overview, 51, 54
statement of audit scope, 51
overview, 50-51
repudiation, 249
requirements
for audits, 300
for projects, 291-292
research time, 29
resource constraints, 12
Resource Kit tools, 138, 161
retention, data, 260-261
Retina Scanner, 154-155, 161
reuse of media, 77-78
RFID (radio frequency identification) chips, 91
.rhosts file, 182, 190-192
risk analysis, 351-355
common causes for inaccuracies in, 354-355
failure to identify assets, threats, or vulnerabilities, 354-355
inaccurate estimations, 355
overview, 354
elements of risk, 351-352
assets, 352
overview, 351
threats, 352
vulnerabilities, 352
overview, 351
risk management, 351-368
benefits of, 351
life cycle, 356-368
overview, 356
phase 1: identifying information assets, 356-359
phase 2: quantifying and qualifying threats, 359-364
phase 3: assessing vulnerabilities, 364-366
phase 4: control gap remediation, 366-367
phase 5: managing ongoing risk, 367-368
overview, 351
risk analysis, 351-355
common causes for inaccuracies in, 354-355
elements of risk, 351-352
overview, 351
practical application, 353-354
in practice, 354
summary of formulas, 368
risk-assessment processes, 69-70
risk-based audit scheduling, 12
rogue access points, 270
role of IT audit team, 20-23
information systems auditors, 22
IT auditors, 22-23
overview, 20-21
support for financial auditors, 22
root kits, 242
rotation of auditors, 27, 40
routers, 116, 129-130, 133
routing updates, authentication of, 129-130
rsop.msc tool, 139