AAA (authentication, authorization, and accounting), 121
access control lists (ACLs), 117, 211
access controls, 36, 84, 255-259
access points (APs), 263, 267-268, 270
account management
Unix and Linux operating systems, 173-182, 203-204
Windows Server, 146-149
ACLs (access control lists), 117, 211
action plans list, in audit report, 54
activity monitoring, database, 238-239
Acunetix, 217, 221
Administration Tools Pack (adminpak), 161
administrative threats, identifying, 363
adversarial relationships, 18
air conditioning, 86, 93
alarms
burglar, 84, 96
chemical, 85
fire, 84, 96-97
gas, 85
humidity, 85, 97-98
power fluctuation, 85
water, 85
Alerter utility, 145
analytical skills, of IT auditors, 27
annual rate of occurrence (ARO), 364
anonymous access, 159
anonymous File Transfer Protocol (FTP), 192-193
antennas, 272
antivirus programs, 141-142, 157
Application Layer Gateway Service, 145
application proxies, 117
application-level firewalls, 117
applications auditing, 247-262
best practices, 250-252
applying defense in depth, 250
avoiding security by obscurity, 251
detecting intrusions and keeping logs, 251
establishing secure defaults, 251
failing safely, 250-251
keeping security simple, 251
master checklists, 261
never trusting infrastructure and services, 251
overview, 250
running with least privilege, 251
using open standards, 252
using positive security model, 250
generalized frameworks, 247-250
overview, 247
people, processes, tools, and measures (PPTM), 248
planning, design, implementation, and operations (PDIO), 250
STRIDE, 248-250
master checklists, 262
overview, 21, 247
performing, 252-261
access controls, 255-259
audit trails, 255
backup and recovery, 260
data retention and classification, 260-261
input controls, 252-254
interface controls, 254-255
operating system, database, and other infrastructure controls, 261
overview, 252
software change controls, 259-260
approving new projects, 66
APs (access points), 263, 267-268, 270
ARO (annual rate of occurrence), 364
assets, 352
assigning information criticality values to, 359
failure to identify, 354-355
identifying, 356-359
assigning information criticality values to information assets, 359
defining information criticality values, 357
identifying business functions, 357-358
mapping information processes, 358-359
overview, 356-357
moving and disposal procedures, 76
procurement process, 76
tracking, 76
atjobs, 187-188
audit committee, 4, 6
audit logs
master checklist, 205
test steps, 196-199
audit process, 33-58
determining what to audit, 36-41
creating audit universe, 37-38
overview, 36
ranking audit universe, 39-41
internal controls, 33-36
examples of, 35-36
overview, 33-34
types of, 34-35
overview, 33
stages of audit, 41-57
field work and documentation, 44-45
issue discovery and validation, 45-46
issue tracking, 55-57
overview, 41
planning, 42-44
report drafting and issuance, 50-55
solution development, 46-50
standards, 57-58
audit reports. See report drafting and issuance
audit scope, in audit report, 303
audit trails, 255
audit universe
creating, 36-37
business applications, 38
centralized IT functions, 37
decentralized IT functions, 38
regulatory compliance, 38
ranking, 39-41
auditees, use of term, 20
authentication, 255-256
devices for, in data center, 91
mechanism of, 256
security of authentication method, 268-269
Unix and Linux operating systems auditing, 170-171
overview, 170
Unix Group File, 171
Unix Password File, 170
Unix Shadow File, 170-171
authentication, authorization, and accounting (AAA), 121
authority, 63
authorization controls, 215
Autologin, 159
autoruns tool, 139
autorunsc tool, 139
autoruns(c) utility, 143