The McGraw-Hill Companies
McGraw-Hill books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please write to the Director of Special Sales, Professional Publishing, McGraw-Hill, Two Penn Plaza, New York, NY 10121-2298. Or contact your local bookstore.
© 2007 The McGraw-Hill Companies.
Sponsoring Editor Jane Brownlow
Editorial Supervisor Janet Walden
Project Manager Madhu Bhardwaj
Acquisitions Coordinator Jennifer Housh
Technical Editors Barbara Anderson, Tim Breeding, Michael Cox, Subesh Ghose and Keith Loyd
Copy Editor Jim Madru
Proofreader Ragini Pandey
Indexer Kevin Broccoli
Production Supervisor George Anderson
Composition International Typesetting and Composition
Illustration International Typesetting and Composition
Art Director, Cover Jeff Weeks
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
To my unbelievably awesome wife Sarah and son Joshua Michael,
I love you.
To Steph, Grant, and Kate: This book was possible only because of your love, patience, and support. I'm amazed every day by how lucky I am and by the joy you bring to my life.
To my wife Sandra, the love of my life, whose tireless encouragement and patience have sustained me through this process; to our beautiful child Heather; and to my Lord, who made all of this possible through His blessings.
About the Authors
Chris Davis, CISA, CISSP, draws on his experience auditing IT systems for Texas Instruments. Mr. Davis has trained and presented in information security, advanced computer forensic analysis, and hardware security design. He actively teaches auditing and certification curriculum for Southern Methodist University and is the author of and a contributor to several books and publications. His contributions include projects and presentations for SANS, Gartner, Harvard, BlackHat, and 3GSM. He has enjoyed positions at Texas Instruments, Austin Microsoft Technology Center, and Cisco Systems. He holds a bachelor's degree in nuclear engineering technologies from Thomas Edison and a master's in business from the University of Texas at Austin. Chris was a U.S. Navy submariner and served on the deep-diving submarine NR-1 and the Ohio-class ballistic missile submarine USS Nebraska, SSBN 739, Blue Crew. Go Big Red!
Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT audit manager at Texas Instruments (TI). Prior to that, Mike served as the IT audit manager at The Sabre Group, where he was the company's first-ever IT audit manager, creating the IT audit function, team, and processes from the ground up. Mike also has several years of experience as a senior IT auditor, programmer/analyst, and manager of IT support teams. He is involved in multiple industry IT audit organizations and has been a presenter at IT conferences such as ASUG (Americas' SAP Users' Group). In addition to his years of experience in corporate management, Mike is also heavily involved in leadership at his church, Richardson East Church of Christ. He has a bachelor's degree in business analysis from Texas A&M University. Mike enjoys watching baseball in his spare time and has attended games in every major league stadium. His baseball allegiance is to the Texas Rangers and Cincinnati Reds. Mike's son Grant is a well-known baseball blogger (see http://www.texasrangerstrades.blogspot.com) and was named 2005 Texas Rangers Fan of the Year.
Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense, an information security consultancy. Mr. Wheeler's project and employment portfolio includes organizations such as Bank of America, EDS, McAfee, Southern Methodist University, and the State of Texas. He has performed information security audits and assessments as well as information security design, computer incident response, business continuity planning, and IT security training for both government and commercial entities in the financial services, healthcare, and IT services industries. He holds a bachelor of business administration degree from Baylor University and is an active member of ISSA, ISACA, InfraGard, the North Texas Electronic Crimes Task Force, and the Greater Dallas Chamber of Commerce.
About the Contributing Authors
Stacey Hamaker, CIA, CISA, is the president of Shamrock Technologies, which provides enterprise-class IT consulting to Fortune 500 companies, midsized firms, and the public sector. Ms. Hamaker has been heavily involved in regulatory compliance initiatives since the inception of the Sarbanes-Oxley Act of 2002. She serves on the board of the North Texas chapter of ISACA (formerly the Information Systems Audit and Control Association) and is active in the Institute of Internal Auditors (IIA). Her numerous articles on enterprise and IT governance have been published in such industry publications as the IS Control Journal. Ms. Hamaker's speaking engagements span local, national, and international venues. She received her MBA in MIS from the University of Texas at Arlington and her undergraduate degree in accounting from Marietta College in Ohio.
Aaron Newman is the founder and chief technology officer of Application Security, Inc. (AppSecInc). Widely regarded as one of the world's foremost database security experts, Aaron coauthored the Oracle Security Handbook for Oracle Press and holds patents in database encryption and monitoring. Prior to founding AppSecInc, Aaron founded several other companies in the technology area, including DbSecure, the pioneers in database security vulnerability assessment, and ACN Software Systems, a database security consulting firm. Aaron has spent the last decade managing and designing database security solutions, researching database vulnerabilities, and pioneering new markets in database security. Aaron has held several other positions in technology consulting with Price Waterhouse, Internet Security Systems, Intrusion Detection Inc., and Banker's Trust.
About the Technical Reviewers
Barbara Anderson, CCSP, CCNP, has extensive experience in network and security planning, design, implementation, and operations. She currently serves as a senior network security engineer who provides consulting and support for LAN, WAN, and security design, including information security consulting, product implementation, and training. Ms. Anderson proudly served her country for four and a half years in the U.S. Air Force. She has enjoyed positions at EDS, SMU, Fujitsu, ACS, and Fishnet Security.
Tim Breeding, CISA, currently serves as the director of Information Systems Audit at Wal-Mart Stores, Inc. His responsibilities include oversight of project teams that assess information technology risks and mitigation strategies in both an audit and a consulting capacity. Prior to joining Wal-Mart, Tim served Southwest Airlines as Information Systems Audit Manager for six and a half years. While there, Tim presided over substantial growth of the IS audit function. Before joining Southwest Airlines, Tim served over 13 years in several capacities at Texas Instruments. His responsibilities included computer operations, software development, software quality assurance, and IS audit.
Michael Cox currently works as a network security engineer for Texas Instruments, where he has also worked as an IT auditor developing numerous audit programs and automated audit tools. Prior to this, he worked as a network engineer for Nortel, and he enjoys doing Linux sysadmin work whenever he can get it. Michael holds the CISSP certification and has a bachelor of arts degree in history from Abilene Christian University.
Subesh Ghose worked for eight years in the IT audit industry for a Fortune 500 semiconductor manufacturing company, where he led audits reviewing the internal controls of various data centers, ERP implementations, and infrastructure environments. As part of his role, he was responsible for designing and implementing audit methodologies for various technical platforms and performing project reviews to provide internal control guidance early in the project development life cycle. He is currently a manager in IT Security, where he oversees architecture and process development for securing external collaborative engagements and the development of security controls in enterprise projects. In addition, he is responsible for disaster recovery processes for the enterprise data center. Subesh has an M.S. in computer science from Southern University.
Keith Loyd, CISSP, CISA, worked for seven years in the banking industry, where he developed technology solutions for stringent legislative business requirements. As part of his role, he was responsible for implementing and testing networking solutions, applications, hardened external-facing platforms, databases, and layered mechanisms for detecting intrusion. Now in the manufacturing industry, Keith primarily deals with vulnerability and quality testing of new applications and projects, worldwide incident response, and civil investigations. He has a B.S. in information technology from Capella University and an M.S. in information assurance from Norwich University.
The excitement of learning separates youth from old age. As long as you're learning you're not old.
-Rosalyn S. Yalow
We simply could not have done this without the help of many, many people. It was an amazing challenge coordinating the necessary depth of corporate, legal, and technical expertise across so many subjects. Many old and new friends, organizations such as ISACA and OWASP, and many others donated knowledge, time, techniques, tools, and much more to make this project a success.
Writing this book required tireless hours of writing, research, and corroboration among the authors, contributing authors, technical editors, industry peers, copy editors, layout team, and publisher leadership team while our loved ones took the brunt of our efforts. It is only appropriate that we thank and acknowledge those that supported and carried us despite ourselves. We are truly grateful to each of you.
The wonderful and overworked team at McGraw-Hill/Osborne is simply outstanding. We sincerely appreciate your dedication, coaching, and long hours during the course of this project. Jane Brownlow, this book is a result of your tireless dedication to the completion of this project. We congratulate you on your new baby and wish you the best. We look forward to working with you again in the future. We would also like to extend a big round of thanks to Jennifer Housh, our acquisitions coordinator, for her coordination and work with the technical editors. Thank you so much for being a part of this. We also would like to thank the wonderful efforts of project manager Madhu Bhardwaj; copy editor Jim Madru; proofreader Ragini Pandey; indexer Kevin Broccoli; editorial supervisor Janet Walden; production supervisor George Anderson; art director, cover, Jeff Weeks; and compositor and illustrator, International Typesetting and Composition.
A special thank you goes to Barbara Anderson, Tim Breeding, Michael Cox, Subesh Ghose, Donna Hutcheson, Austin Hutton, and Keith Loyd for their contributing works and deep reviews. Your involvement truly made the difference. Your reviews were wonderful, detailed, and significant in providing a useful product for the readers. Additionally, thank you, Michael Cangemi, for taking the time to deliver an incredible introduction to this work. Your words are thoughtful, kind, and relevant, and they illustrate the experience you have in this industry. And Doug Dexter, thank you for coming through at the last minute. We appreciate your quick turnaround and very kind review.
In particular, Keith Loyd, you went way above and beyond and came to the table with excellent contributions and reviews. Michael Cox and Subesh Ghose, with all that you have going on, thank you for taking the time on this project. We know the readers will appreciate your expertise. Tim Breeding, you did an outstanding job contributing to the project auditing chapter. Barbara Anderson, you juggled multiple responsibilities, including your home life and extensive work responsibilities, to work on this book in the last hours. We thank you for that time and know the readers will appreciate the effort you put into this project.
There are two organizations that allowed us to borrow content, and to them we are truly grateful. We would like to thank the people at ISACA for bringing a cohesive knowledge set to the auditing field and the CISA certification. There is still much work to be done, and we as a team would like to encourage our peers to contribute to this wonderful knowledge base. Likewise, thank you, Jeff Williams and Mark Curphey, for founding and contributing to OWASP. Your selfless investments are helping thousands of professionals worldwide, and many more who would never otherwise know where to start securing their websites. Thank you.
Thank you, Sarah. This book would not exist without you. You've sacrificed so many late evenings for me to finish this. I'm thankful to have you as my wife and look forward to the many wonderful years we have left. I love you! Little Joshua, as your mom and I call you, we love you so much and can't wait to share this life with you. Not a day goes by that I don't think about sharing, teaching, and helping you to grow and mature into your own. Thanks to our Lord and Savior for the many opportunities and blessings you've so generously given us.
Mike and Kevin, thank you for sharing the load and investing your time in this work. You are good friends, and I appreciate the opportunity to learn from you. Through all of this project's challenges, between the three of us, we pulled it off. Barbara Anderson, Tim Breeding, Michael Cox, Subesh Ghose, and Keith Loyd, thank you for your generous time and reviews. Many of you balanced active work and home lives to fit this into your schedule. Thank you for your tremendous help.
To the crew at McGraw-Hill/Osborne, especially Jane Brownlow and Jennifer Housh, you're a wonderful group to work with. I am grateful for the outstanding guidance and continual support. You're an amazing team, and I'm blessed for having worked with you.
A special thank you goes to my family for their love and support. Rob, David, and Jon, you are excellent examples of work ethic and wisdom. I'm grateful to have you as brothers and mentors. Thank each of you for your wisdom, love, support, and guidance.
Thank you, Alan Bain, Michael Landewe, and Gord Boyce at ForeScout Technologies, for allowing me to work on this project while getting up to speed on a new product in a hot field.
Finally, a special thank you goes to the friends who convinced us to move forward with the project in its beginning stages. Thank you to all the friends and influences along the way: the Texas Instruments security and audit teams for your wealth of knowledge and opportunities to learn, Chris McAbee of Dallas, Texas, for always being there for anything, and many, many others. I sincerely appreciate you all.
I would like to thank my good friends Tim Breeding, Michael Cox, and Subesh Ghose for helping with this book and making it better than we could have made it on our own. You're each not only outstanding auditors but also outstanding friends.
I would also like to thank my coauthors, Chris Davis and Kevin Wheeler, for their excellent work. Thanks especially to Chris for involving me in this book and for all of his hard work in coordinating this project. Thanks also go to Chris for helping me with visuals and being an excellent overall sounding board and reviewer. Extra thanks go to Kevin for the healthy debates and insight that helped us enhance the overall quality of the book.
Thanks to Mike Curry for his help in writing some of the audit steps in Chapters 3 and 4. Thanks also to Jane Brownlow and Jennifer Housh of McGraw-Hill/Osborne for their support of this project and dedication to making it happen. And I would like to express appreciation to Edward Dorsey, whose Unix auditing class (via the MIS Training Institute and Automated Design Enterprises, Inc.) way back in 1997 was very influential to me and inspired a lot of the content in Chapter 7 (especially Table 7-3).
I would also like to thank the many people who have worked on audit teams that I managed. It was an honor to work with you, and there's a piece of each of you in this book. To Shawn Irving, for your continued friendship throughout the years. To Jon Mays and Nancy Jones, for putting up with me in my first management position. To Sally West and Andrea Khan, for enhancing my knowledge of project auditing. To Chris Speegle, Steve Holt, Kylonnie Jackson, Dottie Vo, Dean Irwin, Gus Coronado, Hans Baartmans, Prabha Nandakumar, and all the others who worked with me on the TI teams I managed: it was a pleasure, and I learned from you all.
To Kirk Tryon and Jay Blanchard, for being my friends and peers for so many years. It was fun, and a lot of our discussions are reflected in this book. Thanks also to Richard Hudson and Geoff Sloma for giving me the chance to learn and grow as a manager.
Of course, thanks go to God and Jesus Christ for my salvation and for the many blessings in my life.
Most of all, thanks to my family. To Mom and Dad, the perfect parents, for all your love and guidance throughout my life. To David, for not only being a great brother, but one of my best friends. To Kate, for all the new energy and happiness you've brought into our lives. To Grant, my pal, for being patient about this book (even when it was hard), for how proud you make me, and for how much fun we have together. And the absolute biggest thanks go to my wonderful wife Stephanie, for believing in me and supporting me, for being my proofreader, and for being my best friend. I couldn't have done this without you.
I would like to thank Jane Brownlow and Jennifer Housh for being so patient with me, Chris Davis for including me in this project, his authoring guidance and encouragement, and my other coauthor Mike Schiller for the many hours of work that he put into this project. I would also like to thank contributing author Stacey Hamaker for providing a tremendous amount of expertise on Chapters 13 and 14, and technical editor Keith Loyd for the insight and depth of experience that he utilized while editing my chapters.
Next, I would like to thank my former employers and clients who provided opportunities for me to gain the IT audit experience required to write this book.
I would like to thank my Lord and Savior Jesus Christ for the many blessings including the opportunity to write this book.
Lastly, I would like to thank my wife Sandra for her continual support, encouragement, and incredible proofreading abilities; my mother and late father, who have encouraged me throughout the years; and my sisters and brother-in-law, who have graciously and unconditionally offered their support to me when I needed it most.