IT Auditing: Using Controls to Protect Information Assets
by Chris Davis, Mike Schiller, and Kevin Wheeler
Sales Rank: 189471

$37.79
At Amazon on 9-27-2008.

Features
- Cover Type: Paperback with 387 pages
- Published by: McGraw-Hill Osborne Media
- Edition: 1st Edition December 22, 2006
- Written in: English
- ISBN 10 Number: 0072263431
- ISBN 13 Number: 978-0072263435
- Book Dimensions: 9.1 x 7.2 x 1.1 inches
- Weighs: 1.5 pounds
Product Description
Protect Your Systems with Proven IT Auditing Strategies

"A must-have for auditors and IT professionals." -Doug Dexter, CISSP-ISSMP, CISA, Audit Team Lead, Cisco Systems, Inc.

Plan for and manage an effective IT audit program using the in-depth information contained in this comprehensive resource. Written by experienced IT audit and security professionals, IT Auditing: Using Controls to Protect Information Assets covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates. Inside, you'll learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications. Plus, you'll get up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard.

Build and maintain an IT audit function with maximum effectiveness and value:
- Implement best practice IT audit processes and controls
- Analyze UNIX-, Linux-, and Windows-based operating systems
- Audit network routers, switches, firewalls, WLANs, and mobile devices
- Evaluate entity-level controls, data centers, and disaster recovery plans
- Examine Web servers, platforms, and applications for vulnerabilities
- Review databases for critical controls
- Use the COSO, CobiT, ITIL, ISO, and NSA INFOSEC methodologies
- Implement sound risk analysis and risk management practices
- Drill down into applications to find potential control weaknesses
About The Author
Chris Davis, CISA, CISSP, shares his experience from architecting, hardening, and auditing systems. He has trained auditors and forensic analysts. Davis is the coauthor of the bestselling Hacking Exposed: Computer Forensics.
Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT Audit Manager at Texas Instruments.
Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense and has over ten years of IT security experience.
Reader Reviews

I have no experience with auditing in the formal sense described by IT Auditing. I am familiar with the technical aspects of host and network security, but I wanted to know more about the goals and views of those who audit enterprises from a security standpoint. IT Auditing succeeds when it discusses the profession of auditing, but I found some of the technical details lacking. Therefore, I recommend focusing on chapters 1-3 and 12-15, while using the technical chapters as indicators for outside research.

Chapter 1 makes clear that IT Auditing is written for internal audit teams. The author argues that involvement is better than "independence," since adhering to the latter business approach is a recipe for outsourcing the audit function. I liked the beginning and end of IT Auditing because they emphasized how internal audit teams should work with business IT functions. These chapters answered questions on whether or not audit should review and opine upon projects before completion (yes) and related "soft" topics.

The middle of IT Auditing concentrates on how to audit data centers, infrastructure, operating systems, Web servers, databases, applications, and wireless/mobile devices. I found these chapters less appealing. When I read "it's much more common to find SNMP Version 2 in most corporate environment" (sic, p 121) or see mention of "Universal Data Ports (UDPs)" (sic, p 172), I question the validity of the technical recommendations. Other examples include equating NAT with proxies (p 117) and the statement that "network vulnerability scanning... is probably the most important type of security discovery or monitoring in most environments." Reading these, I begin to understand the horror stories I hear from some who are audited.

When it came to understanding the audit mindset, I think IT Auditing really helped me. It seems auditors are far more likely to be interested in reviewing paperwork than really assessing the effectiveness of security controls. Repeatedly I read statements like "evaluate the effectiveness of the security personnel function" by looking at documentation. In a few areas auditors seem to understand the value of real tests, e.g., trying to restore a backup rather than reviewing logs saying backups were completed. This focus on validating paperwork over operational activity is the single biggest problem with audits. It's clear a "system" could pass all its audit checks with flying colors while still being completely compromised. (Yes, p 201-2 mentions Chkrootkit, but that program is only effective in limited scenarios.) Audit is configuration and paperwork validation, not system integrity assessment.

I recommend reading IT Auditing if you want to get a better idea of how your auditors think and what they want to inspect. If you're an auditor who wants authoritative technical guidance, you will probably learn more from dedicated system and network hardening books designed for administrators. IT Auditing's checklists can at least put you in the ballpark, however.
IT Auditing: Using Controls to Protect Information Assets
List Price: $59.99
Available from Amazon
Price: $37.79
Updated on 9-27-2008.
