SOLUTION: Wilmington University Auditing IT Infrastructures for Compliance Essay

Auditing IT Infrastructures for Compliance
Chapter 2: Overview of U.S. Compliance Laws
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Learning Objective
 Explain specific U.S. compliance laws and standards, and their role in organizations.

Page 2: Key Concepts
 The difference between public and private sector regulatory requirements
 The essentials of major compliance laws, such as CIPA, FERPA, GLBA, and SOX
 Department of Defense (DoD) requirements
 The importance of certification and accreditation (C&A) and the Risk Management Framework (RMF)
 The scope of PCI DSS and the consequences to merchants when they fail to adhere to the standards

Page 3: DISCOVER: CONCEPTS

Page 4: Public and Private Sector Requirements
 Problems come from two directions:
• IT personnel have no legal background
• Regulations have little technical depth
 Vague regulation requirements
 Regulatory requirements: state, federal, and international
 Know which regulations apply to your organization
 Internal policies should implement the regulatory policies with which you need to comply

Page 5: Federal Information Security Management Act (FISMA)
 Applies to federal agencies
 Recognizes the importance of sound information security practices
 Protects the interests of national security and the economic well-being of the United States

Page 6: Purpose of FISMA
 Provide a framework for effective information security resources that support federal operations, data, and infrastructure.
 Recognize the interconnectedness of IT. Ensure effective risk management is in place.
 Ensure coordination of information security efforts among civilian, national security, and law enforcement communities.

Page 7: Purpose of FISMA (Cont.)
 Facilitate the development and ongoing monitoring of required minimum controls to protect federal information systems and data.
 Provide for increased oversight of federal agency information security programs.
 Recognize that information technology solutions may be acquired from commercial organizations. Leave the acquisition decisions to the individual agencies.

Page 8: U.S. Department of Defense Requirements
 United States Department of Defense (DoD):
• Is responsible for all agencies of the government relating to national security and the military
• Imposes many requirements on the management of its information systems
• Requirements apply to organizations that work with, contract with, and provide services for the DoD

Page 9: Key Laws that Apply to the DoD
 Paperwork Reduction Act of 1995
• Intended to have federal agencies take more responsibility and be held publicly accountable for reducing paperwork
 Clinger-Cohen Act of 1996
• Improves the acquisition, use, and disposal of federal IT resources
 E-Government Act of 2002
• Improves the management of electronic government services

Page 10: Sarbanes-Oxley (SOX) Act
 Protects investors by requiring accuracy and reliability in corporate disclosures
 Created new standards for corporate accountability
 Created new penalties for acts of wrongdoing, both civil and criminal
 Changes how corporate boards and executives must exchange information and work with corporate auditors

Page 11: Gramm-Leach-Bliley Act (GLBA)
 The Financial Modernization Act of 1999
 Protects personal financial information held by financial institutions
 To protect personally identifiable information (PII), GLBA divides privacy requirements into three principal parts:
• Financial Privacy Rule
• Safeguards Rule
• Pretexting provisions

Page 12: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
 Helps citizens maintain health insurance coverage
 Improves the efficiency and effectiveness of the American health care system
 Protects the privacy and security of certain health information
 Financial penalties for non-compliance

Page 13: HIPAA Privacy and Security Rules
 Privacy Rule
• Dictates how covered entities must protect the privacy of PHI
 Security Rule
• Dictates that covered entities must protect the C-I-A of electronic PHI

Page 14: Children's Internet Protection Act (CIPA)
 Attempts to prevent children from being exposed to offensive content at schools and libraries
 Schools and libraries must:
• Use technology protection measures
• Protect children from exposure to offensive Internet content
• Adopt and enforce a policy to monitor the online activities of minors

Page 15: Children's Online Privacy Protection Act (COPPA)
 Requires Web sites and other online services aimed at children less than 13 years of age to comply:
• Post a privacy policy
• Notify parents directly before collecting personal information from kids
• Get parents' verifiable consent before collecting information from kids

Page 16: Family Educational Rights and Privacy Act (FERPA)
 Right to inspect and review records
 Right to correct records
 Parental written permission required

Page 17: DISCOVER: ROLES

Page 18: Certification and Accreditation
 FISMA process of auditing systems before putting them into production
 Ensures efforts are made to reduce risks
 Security controls must be properly implemented and maintained
 Supports risk management activities

Page 19: Risk Management Framework
 Near real-time risk management
 Continuous monitoring
 Builds security into planning and the system lifecycle
 Aligns security risk with strategy
 Establishes responsibility and accountability for security controls

Page 20: DISCOVER: PROCESS

Page 21: Six Steps of the Risk Management Framework (figure)

Page 22: Risk Management Framework Steps
1. Categorizing the information system, giving consideration to the related data and the impact as a result of an incident
2. Selecting a baseline set of controls based on the previous categorization and supplementing the baseline as appropriate
3. Implementing and documenting the security controls

Page 23: Risk Management Framework Steps (Cont.)
4. Assessing the security controls to ensure they are producing the desired results
5. Authorizing the operation of the information system based on an acceptable level of risk
6. Monitoring the security controls continuously

Page 24: DISCOVER: CONTEXTS

Page 25: Payment Card Industry Data Security Standard (PCI DSS)
 Not a law or regulation
 A set of requirements that prescribe operational and technical controls to protect cardholder data
 Requirements follow security best practices and use 12 high-level requirements, aligned across six goals

Page 26: Steps Required to Comply with PCI DSS (cycle)
 Assess
 Remediate
 Report

Page 27: PCI DSS Principles
 Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
 Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Page 28: PCI DSS Principles (Cont.)
 Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update antivirus software or programs
• Requirement 6: Develop and maintain secure systems and applications
 Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to the cardholder data environment

Page 29: PCI DSS Principles (Cont.)
 Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
 Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security for employees and contractors

Page 30: Summary
 The difference between public and private sector regulatory requirements
 The essentials of major compliance laws, such as CIPA, FERPA, GLBA, and SOX
 Department of Defense (DoD) requirements
 The importance of certification and accreditation (C&A) and the Risk Management Framework (RMF)
 The scope of PCI DSS and the consequences to merchants when they fail to adhere to the standards

Page 31: Lab
 Assessing the Impact of Sarbanes-Oxley (SOX) Compliance Law on Enron

Auditing IT Infrastructures for Compliance
Chapter 1: The Need for Information Systems Security Compliance

Learning Objective
 Describe the role of information systems security (ISS) compliance in organizations.

Page 2: Key Concepts
 ISS and compliance in organizations
 The differences between ISS audits and assessments
 The process of a risk-based approach to IT security management
 The relationship among compliance, risk management, and governance
 The consequences of not adhering to compliance laws

Page 3: DISCOVER: CONCEPTS

Page 4: What Is an IT Security Assessment?
 A key activity that involves the management of risk
 Involves a risk-based approach to managing information security

Page 5: IT Security Assessment
 Should produce information required to:
• Identify weaknesses within the controls implemented on information systems
• Confirm that previously identified weaknesses have been remediated or mitigated
• Prioritize further decisions to mitigate risks
• Provide assurance so that associated risks are accepted and authorized
• Provide support and planning for future budgetary requirements

Page 6: Types of Assessments
 Network security architecture
 Review of security policies, procedures, and practices
 Vulnerability scanning and testing
 Physical security
 Social engineering
 Applications
 Security risks

Page 7: What Is an IT Security Audit?
 An independent assessment of an organization's internal policies, controls, and activities
 You use an audit to:
• Assess the presence and effectiveness of IT controls
• Ensure that those controls are compliant with stated policies
• Provide reasonable assurance that organizations are compliant with applicable regulations and other industry requirements

Page 8: Common Types of Audits
 Financial
• Determines whether an organization's financial statement reflects the financial position of the company
 Compliance
• Determines adherence to applicable laws, regulations, and industry requirements
 Operational
• Reviews adherence to policies, procedures, and operational controls
 Investigative
• Investigates records and processes based on suspected activity or alleged violations
 Information technology
• Addresses IT system risk exposures

Page 9: Audit Characteristics
 Auditors never audit applications, processes, or systems they designed or created
 Independent evaluations
 Rigorous approach; follows accepted principles; must be qualified
 Certification or approval received upon passing
 Concerned about past events and performance

Page 10: How Does an Audit Differ from an Assessment?
 Outcomes
• Audit: Clear-cut; pass or fail
• Assessment: Assess and make improvements
 Blame
• Audit: Blame placed on specific individuals or groups
• Assessment: Nonattributive; individuals aren't responsible for poor findings
 Consequences
• Audit: Often has negative consequences; penalties; creates a sense of fear
• Assessment: Identifies gaps to improve security and achieve goals

Page 11: Scope of a Security Audit
 Organizational
 Compliance
 Application
 Technical

Page 12: DISCOVER: PROCESS

Page 13: Managing Information Security: Risk-Based Approach
 Step 1: Identification of the information and information system.
 Step 2: Categorization of the identified information and information system.
 Step 3: Selection of the system and appropriate security controls.

Page 14: Managing Information Security: Risk-Based Approach (Cont.)
 Step 4: Implementation of the selected system and appropriate security controls.
 Step 5: Assessment of the implemented system and appropriate security controls' effectiveness.

Page 15: Managing Information Security: Risk-Based Approach (Cont.)
 Step 6: Authorizing the systems by accepting the risk based upon the selected security controls.
 Step 7: Monitoring the security controls on a continuous basis.

Page 16: DISCOVER: ROLES

Page 17: Roles and Responsibilities
 Risk Manager
• Responsible for identifying organizational risk
 Auditor
• Responsible for conducting information security audit an ...