
Auditing IT Infrastructures for Compliance

Lesson 5
Planning an IT Infrastructure Audit for Compliance

© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective
▪ Describe the components and basic
requirements for creating an audit plan to
support business and system
considerations.

Key Concepts
▪ Identifying key building blocks and critical
requirements of an audit
▪ Identifying critical security control points and
assessing information technology (IT) security
▪ Obtaining information through documentation and
resources
▪ Organizing the IT security policy
▪ Analyzing best practices for testing and
monitoring

Defining the Scope, Objectives, Goals, and Frequency of an Audit
▪ Scope: includes the area(s) to be reviewed and the time period
▪ Goals: must be aligned with audit objectives
▪ Objectives: should satisfy internal and external requirements
▪ Frequency: is every one, two, or three years

Resources in an IT Infrastructure
▪ Data
▪ Apps
▪ Technology
▪ Facilities
▪ Personnel

Scope Restrictions
▪ Negative impacts of scope restrictions:
• Not providing enough resources
• Restricting the time frame
• Limiting audit procedures
• Preventing the discovery of evidence
• Withholding relevant historical audit records or information about past incidents

Security Control Points in an IT Infrastructure
[Diagram of security control point types; only the "Preventive" label survived extraction.]
Privacy Audits
▪ Privacy audits address the following three
concerns:
• What type of personal information is
processed and stored?
• Where is it stored?
• How is it managed?

Assessing IT Security Controls
▪ Is it effective?
▪ Is it required?
▪ How much effort or money should be spent?

Enterprise Risk Management (ERM)
▪ Align risk appetite and strategy
▪ Enhance risk response decisions
▪ Identify cross-enterprise risks
▪ Seize opportunities
▪ Reduce surprises and losses
▪ Improve capital allocations

Threat Analysis
▪ When undertaking a risk management plan,
a complete threat analysis must be
conducted.
▪ Part of the risk assessment process
requires an examination of those activities
that represent danger.

Threat Analysis (Continued)
▪ Threat identification covers four categories of threat:
• Adversarial
• Accidental
• Structural
• Environmental

Vulnerability Identification Resources
▪ Vulnerability lists and databases
▪ Security advisories
▪ Software and security analysis

Risk Assessment Analysis
▪ Given the previous inputs, the final step is
to determine the level of risk. When pairing
threats and vulnerabilities, risk is
determined primarily by three functions:
• The likelihood that a threat will exploit a given
vulnerability.
• The impact on the organization if the threat is
realized against that vulnerability.
• The sufficiency of controls to either eliminate or
reduce the risk.

Risk Assessment Analysis
(Continued)
▪ There are always tradeoffs, and they
include:
• Cost: Are the costs of a control justified by the
reduction of risk?
• Operational impact: Does the control have an
adverse effect on system performance?
• Feasibility: Is the control technically feasible? Will
the control be feasible for the end users?
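As an added example (not from the slide deck), the three risk functions from the previous slide and the cost tradeoff above turned into a small risk register that ranks threat/vulnerability pairs by residual risk. The three-point scale, the scoring rule, and the sample register values are assumptions.

```python
# Added example (not from the slide deck): scoring threat/vulnerability pairs by
# likelihood, impact and the sufficiency of controls, then checking the cost
# tradeoff.  Scale, scoring rule and sample register are assumptions.
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed three-point scale

@dataclass
class Pair:
    threat: str                   # category from the threat identification slide
    vulnerability: str
    likelihood: str               # low / medium / high
    impact: str                   # low / medium / high
    control_effectiveness: float  # 0.0 = no control, 1.0 = fully mitigating
    control_cost: float           # annual cost of the control (constructed)
    annual_loss: float            # expected loss if realized, uncontrolled (constructed)

def inherent_risk(p: Pair) -> int:
    """Likelihood x impact on a 1..9 scale, before any control."""
    return LEVELS[p.likelihood] * LEVELS[p.impact]

def residual_risk(p: Pair) -> float:
    """Inherent risk reduced by the share of it the existing controls cover."""
    if not 0.0 <= p.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_risk(p) * (1.0 - p.control_effectiveness)

def control_justified(p: Pair) -> bool:
    """Cost tradeoff: does the loss the control avoids each year cover its cost?"""
    return p.annual_loss * p.control_effectiveness >= p.control_cost

def rank(pairs):
    """Highest residual risk first, ties broken by inherent risk."""
    return sorted(pairs, key=lambda p: (residual_risk(p), inherent_risk(p)), reverse=True)

# Constructed sample register using three of the deck's threat categories.
REGISTER = [
    Pair("adversarial: password guessing", "no account lockout", "high", "high", 0.5, 2000, 50000),
    Pair("environmental: power failure", "single power feed", "low", "high", 0.9, 8000, 5000),
    Pair("accidental: misconfigured share", "no change review", "medium", "medium", 0.2, 3000, 10000),
]

if __name__ == "__main__":
    for p in rank(REGISTER):
        print(f"residual {residual_risk(p):3.1f}  {p.threat} / {p.vulnerability}"
              f"  (control justified: {control_justified(p)})")
```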

Obtaining Information, Documentation, and Resources
▪ Information spans many areas of an organization
▪ The auditor:
• Must understand the organization
• Must understand the security in place
• Must know industry best practices

Information Gathering

▪ Types of documentation:
• Administrative documentation
• System documentation
• Procedural documentation
• Network architecture diagrams
• Vendor support access documents and
agreements

Necessary Documentation
▪ Organization’s written policies
▪ Administrative documentation
▪ System documentation
Necessary Documentation (Cont.)
▪ Procedural documentation
▪ Network architecture diagrams
▪ Vendor support access documents and agreements

Existing IT Security Policy
Framework Definition
▪ Frameworks exist to help with risk management
programs, security programs, and policy creation
▪ Ensure compliance across the IT infrastructure
▪ Important for the auditor to know upon what framework an
organization has based its policy
▪ Allows better alignment between the organization’s policy
and the audit

Configuration Documentation
Examples of documents the auditor should gather include:
▪ System configuration documentation
• Internet Protocol (IP) addresses
• Operating system
• Patch level
• Hardware specifications
• Installed software
• Protocols
• Service configuration
• User accounts
• Password settings
• Audit log settings
▪ Applications configuration documentation

Configuration Documentation
(Continued)
▪ Network documentation for applications and systems
being audited
▪ Standard configuration documents for role specific
systems:
• Firewalls
• Web servers
• Mail servers
• Domain Name System (DNS) servers
• File Transfer Protocol (FTP) servers
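As an added example (not from the slide deck), a check of collected system configuration documentation against a role-specific standard configuration document for a web server, covering patch level, password settings, audit log settings, installed software and protocols. The field names, baseline values and the sample host record are constructed for illustration.

```python
# Added example (not from the slide deck): checking collected system
# configuration documentation against a role-specific standard configuration
# document.  All field names and values are constructed for illustration.
# Standard configuration document for the web server role (constructed).
WEB_SERVER_STANDARD = {
    "patch_level_min": 20240101,              # earliest acceptable baseline, YYYYMMDD
    "password_min_length": 14,
    "password_max_age_days": 90,
    "audit_log_settings_required": {"auth", "sudo", "file_access"},
    "software_forbidden": {"telnet", "rsh"},
    "protocols_allowed": {"https", "ssh"},
}

# System configuration documentation gathered for one host (constructed).
# Audit log settings are deliberately absent: missing evidence is a finding.
COLLECTED_WEB01 = {
    "hostname": "web01",
    "ip_address": "192.0.2.10",               # documentation-only address range
    "operating_system": "Ubuntu 22.04",
    "patch_level": 20231115,
    "installed_software": ["nginx", "openssh-server", "telnet"],
    "protocols": ["https", "ssh", "ftp"],
    "password_settings": {"min_length": 8, "max_age_days": 365},
}

def check_against_standard(collected: dict, standard: dict) -> list:
    """One finding per deviation from the standard; an empty list means compliant."""
    findings = []
    if collected.get("patch_level", 0) < standard["patch_level_min"]:
        findings.append(f"patch level {collected.get('patch_level')} is below baseline {standard['patch_level_min']}")
    pw = collected.get("password_settings", {})
    if pw.get("min_length", 0) < standard["password_min_length"]:
        findings.append(f"password minimum length {pw.get('min_length')} is below {standard['password_min_length']}")
    if pw.get("max_age_days", float("inf")) > standard["password_max_age_days"]:
        findings.append(f"password maximum age {pw.get('max_age_days')} exceeds {standard['password_max_age_days']} days")
    if "audit_log_settings" not in collected:
        findings.append("no evidence collected for audit log settings")
    else:
        missing = standard["audit_log_settings_required"] - set(collected["audit_log_settings"])
        if missing:
            findings.append(f"audit logging not enabled for: {sorted(missing)}")
    forbidden = standard["software_forbidden"] & set(collected.get("installed_software", []))
    if forbidden:
        findings.append(f"forbidden software installed: {sorted(forbidden)}")
    extra = set(collected.get("protocols", [])) - standard["protocols_allowed"]
    if extra:
        findings.append(f"protocols outside the standard: {sorted(extra)}")
    return findings
```

Calling `check_against_standard(COLLECTED_WEB01, WEB_SERVER_STANDARD)` returns six findings for the sample host, including the missing audit-log evidence.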

Audit Interview Framework
▪ Preparing
▪ Scheduling
▪ Opening
▪ Conducting
▪ Closing
▪ Recording

NIST Standards and
Methodologies
▪ NIST 800-53 and NIST 800-53A are two important and
widely used standards
▪ NIST provides a catalog of security controls and a
framework to assess the controls
▪ Many organizations base their policies on NIST
▪ The Computer Security Division (CSD) of NIST provides
several popular publications, including:
• Special Publications
• NIST Internal Reports (NISTIR)
• Information Technology Laboratory (ITL) Bulletins
• Federal Information Processing Standards (FIPS)

Information Security Policy Audit Framework
▪ IT Security Policy Framework: each of its four elements (policies, standards, guidelines, procedures) addresses technology, processes, and personnel

  Policies     Standards    Guidelines   Procedures
  Technology   Technology   Technology   Technology
  Processes    Processes    Processes    Processes
  Personnel    Personnel    Personnel    Personnel

Information Security Policy Audit
Framework (Continued)
▪ Policies, standards, and guidelines may
cross all domains of an IT infrastructure
▪ The seven domains map across various
high-level areas:
• Access control
• Operations management
• More

IT Testing and Monitoring
▪ The most important and beneficial elements
of an IT security program.
▪ Testing and monitoring must be conducted
to know the controls are working.
▪ All frameworks include a control objective
for regularly assessing and monitoring IT
systems and controls.

IT Testing and Monitoring
(Continued)
▪ Questions that must be answered are:
• Is IT performance measured to detect problems
before it is too late?
• Does management ensure that internal controls
are effective and efficient?
• Can IT performance be linked back to business
goals?
• Are adequate confidentiality, integrity, and
availability controls in place for information
security?
Identifying Critical Security
Control Points
▪ Adequate controls should be in place to
meet high-level defined control objectives
▪ Organizational risk assessment plays an
important role in identifying high-risk areas
▪ Consensus Audit Guidelines (CAG)
• Published by SANS
• Also known as the SANS Top 20 Critical Security Controls
(renamed the CIS Critical Security Controls)
Tools Used in the IT Audit
Process
▪ Electronic work papers
▪ Project management software
▪ Flowcharting software
▪ Open issue tracking software
▪ Audit department Web site
▪ Others

Summary
▪ Identifying key building blocks and critical
requirements of an audit
▪ Identifying critical security control points and assessing
information technology (IT) security
▪ Obtaining information through documentation and
resources
▪ Organizing the IT security policy
▪ Analyzing best practices for testing and monitoring

Lab
▪ Defining a Process for Gathering
Information Pertaining to a HIPAA
Compliance Audit

