
Auditing IT Infrastructures for Compliance

Lesson 4
Auditing Standards and Frameworks

© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective
▪ Explain the scope of an IT audit for
compliance and the use of standards and
frameworks.

Key Concepts
▪ What a framework is and why it's important for
auditing IT security compliance
▪ The importance of using standards in compliance
auditing
▪ The role of control objectives and control activities
▪ IT security standards and frameworks, such as NIST,
ISO27000, Control Objectives for Information and
Related Technology (COBIT), Service Organization
Control (SOC) reports, and Committee of Sponsoring
Organizations (COSO)
▪ Selecting a standard for auditing security compliance

Framework

▪ A conceptual set of rules and ideas that provide
structure to a complex and tough situation
▪ May be rigid in structure but provides flexibility
▪ Can guide content and provide consistency
▪ Includes distinct components: Introduction,
learning objectives, headings, and a summary

Control Objectives/Activities

Control Objectives
• High level, remain almost constant
• Describe organizational goals
Control Activities
• More specific
• Describe how to achieve goals

Auditing: Standards and Frameworks

Conduct audits and assessments with a standard

Control objectives remain constant

Control activities achieve goals of control objectives

Framework Controls

Descriptive
• High level
• Align IT with business goals
Prescriptive
• More specific
• Standardize IT operations and tasks

Standard and Framework Attributes

▪ Industry acceptance
▪ Prioritization
▪ Reasoning
▪ Flexibility
▪ Depth and breadth

Information Security Policy Framework

▪ Components of the policy framework:
• Policies
• Standards
• Guidelines
• Procedures

Selecting a Standard

▪ Evaluate
▪ Select
▪ Employ

Hierarchy of Standards and Personnel

▪ Controls: ISO 27001, NIST 800-53

Standards and Frameworks - COSO

▪ Used for improving organizational performance
and governance, and reducing fraud in organizations

Standards and Frameworks – COSO (Cont'd)

▪ COSO enterprise risk management (ERM) framework components:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

Standards and Frameworks: COBIT

COBIT 5
Meeting stakeholder needs

Covering the enterprise end to end

Applying a single integrated framework

Enabling a holistic approach

Separating governance from management

Using COBIT to Align Requirements

▪ Mapping controls to key business requirements
▪ Classifying IT activities into a process model
▪ Identifying the key IT resources to be controlled
▪ Defining the framework for control objectives

Service Organization Controls (SOC)
▪ SOC Reports
• Help customers understand adequate controls and
processes are in place
• Auditing Standards Board of the American
Institute of Certified Public Accountants (AICPA)
issues and maintains auditing standards
• Stakeholders include user entities, service
organizations, and auditors

Standards and Frameworks

▪ International Organization for Standardization (ISO)
27000 series
• Focuses on management and processes
• Relies on other standards
- ISO/International Electrotechnical Commission
(IEC) 27002

Standards and Frameworks

▪ NIST 800-53
• Provides a comprehensive catalog of
security controls
• Targeted to federal government but widely
used in corporations
• Controls include management, technical,
and operational
• Catalog of controls is grouped into 18
families of controls
NIST Cybersecurity Framework

▪ Core
▪ Profile
▪ Implementation Tiers

Hybrid Auditing Framework
▪ Uses same approach for internal and
external audits (COSO and COBIT)
▪ Allows operations-focused audits to
combine with IT-focused audits
▪ Select appropriate frameworks
▪ Adopt risk-based approaches
▪ Map business processes to IT processes

Summary
▪ What a framework is and why it's important for
auditing IT security compliance
▪ The importance of using standards in compliance
auditing
▪ The role of control objectives and control activities
▪ IT security standards and frameworks, such as
ISO 27001, Control Objectives for Information and
Related Technology (COBIT), Service Organization
Controls (SOC) reports, and Committee of
Sponsoring Organizations (COSO)
▪ Selecting a standard for auditing security compliance

Lab
▪ Aligning Auditing Frameworks for a Business Unit
within DoD