
Auditing IT Infrastructures for Compliance

Lesson 3
What Is the Scope of an IT Compliance Audit?

© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective
▪ Explain the scope of an IT audit for
compliance and the use of standards and
frameworks.

Key Concepts
▪ The business challenges that exist in compliance
▪ The information systems security (ISS) domains that are audited within an IT infrastructure
▪ The organizational barriers to maintaining IT compliance
▪ The organizational involvement in maintaining IT compliance
▪ Proper security controls, such as configuration and change management

What Must Your Organization Do to Be in Compliance?
▪ Start with an organizational governance framework
  • Examples: the ISO/IEC 27000 series (ISO27k), NIST (for example SP 800-53 or the Cybersecurity Framework), COBIT, and the SANS/CIS Critical Security Controls
▪ Implement controls
▪ Have sound policies in place
▪ Perform a gap analysis (compare the controls you actually have against those the framework and regulations require)

Business Challenges to the Organization for Compliance

External
• Standards/regulations change
• Organizational policies change

Internal
• Standards can interfere with operations
• Gaining acceptance is challenging

Privacy Management
Privacy management: "The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information."

Examples of personal information:
▪ Name
▪ Social Security number
▪ Address
▪ E-mail
▪ Physical characteristics

Protecting Privacy Data
▪ Develop appropriate privacy policies
▪ Establish a privacy officer
▪ Conduct training and awareness around data handling,
identity theft, and social engineering
▪ Establish data retention and data destruction controls
▪ Conduct regular risk assessments of access controls
▪ Limit data to only that which is required
▪ Consider security technologies (encryption)
▪ US privacy laws and regulations: HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), COPPA (Children's Online Privacy Protection Act), the National Do Not Call (DNC) Registry, and more
▪ EU privacy law: GDPR (General Data Protection Regulation)

Designing and Implementing Security Controls
The control life cycle, in order (these are the steps of the NIST Risk Management Framework, with categorization shown here as discovery and classification):
1. Discover and classify data and information systems
2. Select security controls
3. Implement security controls
4. Assess the controls
5. Authorize the controls
6. Monitor the controls

What Are You Auditing Within the IT Infrastructure?
▪ Examine the existence of relevant and
appropriate security policies and
procedures.
▪ Verify the existence of controls supporting
the policies.
▪ Verify the effective implementation and
ongoing monitoring of the controls.

Domain Audit Objectives
For each domain:
▪ Examine security policies and procedures
▪ Verify controls that support the policies
▪ Verify implementation and ongoing monitoring of the controls

Seven Domains of a Typical IT Infrastructure
[Figure: the seven domains, each audited in turn on the following slides: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application.]

Auditing ISS Domains

User Domain
▪ What it is: anyone accessing the organization's information
▪ What it covers: acceptable use policy (AUP), system access policy, Internet access policy, e-mail policy
▪ Audit focus: authentication methods

Workstation Domain
▪ What it is: the end user's computing environment
▪ What it covers: desktops, laptops, printers, scanners, mobile devices, wireless devices
▪ Audit focus: maintenance of system hardware and software

Auditing ISS Domains (cont.)

LAN Domain
▪ What it is: computing and networking equipment
▪ What it covers: access to centralized resources (file servers, printers), administration, physical connections
▪ Audit focus: logon access control, hardening, configuration, backup procedures, network power supply

LAN-to-WAN Domain
▪ What it is: the boundary where the LAN connects to the WAN (the WAN connects multiple LANs)
▪ What it covers: routers, firewalls, intrusion detection devices
▪ Audit focus: public IP addresses; a high level of security is required

Auditing ISS Domains (cont.)

WAN Domain
▪ What it is: end-to-end connectivity between LANs
▪ What it covers: routers, firewalls, intrusion detection systems, telecommunications components
▪ Audit focus: channel service unit/data service unit (CSU/DSU), codecs, backbone circuits, the Internet, the untrusted zone

Remote Access Domain
▪ What it is: access to organization resources remotely
▪ What it covers: remote access solutions, VPNs, encryption, two-factor authentication
▪ Audit focus: unsecured transports, the Internet, dial-up modems

Auditing ISS Domains (cont.)

System/Application Domain
▪ What it is: systems and applications that users access
▪ What it covers: mainframes, application servers, Web servers, proprietary software, and applications
▪ Audit focus: servers hardened to the authorized baseline and configured to policies and standards, with controls in place

Audit preparedness!

What Must Your Organization Do to Maintain IT Compliance?
▪ Conduct periodic security assessments
▪ Perform an annual security compliance audit
▪ Define proper security controls

Defining Proper Security Controls
▪ Defined roles and responsibilities
▪ Configuration and change management
▪ Separate environments for development, test, and production
▪ Segregation of duties

Defining Proper Security Controls (cont.)
▪ Identity and authentication
▪ Principle of least privilege
▪ Monitoring, measuring, and reporting
▪ Appropriate documentation

Creating an IT Security Policy Framework

Configuration and Change Management
▪ The process of controlling systems throughout their life cycle
▪ Making sure that systems are operating correctly and as intended, in accordance with security policies and standards

Organizational Barriers to IT Compliance
▪ Lack of alignment to the business objectives and strategy
▪ General misunderstanding of the rationale for IT compliance
▪ Funding shortfalls
▪ Lack of support from top management
▪ Misconceptions about what IT compliance will do for the organization
Security Controls, Configuration and Change Management
▪ Security controls: apply across the IT infrastructure
▪ Change management: ensures changes are requested, evaluated, and authorized before they are made
▪ Configuration management: maintains the authorized baseline and provides a method for tracking (detecting) unauthorized changes against it

Configuration and Change Management Process
The cycle, in order:
1. Identify and request the change
2. Evaluate the change request
3. Decision response (approve or reject)
4. Implement the approved change
5. Monitor the change
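The cycle above carried into working code, as an added example that is not from the course slides or the textbook: a small change-control workflow that enforces segregation of duties (a control listed earlier in this lesson) and a configuration-baseline check that reports any drift not explained by an approved, implemented change as unauthorized. The hostnames, settings, values and people are constructed sample data, and the classes and the digest-based baseline are my own design, not an API from the book.

```python
"""Change-management workflow with a configuration-baseline drift check.

Added example; it is not code from the course slides or the textbook. It
models the cycle on the slide (identify and request, evaluate, decide,
implement, monitor) and enforces two controls the deck lists:

  * segregation of duties: a requester cannot approve their own change and
    the approver cannot also implement it;
  * configuration management against an authorized baseline: every managed
    setting is stored as a SHA-256 digest, and monitoring reports any
    observed value that differs from the baseline and is not explained by
    an approved, implemented change.

Hostnames, settings, values and people below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def digest(value: str) -> str:
    """The baseline stores digests so the record itself does not hold secrets."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class Change:
    change_id: str
    host: str
    setting: str
    new_value: str
    requester: str
    approver: Optional[str] = None
    decision: Optional[str] = None      # "approved" or "rejected"
    implementer: Optional[str] = None   # set once the change is applied


class ChangeControl:
    def __init__(self, baseline: dict):
        # baseline: {host: {setting: authorized value}}, kept as digests
        self.baseline = {host: {k: digest(v) for k, v in cfg.items()}
                         for host, cfg in baseline.items()}
        self.changes: dict = {}

    # Step 1: identify and request the change
    def request(self, change_id, host, setting, new_value, requester) -> Change:
        if host not in self.baseline:
            raise KeyError(f"{host} is not under configuration management")
        change = Change(change_id, host, setting, new_value, requester)
        self.changes[change_id] = change
        return change

    # Steps 2-3: evaluate the request and record the decision
    def decide(self, change_id, approver, approve: bool) -> Change:
        change = self.changes[change_id]
        if approver == change.requester:
            raise PermissionError("segregation of duties: requester cannot approve own change")
        change.approver = approver
        change.decision = "approved" if approve else "rejected"
        return change

    # Step 4: implement only an approved change, then update the baseline
    def implement(self, change_id, implementer) -> Change:
        change = self.changes[change_id]
        if change.decision != "approved":
            raise PermissionError(f"{change_id} is not approved")
        if implementer == change.approver:
            raise PermissionError("segregation of duties: approver cannot implement")
        change.implementer = implementer
        self.baseline[change.host][change.setting] = digest(change.new_value)
        return change

    # Step 5: monitor the live configuration against the authorized baseline
    def monitor(self, host, observed: dict) -> dict:
        expected = self.baseline[host]
        findings = {"unauthorized": [], "missing": [], "unexpected": []}
        for setting, value in observed.items():
            if setting not in expected:
                findings["unexpected"].append(setting)   # nothing authorizes it
            elif digest(value) != expected[setting]:
                findings["unauthorized"].append(setting)  # drift with no ticket
        findings["missing"] = [s for s in expected if s not in observed]
        for key in findings:
            findings[key].sort()
        return findings


def demo() -> dict:
    """Walk one change through the cycle, then detect an unauthorized edit."""
    baseline = {"web01": {"ssh.PermitRootLogin": "no",
                          "ssh.PasswordAuthentication": "no"}}
    cc = ChangeControl(baseline)
    cc.request("CR-1", "web01", "ssh.Ciphers", "aes256-gcm@openssh.com", "alice")
    cc.decide("CR-1", "bob", approve=True)      # alice could not approve this
    cc.implement("CR-1", "carol")               # bob could not implement it
    # Constructed observation: someone re-enabled root login with no ticket.
    observed = {"ssh.PermitRootLogin": "yes",
                "ssh.PasswordAuthentication": "no",
                "ssh.Ciphers": "aes256-gcm@openssh.com"}
    return cc.monitor("web01", observed)


if __name__ == "__main__":
    print(demo())
```

The monitoring step is what turns the process into an auditable control: the approved change to the cipher list updates the baseline and produces no finding, while the root-login edit that bypassed the workflow shows up as unauthorized drift, which is exactly the evidence an auditor asks for when verifying ongoing monitoring of the controls.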

Summary
▪ The business challenges that exist in compliance
▪ The ISS domains that are audited within an IT
infrastructure
▪ The organizational barriers to maintaining IT
compliance
▪ The organizational involvement in maintaining IT
compliance
▪ Proper security controls, such as configuration
and change management
