Term Paper: Planning an IT Infrastructure Audit for Compliance
CIS349: Information Technology Audit and Control
“Definition of IT audit – An IT audit can be defined as any audit that encompasses review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them. Planning the IT audit involves two major steps. The first step is to gather information and do some planning; the second step is to gain an understanding of the existing internal control structure. More and more organizations are moving to a risk-based audit approach, which is used to assess risk and helps an IT auditor make the decision as to whether to perform compliance testing or substantive testing. In a risk-based approach, IT auditors rely on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk. In the “Gathering Information” step the IT auditor needs to identify five items:
• Knowledge of business and industry
• Prior year’s audit results
• Recent financial information
• Regulatory statutes
• Inherent risk assessments”
This paper covers the following topics:
• The two auditing frameworks or hardening guidelines / security checklists used by the DoD.
• How a security assessment addressing modern-day risks, threats, and vulnerabilities throughout the 7 domains of a typical IT infrastructure can help an organization achieve compliance.
• How to gather and obtain the information required to perform a GLBA Financial Privacy & Safeguards Rules compliance audit, and what must be covered.
• The top Workstation Domain risks, threats, and vulnerabilities, including not only their possible causes but also mitigations to prevent these issues from occurring.
• The top LAN-to-WAN Domain risks, threats, and vulnerabilities, including not only their possible causes but also mitigations for how we can prevent these issues from occurring.
• The top Remote Access Domain risks, threats, and vulnerabilities, as well as ways to mitigate these types of issues.
• The top Systems / Application Domain risks, threats, and vulnerabilities, as well as ways to mitigate these types of issues.
There are different standards to consider when discussing the requirements of a DoD audit, such as:
– All auditing services performed by the DoD must comply with GAGAS (Government Auditing Standards). Although GAGAS may be compatible with, and still used in conjunction with, other auditing standards, if there is any conflict within the audits themselves the GAGAS requirements override any other source.
– There is also a single audit standard and requirement which sets forth a basic set of standards for consistency and uniformity across the different government organizations for any non-federal audit entities expending federal awards.
– DoD guidance states that all issuances identify the requirements which are unique to the DoD, and auditors must be aware of such additional requirements when they perform any auditing services for the government, especially the DoD.
Management of the DoD Audit Organization:
The agency heads for the audit committee must develop and maintain the following elements for their respective organizations:
– Tone at the top: the head of the audit organization must understand and set a tone that supports the value and accountability the audit function brings to the DoD component.
– Organizational independence: the audit organization must report its results objectively.
– Independence impairment based on placement: an audit organization (AO) should never report to an area within the organization that could potentially be audited.
– Independence impairment based on reporting: if the head of a functional area is able to rate, review, or evaluate the audit organization’s leadership, then an organizational independence impairment has occurred, which in turn means the audit report may not be reported objectively because of the possible influence.
– Organizational management: the AO must be independent, follow standards, and have a quality control program that complies with GAGAS.
We must first know what the 7 domains of an IT infrastructure consist of and how each can be made compliant:
– User Domain: this is usually the weakest link in an IT infrastructure, because it is the users themselves. The best way to ensure compliance is by training all employees and holding periodic training sessions to ensure they are following protocol.
– Workstation Domain: this is where most users connect to a company’s network. It consists of desktops, laptops, PDAs, and cell phones. These can be made compliant by ensuring users only have access to the folders / files they need to do their daily jobs.
– LAN Domain: this is a collection of computers connected to one another or to a common connection medium. The best way to ensure this domain is compliant is by making sure all security (anti-virus) protections are implemented and patches are up to date.
– LAN-to-WAN Domain: this is where the IT infrastructure joins the wide area network and the Internet. A way to keep this compliant is to ensure the ports coming into the LAN from the WAN are properly configured to prevent any sort of open-port attack.
– WAN Domain: typically, the connection to the “outside world” (i.e. the Internet). The best way to keep this compliant is by ensuring the company’s firewall is set to allow only work-related sites access to the company network.
– System / Application Domain: this is where the servers are held, and the best way to ensure it is compliant is by making sure all software updates as well as anti-virus security patches are up to date.
– Remote Access Domain: this is where users connect from a location outside the network onto the company’s network. The best way to ensure this domain is compliant is by issuing access only to those who require it, having them reset their passwords on a 30-day basis, and never letting them give out their login information.
In order to be compliant with the GLBA law, we must first know who is covered by it and what is protected, by asking the following questions and knowing the rules it sets forth:
1. Who gets a privacy notice?
• Consumers who are not customers
• General obligations
2. Limits on reuse and re-disclosure of NPI (nonpublic personal information)
• General obligations
• Restrictions on reuse and re-disclosure if NPI is received under the section 14 or 15 exceptions
• Restrictions on reuse and re-disclosure if NPI is received outside the section 14 or 15 exceptions
3. Disclosure of account numbers is prohibited
4. Other issues
• The Fair Credit Reporting Act
5. Further guidance
When talking about the risks, threats, and vulnerabilities within the Workstation Domain, we must not only know the potential issues, but also what can be done to reduce them. Each risk, threat, or vulnerability is listed below with its mitigation:
– Lack of user awareness: conduct security awareness training.
– User apathy toward policies: conduct annual security awareness training, implement an acceptable use policy, and update the staff manual and handbooks.
– Security policy violations: place the employee on probation.
– CDs and USB drives: disable all CD drives and USB ports.
– File sharing: block all websites so that only work-related sites can be accessed.
– Passwords: ensure all passwords are kept safe and secure by training all employees.
– E-mail: only allow those users who require it to send and receive e-mail outside the network. Also, train users not to open e-mail from senders they do not know.
When examining the risks, threats, and vulnerabilities within the LAN-to-WAN Domain, we must not only know the potential issues, but also what can be done to reduce them. There are many different issues we can face when talking about a LAN-to-WAN setup. Before that, we must first know what the differences between the two are and how each can be protected:
LAN: A local area network supplies networking capability to a group of computers in close proximity to each other, such as in an office building, a school, or a home. The security required for the LAN is broadly characterized by security issues ranging from:
• physical threats (i.e. weather)
• PCs being vulnerable through access points, USB ports, and CD-ROM drives
WAN: A wide area network is a network that covers a broad area using private or public network transports.
Protections needed to safeguard the WAN are:
In order to discuss any risks, threats, or vulnerabilities, we must first know what the Remote Access Domain is and what it does. The Remote Access Domain covers anything related to VPN connections and multi-factor authentication. Basically, this is when someone connects to the network from an outside location (i.e. when an employee works from home they remote into the network). When dealing with a remote connection, we must not assume that once we give a user access everything will be fine. The network is vulnerable to attacks from hackers, Trojan viruses, malware, worms, and even loss of data. Some of these risks, threats, or vulnerabilities, and ways to mitigate them, are:
1. Brute-force user ID and password attacks – Set up a user ID and password policy which requires the user to change their password every 30 days. Train users to understand that they are to NEVER give their password out to anyone at any time.
2. Multiple logon retries and access control attacks – A good way to stop this is by setting an automatic lockout for users (or in this case unauthorized users) that locks the account after a certain number of attempts.
3. Unauthorized remote access to IT systems, applications, and data – We could apply multiple levels of security: the user ID and password first, and then tokens, biometrics, and smart cards, to ensure the security of company data.
4. Private or confidential data is compromised remotely – A good way to ensure the security of company data is by making sure all data is encrypted within the database and / or on the hard drive. This is especially good because if the data is ever stolen, the lost hard drive cannot be accessed due to the increased security.
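Items 1 and 2 above describe a brute-force risk and an automatic-lockout mitigation for the Remote Access Domain. The following is an added example, not code from the original paper, showing how such a lockout policy behaves when run over authentication events, and adding one check a practitioner would want alongside it: per-account lockout does not notice an attacker who spreads a few failures across many accounts, so the example also keeps a per-source view. The log format, thresholds, user names and IP addresses are constructed for the example and are not the paper's.

```python
"""Remote-access lockout policy and per-source failure detection (added example).

The log format, thresholds and sample data below are constructed assumptions,
not taken from the paper or from any real VPN product.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 5                    # failures before the account is locked
LOCKOUT_WINDOW = timedelta(minutes=15)   # failures are only counted inside this window
LOCKOUT_DURATION = timedelta(minutes=30) # how long a locked account stays locked

# Constructed sample gateway log: "<ISO timestamp> <OK|FAIL> user=<id> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=jdoe src=203.0.113.10
2024-03-01T08:00:09 FAIL user=jdoe src=203.0.113.10
2024-03-01T08:00:15 FAIL user=jdoe src=203.0.113.10
2024-03-01T08:00:22 FAIL user=jdoe src=203.0.113.10
2024-03-01T08:00:30 FAIL user=jdoe src=203.0.113.10
2024-03-01T08:00:41 OK user=jdoe src=203.0.113.10
2024-03-01T08:05:00 OK user=asmith src=192.0.2.25
2024-03-01T08:10:00 FAIL user=asmith src=198.51.100.7
2024-03-01T08:10:03 FAIL user=bchen src=198.51.100.7
2024-03-01T08:10:06 FAIL user=dlopez src=198.51.100.7
2024-03-01T08:10:09 FAIL user=epatel src=198.51.100.7
"""

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, source ip)


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failure times
    locked_until: Optional[datetime] = None


class LockoutPolicy:
    """Locks an account after `threshold` failures inside `window`, for `duration`."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW,
                 duration=LOCKOUT_DURATION):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.accounts: Dict[str, AccountState] = defaultdict(AccountState)

    def evaluate(self, ts: datetime, user: str, result: str) -> str:
        """Return 'ALLOW', 'DENY' or 'LOCKED' for one authentication event."""
        st = self.accounts[user]
        if st.locked_until is not None:
            if ts < st.locked_until:
                return "LOCKED"   # rejected even if the password was correct
            st.locked_until = None  # lock has expired
        if result == "OK":
            st.failures.clear()   # a successful login resets the failure count
            return "ALLOW"
        # Keep only failures that fall inside the counting window, then add this one.
        st.failures = [t for t in st.failures if ts - t <= self.window]
        st.failures.append(ts)
        if len(st.failures) >= self.threshold:
            st.locked_until = ts + self.duration
            st.failures.clear()
            return "LOCKED"
        return "DENY"


def parse_line(line: str) -> Event:
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts_s, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts_s), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_spraying(events: List[Event], min_users: int = 3,
                    window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Flag sources whose failures hit at least `min_users` distinct accounts in `window`.

    Per-account lockout never fires on this pattern (each account sees one or two
    failures), so the defender needs this per-source view as well.
    """
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged: Dict[str, int] = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged


def process_log(text: str, policy: Optional[LockoutPolicy] = None):
    """Run the lockout policy over a log and return (decisions, flagged_sources)."""
    policy = policy or LockoutPolicy()
    events = [parse_line(l) for l in text.strip().splitlines() if l.strip()]
    decisions = [(user, policy.evaluate(ts, user, result))
                 for ts, result, user, _ in events]
    return decisions, detect_spraying(events)


if __name__ == "__main__":
    decisions, flagged = process_log(SAMPLE_LOG)
    for user, decision in decisions:
        print(f"{user:8s} {decision}")
    print("sources hitting many accounts:", flagged)
```

In the sample, jdoe's fifth failure locks the account, and the correct password offered eleven seconds later is still refused because the lock has not expired. The second source never trips the per-account policy, which is exactly why the per-source check is there; in a real deployment the window and thresholds would be tuned to the gateway's normal failure rate, and a lockout that is too easy to trigger becomes a denial-of-service risk for legitimate remote users.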
In order to discuss any risks, threats, or vulnerabilities, we must first know what the Systems / Application Domain is and what it does. The Systems / Application Domain is a component used within the common language runtime to isolate executed software applications from one another so that they do not affect each other. As with anything computer related, there are always risks, threats, and vulnerabilities, but behind those issues there must be a way to mitigate them, and below is a list of a few:
1. Unauthorized access to data centers, computer rooms, and wiring closets – Ways to mitigate this would be to apply policies, standards, procedures, and guidelines for staff and visitors to secure facilities.
2. Servers must sometimes be shut down to perform maintenance – Mitigate this by creating a system that ties servers, storage devices, and the network together.
3. Server operating system vulnerabilities – Mitigate this by ensuring all Windows server operating system environments are configured with the correct patches.
4. Cloud computing virtual environments are by default not secure – Setting up virtual firewalls and placing server segments on separate VLANs will help alleviate any sort of failure.