IT Auditing: Using Controls to Protect Information Assets, written by Chris Davis, Mike Schiller, and Kevin Wheeler. Publisher: McGraw-Hill Osborne Media. Released: 2006-12-22. EAN: 9780072263435. Avg. Customer Rating: (based on 2 reviews).
List Price: $59.99. Our Price: $33.33.
Product Description

Protect Your Systems with Proven IT Auditing Strategies

"A must-have for auditors and IT professionals." -Doug Dexter, CISSP-ISSMP, CISA, Audit Team Lead, Cisco Systems, Inc.

Plan for and manage an effective IT audit program using the in-depth information contained in this comprehensive resource. Written by experienced IT audit and security professionals, IT Auditing: Using Controls to Protect Information Assets covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates. Inside, you'll learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications. Plus, you'll get up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard.

- Build and maintain an IT audit function with maximum effectiveness and value
- Implement best practice IT audit processes and controls
- Analyze UNIX-, Linux-, and Windows-based operating systems
- Audit network routers, switches, firewalls, WLANs, and mobile devices
- Evaluate entity-level controls, data centers, and disaster recovery plans
- Examine Web servers, platforms, and applications for vulnerabilities
- Review databases for critical controls
- Use the COSO, CobiT, ITIL, ISO, and NSA INFOSEC methodologies
- Implement sound risk analysis and risk management practices
- Drill down into applications to find potential control weaknesses
Excellent practical coverage of IT Auditing
This is by far the most useful book I've seen covering the subject matter of IT Audits in more than 20 years of IT Auditing. I noticed that ISACA picked up this book as part of their bookstore. The narrative is easy to read throughout the book and the book is laid out and formatted thoughtfully.
I now manage the IT Audit function for a large US-based bank and found the first three chapters (Building an Effective IT Audit Function; The Audit Process; and Auditing Entity Level Controls) particularly well done for understanding how to build the IT Audit team into your environment technically and politically.
The next section of the book, Chapters 4-12 (Data Centers/DR; Switches, Routers, Firewalls; Windows; UNIX and Linux; Web Servers; Databases; Applications; WLAN/Mobile; Company Projects), is solid, very well done, and consistent with other checklists we've used. The checklists are written from an auditor's perspective and contain an excellent level of detail covering what you should do, why, and how. Any more detail and a real-world audit would never get completed before it was time to move on to the next audit. IT Auditing provided my team members with excellent guidance on two recent audits. My team liked the book's layout and level of detail. It's written at an appropriate and realistic level that an auditor can work his or her way through a checklist without getting overwhelmed.
Finally, the last section of the book (Frameworks and Standards; Regulations; and Risk Management) provides a good overview of the several standards and regulations we deal with every day. The chapter on Risk Management is one of the best reviews on that topic in a while.
Overall I think this is an exceptional book and I wouldn't hesitate to recommend this to someone in the IT Audit field.
Good if you focus on the auditing profession but ignore some tech details
I have no experience with auditing in the formal sense described by IT Auditing. I am familiar with the technical aspects of host and network security, but I wanted to know more about the goals and views of those who audit enterprises from a security standpoint. IT Auditing succeeds when it discusses the profession of auditing but I found some of the technical details lacking. Therefore, I recommend focusing on chapters 1-3 and 12-15, while using the technical chapters as indicators for outside research.
Chapter 1 makes clear that IT Auditing is written for internal audit teams. The author argues that involvement is better than "independence," since adhering to the latter business approach is a recipe for outsourcing the audit function. I liked the beginning and end of IT Auditing because they emphasized how internal audit teams should work with business IT functions. These chapters answered questions on whether or not audit should review and comment upon projects before completion (yes) and related "soft" topics.
The middle of IT Auditing concentrates on how to audit data centers, infrastructure, operating systems, Web servers, databases, applications, and wireless/mobile devices. I found these chapters less appealing. When I read "it's much more common to find SNMP Version 2 in most corporate environment" (sic, p 121) or see mention of "Universal Data Ports (UDPs)" (sic, p 172), I question the validity of the technical recommendations. Other examples include equating NAT with proxies (p 117) and the statement that "network vulnerability scanning... is probably the most important type of security discovery or monitoring in most environments." At that point I begin to understand the horror stories I hear from some who are audited.
When it came to understanding the audit mindset, I think IT Auditing really helped me. It seems auditors are far more likely to be interested in reviewing paperwork than really assessing effectiveness of security controls. Repeatedly I read statements like "evaluate the effectiveness of the security personnel function" by looking at documentation. In a few areas auditors seem to understand the value of real tests, e.g., trying to restore a backup rather than reviewing logs saying backups were completed. This focus on validating paperwork over operational activity is the single biggest problem with audits. It's clear a "system" could pass all its audit checks with flying colors while still being completely compromised. (Yes, p 201-2 mentions Chkrootkit, but that program is only effective in limited scenarios.) Audit is configuration and paperwork validation, not system integrity assessment.
I recommend reading IT Auditing if you want to get a better idea of how your auditors think and what they want to inspect. If you're an auditor who wants authoritative technical guidance you will probably learn more from dedicated system and network hardening books designed for administrators. IT Auditing's checklists can at least put you in the ballpark, however.