The IT Regulatory and Standards Compliance Handbook
The IT Regulatory and Standards Compliance Handbook

How to Survive Information Systems Audit and Assessments


About this book

The IT Regulatory and Standards Compliance Handbook provides a comprehensive methodology that enables the staff charged with an IT security audit to create a sound framework, allowing them to meet the challenges of compliance in a way that aligns with both business and technical needs. This "roadmap" provides a way of interpreting complex, often confusing, compliance requirements within the larger scope of an organization's overall needs.
  • The ultimate guide to making an effective security policy and controls that enable monitoring and testing against them
  • The most comprehensive IT compliance template available, giving detailed information on testing all your IT security, policy and governance requirements
  • A guide to meeting the minimum standard, whether you are planning to meet ISO 27001, PCI-DSS, HIPAA, FISCAM, COBIT or any other IT compliance requirement
  • Both technical staff responsible for securing and auditing information systems and auditors who wish to demonstrate their technical expertise will gain from this book the knowledge, skills and abilities to apply basic risk analysis techniques and to conduct a technical audit of essential information systems
  • This technically based, practical guide to information systems audit and assessment shows how the process can be used to meet a myriad of compliance issues

Lead Author: Craig S. Wright. Subject: Computer Science & Cyber Security.

Chapter 1. Introduction to IT Compliance

Solutions in this chapter:

▪ Does Security Belong within IT?
▪ What Are Audits, Assessments, and Reviews?
▪ Summary

Introduction

This book provides comprehensive methodology, enabling the staff charged with an IT security audit to create a sound framework, allowing them to meet the challenges of compliance in a way that aligns with both business and technical needs. This “roadmap” provides a way of interpreting complex, often confusing, compliance requirements within the larger scope of an organization's overall needs.
Data held on IT systems is valuable and critical to the continued success of any organization. We all rely on information systems to store and process information, so it is essential that we maintain information security. The goal of this book is to define an economical and yet secure manner of meeting an organization's IT compliance needs. To do this we first need to understand the terminology on which the rest of the book is based, and that is the focus of this chapter. We begin by defining what security itself is.
The purpose of information security is to preserve:
Confidentiality: Data is only accessed by those with the right to view the data.
Integrity: Data can be relied upon to be accurate and processed correctly.
Availability: Data can be accessed when needed.
Consequently, the securing of information and thus the role of the Security professional requires the following tasks to be completed in a competent manner:
1. The definition and maintenance of security policies and strategies.
2. Implementing and ensuring compliance with policies and procedures within the organization:
  a. The IT security organization needs a clear statement of mission and strategy, together with a definition of security roles and processes.
  b. Users, administrators, and managers should have clearly defined roles and responsibilities and be aware of them.
  c. Users and support staff may require training to be able to assume the responsibilities assigned to them.
3. Effective use of mechanisms and controls to enforce security.
4. Well-defined technical guidelines and controls for the systems used within the organization.
5. Assurance (audits and regular risk assessments).
IT security is not about making a perfect system; it is about making a system that is resilient and that can survive the rigors it is exposed to. Compliance comes down to due diligence. If you can show that your system is resilient to attack and that it has a baseline of acceptable controls, you will be compliant with nearly any standard or regulation.

Does Security Belong within IT?

The simple answer is yes. The more developed answer is that information security affects all aspects of an organization, not just IT. Security needs to be the concern of all within an organization from the simple user to senior management.

Management Support

If management does not succeed in the establishment of a sound security infrastructure (including policy, communication, processes, standards, and even culture) within the organization, then there is little likelihood of an organization being able to remain secure. Standards, guidelines, and procedures are developed using the Security Policy. Without these, security cannot be maintained. Without management support there cannot be enforcement, liability, or coordination of incidents. Management support for Information Security controls is fundamental to the continuing security of any organization.
Management can facilitate education and awareness strategies within the organization. Good awareness processes and management support help the overall security of an organization because:
1. An organization's personnel cannot be held responsible for their actions unless it can be demonstrated that they were aware of the policy prior to any enforcement attempt.
2. Education helps mitigate corporate and personal liability by helping to avoid breaches of criminal and civil law, of statutory, regulatory, or contractual obligations, and of any other security requirement.
3. Awareness training raises the effectiveness of security protection and controls; it helps reduce fraud and abuse of the computing infrastructure, and increases the return on the organization's investments in both security and the computing infrastructure in general.

Job Roles and Responsibilities

Depending on the size of an organization, responsibility may be divided into the following defined roles. It is important that responsibility is apparent and is supported by management. To achieve this, the accountable persons must actually assume their accountabilities (i.e. they have powers necessary to make corresponding decisions and the experience/knowledge to make the right decisions). Management and Human Resources should ensure that the necessary roles are correctly implemented.
Board and Executives: The Board of Directors and the managing director or CEO (or equivalent) are ultimately responsible for security strategy and must make the necessary resources available to combat business threats. This group is ultimately responsible for disseminating strategy and establishing security-aware customs within the organization. They have the mandate to protect and ensure the continuity of the corporation and to protect and ensure its profitability. Information security plays a crucial role in both of these aspects of senior management's roles.
Business process / data / operation owner: This person is directly responsible for a particular process or business unit's data and reports directly to top management. He/she analyses the impact of security failures and specifies classification and guidelines/processes to ensure the security of the data for which he/she is responsible. This role should have no influence over the audit function.
Process Owner: The process owner is responsible for the process design, not for the performance of the process itself. The process owner is additionally responsible for the metrics linked to the process feedback systems, the documentation of the process, and the education of the process performers in its structure and performance. The process owner is accountable for sustaining the development of the process and for identifying opportunities to improve it, and is the individual ultimately accountable for improving the process.
IT Security manager/director: This person is responsible for the overall security within the organization. The IT security manager(s) define IT security guidelines together with the process owner. He/she is also responsible for security awareness and for advising management correctly on security issues, and may also carry out risk analyses. It is important that this person be up to date on the latest security problems, risks, and solutions. Coordination with partner companies, security organizations, and industry groups is also important.
System supplier: The system supplier installs and maintains systems. A service level agreement should exist defining the customer/supplier roles and responsibilities. The supplier may be, for example, an external contracting company, the internal datacenter, or a system/security administrator. This person is responsible for the correct use of security mechanisms.
System designer: The persons who develop a system have a key role in ensuring that it can be used securely. New development projects must consider security requirements at an early stage.
Project Leaders: These people ensure that security guidelines are adhered to in projects.
Line Managers: These managers ensure that their personnel are fully aware of security policies and do not set objectives that conflict with policy. They enforce policy and check actual progress.
Users: Users, or "information processors/operators," are responsible for their actions. They are aware of company security policy, understand the consequences of their actions, and act accordingly. They have effective mechanisms at their disposal so that they can operate with the desired level of security. Should users receive confidential information that is not classified, they are responsible for the classification and distribution of this information.
Auditor: The auditor is an independent person, within or outside the company, who checks the status of IT security, much in the same way as a financial auditor verifies the validity of accounting records. It is important that the auditor be independent and not involved in security administration. Often external consultants fulfill this role, since they can offer a more objective view of policies, processes, organizations, and mechanisms.

What Are Audits, Assessments, and Reviews?

The initial thing we need to do is develop a common term...

Table of contents

  1. Cover image
  2. Table of Contents
  3. Lead Author
  4. Technical Editors
  5. Chapter 1. Introduction to IT Compliance
  6. Chapter 2. Evolution of Information Systems
  7. Chapter 3. The Information Systems Audit Program
  8. Chapter 4. Planning
  9. Chapter 5. Information Gathering
  10. Chapter 6. Security Policy Overview
  11. Chapter 7. Policy Issues and Fundamentals
  12. Chapter 8. Assessing Security Awareness and Knowledge of Policy
  13. Chapter 9. An Introduction to Network Audit
  14. Chapter 10. Auditing Cisco Routers and Switches
  15. Chapter 11. Testing the Firewall
  16. Chapter 12. Auditing and Security with Wireless Technologies
  17. Chapter 13. Analyzing the Results
  18. Chapter 14. An Introduction to Systems Auditing
  19. Chapter 15. Database Auditing
  20. Chapter 16. Microsoft Windows Security and Audits
  21. Chapter 17. Auditing UNIX and Linux
  22. Chapter 18. Auditing Web-Based Applications
  23. Chapter 19. Other Systems
  24. Chapter 20. Risk Management, Security Compliance, and Audit Controls
  25. Chapter 21. Information Systems Legislation
  26. Chapter 22. Operations Security
  27. Index