IT Auditing: Using Controls to Protect Information Assets [Paperback]

Chris Davis (Author), Mike Schiller (Author), Kevin Wheeler (Author)
4.4 out of 5 stars (8 customer reviews)

Formats
  • Kindle Edition: $37.64
  • Perfect Paperback: $41.82
  • Paperback (December 22, 2006): --

Book Description

December 22, 2006 | ISBN-10: 0072263431 | ISBN-13: 978-0072263435 | 1st edition
Protect Your Systems with Proven IT Auditing Strategies

 "A must-have for auditors and IT professionals."  -Doug Dexter, CISSP-ISSMP, CISA, Audit Team Lead, Cisco Systems, Inc.

Plan for and manage an effective IT audit program using the in-depth information contained in this comprehensive resource. Written by experienced IT audit and security professionals, IT Auditing: Using Controls to Protect Information Assets covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates. Inside, you'll learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications. Plus, you'll get up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard. 

Build and maintain an IT audit function with maximum effectiveness and value

  • Implement best practice IT audit processes and controls
  • Analyze UNIX-, Linux-, and Windows-based operating systems
  • Audit network routers, switches, firewalls, WLANs, and mobile devices
  • Evaluate entity-level controls, data centers, and disaster recovery plans
  • Examine Web servers, platforms, and applications for vulnerabilities
  • Review databases for critical controls
  • Use the COSO, CobiT, ITIL, ISO, and NSA INFOSEC methodologies
  • Implement sound risk analysis and risk management practices
  • Drill down into applications to find potential control weaknesses


Editorial Reviews

About the Author

Chris Davis, CISA, CISSP, shares his experience from architecting, hardening, and auditing systems. He has trained auditors and forensic analysts. Davis is the coauthor of the bestselling Hacking Exposed: Computer Forensics.

Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT Audit Manager at Texas Instruments.

Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense and has over ten years of IT security experience. 

 


Product Details

  • Paperback: 387 pages
  • Publisher: McGraw-Hill Osborne Media; 1 edition (December 22, 2006)
  • Language: English
  • ISBN-10: 0072263431
  • ISBN-13: 978-0072263435
  • Product Dimensions: 9.2 x 7.4 x 0.9 inches
  • Shipping Weight: 1.5 pounds
  • Average Customer Review: 4.4 out of 5 stars (8 customer reviews)
  • Amazon Best Sellers Rank: #578,140 in Books


Customer Reviews

8 Reviews
5 star: (4)
4 star: (3)
3 star: (1)
2 star: (0)
1 star: (0)

Average Customer Review: 4.4 out of 5 stars (8 customer reviews)

Most Helpful Customer Reviews

16 of 17 people found the following review helpful:
4.0 out of 5 stars Good if you focus on the auditing profession but ignore some tech details, May 6, 2007
This review is from: IT Auditing: Using Controls to Protect Information Assets (Paperback)
I have no experience with auditing in the formal sense described by IT Auditing. I am familiar with the technical aspects of host and network security, but I wanted to know more about the goals and views of those who audit enterprises from a security standpoint. IT Auditing succeeds when it discusses the profession of auditing but I found some of the technical details lacking. Therefore, I recommend focusing on chapters 1-3 and 12-15, while using the technical chapters as indicators for outside research.

Chapter 1 makes clear that IT Auditing is written for internal audit teams. The author argues that involvement is better than "independence," since adhering to the latter business approach is a recipe for outsourcing the audit function. I liked the beginning and end of IT Auditing because they emphasized how internal audit teams should work with business IT functions. These chapters answered questions on whether or not audit should review and comment upon projects before completion (yes) and related "soft" topics.

The middle of IT Auditing concentrates on how to audit data centers, infrastructure, operating systems, Web servers, databases, applications, and wireless/mobile devices. I found these chapters less appealing. When I read "it's much more common to find SNMP Version 2 in most corporate environment" (sic, p 121) or see mention of "Universal Data Ports (UDPs)" (sic, p 172), I question the validity of the technical recommendations. Other examples include equating NAT with proxies (p 117) and the statement that "network vulnerability scanning... is probably the most important type of security discovery or monitoring in most environments." I begin to understand the horror stories I hear from some who are audited.

When it came to understanding the audit mindset, I think IT Auditing really helped me. It seems auditors are far more likely to be interested in reviewing paperwork than really assessing effectiveness of security controls. Repeatedly I read statements like "evaluate the effectiveness of the security personnel function" by looking at documentation. In a few areas auditors seem to understand the value of real tests, e.g., trying to restore a backup rather than reviewing logs saying backups were completed. This focus on validating paperwork over operational activity is the single biggest problem with audits. It's clear a "system" could pass all its audit checks with flying colors while still being completely compromised. (Yes, p 201-2 mentions Chkrootkit, but that program is only effective in limited scenarios.) Audit is configuration and paperwork validation, not system integrity assessment.

I recommend reading IT Auditing if you want to get a better idea of how your auditors think and what they want to inspect. If you're an auditor who wants authoritative technical guidance you will probably learn more from dedicated system and network hardening books designed for administrators. IT Auditing's checklists can at least put you in the ballpark, however.
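The distinction the reviewer draws above, reading a log that says backups completed versus actually restoring one, is easy to make concrete. What follows is an added example written for this page, not code from the book or from any of its reviewers. The file set, the log lines and the backup job are all constructed for the illustration, and the archive format (a gzip tar) and the two failure modes it simulates (a file silently dropped, a file silently truncated) are assumptions chosen to show the point.

```python
"""Added example: an audit test step that exercises a backup control instead
of accepting the job's own log as evidence.  Not from the book; every piece
of sample data below is constructed for this illustration."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed sample: the files the nightly job is supposed to protect.
SOURCE_FILES: Dict[str, bytes] = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "etc/shadow": b"root:$6$saltsalt$notarealhash:13600:0:99999:7:::\n",
    "var/db/app.db": b"\x00\x01\x02\x03" * 256,
}

# Constructed sample: what the job wrote to its log (the "paperwork").
BACKUP_LOG = (
    "2007-05-01 02:00:01 job=nightly status=COMPLETED files=3\n"
    "2007-05-02 02:00:03 job=nightly status=COMPLETED files=3\n"
)


def paperwork_review(log: str) -> bool:
    """Documentation-only check: pass if every logged run claims COMPLETED."""
    runs = [line for line in log.splitlines() if line.strip()]
    return bool(runs) and all("status=COMPLETED" in line for line in runs)


def make_backup(files: Dict[str, bytes],
                drop: Optional[str] = None,
                truncate: Optional[str] = None) -> bytes:
    """Build a gzip tar archive in memory.  `drop` and `truncate` simulate a
    job that logs success while silently writing an incomplete backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            if name == drop:
                continue
            if name == truncate:
                data = data[: len(data) // 2]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore_test(archive: bytes, expected: Dict[str, bytes]) -> Dict[str, str]:
    """Operational test: restore into a scratch directory, then compare each
    restored file's SHA-256 against what should have been backed up.
    Returns {path: "ok" | "missing" | "corrupt"}."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                dest = (root / member.name).resolve()
                # Refuse archives that try to write outside the scratch root.
                if root not in dest.parents:
                    raise ValueError(f"unsafe path in archive: {member.name}")
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
        for name, data in expected.items():
            restored = root / name
            if not restored.is_file():
                results[name] = "missing"
            elif hashlib.sha256(restored.read_bytes()).digest() != hashlib.sha256(data).digest():
                results[name] = "corrupt"
            else:
                results[name] = "ok"
    return results


def audit_backup_control(log: str, archive: bytes,
                         expected: Dict[str, bytes]) -> Dict[str, object]:
    """Combine both views so the finding records what the log claimed next to
    what a restore actually produced."""
    restore = restore_test(archive, expected)
    return {
        "paperwork_passes": paperwork_review(log),
        "restore": restore,
        "control_effective": all(v == "ok" for v in restore.values()),
    }


if __name__ == "__main__":
    good = make_backup(SOURCE_FILES)
    bad = make_backup(SOURCE_FILES, drop="var/db/app.db", truncate="etc/shadow")
    for label, archive in (("intact backup", good), ("silently broken backup", bad)):
        print(label, audit_backup_control(BACKUP_LOG, archive, SOURCE_FILES))
```

The broken archive passes `paperwork_review` (both log lines say COMPLETED) and fails `restore_test`, which is exactly the gap the reviewer describes. The restore is done into a throwaway directory with a path-traversal check because an audit tool that extracts archives it did not produce is itself an attack surface; the finding keeps both results side by side so the workpaper shows the log's claim and the test that contradicted it.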


13 of 14 people found the following review helpful:
5.0 out of 5 stars Excellent practical coverage of IT Auditing, June 7, 2007
This review is from: IT Auditing: Using Controls to Protect Information Assets (Paperback)
This is by far the most useful book I've seen covering the subject matter of IT Audits in more than 20 years of IT Auditing. I noticed that ISACA picked up this book as part of their bookstore. The narrative is easy to read throughout the book and the book is laid out and formatted thoughtfully.

I now manage the IT Audit function for a large US-based bank and found the first three chapters (Building an Effective IT Audit Function; The Audit Process; and Auditing Entity Level Controls) particularly well done for understanding how to build the IT Audit team into your environment technically and politically.

The next section of the book, Chapters 4-12 (Data Centers/DR; Switches, Routers, Firewalls; Windows; UNIX and Linux; Web Servers; Databases; Applications; WLAN/Mobile; Company Projects) is solid, very well done, and consistent with other checklists we've used. The checklists are written from an auditor's perspective and contain an excellent level of detail covering what you should do, why, and how. Any more detail and a real world audit would never get completed before it was time to move on to the next audit. IT Auditing provided my team members excellent guidance on two recent audits. My team liked the book's layout and level of detail. It's written at an appropriate and realistic level that an auditor can work his or her way through a checklist without getting overwhelmed.

Finally, the last section of the book (Frameworks and Standards; Regulations; and Risk Management) provides a good overview of the several standards and regulations we deal with every day. The chapter on Risk Management is one of the best reviews on that topic in a while.

Overall I think this is an exceptional book and I wouldn't hesitate to recommend this to someone in the IT Audit field.


2 of 2 people found the following review helpful:
5.0 out of 5 stars A great reference!, September 28, 2009
This review is from: IT Auditing: Using Controls to Protect Information Assets (Paperback)
I want to start off by saying this is a very comprehensive book. This book provides you with good tools to ask your IT folks and things to look for. The subjects this book covers start from the top to the bottom (entity-level controls all the way down to application-level controls). The book guides you to what is potentially important (to include in an audit report) and items that are housekeeping. Not only does it provide audit test steps, but it also tells you how to tackle them. This book has advanced topics that directly deal with the status of IT presence in the corporate function. One thing that stood out to me was the powerful introduction the book provides about the role of Internal Audit and more specifically IT. This is a fun read! Hard to believe, right?
Inside This Book

Key Phrases - Statistically Improbable Phrases (SIPs): auditing data centers, physical access control procedures, interview the system administrator, center facility manager, appropriate password controls, review the configuration file, data center personnel, audit universe, unmanaged devices, netrc files, equiv file, data security standard, software change controls, running different software, rogue access points, administrative threats, trusted access, data center facilities, interface fastethernet, trunking protocol, native vlan, shadow password file, database permissions, criticality values, data center facility

Key Phrases - Capitalized Phrases (CAPs): Sarbanes-Oxley Act, United States, Governance Institute, Security Rule, Payment Card Industry, Internal Control-Integrated Framework, Audit of Financial Statements, Enterprise Risk Management-Integrated Framework, Capital Accord, National Security Agency, Oracle Corporation, Spanning-Tree Protocol, Rolling Meadows, Success Failure Audit, Auditing Switches, Auditor Auditor, Control Panel, Enterprise Edition, Federal Trade Commission, Privacy Rule, World Wide Web