The Guide to IT Auditing

“The Guide” is a comprehensive I.T. Risk and Security Audit Program based on the thematic consistencies present in almost all risk and regulatory frameworks. In addition, the Guide is intended to provide detailed information for the I.T. professional to identify, design, and audit their I.T. environment.

Contents:

1. I.T. Audit Background and Risk Frameworks
1.1 – A Brief History of I.T. Audit
1.2 – Top 10 Risk Frameworks
1.3 – Advice for taking the CISA exam
1.4 – Advice for taking the CISSP exam

2. I.T. Audit Techniques
2.1 – Inquiry, Observation, Inspection, Reperformance
2.2 – Preparing an Information Request List (PBC List)
2.3 – Can I Use a Screenshot as Audit Evidence?
2.4 – Create an IT Risk Dashboard in Excel

The Framework

3. Policies and Procedures
3.1 – Password Policies
3.2 – Information Security Training

4. Regulatory Environment
4.1 – Deploying a HIPAA Compliant Encryption Policy

5. Staff and Personnel
5.1 – Information Security Training Example

6. Physical and Environmental Security
6.1 – Performing a Physical Security Audit
6.2 – Performing an Environmental Security Audit
6.3 – What does a data center look like?

7. Network Security
7.1 – Auditing Administrators in Active Directory
7.2 – Commonly Missed Administrator Accounts in Active Directory
7.3 – Active Directory Management Tools
7.4 – Understanding how a Stateful Firewall Works
7.5 – Creating an Application Whitelist in the Enterprise (AppLocker)
7.6 – Understanding Secure Network Segmentation

8. Logical Access
8.1 – The Principle of Least Privilege

9. Change Management
9.1 – Change Management: Internally Initiated Changes & Control Environment
9.2 – Change Management: Externally Initiated Changes & Control Environment
9.3 – Scrum (Agile) Development Explained
9.4 – Change Management: How to Verify Population Completeness

10. Backup and Disaster Recovery
10.1 – How to Design a Disaster Recovery Plan
10.2 – Are clustering and mirroring backup solutions?

11. Vendor Management
11.1 – How to Read a SOC Report
11.2 – Vendor Selection Matrix (.pdf)

12. Risk Assessment
12.1 – Application Risk Assessment
12.2 – How to Build an ERM System (series)

Note: This guide is a living document and will continue to grow as we add posts.