I
IAASB. See International Auditing and Assurance Standards Board (IAASB)
IACIS. See International Association of Computer Investigative Specialists (IACIS)
IACRB. See Information Assurance Certification Review Board (IACRB)
IEC. See International Electrotechnical Commission (IEC)
IEEE. See Institute of Electrical and Electronics Engineers (IEEE)
IFAC. See International Federation of Accountants (IFAC)
IIA. See Institute of Internal Auditors (IIA)
Independence
  external auditing, 68–70
  internal auditing, 47–48
Industry standards, compliance, 97
Information, use in audit reports, 160
Information Assurance Certification Review Board (IACRB), 216
Information security
  certification, 143–144
Information security management system (ISMS), 17–20, 143–144, 177
  audit in, 19–20
Information Systems Audit and Control Association (ISACA), 199, 206–208
  audit standards, 206
  Code of Ethics, 48
  certifications, 207–208
Information Technology Infrastructure Library (ITIL), 2–3, 119–120, 139, 182–183, 183f, 184t
Information Technology Management Reform Act of 1996, 139
Internal auditing
  objectivity, 47–48
  as organizational capability, 46–55
  overview, 45–46
  planning, 153–154
Internal Control—Integrated Framework, 107–108,
Internal controls, 4–6
  administrative controls, 5–6
  categorizing, 5–6, 6b
  defined, 4–5
  examples, 6t
  operational auditing, 89
  physical controls, 5–6
  technical controls, 5–6
International Accounting Standards Board (IASB),
International Association of Computer Investigative Specialists (IACIS), 216
International Auditing and Assurance Standards Board (IAASB), 169–171
International Council of E-Commerce Consultants (EC-Council), 216
International Electrotechnical Commission (IEC),
International Federation of Accountants (IFAC),
  audit standards, 206
International health data privacy protection laws,
International Information Systems Security Certification Consortium (ISC), 213–214
  certifications, 214
242 Index
International Organisation of Supreme Audit Institutions (INTOSAI), 204–205
  audit standards, 205
International Organization for Standardization (ISO), 5–6, 141, 177, 178f, 183–185, 185t, 208–209
  audit standards, 208–209
International Professional Practices Framework (IPPF), 45, 163, 173–177, 175f, 176t
International Society for Automation (ISA) standard 62443, 93
International Society of Forensic Computer Examiners (ISFCE), 216
International Standards of Supreme Audit Institutions (ISSAI), 10, 188
International Standards on Auditing (ISA), 18, 47, 169–172, 171t
INTOSAI. See International Organisation of Supreme Audit Institutions (INTOSAI)
IPPF. See International Professional Practices Framework (IPPF)
ISA. See International Standards on Auditing (ISA)
ISACA. See Information Systems Audit and Control Association (ISACA)
ISACA’s Code of Professional Ethics, 48
ISC. See International Information Systems Security Certification Consortium (ISC)
ISFCE. See International Society of Forensic Computer Examiners (ISFCE)
ISMS. See Information security management system (ISMS)
ISO. See International Organization for Standardization (ISO)
ISO 9000, 94
ISO 9001, 14, 15f, 142–143
ISO 19011, 162–163, 177
ISO/IEC 7498-1, 114, 127
ISO/IEC 12207, 114, 127
ISO/IEC 15288, 124
ISO/IEC 15504, 11
ISO/IEC 17799, 143
ISO/IEC 20000, 99–100, 144, 183–185
ISO/IEC 27000, 143, 189
ISO/IEC 27001, 18–19, 19f, 143, 177, 189
ISO/IEC 27002, 18, 111
  security clauses and categories, 190t
ISO/IEC 27005, 6
ISO/IEC 27007, 177
ISO/IEC 31000, 6
ISO/IEC 38500, 183–185
ISO/IEC/IEEE 42010, 114, 127
ISO/IEC 38500 standard, 3–4
ISSAI. See International Standards of Supreme Audit Institutions (ISSAI)
ISSAI 5310, 188
ITAF. See IT Assurance Framework (ITAF)
IT assets, auditing, 112–119, 113t
  decomposition, 114–119
    databases, 116
    data centers, 118
    hardware, 116–117
    interfaces, 119
    networks, 117
    operating systems, 116
    storage, 117
    systems and applications, 115
    virtualized environments, 118–119
IT Assurance Framework (ITAF), 178–179
IT Audit Framework (ISACA), 163
IT Examination Handbook, 53–54
IT governance, 2–5, 129
  audit in, 4–5
  defined, 2
  and management frameworks
    COBIT®, 178–180, 180f, 181t
    ITIL®, 182–183, 183f, 184t
  processes and controls, 3
IT Governance Institute, 4–5
ITIL. See Information Technology Infrastructure Library (ITIL)
“ITIL certification,” 183
IT operations, 120–121
IT-specific auditing, 98–102
  information systems controls, 100–102
  process maturity, 98–99
  provision of services, 99–100
Laws and regulations, 130–141, 131t
  European Council Directive 2006/43/EC, 133
  Graham-Leach-Bliley Act, 133
  government sector laws, 139–141
    Federal Information Security Management Act, 140
    Privacy Act, 140–141
  health industry-specific laws, 133
    Health Information Technology for Economic and Clinical Health Act, 134–135
    Health Insurance Portability and Accountability Act of 1996, 134
    international health data privacy protection laws, 135
  securities industry, 131–133
    Sarbanes-Oxley Act of 2002, 132
    Securities and Exchange Commission, 132
  security and privacy laws, 135–138
    Computer Fraud and Abuse Act of 1986, 137
    Electronic Communications Privacy Act, 138
    European Council Directive 95/46/EC, 136–137
    state security and privacy laws, 138
Legal compliance, 96
Methodologies and frameworks, 167
  COSO, 172–173, 173f, 174t
  GAAS, 169, 170t
  government-focused methodologies, 185–188
    FISCAM, 186, 187f, 187t
    ISSAI, 188
  IPPF, 173–177, 175f, 176t
  ISA, 169–172, 171t
  ISO, 177, 178f, 183–185, 185t
  IT governance and management frameworks
    COBIT®, 178–180, 180f, 181t
    ITIL®, 182–183, 183f, 184t
  overview, 167, 168t
  relevant source material, 193–194
  security control assessment frameworks, 188–193
    ISO/IEC 27000 series, 189
    NIST security control assessment guidance, 191–192, 192t
National Commission on Fraudulent Financial
National Institute of Standards and Technology (NIST), 6b, 140, 163
  risk management framework, 8–9, 9f
  security control assessment guidance, 191–192, 192t
  Special Publication 800-30, 10
Networks, 117
New York Stock Exchange, 9–10
NIST. See National Institute of Standards and Technology (NIST)
Objectivity, internal auditing, 47–48
Open Systems Interconnection model, 114
Open Web Application Security Project (OWASP), 215
Operating systems, 116
Operational auditing, 87–91
  internal controls, 89
  policies, processes, and procedures, 89–90
  program or project-focused, 91
Operational effectiveness, 144–145
Organizational controls, 111–112, 111f
Organizational participation, external auditing,
OWASP. See Open Web Application Security Project (OWASP)
Path analysis, 114, 115f
Payment Card Industry Data Security Standards (PCI DSS), 97–98, 215–216
PCAOB. See Public Company Accounting Oversight Board (PCAOB)
PCI DSS. See Payment Card Industry Data Security Standards (PCI DSS)
Performance. See Audit performance
Plan-do-check-act (PDCA), 15–16, 16f, 149,
Planning. See Audit planning
PMBOK. See PMI Project Management Body of Knowledge (PMBOK)
PMI Project Management Body of Knowledge (PMBOK), 126
Preliminary data gathering
  audit preparation and, 152
Privacy Act of 197, 140–141
Process. See Audit process(es)
Production phase, of SDLC, 124–125
  defined, 49b
  establishing, 48–55
  and project management, 121–122
  responsibilities, 53–55
Programmatic auditing, 87
Program or project-focused auditing, 91
Program responsibilities, internal auditing, 53–55
Project-focused auditing. See Program or project-focused auditing
Public Company Accounting Oversight Board (PCAOB), 11–12, 68–69, 132
Quality assurance, 14–17, 129
  and continuous improvement, 145
  defined, 14
Quality certification, 142–143
Quality management, 14–17
  audit in, 17
Recommended Security Controls for Federal Information Systems and Organizations, 140
Regulatory auditors, 78–79
Reporting findings, audit processes, 158–161
  findings vs. conclusions, 159
  responding to audit results, 160–161
  using information in audit reports, 160
Reporting on Controls at a Service Organization, 53–54
Resource allocation, in audit preparation, 151–152
Results, audit, 160–161
Retirement phase, of SDLC, 126
Risk, defined, 5–6
Risk assessment, 9–10
Risk management, 5–10, 108–109, 129
  audit in, 9–10
  components, 8–9
  Electronic Communications Privacy Act, 138
  European Council Directive 95/46/EC, 136–137
Security control assessment frameworks, 188–193
  ISO/IEC 27000 series, 189
  NIST security control assessment guidance, 191–192, 192t
Security management, 93–94
SEI. See Software Engineering Institute (SEI)
Service management, 92–93
  certification standards, 144
Service Organization Control (SOC) reports, 75–76, 93, 143
SERVQUAL, 14
Six Sigma, 14, 142
Software Assurance Maturity Model (SAMM), 215
Software Engineering Institute (SEI), 212
SSCP. See Systems Security Certified Practitioner (SSCP)
Statements on Auditing Standards (SAS), 200, 202t