Auditing IT Infrastructures for Compliance

In: Computers and Technology

Submitted By duss87
Words 2140
Pages 9
Introduction:
For this final paper, I am to assemble the executive reports that I have completed over the last 5 weeks and combine them into one final report. These reports consist of:
- The two auditing frameworks or hardening guidelines / security checklists used by the DoD.
- How a security assessment addressing modern-day risks, threats, and vulnerabilities throughout the 7 domains of a typical IT infrastructure can help an organization achieve compliance.
- How to gather and obtain the information needed to perform a GLBA Financial Privacy & Safeguards Rules compliance audit, and what must be covered.
- The top Workstation Domain risks, threats, and vulnerabilities, including not only possible causes but also mitigations to prevent these issues from happening.
- The top LAN-to-WAN Domain risks, threats, and vulnerabilities, including not only possible causes but also mitigations to prevent these issues from happening.
- The top Remote Access Domain risks, threats, and vulnerabilities, as well as ways to mitigate these types of issues.
- The top Systems / Application Domain risks, threats, and vulnerabilities, as well as ways to mitigate these types of issues.

Part 1:
Purpose:
The purpose of part 1 of this lab is to develop an executive summary regarding either the two auditing frameworks or the hardening guidelines/security checklists used by the DoD. For this, I have chosen to discuss the two auditing frameworks.

Background:
A little background about the AF (Auditing Framework) for the DoD: it provides a foundation for developing and representing descriptions that ensure a common denominator for understanding, comparing, and integrating them across organizational, joint, and multinational boundaries. All U.S. DoD weapons and information technology system acquisitions are required to develop and document an…
