III
see attached.
YouareanITconsultanthiredbyABCTechSolutions.docx
You are an IT consultant hired by ABC Tech Solutions, a small but growing technology firm specializing in software development. The firm has recently expanded its operations and is looking to ensure its IT infrastructure is secure and compliant with industry standards.
As part of your engagement, you are tasked with conducting a preliminary IT audit and providing recommendations to improve their security posture.
Develop the information for a basic IT audit plan for ABC Tech Solutions by answering the following questions:
· What are the key steps involved in conducting an IT infrastructure audit for ABC Tech Solutions?
· Explain why it is important to use the following documentation in compliance auditing:
    · standards,
    · procedures, and
    · guidelines for maintaining security.
· Explain the role of proper security controls, such as configuration and change management, in maintaining IT infrastructure security.
· Why is it crucial to review system configurations and implementations during the audit? Provide an example of a configuration issue.
· Discuss each of the following parts of the IT audit plan:
    · scope,
    · objectives,
    · goals, and
    · frequency of an audit.
· Why is it important to use industry standards when developing an IT audit plan?
· Describe the process and importance of establishing and maintaining security baselines.
· Why is the alignment of security policy frameworks with the specific needs of an organization's IT infrastructure important? What problems may arise if the security policy framework were misaligned with the specific needs of an organization's IT infrastructure?
Submit your three-page plan using MS Word.
UnitIII.pdf
SEC 4302, Planning and Audits 1
Course Learning Outcomes for Unit III
At the end of this unit, you should be able to:
2. Create documentation for planning security procedures.
    2.1 Describe the process of establishing and maintaining security baselines.
    2.2 Explain the importance of documented policies, standards, procedures, and guidelines in maintaining security.
    2.3 Explain the importance of reviewing system configurations and implementations in IT audits.
3. Develop an information systems security auditing plan.
    3.3 Discuss the scope, objectives, goals, and frequency of an audit.
    3.4 Explain how the security policy framework definitions map to the seven domains of IT infrastructure.
    3.5 Describe the alignment of security policy frameworks with the specific needs of an organization's IT infrastructure.

Required Unit Resources
Chapter 5: Planning an IT Infrastructure Audit for Compliance (ULOs 2.1, 2.2, and 2.3)
Chapter 6: Conducting an IT Infrastructure Audit for Compliance (ULOs 3.1 and 3.2)
Chapter 7: Writing the IT Infrastructure Audit Report (ULOs 3.1, 3.2, and 3.4)

Unit Lesson
Lesson: Steps of IT Audit Compliance (ULOs 2.1, 2.2, 2.3, 3.3, 3.4, and 3.5)
This lesson focuses on IT audit planning and the audit itself. Planning is the first step and takes place before any detailed audit work begins. A proper plan ensures that resources are focused on the right areas and that potential problems are identified early. We will learn about minimum acceptable levels of risk and appropriate security baseline definitions, the various types of controls, gap analyses, and what needs to be identified throughout the seven domains of a typical IT infrastructure. Attention is also given to performing a security assessment, using audit tools, reviewing configurations and implementations, auditing the change management process, and verifying and validating the configuration of controls.
Audit Planning
Audit planning is the first and most important phase of the IT audit process because it establishes the basis for the audit. Done well, it ensures that resources are allocated correctly and that potential problems are addressed in advance, which produces a thorough and efficient audit.
IT Audit Interview Framework
Interviews with key IT support and management personnel are a crucial step in gathering the insights needed for planning and improving IT strategies. The process involves identifying the right personnel, preparing questions, and planning the interview sessions effectively.
Audit Interview Framework
1. Preparing
2. Scheduling
3. Opening
4. Conducting
5. Closing
6. Recording
Seven Domains of an IT Infrastructure
An IT security policy framework that fits a typical organization consists of seven domains. Organizing the framework this way helps cover all the potential risks, compliance requirements, and security threats that may exist in an organization's IT environment.
• User Domain
• Workstation Domain
• LAN Domain
• LAN-to-WAN Domain
• WAN Domain
• Remote Access Domain
• System/Application Domain
User Domain
This domain covers all users that have direct access to the organization's IT environment, regardless of whether they are employees, contractors, or vendors. For example: passwords must be changed every 90 days, and a strong password must be at least 12 characters long with a combination of letters, numbers, and special characters.

Workstation Domain
This domain covers all end-user devices on the network, including desktops, laptops, and mobile devices. For example: every personal computer used in the organization must have the standard antivirus software installed and scheduled to scan every day.

LAN Domain
This domain covers the physical and logical networks inside the organization, including the switches, routers, wireless access points, and other infrastructure that connect them. For example: only authorized devices may connect to the internal network, and all Wi-Fi networks must be encrypted with WPA3.

LAN-to-WAN Domain
This domain focuses on the interfaces and connections between the internal network and the outside world, including the internet. For example: external connections to the internal network must go through the VPN with two-factor authentication.

WAN Domain
This domain includes all of the organization's wide-area network (WAN) infrastructure, which interconnects its various sites and geographically distant locations. For example: data transferred over the WAN must be encrypted with TLS or IPsec.
Remote Access Domain
This domain covers the policies and enforcement technologies that govern access to the organization's network from remote locations. For example: remote access is allowed strictly via the organization's VPN, which requires multi-factor authentication and must scan the endpoint for malware.

System/Application Domain
This domain covers all servers, applications, databases, and other relevant IT systems. For example: every application being deployed must be thoroughly tested for security to confirm it meets the organization's security standards against the potential threats, and the data it collects must be encrypted both at rest and in transit.
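The per-domain examples above are, in effect, a security baseline, and the gap analysis this lesson describes is the step of comparing collected configuration evidence against that baseline. The following Python script is an added example (not code from the study guide, the textbook, or ABC Tech Solutions) that encodes the lesson's stated controls (90-day password age, 12-character minimum, daily antivirus scan, WPA3 Wi-Fi, VPN with MFA and endpoint scan, TLS or IPsec on the WAN) and reports every host/control pair that fails. The configuration record schema, the host names, and the control IDs are constructed for the example; missing or malformed evidence is deliberately counted as a finding rather than a pass, because an auditor cannot close a control that nobody can demonstrate.

```python
"""Baseline gap check across the seven domains (added example).

The control thresholds come from the lesson's domain examples; the
configuration schema, host names and control IDs are constructed here.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Control:
    control_id: str
    domain: str
    description: str
    check: Callable[[dict], bool]  # True when the host's evidence satisfies the control


def _get(cfg: dict, *path: str, default: Any = None) -> Any:
    """Walk nested dict keys; return default when any key is missing."""
    cur: Any = cfg
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


# Missing evidence is treated as non-compliant (defaults fail every check).
BASELINE = [
    Control("USR-01", "User", "Passwords changed at least every 90 days",
            lambda c: _get(c, "password", "max_age_days", default=10**9) <= 90),
    Control("USR-02", "User", "Passwords at least 12 characters long",
            lambda c: _get(c, "password", "min_length", default=0) >= 12),
    Control("USR-03", "User", "Password complexity (letters, numbers, special characters) enforced",
            lambda c: _get(c, "password", "complexity", default=False) is True),
    Control("WKS-01", "Workstation", "Standard antivirus installed and scheduled to scan daily",
            lambda c: _get(c, "antivirus", "installed", default=False) is True
            and _get(c, "antivirus", "scan_schedule") == "daily"),
    Control("LAN-01", "LAN", "All Wi-Fi networks encrypted with WPA3",
            lambda c: _get(c, "wifi") is not None
            and all(net.get("encryption") == "WPA3" for net in _get(c, "wifi"))),
    Control("RMT-01", "Remote Access", "Remote access only via VPN with MFA and endpoint malware scan",
            lambda c: all(_get(c, "vpn", k, default=False) is True
                          for k in ("required", "mfa", "endpoint_scan"))),
    Control("WAN-01", "WAN", "Data crossing the WAN encrypted with TLS or IPsec",
            lambda c: _get(c, "wan", "encryption") in ("TLS", "IPsec")),
]


@dataclass(frozen=True)
class Finding:
    host: str
    control_id: str
    domain: str
    description: str


def gap_analysis(hosts: dict[str, dict]) -> list[Finding]:
    """Return one Finding per (host, control) pair that fails the baseline."""
    findings: list[Finding] = []
    for host, cfg in hosts.items():
        for ctl in BASELINE:
            try:
                compliant = bool(ctl.check(cfg))
            except (TypeError, ValueError, AttributeError):
                compliant = False  # malformed evidence is a finding, not a pass
            if not compliant:
                findings.append(Finding(host, ctl.control_id, ctl.domain, ctl.description))
    return findings


def compliance_summary(hosts: dict[str, dict]) -> dict[str, Any]:
    """Aggregate pass/fail counts for the audit report."""
    findings = gap_analysis(hosts)
    total = len(hosts) * len(BASELINE)
    passed = total - len(findings)
    return {
        "checks": total,
        "passed": passed,
        "failed": len(findings),
        "percent_compliant": round(100.0 * passed / total, 1) if total else 0.0,
    }


# Constructed sample evidence; these are not real ABC Tech Solutions systems.
SAMPLE_HOSTS = {
    "ws-dev-01": {  # fully compliant
        "password": {"max_age_days": 90, "min_length": 12, "complexity": True},
        "antivirus": {"installed": True, "scan_schedule": "daily"},
        "wifi": [{"ssid": "corp", "encryption": "WPA3"}],
        "vpn": {"required": True, "mfa": True, "endpoint_scan": True},
        "wan": {"encryption": "IPsec"},
    },
    "ws-dev-02": {  # several settings have drifted from the baseline
        "password": {"max_age_days": 180, "min_length": 8, "complexity": True},
        "antivirus": {"installed": True, "scan_schedule": "weekly"},
        "wifi": [{"ssid": "corp", "encryption": "WPA3"},
                 {"ssid": "guest", "encryption": "WPA2"}],
        "vpn": {"required": True, "mfa": False, "endpoint_scan": True},
        "wan": {"encryption": "none"},
    },
    "ws-legacy-03": {  # incomplete and malformed evidence
        "password": {"max_age_days": "never"},
    },
}

if __name__ == "__main__":
    for f in gap_analysis(SAMPLE_HOSTS):
        print(f"{f.host:14} {f.control_id} [{f.domain}] {f.description}")
    print(compliance_summary(SAMPLE_HOSTS))
```

Run as a script, it lists the six drifted settings on the second host, all seven controls for the legacy host whose evidence is missing or malformed, and a summary of 8 passes out of 21 checks. Keeping each control as a small, named predicate makes the baseline itself reviewable during the audit, and the summary gives the numbers that belong in the audit report.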
Security Baselines
Establishing and maintaining security baselines is an intricate and dynamic process that demands continuous vigilance and adaptation. The first step must always be an assessment of the current security environment in order to understand its capabilities, strengths, and weaknesses. This includes reviewing all hardware and software systems, the network configuration, and user rights. Next, a set of security policies and procedures is established to address the identified issues. These policies define the fundamental requirements that every system and user must meet for data security and for related concerns such as passwords and encryption. Once the policies are developed, they must be implemented throughout the organization. This may include installing software updates, changing network settings, and educating staff on the new security measures. Implementation, however, is not a one-time event but an ongoing process. Continuous monitoring is required to confirm that the prescribed security measures are followed to the letter. This involves periodic updates, configuration reviews, checking for known vulnerabilities, and testing for new ones. The baselines themselves should also be revisited from time to time as technology and the threat environment change, which means staying current on security trends and emerging threats so that the right measures can be adopted. The result is a strong and flexible security environment that can safeguard the organization's assets and information against the many threats that are inevitable today.

Documented Policies, Standards, Procedures, and Guidelines in Maintaining Security
Documented policies, standards, procedures, and guidelines ensure that all security measures are applied uniformly across the organization.
This standardization minimizes the risk of security breaches because everyone follows the same rules and procedures, making the digital environment safer and more predictable.

Risk Management
Clear documentation acts like a detailed map, guiding how to handle different security threats and vulnerabilities. It helps identify potential risks early and provides a step-by-step approach to managing them, so that everyone knows what to do in the various security scenarios.

Accountability and Responsibility
Policies and procedures make clear who is responsible for what in terms of security. Just as in a group project, knowing each person's role helps ensure that everyone understands their duties and the consequences of not fulfilling them. This clarity fosters a sense of accountability among all employees.

Training and Awareness
Regular training sessions based on these documents can significantly improve everyone's security awareness and practices.
Continuous Improvement
Regularly reviewed and updated documentation ensures that security measures keep pace with new threats and technological advancements. This continuous improvement is essential to maintaining a strong and effective security posture.
Reference
Johnson, R., Weiss, M. M., & Solomon, M. G. (2024). Auditing IT infrastructures for compliance (3rd ed.). Jones & Bartlett Learning.