A comprehensive guide to understanding and auditing modern information systems

The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of information system resources. One of the biggest challenges faced by auditors is the lack of a standardized approach and relevant checklist. Understanding and Conducting Information Systems Auditing brings together resources with audit tools and techniques to solve this problem. Featuring examples that are globally applicable and covering all major standards, the book takes a non-technical approach to the subject and presents information systems as a management tool with practical applications. It explains in detail how to conduct information systems audits and provides all the tools and checklists needed to do so. In addition, it also introduces the concept of information security grading, to help readers to implement practical changes and solutions in their organizations.

* Includes everything needed to perform information systems audits
* Organized into two sections: the first designed to help readers develop the understanding necessary for conducting information systems audits and the second providing checklists for audits
* Features examples designed to appeal to a global audience

Taking a non-technical approach that makes it accessible to readers of all backgrounds, Understanding and Conducting Information Systems Auditing is an essential resource for anyone auditing information systems.
Page count: 389
Year of publication: 2013
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Veena Hingarh and Arif Ahmed
Cover Image: © Olena Timashova/iStockphoto
Cover Design: John Wiley & Sons, Inc.
Copyright © 2013 by John Wiley & Sons Singapore Pte. Ltd.
Published by John Wiley & Sons Singapore Pte. Ltd.
1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628, tel: 65-6643-8000, fax: 65-6643-8008, e-mail: [email protected].
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Other Wiley Editorial Offices
John Wiley & Sons, 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom
John Wiley & Sons (Canada) Ltd., 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6HB, Canada
John Wiley & Sons Australia Ltd., 42 McDougall Street, Milton, Queensland 4064, Australia
Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany
Library of Congress Cataloging-in-Publication Data
ISBN 978-1-118-34374-6 (Hardcover)
ISBN 978-1-118-34375-3 (ePDF)
ISBN 978-1-118-34376-0 (Mobi)
ISBN 978-1-118-34377-7 (ePub)
Families that bind the world
Preface
Acknowledgments
Part One: Conducting an Information Systems Audit
Chapter 1: Overview of Systems Audit
Information Systems Audit
Information Systems Auditor
Legal Requirements of an Information Systems Audit
Systems Environment and Information Systems Audit
Information Systems Assets
Classification of Controls
The Impact of Computers on Information
The Impact of Computers on Auditing
Information Systems Audit Coverage
Chapter 2: Hardware Security Issues
Hardware Security Objective
Peripheral Devices and Storage Media
Client-Server Architecture
Authentication Devices
Hardware Acquisition
Hardware Maintenance
Management of Obsolescence
Disposal of Equipment
Problem Management
Change Management
Network and Communication Issues
Chapter 3: Software Security Issues
Overview of Types of Software
Elements of Software Security
Control Issues during Installation and Maintenance
Licensing Issues
Problem and Change Management
Chapter 4: Information Systems Audit Requirements
Risk Analysis
Threats, Vulnerability, Exposure, Likelihood, and Attack
Information Systems Control Objectives
Information Systems Audit Objectives
System Effectiveness and Efficiency
Information Systems Abuse
Asset Safeguarding Objective and Process
Evidence Collection and Evaluation
Logs and Audit Trails as Evidence
Chapter 5: Conducting an Information Systems Audit
Audit Program
Audit Plan
Audit Procedures and Approaches
System Understanding and Review
Compliance Reviews and Tests
Substantive Reviews and Tests
Audit Tools and Techniques
Sampling Techniques
Audit Questionnaire
Audit Documentation
Audit Report
Auditing Approaches
Sample Audit Work-Planning Memo
Sample Audit Work Process Flow
Chapter 6: Risk-Based Systems Audit
Conducting a Risk-Based Information Systems Audit
Risk Assessment
Risk Matrix
Risk and Audit Sample Determination
Audit Risk Assessment
Risk Management Strategy
Chapter 7: Business Continuity and Disaster Recovery Plan
Business Continuity and Disaster Recovery Process
Business Impact Analysis
Incident Response Plan
Disaster Recovery Plan
Types of Disaster Recovery Plans
Emergency Preparedness Audit Checklist
Business Continuity Strategies
Business Resumption Plan Audit Checklist
Recovery Procedures Testing Checklist
Plan Maintenance Checklist
Vital Records Retention Checklist
Forms and Documents
Chapter 8: Auditing in the E-Commerce Environment
Introduction
Objectives of an Information Systems Audit in the E-Commerce Environment
General Overview
Auditing E-Commerce Functions
E-Commerce Policies and Procedures Review
Impact of E-Commerce on Internal Control
Chapter 9: Security Testing
Cybersecurity
Cybercrimes
What Is Vulnerable to Attack?
How Cyberattacks Occur
What Is Vulnerability Analysis?
Cyberforensics
Digital Evidence
Chapter 10: Case Study: Conducting an Information Systems Audit
Important Security Issues in Banks
Implementing an Information Systems Audit at a Bank Branch
Special Considerations in a Core Banking System
Part Two: Information Systems Auditing Checklists
Chapter 11: ISecGrade Auditing Framework
Introduction
Licensing and Limitations
Methodology
Domains
Grading Structure
Selection of Checklist
Format of Audit Report
Using the Audit Report Format
Chapter 12: ISecGrade Checklists
Checklist Structure
Information Systems Audit Checklists
Chapter 13: Session Quiz
Chapter 1: Overview of Systems Audit
Chapter 2: Hardware Security Issues
Chapter 3: Software Security Issues
Chapter 4: Information Systems Audit Requirements
Chapter 5: Conducting an Information Systems Audit
Chapter 6: Risk-Based Systems Audit
Chapter 7: Business Continuity and Disaster Recovery Plan
Chapter 8: Auditing in the E-Commerce Environment
Chapter 9: Security Testing
About the Authors
About the Website
Index
EULA
Chapter 2
Table 2.1
Chapter 4
Table 4.1
Chapter 5
Table 5.1
Table 5.2
Chapter 6
Table 6.1
Table 6.2
Chapter 8
Table 8.1
Chapter 11
Table 11.1
Table 11.2
Chapter 12
Table 12.1
Chapter 2
Figure 2.1 Route Command
Chapter 3
Figure 3.1 Windows Task Manager
Chapter 4
Figure 4.1 Trail of Events
Figure 4.2 Error Log
Chapter 6
Figure 6.1 Risk Matrix
Figure 6.2 Audit Risk Framework
Chapter 7
Exhibit 7.1 Alternative Site Procedure Sample Format
Exhibit 7.2 Communication Resources Sample Format
Exhibit 7.3 Contingency Log Sample Format
Exhibit 7.4 Contingency Plan Contact Information Sample Format
Exhibit 7.5 Documentation List Sample Format
Exhibit 7.6 Emergency Procedures Sample Format
Exhibit 7.7 External Support Agreements Sample Format
Exhibit 7.8 Hardware Inventory Sample Format
Exhibit 7.9 Information Asset Usage Procedure Sample Format
Exhibit 7.10 Layout Inventory Sample Format
Exhibit 7.11 Software Inventory Sample Format
Exhibit 7.12 Team Staffing and Task Sample Format
Exhibit 7.13 Vendor Contact List Sample Format
Chapter 8
Figure 8.1 Sample Flowchart
Chapter 9
Figure 9.1 Example of a Phishing E-mail
Figure 9.2 Example of a Phishing Website
Figure 9.3 Image of the Genuine Website
Figure 9.4 Screenshot of an Update Management Screen
Chapter 12
Exhibit 12.1 Audit Plan Checklist
Exhibit 12.2 Access Control Checklist—Logical Access
Exhibit 12.3 Antivirus Audit Checklist
Exhibit 12.4 Application Development Checklist
Exhibit 12.5 Asset Classification and Control Checklist
Exhibit 12.6 Authentication Devices Checklist
Exhibit 12.7 Business Strategy Checklist
Exhibit 12.8 Change Management (Hardware and Software) Checklist
Exhibit 12.9 Client-Server Checklist
Exhibit 12.10 Communication Software/Devices Checklist
Exhibit 12.11 Data Communication (Router) Checklist
Exhibit 12.12 Disaster Recovery Plan Checklist
Exhibit 12.13 Electronic Funds Transfer Checklist
Exhibit 12.14 File and Directory Protection Checklist
Exhibit 12.15 Human Resources, Job Definition, Resourcing, and Training Checklist
Exhibit 12.16 Implementation of Information Systems Security Policy Checklist
Exhibit 12.17 Internet Security Checklist
Exhibit 12.18 Information Systems Security Policy Checklist
Exhibit 12.19 Local Area Network Checklist
Exhibit 12.20 Legal Compliance Checklist
Exhibit 12.21 Long-term Information Technology Strategy Checklist
Exhibit 12.22 Maintenance Questionnaire Checklist
Exhibit 12.23 Management Control System Checklist
Exhibit 12.24 Operating System Checklist
Exhibit 12.25 Packaged Software Implementation Checklist
Exhibit 12.26 Parameter Settings Checklist
Exhibit 12.27 Peripheral Devices and Storage Media Checklist
Exhibit 12.28 Physical Access Control Checklist
Exhibit 12.29 Physical Environment Checklist
Exhibit 12.30 Problem Management Checklist
Exhibit 12.31 Security Management Checklist
Exhibit 12.32 Segregation of Duties Checklist
Exhibit 12.33 Short-Range Information Technology Plan Checklist
Exhibit 12.34 Software License Checklist
Exhibit 12.35 System Conversion and Reconciliation Checklist
Exhibit 12.36 System Software Controls Checklist
Exhibit 12.37 Third-Party and Vendor Services Review Checklist
Exhibit 12.38 Transaction Processing Checklist
Exhibit 12.39 Utility Program Checklist
Exhibit 12.40 Wireless Network Audit Checklist
THIS BOOK FOCUSES ON an information systems audit as a management control and not a technology-driven subject. Complete with resources to understand the subject, definitions of technical terms, ready checklists to conduct an information systems audit, and multiple-choice questions to review the level of understanding, the book is designed to be an indispensable resource for the information systems practitioner and aspirant alike. Readers will find enough resources for their audit needs, examination needs, and even continuing professional education requirements.
Continue reading in the full edition!
