IT Auditing Using Controls to Protect Information Assets, 2nd Edition Review


IT Auditing Using Controls to Protect Information Assets, 2nd Edition Review

I have no experience with auditing in the formal sense described by IT Auditing. I am familiar with the technical aspects of host and network security, but I wanted to know more about the goals and views of those who audit enterprises from a security standpoint. IT Auditing succeeds when it discusses the profession of auditing, but I found some of the technical details lacking. Therefore, I recommend focusing on chapters 1-3 and 12-15, while using the technical chapters as indicators for outside research.
Chapter 1 makes clear that IT Auditing is written for internal audit teams. The author argues that involvement is better than "independence," since adhering to the latter business approach is a recipe for outsourcing the audit function. I liked the beginning and end of IT Auditing because they emphasized how internal audit teams should work with business IT functions. These chapters answered questions on whether or not audit should review and comment upon projects before completion (yes) and related "soft" topics.
The middle of IT Auditing concentrates on how to audit data centers, infrastructure, operating systems, Web servers, databases, applications, and wireless/mobile devices. I found these chapters less appealing. When I read "it's much more common to find SNMP Version 2 in most corporate environment" (sic, p 121) or see mention of "Universal Data Ports (UDPs)" (sic, p 172), I question the validity of the technical recommendations. Other examples include equating NAT with proxies (p 117) and the statement that "network vulnerability scanning... is probably the most important type of security discovery or monitoring in most environments." I begin to understand the horror stories I hear from some who are audited.
When it came to understanding the audit mindset, I think IT Auditing really helped me. It seems auditors are far more likely to be interested in reviewing paperwork than really assessing effectiveness of security controls. Repeatedly I read statements like "evaluate the effectiveness of the security personnel function" by looking at documentation. In a few areas auditors seem to understand the value of real tests, e.g., trying to restore a backup rather than reviewing logs saying backups were completed. This focus on validating paperwork over operational activity is the single biggest problem with audits. It's clear a "system" could pass all its audit checks with flying colors while still being completely compromised. (Yes, p 201-2 mentions Chkrootkit, but that program is only effective in limited scenarios.) Audit is configuration and paperwork validation, not system integrity assessment.
I recommend reading IT Auditing if you want to get a better idea of how your auditors think and what they want to inspect. If you're an auditor who wants authoritative technical guidance, you will probably learn more from dedicated system and network hardening books designed for administrators. IT Auditing's checklists can at least put you in the ballpark, however.

IT Auditing Using Controls to Protect Information Assets, 2nd Edition Overview
Secure Your Systems Using the Latest IT Auditing Techniques
Fully updated to cover leading-edge tools and technologies, IT Auditing: Using Controls to Protect Information Assets, Second Edition, explains, step by step, how to implement a successful, enterprise-wide IT audit program. New chapters on auditing cloud computing, outsourced operations, virtualization, and storage are included. This comprehensive guide describes how to assemble an effective IT audit team and maximize the value of the IT audit function. In-depth details on performing specific audits are accompanied by real-world examples, ready-to-use checklists, and valuable templates. Standards, frameworks, regulations, and risk management techniques are also covered in this definitive resource.

Build and maintain an internal IT audit function with maximum effectiveness and value
Audit entity-level controls, data centers, and disaster recovery
Examine switches, routers, and firewalls
Evaluate Windows, UNIX, and Linux operating systems
Audit Web servers and applications
Analyze databases and storage solutions
Assess WLAN and mobile devices
Audit virtualized environments
Evaluate risks associated with cloud computing and outsourced operations
Drill down into applications to find potential control weaknesses
Use standards and frameworks, such as COBIT, ITIL, and ISO
Understand regulations, including Sarbanes-Oxley, HIPAA, and PCI
Implement proven risk management practices
