Chapter 5 of the required textbook may be helpful in the completion of the assignment. Chapter 5 is attached for your review.

The audit planning process directly affects the quality of the outcome. A proper plan ensures that resources are focused on the right areas and that potential problems are identified early. A successful audit first outlines the objectives of the audit, the procedures that will be followed, and the required resources.

Choose an organization you are familiar with and develop an eight to ten page IT infrastructure audit for compliance, presented in a ten (10) to twelve (12) page paper in which you:
Define the following items for an organization you are familiar with:
Goals and objectives
Frequency of the audit
Duration of the audit
Identify the critical requirements of the audit for your chosen organization and explain why you consider them to be critical requirements.
Choose privacy laws that apply to the organization, and suggest who is responsible for privacy within the organization.
Develop a plan for assessing IT security for your chosen organization by conducting the following:
Risk assessment analysis
Explain how to obtain information, documentation, and resources for the audit.
Analyze how each of the seven (7) domains aligns within your chosen organization.
Align the appropriate goals and objectives from the audit plan to each domain and provide a rationale for your alignment.
Develop a plan that:
Examines the existence of relevant and appropriate security policies and procedures.
Verifies the existence of controls supporting the policies.
Verifies the effective implementation and ongoing monitoring of the controls.
Identify the critical security control points that must be verified throughout the IT infrastructure, and develop a plan that includes adequate controls to meet high-level defined control objectives within this organization.
Use at least five (5) quality resources in this assignment. Note: Wikipedia and similar websites do not qualify as quality resources.

Leverage graphical illustrations to explain the concepts and solution in your paper. The paper must include a minimum of one (1) figure and one (1) table illustration.
Must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA.
The specific course learning outcomes associated with this assignment are:
Describe the parameters required to conduct and report on an IT infrastructure audit for organizational compliance.
Describe the components and basic requirements for creating an audit plan to support business and system considerations.
Develop IT compliance audit plans.
Use technology and information resources to research issues in security strategy and policy formation.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
Planning an IT Infrastructure Audit for Compliance
AUDIT PLANNING SHOULD NOT BE OVERLOOKED. What goes into the planning process
directly affects the quality of the outcome. The planning stage is the first step and takes place
before any of the detailed audit work begins. A proper plan ensures that resources are focused on
the right areas and that potential problems are identified early. A successful audit first outlines
what's supposed to be achieved as well as what procedures will be followed and the required
resources to carry out the procedures.
Although each audit will vary, the plan and approach to each audit follow similar characteristics.
Despite the best plans, however, circumstances do change, and plans need to be adjusted. As a
result, flexibility must be considered. Significant errors, suspected fraud, and misrepresentation
can all have a considerable effect upon the initial plan. Regardless, proper planning helps ensure
an effective and timely audit.
Chapter 5 Topics
This chapter covers the following topics and concepts:
• How to define the scope, objectives, goals, and frequency of an audit
• What the critical requirements for an audit are
• How to assess IT security
• How to obtain information, documentation, and resources
• How to map the security policy framework definitions to the seven domains of IT
• How to identify and test monitoring requirements
• How to identify critical security control points that must be verified throughout the IT
• How to build a project plan
Chapter 5 Goals
When you complete this chapter, you will be able to:
• Define the scope and frequency of an audit
• Identify the key requirements for an audit
• Understand the importance of risk management in assessing security controls
• Identify the information and resources needed for an IT audit
• Relate the IT security policy framework to the seven domains of IT infrastructure
• Understand why monitoring requirements help with an IT audit
• Identify security control points
• Differentiate between the project management tasks of an IT audit
Defining the Scope, Objectives, Goals, and Frequency of an Audit
The scope, objectives, goals, and frequency of audits are based on a risk assessment. Depending
on the risk, the frequency of audits varies. Controls over critical systems might need to be monitored
more often than controls over noncritical systems. In higher-risk situations, automated or continuous
audit tests might be considered.
Prior to performing an audit, the auditor should first define the audit scope. The scope includes
the area or areas to be reviewed as well as the time period. Experienced auditors know it's just as
important to define what will be audited as it is to define what will not be audited. If scope is not
clearly defined, scope creep occurs, likely increasing the auditor's workload. Scope creep is a
term common to projects where the plans or goals expand beyond what was originally intended.
The audit objective is the goal of the audit. Both scope and objective are closely related. For the
audit to be effective, the scope must consider the objectives of the audit. Defining scope requires
consideration of the personnel, systems, and records relevant to the objective. Time is another
consideration dependent upon the objective. The depth and breadth of an audit usually
determines the time frame required to meet the objectives.
An external audit of financial controls, for example, will likely have a narrower scope than
an internal audit of information technology (IT) controls. When defining the scope, the auditor
should consider the controls and processes across the seven domains of IT infrastructure. This
includes relevant resources such as the following:
It is important for auditors to ensure the scope is sufficient to achieve the stated objectives.
Restrictions placed on the scope could seriously affect the ability to achieve the stated objective.
Examples of restrictions that an organization may place on an auditor that could have such a
negative impact include the following:
â?¢ Not providing enough resources
â?¢ Limiting the time frame
â?¢ Preventing the discovery of audit evidence
â?¢ Restricting audit procedures
â?¢ Withholding relevant historical records or information about past incidents
An audit is a project. As with any project, proper planning is necessary. Auditors should be
familiar with the Project Management Institute (PMI), which has created a standard named A
Guide to the Project Management Body of Knowledge (PMBOK). This guide provides a well-known and applied framework for managing successful projects.
A project, such as an audit, has three important characteristics. First, a project is temporary. This
means it has an identified start and end date. Unlike operations or a program, a project lasts for a
finite time period. Second, a project is unique and produces unique results. At the end of the
project, a deliverable is produced. Although projects might be similar, the process, resources,
constraints, and risks, for example, will differ. Finally, a project is progressively elaborated.
Because each project is unique, the process is more dynamic. Projects will occur in separate
steps. As the process continues, the next phase becomes clearer.
Projects require someone to manage them. This position is often given the title of project
manager. Large projects and even audits might have a dedicated project manager. Other times,
the person managing the project might be the project expert. Project management requires the
management of three competing needs to achieve the project objectives. Known as the triple
constraint, these include scope, cost, and time. Consider, for example, a project with a large
scope, but with little time and cost. More than likely, quality will be compromised. A project
manager must be aware of all three constraints at the start of and throughout the project.
Planned audit activities also have a defined rate of occurrence, known as the audit frequency.
There are two approaches to determining audit frequency. Audits can occur on a fixed schedule,
annually or every two or three years, depending on regulatory requirements and the determined risk.
IT audits are also known for not following a predefined frequency, but instead using a continuous
risk-assessment process. This is more appropriate given the fast-paced change in technology as
well as the threats and vulnerabilities related to IT.
Identifying Critical Requirements for the Audit
The risk assessment will influence the critical requirements for an IT audit. Overall, there are
various types of IT audits. In addition to infrastructure audits for compliance, other examples
include audits specific to IT processes, such as governance and software development. Another
example includes integrated audits, where financial controls are the focus.
Auditing IT infrastructure for compliance incorporates the evaluation of various types of
controls. IT organizations today are concerned with controls relating to both security and
privacy. Traditionally, privacy and information security have been separate activities. The
two, however, have become more interrelated, and coordination between them has become a
priority for many organizations. Two major factors contributing to this are regulatory issues and
the rapid growth and widespread use of the Web. As a result, both privacy and information
security are converging, specifically around compliance issues.
Implementing Security Controls
Before an evaluation of controls can begin, the auditor must first identify the critical controls. To
do so, the auditor must consider the audit scope and objective along with the risk assessment.
Documentation and any preliminary interviews also help to identify the requirements.
Controls can be classified into different groups to aid in understanding how they fit into the
overall security of a system. Figure 5-1 illustrates the different dimensions of control
classifications. Understanding the classifications provides auditors with a foundation to identify
and assess critical controls.
A high-level classification of controls for IT systems includes general and application controls.
General controls are also known as infrastructure controls. These types of controls apply broadly
to all system components across an organization. Application controls apply to individual
application systems. Types of application controls include various transaction controls, such as
input, processing, and output controls.
FIGURE 5-1 Control classifications.
The National Institute of Standards and Technology (NIST) groups IT security controls into
three classes: management, operational, and technical controls. The following list provides a
description and examples of each of these:
• Management controls: These include controls typically governed by management as part of
the overall security program. Examples include the following:
  • Security policy
  • Security program management
  • Risk management
  • Security and planning in the system development life cycle
• Operational controls: These include controls that are implemented by people rather than
systems. These controls are often interrelated with both management and technical controls.
Examples include the following:
  • Personnel and user issues
  • Contingency and disaster planning
  • Incident response and handling
  • Awareness, training, and education
  • Computer support and operations
  • Physical and environmental security
• Technical controls: These include controls that are performed by the IT systems. Examples
include the following:
  • Identification and authentication
  • Logical access control
  • Audit trails
Controls are further classified as being preventive, detective, or corrective. Preventive controls
stop a particular threat in the first place. A door lock on a home is a simple example of a
preventive control. A detective control identifies that a threat is present. A home alarm system,
for example, is a common detective control. (Some people even advertise they have an alarm
system by putting a notice on the door or a sign in the yard. In this case, this also serves as a
preventive control.) Finally, a reactive or corrective control can lessen the effects of a threat. A
home alarm system that also notifies the police department is an example of a reactive control.
Antivirus software is a common control that spans all three categories. It can prevent a system
from getting a virus in the first place. It can detect if a virus is on the system. Finally, it can react
and correct the situation by removing or quarantining the virus.
Protecting Privacy Data
Audits of IT infrastructure relating to security are common. However, due to recent legislation
regarding the need to protect personally identifiable information, audits specific to privacy are
more commonplace than before. ISACA defines privacy within the context of information
systems as "adherence to trust and obligation in relation to any information relating to an
identified or identifiable individual (data subject). Management is responsible to comply with
Privacy audits go beyond traditional IT audits in that the entire information lifecycle
needs to be considered. This includes not just the controls relating to how the information is
secured, but also how it is collected, used, and retained. Specifically, privacy audits address the
following three concerns:
â?¢ What type of personal information is processed and stored?
â?¢ Where is it stored?
â?¢ How is it managed?
Table 5-1 outlines guidance for privacy audits established by the American Institute of Certified
Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). This
guidance is named Generally Accepted Privacy Principles (GAPP).
A privacy audit should consider what privacy laws apply to the organization. Auditors should
consider who has responsibility for privacy within the organization. This includes the roles of
legal counsel and whether a chief privacy officer (CPO) role is established. (The CPO is a
senior-level position responsible for the overall management of an organization's privacy
program.) Finally, the policies and procedures specific to privacy should be examined.
TABLE 5-1 The Generally Accepted Privacy Principles.
Principle: Description
Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Choice and consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection: The entity collects personal information only for the purposes identified in the
Use, retention, and disposal: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as is necessary to fulfill the stated purposes.
Access: The entity provides individuals with access to their personal information for review and update.
Disclosure to third parties: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of
Security for privacy: The entity protects personal information against unauthorized access.
Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Assessing IT Security
Examining IT security is a key component of auditing IT infrastructure for compliance. An audit
can help identify fraud, ineffective IT practices, improper use of resources, and inadequate
security. Assessing IT security is largely about ensuring that adequate controls are in place.
Controls cost money, however. The selection and implementation of controls must be a result of
a consideration of risk.
Suppose you want to build a fence to protect a cow. Building the fence will cost money. Exactly
how much money it will cost might depend upon the quality and size of the fence. How much
might you be willing to spend? Of course, you should first understand why you want to protect
the cow. How valuable is this cow to you? What are you protecting the cow from? Let's assume
the cow has some type of value to you; otherwise, there would be little reason to spend money
on protecting the cow. Is a fence the only solution? Could you tie the cow to a tree instead? If
you decide to build the fence, is it strong enough? Is it high enough? Now suppose you decide to
have the security of your fence assessed. What you don't need is for the auditor to come by and
tell you what you already know: that you have a fence in place. Rather, what would be useful is
a determination of the lack of controls, the ineffectiveness of controls, or even the use of
unnecessary controls. If your cow turns out to be a bull, for example, perhaps that fence won't be
so effective. Is the fence effective against someone determined to steal the cow? To understand
these issues, consider the following:
â?¢ Is a control even required?
â?¢ How much effort or money should be spent on a control?
â?¢ Is the control effective?
Understanding the answers to these questions requires thought about risk. This is why risk
management needs to be a key part of organizations and any audit.
Managing and understanding risk is a key operating component of any organization. Risk is
about uncertainty. Yet, there will always be uncertainties across organizations. Uncertainty
presents both challenges and opportunities for companies. Risk management provides a method
for dealing with the uncertainty. This includes identifying which ones to accept and which ones
to control. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission,
which provides a framework for enterprise risk management (ERM), identifies the following
key components of ERM:
• Aligning risk appetite and strategy: This helps the organization to manage the uncertainty
with consideration of the goals of the organization.
• Enhancing risk response decisions: This improves the organization's ability to make
decisions about how to better manage risk.
• Reducing operational surprises and losses: This enhances the organization's ability to identify
potential events or threats and react appropriately.
• Identifying and managing multiple and cross-enterprise risks: This helps the organization to
consider related risks from across the organization and provides a unified response across the
• Seizing opportunities: This helps the organization to recognize events from which new
opportunities can be pursued.
• Improving deployment of capital: This improves how organizations divide their financial
resources to enhance performance and profitability.
An example of an IT risk framework compatible with ERM is ISACA's Risk IT. The Risk IT
framework has been integrated into ISACA's Control Objectives for Information and Related
Technology (COBIT) framework. Risk IT provides a comprehensive framework not just for
assessing risk, but also for governance and response. Combined with Risk IT and another
framework, Val IT, COBIT 5 provides a framework of controls to minimize as well as manage
risk. Another example of an information security risk management framework is
ISO/IEC 27005. In addition to providing guidelines for information security risk management,
this ISO standard also supports the concepts within ISO/IEC 27001.
The key component of risk management includes a risk assessment. Planning an audit of IT
infrastructure depends on this assessment. The audit plan should be prepared only after a risk
assessment is complete. The key reason for this is that the audit will focus on those areas with
the highest risk.
There are several methodologies for assessing risk specific to IT environments. NIST Special
Publication 800-30, "Risk Management Guide for Information Technology Systems," is one such
example. This guide provides a practical nine-step process, as follows:
• System characterization: Identify and understand the systems and their operating
• Threat identification: Identify potential methods or situations that could exploit a weakness.
• Vulnerability identification: Identify flaws or weaknesses that can be triggered or exploited,
which might result in a breach.
• Control analysis: Analyze controls to reduce the likelihood of a threat successfully exploiting
• Likelihood determination: Determine the likelihood of an attack by considering the
motivation and capability of the threat source along with the nature of the vulnerability in
relation to the current controls.
• Impact analysis: Determine the impact of a successful attack on a vulnerability by a threat.
Consider the mission of a system, data criticality, and data sensitivity.
• Risk determination: Consider the likelihood, magnitude of impact, and adequacy of controls
as an equation of risk.
• Control recommendations: Consider controls to reduce the level of risk to an acceptable level.
• Results documentation: Document for management the observations on threats and
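The risk determination step is what decides where audit effort goes, so it is worth seeing the equation of risk carried through on concrete findings. The following Python is an added worked example, not from the textbook and not NIST's own code, that runs steps 4 through 7 over a constructed inventory using the weights NIST SP 800-30 (2002) gives in its risk-level matrix (likelihood Low/Medium/High weighted 0.1/0.5/1.0, impact weighted 10/50/100, and the product rated Low from 1 to 10, Medium above 10 to 50, High above 50 to 100). The rule that each control the audit verified as effective lowers likelihood by one level is a simplifying assumption of this example, as are the systems, threats and controls in the sample and the Finding, assess and audit_focus names.

```python
from dataclasses import dataclass, field

# Weights from the NIST SP 800-30 (2002) risk-level matrix. Risk is likelihood
# weight times impact weight, rated Low (1 to 10), Medium (above 10 to 50) or
# High (above 50 to 100).
LEVELS = ["Low", "Medium", "High"]
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Finding:
    """One threat/vulnerability pair against one system (hypothetical record type)."""
    system: str
    threat: str                  # step 2: threat identification
    vulnerability: str           # step 3: vulnerability identification
    raw_likelihood: str          # step 5 input: threat motivation and capability, before controls
    impact: str                  # step 6: mission, data criticality, data sensitivity
    controls: list = field(default_factory=list)  # step 4: (control name, verified effective?)


def adjusted_likelihood(finding):
    """Step 5: fold control analysis into the likelihood rating.

    Simplifying assumption of this example (not prescribed by NIST): every
    control the audit verified as implemented and effective lowers likelihood
    by one level. A control that exists on paper but fails verification earns
    no credit.
    """
    level = LEVELS.index(finding.raw_likelihood)
    effective = sum(1 for _, verified in finding.controls if verified)
    return LEVELS[max(0, level - effective)]


def risk_score(finding):
    """Step 7: risk as likelihood weight times impact weight."""
    return LIKELIHOOD_WEIGHT[adjusted_likelihood(finding)] * IMPACT_WEIGHT[finding.impact]


def risk_level(score):
    """Map a numeric score back onto the NIST Low/Medium/High scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(findings):
    """Rank findings highest residual risk first; this order drives the audit plan."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "system": f.system,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "likelihood": adjusted_likelihood(f),
            "impact": f.impact,
            "score": score,
            "level": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def audit_focus(findings, minimum="Medium"):
    """Systems whose residual risk is at or above `minimum`; these get audit time first."""
    floor = LEVELS.index(minimum)
    return sorted({r["system"] for r in assess(findings) if LEVELS.index(r["level"]) >= floor})


# Constructed sample inventory for a hypothetical organization; not real data.
SAMPLE = [
    Finding("Payroll DB", "External attacker", "Unpatched database listener reachable from the LAN",
            "High", "High", [("Monthly patching", False), ("Network segmentation", False)]),
    Finding("HR file share", "Malicious insider", "Broad read access to personnel files",
            "Medium", "High", [("Quarterly access review", False)]),
    Finding("Visitor kiosk", "Vandalism", "Kiosk PC in an unattended lobby",
            "High", "Low", [("Kiosk lockdown", True), ("CCTV", True)]),
    Finding("Email gateway", "Phishing", "No attachment sandboxing",
            "High", "Medium", [("Spam filtering", True), ("User awareness training", False)]),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f'{r["level"]:6} {r["score"]:5.0f}  {r["system"]}: {r["vulnerability"]}')
    print("Audit focus:", ", ".join(audit_focus(SAMPLE)))
```

On the sample, the payroll database scores 100 (High) because neither of its documented controls survives verification, while the kiosk drops to Low because both of its controls were verified effective. That is the distinction the audit plan has to test: a control existing on paper versus a control implemented and monitored, and the ranking tells the auditor which systems to spend scarce time on first.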