IT Auditing, Second Edition Reviews
“This guidance will enable an auditor to properly determine the scope of the control
environment and residual risks. The authors present the information in an easy-toconsume but comprehensive format that generates both thought and action.”
—Kurt Roemer, Chief Security Strategist
Citrix
“IT Auditing, Second Edition is a must-have resource for auditors in today’s complex
computing world. This book is filled with the essential how-to guidance necessary to
effectively audit today’s technology.”
—Shawn Irving, Sr Manager IT Security Standards & Compliance
Southwest Airlines – Information Technology
“Traditional IT audits have focused on enterprise systems using enterprise-based tools. As
enterprise systems move to outsourced and cloud-based services, new cloud-based tools
are needed to audit these distributed systems. Either enterprise vendors will rewrite their
tools to address cloud-based systems or new and existing cloud-based tools will be used
to assist auditors with these distributed systems. The book gives good insights on how to
address these new challenges and provides recommendations on auditing cloud-based
services.”
—Matthew R. Alderman, CISSP, Director, Product Management
Qualys, Inc.
“An essential contribution to the security of Information Systems in the dawn of a
wide-spread virtualized computing environment. This book is crucial reading for anyone
responsible for auditing information systems.”
—Peter Bassill CISSP, CITP
ISACA Security Advisory Group and CISO of Gala Coral Group
“We used the first edition in the graduate IT Audit and Risk Management class during
the past year, and it was an outstanding resource for students with diverse backgrounds.
I am excited about the second edition as it covers new areas like cloud computing and
virtualized environments, along with updates to reflect emerging issues. The authors have
done a great job at capturing the essence of IT risk management for individuals with all
levels of IT knowledge.”

—Mark Salamasick, Director of Center for Internal Auditing Excellence
University of Texas at Dallas School of Management
“This book is indispensible. It is comprehensive, well laid out, and easy to follow, with
clear explanations and excellent advice for the auditor. This new edition is timely and will
be particularly useful for those encountering the latest developments of the industry as it
continues to evolve.”
—Mark Vincent, CISSP
ISO for Gala Coral Group


This page intentionally left blank


IT Auditing: Using
Controls to Protect
Information Assets
Second Edition

Chris Davis
Mike Schiller
with Kevin Wheeler

New York • Chicago • San Francisco • Lisbon
London • Madrid • Mexico City • Milan • New Delhi
San Juan • Seoul • Singapore • Sydney • Toronto


Copyright © 2011 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no
part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher.

ISBN: 978-0-07-174239-9
MHID: 0-07-174239-5
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174238-2,
MHID: 0-07-174238-7.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name,
we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where
such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any
information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGrawHill”) and its licensors reserve all rights in and to the work. Use of
this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work,
you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate,
sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial
and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these
terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND
EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor
its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances
shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from
the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall
apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.



Stop Hackers in Their Tracks

Hacking Exposed,
6th Edition

Hacking Exposed
Malware & Rootkits

Hacking Exposed Computer
Forensics, 2nd Edition

24 Deadly Sins of
Software Security

Hacking Exposed Wireless,
2nd Edition

Hacking Exposed:
Web Applications, 3rd Edition

Hacking Exposed Windows,
3rd Edition

Hacking Exposed Linux,
3rd Edition

Hacking Exposed Web 2.0


IT Auditing,
2nd Edition

IT Security Metrics

Gray Hat Hacking,
3rd Edition

Available in print and ebook formats
Follow us on Twitter @MHComputing


REGULATIONS
STANDARDS
ANDGUIDELINES


!CROSSCOUNTRIES



 OVERLAPPINGCONTROLS

7EATHER THE#OMPLIANCE3TORM

4HE5NIFIED#OMPLIANCE&RAMEWORK ISTHEONLY
COMPLIANCEDATABASETHATREDUCESTHEREGULATORY
WHIRLWINDTOAMUCHSMALLERSETOFHARMONIZED
CONTROLSTHATCLEARLYSHOWTHEMANYPOINTSWHERE
GLOBAL

STATE
ANDINDUSTRYREGULATIONSOVERLAP

-EETINGYOURCOMPLIANCEREQUIREMENTS
HASNEVERBEENTHISSTRAIGHTFORWARD

6ISITOURWEBSITEANDCHECKOUTTHE5#&FOR&REE


WWWUNIFIEDCOMPLIANCECOM


To *my Sarah* and our wonderful children Joshua, Caleb, and Kelsea.
This project is the culmination of far too many hours away from you.
Thank you for your incredible love and support. I love you!
—Chris

To Steph, Grant, and Kate—this book was possible
only because of your love, patience, and support.
I’m amazed every day by how lucky I am
and by the joy you bring to my life.
—Mike


ABOUT THE AUTHORS
Chris Davis, MBA, CISA, CISSP, CCNP, has trained and presented in information security, forensic analysis, hardware security design, auditing, and certification curriculum
for government, corporate, and university requirements. He was part of the writing
teams responsible for Hacking Exposed Computer Forensics (McGraw-Hill Professional,
2009, 2004), Anti-Hacker Toolkit (McGraw-Hill Professional, 2006, 2003), and the first
edition of IT Auditing (McGraw-Hill Professional, 2006). He also contributed to other
titles, such as Digital Crime and Forensic Science in Cyberspace (Idea Group Publishing,

2006) and Computer Security Handbook, 5th Edition (Wiley, 2009). His contributions
include projects and presentations for PCI-SSC Virtualization Special Interest Group,
ISACA, Spice World, SANS, Gartner, Harvard, Black Hat, CEIC, and 3GSM. He is an
adjunct professor for Southern Methodist University and has enjoyed positions at
Accudata Systems, ForeScout, and Texas Instruments. Chris holds a bachelor’s degree in
nuclear engineering technologies from Thomas Edison State College and a master’s in
business from the University of Texas at Austin, where he specialized in information
security. Chris served eight years in the U.S. Naval Submarine Fleet onboard the
“special projects” submarine NR-1 and the ballistic missile submarine USS Nebraska,
where delivery was guaranteed in 30 minutes or less.
Mike Schiller, CISA, has more than 15 years of experience in the IT audit field, including positions as the worldwide IT audit manager at Texas Instruments (TI) and as the IT
audit manager at The Sabre Group. He is an active speaker on IT auditing, including
conferences such as CACS, InfoSec World, and ASUG (Americas’ SAP Users’ Group),
and has been an instructor of IT audit curriculum at Southern Methodist University.
Mike is currently a leader of IT operations at Texas Instruments, with responsibility for
the company’s server, database, and storage infrastructure organization. He also has led
departments such as the company’s data center operations, IT asset management, central help desk, web application support, and PC support functions. In addition to his
years of experience in corporate management, Mike is also involved in leadership at his
church, Richardson East Church of Christ. He has a bachelor’s degree in business analysis from Texas A&M University. Mike enjoys watching baseball in his spare time and
has attended games in every major league stadium. His baseball allegiance is to the
Texas Rangers and Cincinnati Reds. Mike’s son, Grant, is a well-known baseball blogger
(see ) and was named 2005 Texas Rangers Fan
of the Year. Mike’s daughter, Kate, is a soon-to-be-famous artist.

About the Contributing Authors
Stacey Hamaker, CIA, CISA, is the president of Shamrock Technologies, which provides enterprise-class IT consulting to Fortune 500 companies, midsized firms, and the
public sector. Stacey has been heavily involved in regulatory compliance initiatives
since the inception of the Sarbanes-Oxley Act of 2002. She serves on the board of the
North Texas chapter of ISACA (formerly Information Systems Audit and Control Association) and is active in the Institute of Internal Auditors (IIA). Her numerous articles
on Enterprise and IT Governance have been published in such industry publications as



the IS Control Journal. Stacey’s speaking engagements span local, national, and international venues. She received her MBA in MIS from the University of Texas at Arlington
and her undergraduate degree in accounting from Marietta College in Ohio.
Aaron Newman is the founder and chief technology officer of Application Security, Inc.
(AppSecInc). Widely regarded as one of the world’s foremost database security experts,
Aaron coauthored the Oracle Security Handbook for Oracle Press and holds patents in database encryption and monitoring. Prior to founding AppSecInc, Aaron founded several
other companies in the technology area, including DbSecure, the pioneers in database
security vulnerability assessment, and ACN Software Systems, a database security consulting firm. Aaron has spent the last decade managing and designing database security solutions, researching database vulnerabilities, and pioneering new markets in database
security. Aaron has held several other positions in technology consulting with Price Waterhouse, Internet Security Systems, Intrusion Detection Inc., and Banker’s Trust.
Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense, an
information security consultancy. Kevin’s project and employment portfolio includes
organizations such as Bank of America, EDS, McAfee, Southern Methodist University,
and the State of Texas. He has performed information security audits and assessments
as well as information security design, computer incident response, business continuity
planning, and IT security training for both government and commercial entities in the
financial services, healthcare, and IT services industries. He holds a bachelor of business
administration degree from Baylor University and is an active member of ISSA, ISACA,
Infragard, the North Texas Electronic Crimes Task Force, and Greater Dallas Chamber
of Commerce.

About the Second Edition Technical Reviewers
Michael Cox currently works as a network security engineer for Texas Instruments,
where he has also worked as an IT auditor developing numerous audit programs and
automated audit tools. Prior to this, he worked as a network engineer for Nortel, and
he enjoys doing Linux sysadmin work whenever he can get it. Michael holds the CISSP
certification and has a bachelor of arts degree in history from Abilene Christian University. Michael also served as a technical reviewer for the first edition of this book.
Mike Curry, CISA, has more than 15 years of service at Texas Instruments, the last 12 of
which have been spent performing internal audits. Working as a Senior IT Auditor, he
is responsible for leading audits evaluating internal controls and security over operating systems, database management systems, networks, system applications and related

processes, and assessing compliance with relevant standards and regulations.
Vishal Mehra is currently responsible for the engineering and strategy of server, storage,
security, and database infrastructure at Texas Instruments and holds the title of senior
member of technical staff. He has worked at the company for more than 10 years and
has held numerous positions ranging from web application development, to complex
application/infrastructure architectures, to global infrastructure operations. As part of
his current role, Vishal is also heavily involved in operating system, computing, storage,
virtualization, and data protection strategies for Texas Instruments. Vishal has an MS in
computer science from University of Houston, Clear Lake.


About the First Edition Technical Reviewers
Barbara Anderson, CCSP, CISSP, CCNP, CCDP, has worked in the information technology industry as a network and server security professional for more than 12 years.
During that time, she has acted as a senior network security engineer, providing consulting and support for all aspects of network and security design. Barbara comes from
a strong network security background and has extensive experience in enterprise design, implementation, and lifecycle management. Barbara proudly served her country
for four years in the United States Air Force and has enjoyed successful positions at
EDS, SMU Fujitsu, ACS, and Fishnet Security. These experiences and interactions have
allowed her to become an expert in enterprise security, product deployment, and product training.
Tim Breeding, CISA, CGEIT, currently serves as senior director of U.S. Transformation
Systems at Wal-Mart Stores, Inc., where his responsibilities include ensuring U.S. business user engagement in the software development lifecycle and user readiness to receive major transformational systems. Previously, Tim served as the director of
information systems audit at Wal-Mart Stores, Inc. His responsibilities included oversight of project teams that assess information technology risks and mitigation strategies
from both an audit and consulting capacity. Prior to joining Wal-Mart, Tim served
Southwest Airlines as systems audit manager for more than 6 years. At Southwest Airlines, Tim presided over substantial growth of the IS audit function. Before joining
Southwest Airlines, Tim served more than 13 years in several capacities at Texas Instruments. His responsibilities included computer operations, software development, software quality assurance, and IS audit.
Subesh Ghose has worked for Texas Instruments for the past 13 years in various IT
roles. Starting in IT audit, he led audits reviewing the internal controls of various data
centers, ERP implementations, and infrastructure environments. As part of his role, he
was responsible for designing and implementing audit methodologies for various technical platforms and performing project reviews to provide internal control guidance
early in the project development lifecycle. Since then, he has managed functions in IT
security and security infrastructure, where he oversaw the architecture/process development for securing external collaborative engagements, development of security controls

in enterprise projects, and operations supporting Texas Instruments’ enterprise identity
management systems. Currently, Subesh manages the infrastructure supporting Texas
Instruments’ global manufacturing operations. Subesh has an MS in computer science
from Southern University.
Keith Loyd, CISSP, CISA, worked for 7 years in the banking industry, where he developed technology solutions for stringent legislative business requirements. He was responsible for implementing and testing networking solutions, applications, hardened
external-facing platforms, databases, and layered mechanisms for detecting intrusion.
After moving to Texas Instruments, Keith primarily dealt with vulnerability and quality
testing new applications and projects, worldwide incident response, and civil investigations. He earned a BS in information technology from Cappella University and an MS
in information assurance from Norwich University. Keith passed away after the first
edition of this book was published and is greatly missed.


CONTENTS AT A GLANCE

Part I

Audit Overview

...................................

Chapter 1

Building an Effective Internal IT Audit Function

Chapter 2

The Audit Process

PART II


1

...............

3

......................................

35

Auditing Techniques

................................
............................

61

Chapter 3

Auditing Entity-Level Controls

Chapter 4

Auditing Data Centers and Disaster Recovery

Chapter 5

Auditing Routers, Switches, and Firewalls

Chapter 6


Auditing Windows Operating Systems

Chapter 7

Auditing Unix and Linux Operating Systems

.................

171

Chapter 8

Auditing Web Servers and Web Applications

.................

219

Chapter 9

Auditing Databases

.....................................

237

.......................................

263


................

85

....................

119

......................

143

Chapter 10

Auditing Storage

Chapter 11

Auditing Virtualized Environments

Chapter 12

Auditing WLAN and Mobile Devices

Chapter 13

Auditing Applications

Chapter 14


Auditing Cloud Computing and Outsourced Operations

Chapter 15

Auditing Company Projects

PART III

63

..........................

279

.......................

295

....................................

315

.......

337

...............................

367


Frameworks, Standards, and Regulations

Chapter 16

Frameworks and Standards

Chapter 17

Regulations

Chapter 18

Risk Management

. . . . . . . . . . . . . . . . 391

...............................

393

............................................

415

.......................................

439

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


459

ix


This page intentionally left blank


CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii

Part I
Chapter 1

Chapter 2

Audit Overview

...................................

Building an Effective Internal IT Audit Function

1

...............

3


Independence: The Great Myth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Consulting and Early Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Four Methods for Consulting and Early Involvement . . . . . . . . . . . . .
Early Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Informal Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Self-Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Final Thoughts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Relationship Building: Partnering vs. Policing . . . . . . . . . . . . . . . . . . .
Learning to Build Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Role of the IT Audit Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Application Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Extraction and Analysis Specialists . . . . . . . . . . . . . . . . . . .
IT Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Forming and Maintaining an Effective IT Audit Team . . . . . . . . . . . . .
Career IT Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IT Professionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Career IT Auditors vs. IT Professionals: Final Thoughts . . . . . . .
Cosourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Maintaining Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sources of Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Relationship with External Auditors . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5
7
9
9
11

14
16
17
17
18
21
22
23
24
25
25
27
28
30
30
31
33
34

The Audit Process

......................................

35

Internal Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Internal Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Internal Control Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Determining What to Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating the Audit Universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Ranking the Audit Universe . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Determining What to Audit: Final Thoughts . . . . . . . . . . . . . . . .

35
36
37
38
38
40
42

xi


IT Auditing: Using Controls to Protect Information Assets, Second Edition

xii

PART II
Chapter 3

Chapter 4

Chapter 5

The Stages of an Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Fieldwork and Documentation . . . . . . . . . . . . . . . . . . . . . . . . . .
Issue Discovery and Validation . . . . . . . . . . . . . . . . . . . . . . . . . .
Solution Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Report Drafting and Issuance . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Issue Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

43
43
46
47
48
52
58
59
59

Auditing Techniques

61

.....................................

Auditing Entity-Level Controls

............................

63

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Entity-Level Controls . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Master Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Entity-Level Controls . . . . . . . . . . . . . . . . . . . . . . . . . . .

63
64
82
82
82

Auditing Data Centers and Disaster Recovery

................

85

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Center Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Physical Security and Environmental Controls . . . . . . . . . . . . . .
System and Site Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Center Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Disaster Preparedness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Data Centers . . . . . . . . . . . . . . . . . . . . . . . . . . .
Neighborhood and External Risk Factors . . . . . . . . . . . . . . . . . .
Physical Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Environmental Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Power and Electricity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Fire Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Center Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Disaster Recovery Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Data Centers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

85
85
87
88
89
89
89
90
93
98
100
103
106
111
112
113
115
116
116

Auditing Routers, Switches, and Firewalls

....................

119


Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OSI Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Routers and Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

119
120
120
121
122
124


Contents

xiii
Auditing Switches, Routers, and Firewalls . . . . . . . . . . . . . . . . . . . . . . .
General Network Equipment Audit Steps . . . . . . . . . . . . . . . . . .
Additional Switch Controls: Layer 2 . . . . . . . . . . . . . . . . . . . . . .
Additional Router Controls: Layer 3 . . . . . . . . . . . . . . . . . . . . . .
Additional Firewall Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
General Network Equipment Audit Steps . . . . . . . . . . . . . . . . . .
Auditing Layer 2 Devices: Additional Controls for Switches . . .
Auditing Layer 3 Devices: Additional Controls for Routers . . . .

Auditing Firewalls: Additional Controls . . . . . . . . . . . . . . . . . . .

Chapter 6

Chapter 7

Auditing Windows Operating Systems

126
126
133
136
138
139
140
140
140
141
142
142

......................

143

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Windows Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Command-Line Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Essential Command-Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . .
Common Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Server Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Performing the Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setup and General Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Review Services, Installed Applications, and Scheduled Tasks . .
Account Management and Password Controls . . . . . . . . . . . . . .
Review User Rights and Security Options . . . . . . . . . . . . . . . . . .
Network Security and Controls . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Vulnerability Scanning and Intrusion Prevention . . . .
How to Perform a Simplified Audit of a Windows Client . . . . . . . . . .
Tools and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Windows Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Windows Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

143
144
145
145
146
146
148
148
148
151
154
158
159
162

164
167
168
168
169
170

Auditing Unix and Linux Operating Systems

.................

171

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Unix and Linux Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Key Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File System Layout and Navigation . . . . . . . . . . . . . . . . . . . . . . .
File System Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Users and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Unix and Linux . . . . . . . . . . . . . . . . . . . . . . . . .
Account Management and Password Controls . . . . . . . . . . . . . .
File Security and Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Security and Controls . . . . . . . . . . . . . . . . . . . . . . . . . .

171
172
173
173
176

177
180
180
181
191
197


IT Auditing: Using Controls to Protect Information Assets, Second Edition

xiv

Chapter 8

Chapter 9

Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Security Monitoring and General Controls . . . . . . . . . . . . . . . . .
Tools and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Nessus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
NMAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chkrootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Crack and John the Ripper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tiger and TARA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Shell/Awk/etc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Account Management and Password Controls . . . . . .
Auditing File Security and Controls . . . . . . . . . . . . . . . . . . . . . . .
Auditing Network Security and Controls . . . . . . . . . . . . . . . . . . .

Auditing Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Security Monitoring and General Controls . . . . . . . . .

207
210
212
212
213
213
213
213
213
214
215
215
216
216
217
217

Auditing Web Servers and Web Applications

.................

219

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Web Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
One Audit with Multiple Components . . . . . . . . . . . . . . . . . . . .
Part 1: Test Steps for Auditing the Host Operating System . . . . . . . . . .

Part 2: Test Steps for Auditing Web Servers . . . . . . . . . . . . . . . . . . . . . .
Part 3: Test Steps for Auditing Web Applications . . . . . . . . . . . . . . . . .
Additional Steps for Auditing Web Applications . . . . . . . . . . . .
Tools and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

219
219
220
221
221
224
232
234
235
236
236
236

Auditing Databases

.....................................

237

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Database Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Common Database Vendors . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Database Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setup and General Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Operating System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Account and Permissions Management . . . . . . . . . . . . . . . . . . . .
Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Monitoring and Management . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Monitoring Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

237
238
238
241
245
246
247
249
255
256
258
258
258
259


Contents


xv
Master Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 10

Chapter 11

Chapter 12

Auditing Storage

261
261

.......................................

263

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Storage Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Key Storage Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Key Storage Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setup and General Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Storage Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

263
264
264
267
269
270
271
272
274
276
277

Auditing Virtualized Environments

..........................

279

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Commercial and Open Source Projects . . . . . . . . . . . . . . . . . . . .
Virtualization Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setup and General Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Account and Resource Provisioning and Deprovisioning . . . . .
Virtual Environment Management . . . . . . . . . . . . . . . . . . . . . . .
Additional Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hypervisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

279
280
280
282
282
284
285
288
292
292
292
293

Auditing WLAN and Mobile Devices

.......................

295

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
WLAN Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data-Enabled Mobile Devices Background . . . . . . . . . . . . . . . . .
WLAN and Mobile Device Auditing Essentials . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Wireless LANs . . . . . . . . . . . . . . . . . . . . . . . . . .
Part 1: WLAN Technical Audit . . . . . . . . . . . . . . . . . . . . . . . . . . .
Part 2: WLAN Operational Audit . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . .

Part 1: Mobile Device Technical Audit . . . . . . . . . . . . . . . . . . . . .
Part 2: Mobile Device Operational Audit . . . . . . . . . . . . . . . . . .
Additional Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Wireless LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

295
295
298
298
299
299
304
306
307
309
311
311
312
312
312
312


IT Auditing: Using Controls to Protect Information Assets, Second Edition

xvi

Chapter 13

Chapter 14

Chapter 15

Auditing Applications

....................................

315

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Application Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Generalized Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Input Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Interface Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Audit Trails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Software Change Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Backup and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Retention and Classification and User Involvement . . . . .
Operating System, Database, and Other Infrastructure
Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Application Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


315
316
316
319
321
321
323
324
325
329
331
332

Auditing Cloud Computing and Outsourced Operations

333
334
334
334

.......

337

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IT Systems and Infrastructure Outsourcing . . . . . . . . . . . . . . . . .
IT Service Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Other Considerations for IT Service Outsourcing . . . . . . . . . . . .
SAS 70 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Cloud Computing and Outsourced

Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Preliminary and Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Vendor Selection and Contracts . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Legal Concerns and Regulatory Compliance . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Cloud Computing and Outsourced Operations . . . . .

337
338
343
344
345

Auditing Company Projects

346
346
349
351
358
362
364
365
365

...............................


367

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Project Auditing Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
High-Level Goals of a Project Audit . . . . . . . . . . . . . . . . . . . . . . .
Basic Approaches to Project Auditing . . . . . . . . . . . . . . . . . . . . .
Seven Major Parts of a Project Audit . . . . . . . . . . . . . . . . . . . . . .
Test Steps for Auditing Company Projects . . . . . . . . . . . . . . . . . . . . . . .
Overall Project Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Project Start-up: Requirements Gathering and Initial Design . .
Detailed Design and System Development . . . . . . . . . . . . . . . . .
Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

367
368
368
369
370
371
371
375
380
381


Contents

xvii
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Project Wrap-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Master Checklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Overall Project Management . . . . . . . . . . . . . . . . . . . . .
Auditing Project Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Detailed Design and System Development . . . . . . . . .
Auditing Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Project Wrap-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

PART III
Chapter 16

Chapter 17

Frameworks, Standards, and Regulations
Frameworks and Standards

384
386
387
387
387
388
388
389
389
389
390

390

. . . . . . . . . . . . . . . . 391

...............................

393

Introduction to Internal IT Controls, Frameworks, and Standards . . .
COSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
COSO Definition of Internal Control . . . . . . . . . . . . . . . . . . . . .
Key Concepts of Internal Control . . . . . . . . . . . . . . . . . . . . . . . .
Internal Control—Integrated Framework . . . . . . . . . . . . . . . . . .
Enterprise Risk Management—Integrated Framework . . . . . . . .
Relationship Between Internal Control and Enterprise
Risk-Management Publications . . . . . . . . . . . . . . . . . . . . . . . .
COBIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
COBIT Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IT Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IT Governance Maturity Model . . . . . . . . . . . . . . . . . . . . . . . . . .
The COSO-COBIT Connection . . . . . . . . . . . . . . . . . . . . . . . . . .
COBIT 5.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ITIL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ITIL Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ISO 27001 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ISO 27001 Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
NSA INFOSEC Assessment Methodology . . . . . . . . . . . . . . . . . . . . . . .
NSA INFOSEC Assessment Methodology Concepts . . . . . . . . . .
Pre-assessment Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
On-Site Activities Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Post-assessment Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Frameworks and Standards Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

393
394
395
395
395
397

Regulations

............................................

415

An Introduction to Legislation Related to Internal Controls . . . . . . . .
Regulatory Impact on IT Audits . . . . . . . . . . . . . . . . . . . . . . . . . .
History of Corporate Financial Regulation . . . . . . . . . . . . . . . . .

415
416
416

400
401
401
403
404

405
405
407
408
408
409
410
410
410
411
411
411
412