Understanding and Conducting Information Systems Auditing.
Title:
Understanding and Conducting Information Systems Auditing.
Author:
Ahmed.
ISBN:
9781118343753
Personal Author:
Edition:
1st ed.
Physical Description:
1 online resource (335 pages)
Series:
Wiley Corporate F&A Ser.
Contents:
Front matter: Copyright -- Contents -- Preface -- Acknowledgments

Part One: Conducting an Information Systems Audit

Chapter 1: Overview of Systems Audit -- Information Systems Audit -- Information Systems Auditor -- Legal Requirements of an Information Systems Audit -- Systems Environment and Information Systems Audit -- Information Systems Assets -- Classification of Controls -- General Controls -- Application Controls -- Objective-Based Control Classification -- The Impact of Computers on Information -- The Impact of Computers on Auditing -- Information Systems Audit Coverage

Chapter 2: Hardware Security Issues -- Hardware Security Objective -- Asset Classification and Control -- Physical Equipment Placement and Protection -- Power Supplies -- Cabling Security -- Physical Access and Service Disruption -- Other Concerns -- Information Systems Facilities -- Peripheral Devices and Storage Media -- Management of Peripheral Devices -- Management of Removable Computer Media -- Client-Server Architecture -- Authentication Devices -- Hardware Acquisition -- Hardware Maintenance -- Management of Obsolescence -- Disposal of Equipment -- Problem Management -- Change Management -- Network and Communication Issues -- Policy on Use of Network and Network Services -- Enforced Path -- User Authentication for External Connections -- Node Authentication -- Segregation of Networks -- Network Connection Control -- Network Routing Control -- Security of Network Services -- Other Network Controls -- Network Integrity -- Network Equipment -- Change Control Procedure -- Network Monitoring -- Protection during Transmission -- Network Availability -- Wireless Network Considerations

Chapter 3: Software Security Issues -- Overview of Types of Software -- System Software -- Operating Software -- Memory Resident Programs -- Utility Programs -- Application Software -- Communication Software -- Database Management Systems -- Elements of Software Security -- Access Control -- Operational Controls -- Protection against Malicious Software -- Information Backup -- Operator's Log -- Control Issues during Installation and Maintenance -- Preimplementation Issues -- Postimplementation Issues -- Licensing Issues -- Problem and Change Management

Chapter 4: Information Systems Audit Requirements -- Risk Analysis -- Threats, Vulnerability, Exposure, Likelihood, and Attack -- Information Systems Control Objectives -- Information Systems Audit Objectives -- System Effectiveness and Efficiency -- Information Systems Abuse -- Asset Safeguarding Objective and Process -- Evidence Collection and Evaluation -- Techniques of Audit Evidence Collection -- Categories of Audit Evidence -- Logs and Audit Trails as Evidence -- Audit Trails -- System Logs

Chapter 5: Conducting an Information Systems Audit -- Audit Program -- Audit Checklists -- Resource Planning -- Consistency -- Audit Plan -- Engagement Letter -- Background Overview -- Materiality Level -- Techniques Used for Information Systems Planning -- Audit Procedures and Approaches -- System Understanding and Review -- Compliance Reviews and Tests -- Substantive Reviews and Tests -- Audit Tools and Techniques -- Testing Computer Application Program Controls -- Selecting/Monitoring Data Processing Transactions -- Data Verification -- Analyzing Application Programs -- Other Tools and Techniques -- Sampling Techniques -- Audit Questionnaire -- Audit Documentation -- Audit Report -- Auditing Approaches -- Auditing around the Computer -- Auditing with the Computer -- Auditing through the Computer -- Sample Audit Work-Planning Memo -- Audit Objectives and Scope -- Audit Process -- Testing Techniques -- Audit Team Assignment -- Activities and Deliverables -- Sample Audit Work Process Flow

Chapter 6: Risk-Based Systems Audit -- Conducting a Risk-Based Information Systems Audit -- Risk Assessment -- Risk Matrix -- Risk and Audit Sample Determination -- Sample Selection -- Audit Risk Assessment -- Audit Process and Audit Risk -- Populating a Risk Matrix -- Risk Management Strategy

Chapter 7: Business Continuity and Disaster Recovery Plan -- Business Continuity and Disaster Recovery Process -- Business Impact Analysis -- Impact Analysis -- Requirements for Recovery -- Incident Response Plan -- Disaster Recovery Plan -- Types of Disaster Recovery Plans -- Emergency Preparedness Audit Checklist -- Business Continuity Strategies -- Business Resumption Plan Audit Checklist -- Recovery Procedures Testing Checklist -- Plan Maintenance Checklist -- Vital Records Retention Checklist -- Forms and Documents -- Alternative Site Procedure -- Communication Resources -- Contingency Log -- Contingency Plan Contact Information -- Documentation List -- Emergency Procedures -- External Support Agreement -- Hardware Inventory -- Information Asset Usage Procedure -- Layout Inventory -- Software Inventory -- Team Staffing and Tasks -- Vendor Contact List

Chapter 8: Auditing in the E-Commerce Environment -- Introduction -- Objectives of an Information Systems Audit in the E-Commerce Environment -- General Overview -- Auditing E-Commerce Functions -- Preliminary Review -- Implementation -- Policies and Procedures -- Administration -- Accounting and Processing -- Legal and Regulatory Matters -- Internet Security Administration -- E-Commerce Policies and Procedures Review -- Impact of E-Commerce on Internal Control

Chapter 9: Security Testing -- Cybersecurity -- Cybercrimes -- What Is Vulnerable to Attack? -- How Cyberattacks Occur -- What Is Vulnerability Analysis? -- Steps of Vulnerability Analysis -- Types of Vulnerability -- Conducting a Vulnerability Analysis -- Cyberforensics -- Digital Evidence -- Presenting Digital Evidence in a Court of Law -- Acceptability Tests

Chapter 10: Case Study: Conducting an Information Systems Audit -- Important Security Issues in Banks -- User Access Management -- User Registration -- Authentication of Users -- Password Management System -- Limiting Sign-On Attempts -- Unattended Terminals -- Information Access Restriction -- Use of System Utilities -- Limitation of Connection Time -- Warning -- External Users -- Audit Trails -- Fault Logging -- Logging and Reviewing of Events -- Implementing an Information Systems Audit at a Bank Branch -- Special Considerations in a Core Banking System -- Migration Controls -- Day-End Controls -- Control over Periodical/Mass-Runs (System Generated Transactions) -- Control over Inter-SOL Transactions -- Control over Proxy/Parking Transactions -- Mapping of Accounts -- Application Control Review -- Database and System Administration -- Firewalls -- Help Desk -- Information Security -- Logs of Activity -- Departure from Normal Patterns -- Management Practices -- Operational Activities

Part Two: Information Systems Auditing Checklists

Chapter 11: ISecGrade Auditing Framework -- Introduction -- Licensing and Limitations -- Methodology -- Domains -- Grading Structure -- Selection of Checklist -- Format of Audit Report -- Using the Audit Report Format

Chapter 12: ISecGrade Checklists -- Checklist Structure -- Information Systems Audit Checklists

Chapter 13: Session Quiz -- Chapter 1: Overview of Systems Audit -- Chapter 2: Hardware Security Issues -- Chapter 3: Software Security Issues -- Chapter 4: Information Systems Audit Requirements -- Chapter 5: Conducting an Information Systems Audit -- Chapter 6: Risk-Based Systems Audit -- Chapter 7: Business Continuity and Disaster Recovery Plan -- Chapter 8: Auditing in the E-Commerce Environment -- Chapter 9: Security Testing

Back matter: About the Authors -- About the Website -- Index.
Abstract:
A comprehensive guide to understanding and auditing modern information systems. The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of those resources. One of the biggest challenges faced by auditors is the lack of a standardized approach and relevant checklists. Understanding and Conducting Information Systems Auditing brings together resources with audit tools and techniques to solve this problem. Featuring examples that are globally applicable and covering all major standards, the book takes a non-technical approach to the subject and presents information systems as a management tool with practical applications. It explains in detail how to conduct information systems audits and provides the tools and checklists needed to do so. It also introduces the concept of information security grading, to help readers implement practical changes and solutions in their organizations. The book includes everything needed to perform information systems audits. It is organized into two sections: the first helps readers develop the understanding necessary for conducting information systems audits, and the second provides checklists for those audits. Its examples are designed to appeal to a global audience. Taking a non-technical approach that makes it accessible to readers of all backgrounds, Understanding and Conducting Information Systems Auditing is an essential resource for anyone auditing information systems.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.