Planning an IT Infrastructure Audit for Compliance

This paper presents an IT infrastructure audit plan. Its purpose is to evaluate the current and emerging technology trends of the information technology industry of the USA. It was prepared from secondary research sources and other published material. The paper concentrates on describing the IT infrastructure followed within the US IT industry and the measures companies take to avoid risk and maintain privacy. Readers interested in the information technology industry can use it to gain a working knowledge of the IT infrastructure audit for compliance.

Identifying Critical Requirements for the Audit

An information technology audit is an examination of an organisation's operations, IT systems, management, and related processes. It is required to confirm that security controls are implemented and correctly classified. Through the IT audit, information technology companies verify their general application, management, technical, and operational controls over different functions (Audit, 2015). The audit is also necessary because it gives assurance that IT systems operate as intended and provide the reliable information required by users and other stakeholders. Finally, the audit checks both the implementation and the classification of security controls, reducing the risk of data tampering and of poorly managed IT systems.

Protecting Privacy Data

US information technology organisations apply the Generally Accepted Privacy Principles to protect personal data and the security assets and databases that hold it. The principles include the following:
Management: the organisation defines, documents, communicates, and assigns accountability for its privacy policies and procedures (Bik, 2018).
Notice: the organisation provides notice of its privacy policies and procedures, both to its employees and to the individuals whose data it processes.
The remaining principles followed by the US IT industry are choice and consent, retention, access, security for privacy, quality, and disclosure to third parties.

Assessing IT Security

To assess and maintain IT security, the US information technology industry uses a range of methods and techniques. The first is Enterprise Risk Management (ERM), an organisation-wide approach to managing risk. ERM establishes an integrated framework that helps IT organisations maintain IT security and comply with the US Sarbanes-Oxley Act (Chou, 2015). Other assessment tools are impact assessment and likelihood assessment. Impact assessment estimates the degree of harm or loss that would result from the exploitation of a security vulnerability; likelihood assessment estimates the probability of a threat occurring. Together, the two produce the risk rating used to prioritise controls.

IT Risk Framework Compatible with ERM is ISACA’s Risk IT

US information technology companies can also assess IT security with ISACA's Risk IT framework, which is designed to be compatible with ERM and to integrate IT risk into it. The framework states the Risk IT principles against which an organisation's risk practice can be evaluated: connect to business objectives, align IT risk management with ERM, balance the cost and benefit of managing IT risk, promote fair and open communication, establish the tone at the top and accountability, and function as part of daily activities (Graham, 2015). Applying these principles produces a more consistent IT security analysis that benefits the organisation. The following figure illustrates the IT risk framework used by the information technology industry of the USA:

Methodologies for assessing risk specific to IT Environments

Gomez (2015) notes that a number of methodologies can be used to evaluate risk specific to IT environments. The steps are system characterisation, control analysis, vulnerability identification, likelihood determination, impact analysis, results documentation, control recommendations, and risk determination. All of these are specific to IT environments and widely used in the US IT industry. Of them, likelihood determination and vulnerability identification are applied most often, because they bridge the gap between detailed IT risk management and generic risk management frameworks.

Evaluating Risk Equation

Risk can be expressed with the following equation:
Risk = Threat × Vulnerability × Cost (Hess, 2015)

Here threat is the frequency of potentially adverse events, vulnerability is the likelihood that a given threat succeeds, and cost is the total impact of a successful event. Because the three factors multiply, a risk is reduced by lowering any one of them: deterring the threat, closing the vulnerability, or limiting the loss.
US IT organisations rely on a threat analysis framework to enumerate the threats that enter the equation. It is a key component of the risk analysis performed against a system and groups threat sources into four categories: adversarial, accidental, structural, and environmental. Covering all four ensures that the risk equation is evaluated against the full range of threats rather than only deliberate attacks.

Vulnerability Analysis

Vulnerability analysis follows risk analysis. Its purpose is to establish the potential loss from a successful attack against each identified weakness. Organisations carry it out through several strategies and tasks (Lins, 2016). The first is to consult the vulnerability databases and lists of affected products published by other organisations in the IT industry. The second is to track vendor security advisories. The third is to analyse systems and software with automated scanning tools.

Risk Assessment Analysis

Determining the level of risk is as important as determining vulnerabilities. For each threat and vulnerability pair, US IT organisations determine the risk through three functions.
The first is determining the likelihood that the threat exploits the given vulnerability.
The second is determining the impact on the organisation if the threat succeeds against that vulnerability (Madi, 2016).
The third is a control-sufficiency analysis: assessing whether existing or proposed controls reduce or eliminate the risk to an acceptable level.
With these three functions, organisations can assign each risk a level, decide which risks need treatment, and maintain compliant operation in the jurisdiction where they do business.
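The equation and the three assessment functions above, carried through on a constructed risk register. This is an added illustration, not code or data from the paper: the register entries, the level thresholds, and the risk appetite are assumptions chosen for the example. Threat is taken as an annual event frequency, vulnerability as the probability that one event succeeds, and cost as the loss per successful event, so the product is an annualised loss; existing controls are credited by reducing the vulnerability term.

```python
"""Worked example of Risk = Threat x Vulnerability x Cost (added illustration).

Threat is the annual frequency of the adverse event, Vulnerability the
probability a single event succeeds, Cost the loss per successful event.
The three assessment functions from the text (likelihood, impact, control
sufficiency) are applied to a constructed register; the level thresholds and
the risk appetite are assumptions for illustration only.
"""
from dataclasses import dataclass

THREAT_SOURCES = ("adversarial", "accidental", "structural", "environmental")


@dataclass
class RiskItem:
    name: str
    threat_freq: float            # adverse events per year (Threat)
    vuln_prob: float              # probability one event succeeds (Vulnerability)
    cost: float                   # loss per successful event in USD (Cost)
    control_effectiveness: float  # fraction of vuln_prob removed by existing controls
    threat_source: str            # one of THREAT_SOURCES

    def __post_init__(self):
        if self.threat_source not in THREAT_SOURCES:
            raise ValueError(f"unknown threat source: {self.threat_source!r}")
        if not (0.0 <= self.vuln_prob <= 1.0 and 0.0 <= self.control_effectiveness <= 1.0):
            raise ValueError("vuln_prob and control_effectiveness must be probabilities")


def inherent_risk(item):
    """Risk = Threat x Vulnerability x Cost, before any controls are credited."""
    return item.threat_freq * item.vuln_prob * item.cost


def residual_risk(item):
    """Same equation with the vulnerability term reduced by existing controls."""
    return item.threat_freq * item.vuln_prob * (1.0 - item.control_effectiveness) * item.cost


def likelihood_level(item):
    """Function 1: likelihood that the threat exploits the vulnerability in a year."""
    successes_per_year = item.threat_freq * item.vuln_prob * (1.0 - item.control_effectiveness)
    if successes_per_year >= 1.0:
        return "high"
    if successes_per_year >= 0.1:
        return "medium"
    return "low"


def impact_level(item):
    """Function 2: impact of one successful event (assumed USD bands)."""
    if item.cost >= 100_000:
        return "high"
    if item.cost >= 25_000:
        return "medium"
    return "low"


def control_sufficient(item, risk_appetite):
    """Function 3: do existing controls bring residual risk within appetite?"""
    return residual_risk(item) <= risk_appetite


def assess(register, risk_appetite):
    """Rate every item and order by residual risk so treatment can be prioritised."""
    rows = []
    for item in register:
        rows.append({
            "name": item.name,
            "threat_source": item.threat_source,
            "inherent": inherent_risk(item),
            "residual": residual_risk(item),
            "likelihood": likelihood_level(item),
            "impact": impact_level(item),
            "controls_sufficient": control_sufficient(item, risk_appetite),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed register covering the four threat-source categories.
REGISTER = [
    RiskItem("Phishing leading to credential theft", 12, 0.20, 50_000, 0.75, "adversarial"),
    RiskItem("Unpatched public web server", 50, 0.05, 200_000, 0.50, "adversarial"),
    RiskItem("Accidental deletion of backups", 2, 0.10, 80_000, 0.90, "accidental"),
    RiskItem("Storage controller firmware fault", 0.5, 0.50, 30_000, 0.60, "structural"),
    RiskItem("Data centre power outage", 1, 0.30, 40_000, 0.80, "environmental"),
]
RISK_APPETITE = 25_000  # assumed: maximum acceptable annualised loss per risk

if __name__ == "__main__":
    for row in assess(REGISTER, RISK_APPETITE):
        print(f"{row['name']:<38} inherent={row['inherent']:>10,.0f} "
              f"residual={row['residual']:>10,.0f} L={row['likelihood']:<6} "
              f"I={row['impact']:<6} controls_ok={row['controls_sufficient']}")
```

Run as a script, it lists the register in treatment order: the web server (residual 250,000) and phishing (30,000) both exceed the assumed appetite even after existing controls, so the control-sufficiency function marks them for further treatment, while the three remaining items fall within appetite.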

Configuration Documentation for IT Infrastructure

Configuration documentation is actively maintained in the US IT industry. Organisations produce it to understand the types of resources under management and the characteristics that must be recorded in a configuration management system. For IT infrastructure, the documentation records, per host, the hostname, Internet Protocol (IP) addresses, patch level, operating system, hardware specification, password settings, audit log settings, and user accounts (Rasheed, 2014). Documenting each item gives the auditor a baseline against which the actual configuration of the infrastructure can be verified.
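How an auditor uses such documentation in practice: the documented baseline for a host is compared with observed evidence, and every deviation becomes a finding. The following is an added example, not the paper's own material: the baseline values, the `/etc/passwd` excerpt, and the key=value configuration dump are all constructed, and the dump format is an assumed output of an evidence-collection script rather than any real tool's format.

```python
"""Configuration-baseline verification for an infrastructure audit (added example).

The documented baseline for one host (hostname, OS, patch level, IP addresses,
password and audit-log settings, user accounts) is compared with observed
evidence and every deviation is returned as a finding. The baseline, the
/etc/passwd excerpt and the key=value dump are constructed for illustration.
"""

# Documented baseline for one host (constructed).
BASELINE = {
    "hostname": "web-01",
    "os": "Ubuntu 22.04",
    "patch_level": "2024-03",            # YYYY-MM of the last approved patch set
    "ip_addresses": {"10.0.1.10"},
    "password": {"min_length": 14, "max_age_days": 90},
    "audit_log": {"enabled": True, "retention_days": 365},
    "accounts": {"root", "deploy"},      # in-scope accounts: uid 0 or uid >= 1000
}

# Observed evidence (constructed): an /etc/passwd excerpt and a flat dump of
# the settings an evidence-collection script would record (assumed format).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
backup-tmp:x:1002:1002::/home/backup-tmp:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

CONFIG_DUMP_SAMPLE = """\
hostname=web-01
os=Ubuntu 22.04
patch_level=2024-01
ip_addresses=10.0.1.10,10.0.1.11
password.min_length=8
password.max_age_days=90
audit_log.enabled=true
audit_log.retention_days=365
"""


def parse_passwd(text):
    """Return {login: uid} for accounts in audit scope (uid 0 or uid >= 1000)."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment, blank or malformed line: not a valid entry
        login, uid = fields[0], int(fields[2])
        if uid == 0 or uid >= 1000:
            accounts[login] = uid
    return accounts


def parse_config_dump(text):
    """Parse key=value lines into a dict; later keys overwrite earlier ones."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def compare(baseline, settings, accounts):
    """Return the findings where the observed host deviates from the baseline."""
    findings = []
    for key in ("hostname", "os"):
        if settings.get(key) != baseline[key]:
            findings.append(f"{key}: expected {baseline[key]!r}, observed {settings.get(key)!r}")
    # Patch level is a YYYY-MM string, so lexical order is chronological order.
    if settings.get("patch_level", "") < baseline["patch_level"]:
        findings.append(f"patch_level: expected {baseline['patch_level']} or later, "
                        f"observed {settings.get('patch_level', 'none')}")
    observed_ips = {ip for ip in settings.get("ip_addresses", "").split(",") if ip}
    for ip in sorted(observed_ips - baseline["ip_addresses"]):
        findings.append(f"ip_addresses: undocumented address {ip}")
    for ip in sorted(baseline["ip_addresses"] - observed_ips):
        findings.append(f"ip_addresses: documented address {ip} not present")
    # Password policy: minimum length is a floor, maximum age is a ceiling.
    min_length = int(settings.get("password.min_length", 0))
    if min_length < baseline["password"]["min_length"]:
        findings.append(f"password.min_length: expected >= {baseline['password']['min_length']}, observed {min_length}")
    max_age = int(settings.get("password.max_age_days", 10**9))
    if max_age > baseline["password"]["max_age_days"]:
        findings.append(f"password.max_age_days: expected <= {baseline['password']['max_age_days']}, observed {max_age}")
    # Audit logging must be on, with at least the documented retention.
    if baseline["audit_log"]["enabled"] and settings.get("audit_log.enabled", "false").lower() != "true":
        findings.append("audit_log.enabled: expected true")
    retention = int(settings.get("audit_log.retention_days", 0))
    if retention < baseline["audit_log"]["retention_days"]:
        findings.append(f"audit_log.retention_days: expected >= {baseline['audit_log']['retention_days']}, observed {retention}")
    # Accounts: check both directions, and flag any extra uid-0 account regardless.
    for login in sorted(set(accounts) - baseline["accounts"]):
        findings.append(f"accounts: undocumented account {login}")
    for login in sorted(baseline["accounts"] - set(accounts)):
        findings.append(f"accounts: documented account {login} missing")
    for login, uid in sorted(accounts.items()):
        if uid == 0 and login != "root":
            findings.append(f"accounts: {login} has uid 0")
    return findings


def audit_host(baseline=BASELINE, passwd_text=PASSWD_SAMPLE, dump_text=CONFIG_DUMP_SAMPLE):
    """Run the full comparison for one host and return its findings."""
    return compare(baseline, parse_config_dump(dump_text), parse_passwd(passwd_text))


if __name__ == "__main__":
    for finding in audit_host():
        print("FINDING:", finding)
```

On the constructed evidence the check reports six findings: a patch level behind the documented one, an undocumented IP address, a password minimum length below policy, two undocumented accounts, and a second uid-0 account. Numeric settings are compared as floors or ceilings rather than for exact equality, so a host that exceeds the documented minimum is not reported as a deviation.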

Identifying and Planning NIST standards and Methodologies 

Interviews with management personnel and IT support staff of US IT organisations indicate that they follow the NIST standards and methodologies closely. Organisations use them to maintain technological advancement and security in both their internal and external environment (Weiss, 2015). Following NIST guidance, US organisations categorise the information and data they must protect from vulnerabilities according to the impact that a loss of confidentiality, integrity, or availability would have. NIST guidance also directs them in establishing a baseline of the minimum controls required to protect that information. It is therefore fair to say that the planning and identification of security measures is carried out through NIST standards and methodologies.

IT Security Policy Framework definition in respect to Seven Domains

The IT security policy framework is organised around seven domains that together determine its effectiveness in protecting data and systems. The domains are as follows:
User Domain: covers every person who has access to the other six domains.
Workstation Domain: the individual user's computer, where day-to-day work is done.
LAN Domain: the workstations, hubs, and routers that together form a trusted zone (Winer, 2015).
LAN-to-WAN Domain: the boundary between the trusted internal zone and the untrusted external zone.
WAN Domain: the wide-area connectivity, consisting of semi-private lines and the Internet.
Remote Access Domain: the network or mobile connections through which users reach the local network from outside.
System/Application Domain: the user-accessed servers and services, such as database and email servers.

Identifying and Testing Monitoring Requirements

US IT organisations place considerable emphasis on identifying and testing monitoring requirements. The purpose is to track the progress of work processes and to detect risks and vulnerabilities as they emerge. The monitoring and identification system gives the IT industry a current map of the network and the schedule of each element, details of the factors that affect the variability of information systems, and an analysis of risk factors (Bik, 2018).

Identifying Critical Security Control Points that must be verified throughout the IT Infrastructure

A number of critical security control points must be verified by IT organisations throughout the IT infrastructure. They include the gap assessment, the implementation roadmap and phases of control, integration between different operations, and management reporting (Chou, 2015). Verifying these areas is necessary to confirm current progress and to plan future growth.


It can be concluded that planning an IT infrastructure audit is necessary for compliance. The US IT industry actively carries out IT infrastructure audits to support its future growth, using a range of risk assessment tools to reduce errors and the frequency of mistakes in its internal and external environment. The project plan described above can also guide IT organisations in other countries on how to conduct an IT infrastructure audit and remain competitive within their industry.



Bik, O., & Hooghiemstra, R. (2018). Cultural Differences in Auditors' Compliance with Audit Firm Policy on Fraud Risk Assessment Procedures. Auditing: A Journal of Practice and Theory.
Chou, D. C. (2015). Cloud computing risk and audit issues. Computer Standards & Interfaces, 42, 137-142.
Graham, L. (2015). Internal control audit and compliance: documentation and testing under the new coso framework. John Wiley & Sons.
Gomez, S. E. (2015). Compare and contrast the extent of content compliance in public performance audit reports published in South Africa and Australia (Doctoral dissertation).
Hess, D. (2015). Ethical Infrastructure and Evidence-Based Corporate Compliance and Ethics Programs: Policy Implications from the Empirical Evidence. NYUJL & Bus., 12, 317.
Lins, S., Schneider, S., & Sunyaev, A. (2016). Trust is good, control is better: Creating secure clouds by continuous auditing. IEEE Transactions on Cloud Computing.
Madi, T., Majumdar, S., Wang, Y., Jarraya, Y., Pourzandi, M., & Wang, L. (2016, March). Auditing security compliance of the virtualized infrastructure in the cloud: Application to openstack. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy (pp. 195-206). ACM.
Rasheed, H. (2014). Data and infrastructure security auditing in cloud computing environments. International Journal of Information Management, 34(3), 364-368.
Weiss, M., & Solomon, M. G. (2015). Auditing IT infrastructures for compliance. Jones & Bartlett Publishers.
Winer, R. A., Bennett, E., Murillo, I., Schuetz-Mueller, J., & Katz, C. L. (2015). Monitoring Compliance to Promote Quality Assurance: Development of a Mental Health Clinical Chart Audit Tool in Belize, 2013. Psychiatric Quarterly, 86(3), 373-379.
