IT Auditing: Using Controls to Protect Information Assets
cable locks, 160
California SB 1386, 340-341
Canadian Personal Information Protection and Electronic Document Act (PIPEDA), 341-342
capacity management, 105
capacity monitoring and planning, 78
card-key devices, in data center, 91
career IT auditors, 23-25
overview, 23-24
sources for, 24-25
CD (control deficiency), 352
ceilings, of data center, 91
Center for Information Security, 150
centralized IT functions, 37
CEO (chief executive officer), 4, 6, 63
CERT (Computer Emergency Response Team) notices, 188
certificates, server side, 213
certifications, 30
Certified Information Systems Auditor (CISA) certification, 23
Certified Information Systems Security Professional (CISSP) certification, 23, 30
CFO (chief financial officer), 4, 6
change management, 118-119, 274, 278-279, 288
change requests for, 289
change-control documentation, 77
checkout of code, 259
chemical alarms, 85
chief executive officer (CEO), 4, 6, 63
chief financial officer (CFO), 4, 6
chief information officer (CIO), 7, 63
Chkrootkit, 201-202
chown command, 185
CIO (chief information officer), 7, 63
CISA (Certified Information Systems Auditor) certification, 23
Cisco-EAP Wireless (LEAP), 269
CISSP (Certified Information Systems Security Professional) certification, 23, 30
classification, data, 260-261
client/network libraries, 228-229
Clipbook utility, 145
closed items, in audit report, 54
CoBIT (Control Objectives for Information and Related Technologies), 38, 315-319
concepts, 316-317
connection with COSO, 319
IT governance, 318-319
overview, 315
website with information on, 79
code
checkout, modification, and versioning, 259
reviews, 220-221
testing, 260
collaboration, attitude of, 20
college hires, 25, 26
committee, audit, 4, 6
Committee of Sponsoring Organizations. See COSO
communication skills, of IT auditors, 27
communications method, security of, 269
Computer Emergency Response Team (CERT) notices, 188
configuration change management, 76-77
configuration files, backups for, 123
configuration management, 220
configuration values, 227-228
consultants
auditors as, 13
outside, 28
contractors, 28
contracts, with third-party services, 73
control deficiency (CD), 352
control gaps, 366-367
categorizing by severity, 366
choosing controls, 366-367
identifying potential controls, 366
overview, 366
rating controls by cost and effectiveness, 366-367
combining, 366
determining process component control gaps, 365
implementing controls, 367
overview, 366
recalculating risk ratings, 367
validating new controls, 367
Control Objectives for Information and Related Technologies. See CoBIT
control self-assessment (CSA) model, 17
controls
See also internal controls
entity-level, auditing, 61-81
background, 61-62
knowledge base, 79
master checklist, 80-81
overview, 61
test steps, 62-79
environmental controls, 92-93
facility-based, 84-85
access-control systems, 84
alarm systems, 84-85
fire-suppression systems, 85
overview, 84
physical access control, 90-92
conversion plan, for projects, 299-300
cooperation, attitude of, 20
core dumps, 129
corporate financial regulation, history of, 328
corrective controls (reactive controls), 34
COSO (Committee of Sponsoring Organizations), 308-315
definition of internal control, 309
enterprise risk management-integrated framework, 311-315
control activities, 314
COSO effect on IT controls, 315
definition of enterprise risk management, 312
event identification, 313
impact of COSO, 314-315
information and communication, 314
internal environment, 313
monitoring, 314
objective setting, 313
overview, 311-313
relationship with internal control-integrated framework, 314
risk assessment, 313
risk response, 314
internal control-integrated framework, 309-311
component relationships, 311
control activities, 310
control environment, 310
information and communication, 310-311
monitoring, 311
overview, 309-310
risk assessment, 310
website with information on, 79
key concepts of internal control, 309
overview, 308-309
cosourcing, 28
costs
of internal auditors, justifying, 7
tracking for projects, 290
Crack tool, 202
credibility, 19
crime rate, around data centers, 89-90
crontabs, 186-187
cross-site scripting (XSS) vulnerabilities, 216-217
CSA (control self-assessment) model, 17
customer steering teams, 72
customers, use of term, 20