1st Edition

Auditing Information and Cyber Security Governance: A Controls-Based Approach

By Robert E. Davis
Copyright 2021, CRC Press
298 pages, 32 B/W illustrations

    "A much-needed service for society today. I hope this book reaches information managers in the organization now vulnerable to hacks that are stealing corporate information and even holding it hostage for ransom."

    – Ronald W. Hull, author, poet, and former professor and university administrator

A comprehensive entity security program deploys information asset protection through stratified technological and non-technological controls. Controls are necessary for counteracting threat, opportunity, and vulnerability risks in a manner that reduces potential adverse effects to defined, acceptable levels. This book presents a methodological approach in the context of normative decision theory constructs and concepts, with appropriate reference to standards and their respective guidelines. Normative decision theory attempts to establish a rational framework for choosing between alternative courses of action when the outcomes resulting from the selection are uncertain. Through the methodological application, decision theory techniques can provide objective determination, interaction assessment, performance estimation, and organizational analysis. A normative model prescribes what should exist according to an assumption or rule.

Contents

Security Governance
    Abstract
    Introduction
    Governance Perspectives
    Rational Management
    Applied Technology
    Security Program Evolution
    Information Security Infrastructure Management
    Information Security Service Management
    Information Security Governance
    Framing Governance
    Tier One Governance
    Tier Two Governance
    Tier Three Governance
    Security Governance Fusion
    Cyber Security Service Delivery for IT
    Cyber Security Service Support for IT
    Security Governance Insights
    Formal Authority
    Interpersonal Roles
    Informational Roles
    Decisional Roles
    References
    Recommended Reading

Security Governance Environment
    Abstract
    Introduction
    Entity Centric Considerations
    Entity Control Environment
    Domain Convergence Effects
    Entity Risk Determinants
    Legal Issues
    Managerial Practices
    Control Inscriptions
    Technology Deployments
    References
    Recommended Reading

Security Governance Management
    Abstract
    Introduction
    Planning
    Security Risk Assessment
    Control Objectives Selection
    Control Goals Selection
    Organizing
    Orchestrating
    Directing
    Controlling
    References
    Recommended Reading
    Appendix: Information Protection Classifications with Criteria and Definitions

Security Governance Processes
    Abstract
    Introduction
    Framing Information Security Governance
    Tier Four Strategic Alignment
    Tier Four Value Delivery
    Tier Four Risk Management
    Tier Four Resource Management
    Tier Four Performance Measurement
    References
    Recommended Reading
    Appendix: Control Evaluation Worksheets
        Control Evaluation Worksheets 1a: Single Risk Ratings
        Control Evaluation Worksheets 1b: Single Risk Ratings
        Control Evaluation Worksheets 2a: Group Risk Ratings
        Control Evaluation Worksheets 2b: Group Risk Ratings
        Control Evaluation Worksheets 3: Summary Risk Sheet

Organizational Employees
    Abstract
    Introduction
    Responsibility Delegation
    Access Controls
    Power Granting
    Workplace Irregularities and Illegal Acts
    IT Incident Response Team
    Education, Training, and Awareness
    IT Audit Team
    Planning Activities
    Study and Evaluation Activities
    Testing Activities
    Reporting Activities
    Follow-up Activities
    References
    Recommended Reading

External Organizational Actors
    Abstract
    Introduction
    Supply Chain Partners
    Information Sharing
    Knowledge Sharing
    Supply Chain Logistics
    Managed Service Providers
    Service Provider Audit
    IT Audit Planning
    IT Audit Study and Evaluation of Controls
    IT Audit Testing of Controls
    IT Audit Report on Controls
    IT Audit Follow-up
    References
    Recommended Reading

Information Security Governance Audit
    Abstract
    Introduction
    ISG Audit Planning Process
    Control Assessment
    Audit Risk Assessment
    ISG Audit Study and Evaluation of Controls
    Information Security Strategic Alignment
    Information Security Value Delivery
    Information Security Risk Management
    Information Security Resource Management
    Information Security Performance Management and Measurement
    Other Auditable Information Security Units
    ISG Audit Testing and Evaluation of Controls
    Information Security Compliance Testing
    Information Security Substantive Testing
    Information Security Evidence Assessment
    ISG Audit Control Reporting
    Degree of Correspondence
    Engagement Report Structuring
    ISG Audit Follow-up
    ISG Audit Follow-up Responsibilities
    General ISG Audit Follow-up Activities
    References
    Recommended Reading
    Appendix A: Control Environment Characteristics – Internal Policies Matrix
    Appendix B: Entity Culture – Audit Area Personnel Matrix
    Appendix C: ISG Audit Risk Assessment Template
    Appendix D: Testing Methodology Options Table
    Appendix E: Sampling Selection Options Table

Cyber Security Governance Audit
    Abstract
    Introduction
    CSG Audit Planning Process
    Control Assessment
    Audit Risk Assessment
    CSG Audit Study and Evaluation of Controls
    Cybersecurity Access Management
    Cybersecurity Network Infrastructure
    Cybersecurity Risk Analysis
    Cybersecurity Environmental Controls
    Cybersecurity Confidential Information Assets
    CSG Audit Testing and Evaluation of Controls
    Cybersecurity Compliance Testing
    Cybersecurity Substantive Testing
    Cybersecurity Evidence Assessment
    CSG Audit Control Reporting
    Degree of Correspondence
    Engagement Report Structuring
    CSG Audit Follow-up
    CSG Audit Follow-up Responsibilities
    General CSG Audit Follow-up Activities
    References
    Recommended Reading
    Appendix A: CSG Audit Risk Assessment Template
    Appendix B: IAP Functions or Duties Templates
    Appendix C: IAP Control Classification Template

    Biography

Dr. Robert E. Davis, CISA, CICA, has unique qualifications encompassing over 30 years of internal control practice and scholarship experience. He has provided data security consulting and information systems auditing services to highly regarded government agencies and to corporations of various sizes. His past teaching experience includes positions with Temple University, Bryant & Stratton College, and Cheyney University, as well as presenting various other training sessions and courses. Dr. Davis has authored articles addressing IT issues for ITAudit Magazine, ISACA Journal, TechTarget, and IT Governance, LTD, as well as a chapter discussing continuous auditing for Bloomsbury Information. Dr. Davis has also written workbooks and other instructional material for Boson Software and Pleier Corporation.