- Book title: Mastering the IT Audit - Assuring a resilient and compliant IT landscape through effective audit
- Author: Jyothi Ramaswamy
- Subject: IT audit
- Year of publication: 2026
- Page count: 558
- Original language: English
- File type: pdf
- File size: 4.62 MB
I want to express my heartfelt gratitude to those who have stood by me throughout this journey, both personally and professionally. To my family, thank you for your unwavering support, patience, and belief in me. Your encouragement has been the quiet strength behind every milestone and every chapter of this book. I want to thank my father, who taught me to keep learning throughout life, my mother and sisters who supported me relentlessly, my husband who motivated me to take all challenges that came my way, and last but not least, my daughter who lived through my change approver mindset. I am also deeply thankful to my seniors from Tata Consultancy Services Ltd. Trivandrum during my early career, who instilled the habit of excelling in all activities. They provided guidance, vision, and support throughout my professional journey. My supervisors and colleagues from the information security team and the delivery excellence team require a special mention here for helping me learn to look at the bigger picture and cultivate the habit of reviewing solutions, keeping the business context in mind. I would like to acknowledge the support from the cybersecurity service delivery team, my managers, team members, and customer managers, who have helped me in strengthening the governance mindset. The lessons I learned under your direction have echoed through every stage of my growth, and I am very grateful for your support; I will always be thankful for the lessons that you taught me. This book is, in many ways, a reflection of those early lessons and the people who helped instill them.

Preface

Throughout this book, we explain why an IT audit is important in helping an organization strengthen its IT infrastructure, mitigate potential outages in operations, and identify areas for improvement. The major steps here are risk identification and mitigation; assessment of resilience; geography and industry compliance verification; data and platform protection; and last but not least, assuring governance mechanisms through proper documentation and reporting. The audit process requires an understanding of the IT landscape, the perimeter setup, and the various upstream and downstream connectivity. The landscape covers the various appliances, firewalls, IDS and IPS, servers, network devices, their configuration, and their maintenance. Capacity management, incident management, and change management are the main governance activities that stitch together the responsibilities of the IT team of any organization. In addition to these, the auditor has to understand the security policies, the patching practices, and the segregation of networks used to manage different access levels for different teams. Once one becomes an IT auditor, they will be able to provide value in managing the backbone of the organization by ensuring the security, availability, and integrity of operations and data within their organization. This helps in career growth in IT service, operations, strategic, and project management roles. Auditors possess a deep understanding of systems, controls, and vulnerabilities. With the right mindset and skill-building, they can evolve into engineers who design secure, efficient, and compliant systems from the ground up.

- Chapter 1: IT Audit and Assurance Standards Statements - Key concepts such as auditing, deciding the criteria, and the risk-based approach to audits are explained. It also covers the principles of auditing, due professional care, conflict of interest, and independence.
- Chapter 2: IT Audit Defined, Charter and Criteria - Highlights the benefits of the audit process, e.g., improved management system performance, enhanced credibility and trust, better risk management, and increased organizational efficiency.
- Chapter 3: Planning, Scheduling, Reporting and Follow-ups for Audit - The steps of conducting an audit are introduced here: entry meeting, gathering audit evidence, document review, interview techniques and observations, and site inspections. We will learn the process of managing an audit program for the IT department and the operations of an organization.
- Chapter 4: Types of Audits - The types of audits are explained here, such as internal audits, external audits, first-party audits, second-party audits, and third-party audits.
- Chapter 5: IT Policies, Processes and SOPs - How policies, processes, and operating procedures are defined for the typical tasks managed by the IT team. We will also get a view of the roles and their responsibilities, helping us to focus on the operational aspects of IT operations.
- Chapter 6: Risk Management and Impact Analysis - The key risk areas relevant to the systems and processes are identified. We see how common risk areas are analyzed, including cybersecurity vulnerabilities, system availability, data backups, and disaster recovery capabilities. Risk management is to be carried out based on the impact on the specific industry and business requirements.
- Chapter 7: Procurement, Asset, Capacity and Cloud Service Management - IT policies have to look at the complete life cycle of the equipment, starting with procurement, configuration, defining and implementing procedures, inventorying assets by marking critical equipment, and finally managing end of life (EOL) for this equipment. IT policies should also focus on the interconnection of equipment, access management, monitoring usage to ensure capacity management, and building in continuity by managing backup systems.
- Chapter 8: Access Management and Acceptable Usage Policy - Access management in an organization is the measure of how well the organization functions when it comes to the authorization of assets to users. The acceptable use policy gives the dos and don'ts and outlines the expectations for how employees and other authorized users should interact with the assets.
- Chapter 9: Network, Server, Storage and End Point Management - This chapter talks about the process of monitoring and maintaining network devices, servers, and storage devices to optimize performance. This has to encompass the management of hardware, software, security, and backups to minimize slowdowns and downtime.
- Chapter 10: Business Continuity and Disaster Recovery Planning - BCP and DRP provide assurance that the IT infrastructure will be available to deliver the required services during disruptive events, such as natural disasters, cyberattacks, and communication failures. Continuity planning looks at critical services and also takes inputs from the asset inventory for critical assets.
- Chapter 11: Organization Context and IT Services - IT operation management processes are essential to ensure that service requirements are met and to continually improve service management. Ensuring information security becomes an integral part of managing IT operations. The business context defines how IT supports the business mission and operations, and how to plan IT strategies and initiatives.
- Chapter 12: Logging and Monitoring Services - Through logging of events and activities within a system or application, user actions and error messages are captured. Monitoring helps in measuring the performance and health of a system, such as resource usage, network traffic, and error rates. This helps in designing corrective and preventive actions for process improvements.
- Chapter 13: KPIs and Status Reports - This chapter talks about creating guidelines for designing, planning, implementing, continuously testing, and improving the processes in an ongoing manner, and for governing the complete enterprise IT architecture. The criticality of the assets gives inputs to KPIs and governance measures through status reports.
- Chapter 14: BCP Drills, Plans and Reports - The IT team conducts simulated exercises that test the effectiveness of the business's BCP. After every BCP drill, the business continuity team analyzes and reports the effectiveness of the continuity measures. The learnings from drills go as feedback into the various operating procedures.
- Chapter 15: Configuration and Change Management - This helps in ensuring that changes to an organization's technical environment are documented and managed in a structured manner. In change management, changes to applications and hardware are tracked, while configuration management focuses on how the physical attributes of applications or systems are consistently maintained and managed.
- Chapter 16: IT Audit Frameworks ISO 20000 and ITIL - This chapter focuses on how an IT audit begins with deciding the audit framework, identifying the aims and benefits of the framework, understanding the compliance requirements, the benefits of audits, etc. The difference between ITIL as a framework and ISO as a certification will also be covered here.
- Chapter 17: Organizations, People, Data and Technology Processes - During an IT audit, auditors have to focus on the effectiveness, reliability, and security of an organization's IT infrastructure, systems, and processes. An IT audit comprises a review of asset safeguarding practices, namely data, application systems, technology, and people.
- Chapter 18: Partners, Value Streams and Processes - A partner audit focuses on assessing the partner's or vendor's past project performance, technical expertise, compliance with industry standards, and financial stability in ensuring uninterrupted services. Value stream analysis can help evaluate the current way of working, identify new requirements, and propose improvements.
- Chapter 19: Scope of Audit and Audit Plan - Audit planning should define the roles and responsibilities of an auditor, and should also include all the entities in the enterprise landscape, including external stakeholders. The apex processes of the organization, like the information security and quality management systems, need to be included in the audit process along with IT policies and operational processes, to ensure that IT processes are in alignment. Data at rest and in transit has to be checked for sensitivity, to see whether the processes around it are adequate.
- Chapter 20: Review of Policy and Controls - The purpose of the audit function is to evaluate and test the design (ToD) and execution of controls implemented for effectiveness (ToE) by the processes surrounding the business operations. The scope of the audit has to be defined as either the entire enterprise or a specific entity within the enterprise, and all relevant policies surrounding the operations of the IT team have to be reviewed along with the governance mechanism in place.
- Chapter 21: Interviews, Site Visits and Technical Testing - Status reports and actions on any deviation from thresholds have to be given adequate importance, as these provide inputs to ToE. Site visits to the data centre and support systems like UPS, power backup, access control, and the CCTV monitoring area give inputs on the effectiveness of the processes put in place. Conflict of interest is another area to be checked thoroughly for ensuring ToE.
- Chapter 22: Audit Findings and Actionable Audit Report - An audit report must be well written to effectively stand out, capture interest, and promote changes. The audit report should illustrate non-conformities, outline positives, call out opportunities for improvement, and be translatable into actions to close the non-conformities.
- Chapter 23: Evolving with the Audit Landscape - This chapter provides a conclusion to all areas covered in the book, along with some guidelines on how to plan the audit and prepare a proper audit report with actionable observations. It will also mention how remediation can be planned for audit observations, and how a verification audit has to be conducted to cross-check the remediation measures taken as a result of the audit.
You can download this book for free from the link below:
Download: Mastering the IT Audit
