IT Auditing:
Assuring Information Assets Protection
Robert E. Davis, MBA, CISA, CICA
Robert E. Davis is an independent management audit consultant (currently associated with Robert Half Management Resources), as well as a Pleier Corporation author. His IT audit specializations include Control Objectives for Information and related Technology, the Sarbanes-Oxley Act, and the Foreign Corrupt Practices Act. Regarding information security and privacy, Robert is available to provide International Organization for Standardization-27000, Gramm-Leach-Bliley Act, and Basel II consulting. His primary computer technology research interests are databases, operating systems, and distributed information systems processing.
Recently, he has applied his expertise in assisting organizations in fulfilling U.S. Sarbanes-Oxley and Federal Information Security Management Act requirements as well as training professionals internationally.
Since starting his career as an IT auditor, Robert has provided data security consulting and IT auditing services (from staff through senior management positions) to the United States Enrichment Corporation, Raytheon Company, United States Interstate Commerce Commission, Dow Jones & Company, Fidelity/First Fidelity (Wachovia) Corporations, and other organizations.
Some of his professional IT software and hardware experience includes MVS, UNIX, Windows, Oracle, Clarity, the International Money Management System, PERL, COBOL, PASCAL, DEC, IBM, Tandem, Compaq, and DELL.
Prior to engaging in the practice of IT auditing and information security consulting, Robert provided inventory and general accounting services to Philip Morris USA and general accounting services to Philadelphia National Bank (Wachovia).
Robert graduated from Temple University and West Chester University of Pennsylvania with a Bachelor of Business Administration and Master of Business Administration degree, respectively. While attending Temple University, his major areas of study were Business Law and Accounting. He successfully completed the requirements for a Management Information Systems subject major at West Chester University.
Robert obtained the Certified Information Systems Auditor (CISA) certificate after passing the 1988 Information Systems Audit and Control Association's rigorous three-hundred-and-fifty-question multiple-choice examination, and was conferred the Certified Internal Controls Auditor (CICA) certificate by the Institute for Internal Controls.
During his twenty-year professional involvement in education, Robert acquired postgraduate and professional technical licenses in computer science and computer systems technology.
Robert has authored the articles "Did IT Auditing Forget the Foreign Corrupt Practice Act" and "How Does Management Support Deploying IT Governance?" for IT AUDIT magazine and IT Governance, Ltd, respectively.
Robert is a former ISACA-Philadelphia Chapter Board of Directors member and College Relations Chairman. Robert has provided instruction to an Internet CISA study group, the Data Processing Management Association, and the ISACA-Philadelphia Chapter CISA Review Course.
Robert is a member of The Institute of Internal Auditors, ISACA, the American Association of University Professors, and The Institute for Internal Controls. He is also a college computer science and mathematics instructor, having previously taught at Cheyney University and Bryant & Stratton College.
Based on his accomplishments, Robert has been featured in Temple University's Fox School of Business Alumni Newsletter and The Institute for Internal Controls e-Newsletter. Furthermore, he is a lifetime member of the Madison Who's Who Registry of Executives and Professionals.
Robert has authored 7 other indispensable resources available from Pleier Corporation. These publications are also especially valuable references to prepare for related sections of the ISACA Certified Information Systems Auditor examination. Additional references and information are available at Have CISA - Will Travel.
IT Auditing: Assuring Information Assets Protection
The value of most organizations today is in the invisible information assets that provide key knowledge necessary to succeed in conducting business. Many of these information assets are digital.
Unlike physical assets, information assets cannot be seen or touched directly. Unlike physical assets, information assets can be more easily damaged or destroyed, accidentally or on purpose, by persons in the computer room, in the organization, or by an unknown person halfway around the world. The nature of these information assets requires extremely close scrutiny.
“IT Auditing: Assuring Information Assets Protection” provides a proven approach to assessing IT security frameworks, architectures, methods, and techniques. This publication converts selected audit standards and guidelines into practical applications using detailed examples and vivid graphics, including definitions of over 140 acronyms helpful in auditing and reviewing. This publication also allows auditors and security professionals to understand the various steps and processes required to adequately initiate, document, and compile information assets protection audit or review phases.
This 265-page publication provides auditors and security professionals with an appreciation for the complexities associated with assuring information assets protection and lists numerous references for further in-depth information.
“IT Auditing: Assuring Information Assets Protection” can function as a study guide for CISA or CISM examination preparation as well as an audit or security practice reference manual.
Robert offers this information to assist auditors and security professionals in meeting the challenges of helping to assure the protection of these assets.
Feedback from an on-site version of this training includes:
"[The] Risk Based IT Audit Course provided a comprehensive understanding for both IT Auditors & IT Management in identifying risks & the risk of mitigating actions for them"
- President & CEO, Pentathlon Systems Resources Inc.
Chapter One: Information Security Laws & Regulations
    Government-Entity Convergence
    Fiduciary Relationships
    Fiduciary Responsibilities
    Multiple Legal Requirements
    Security, Privacy, and Intellectual Property Edicts
    Preserving Electronically Encoded Evidence
    Government-Audit Convergence
    Audit Practice Areas
    Appendix A: Selected IAP Related Governance Initiatives
    Appendix B: Laws & Regulations – IAP Templates
    Chapter 1 Knowledge Check
    Chapter 1 Bibliography

Chapter Two: Information Security Governance
    Government-Entity Convergence
    Framing Information Security Governance
    Program Development and Deployment
    Responsibilities Separation
    Information Assets Protection
    Information Security Governance Managerial Aids
    Entity-Audit Convergence
    Chapter 2 Knowledge Check
    Chapter 2 Bibliography

Chapter Three: Control Environment
    Entity-centric Considerations
    Risk Determinants
    Entity-level Policies
    Managerial Practices
    Chapter 3 Knowledge Check
    Chapter 3 Bibliography

Chapter Four: Information Assets Protection Management
    Planning
    Control Objectives Selection
    Control Goals Selection
    Risk Management
    Organizing
    Coordinating
    Directing
    Controlling
    Appendix A: Selected Information Assets Classifications
    Appendix B: Potential Control Evaluation Worksheets
    Chapter 4 Knowledge Check
    Chapter 4 Bibliography

Chapter Five: Entity Employees
    Employment Practices
    Decisional Quality, Responsibility Delegation, and Societal Engineering
    IT Employees
    Monitoring and Evaluating Resources
    Incident Response Team
    Chapter 5 Knowledge Check
    Chapter 5 Bibliography

Chapter Six: IT Audits and Reviews
    Planning
    Considering Laws and Regulations
    Audit Risk Assessment
    Internal Control Assessment
    Studying and Evaluating Controls
    Access Management
    Network Infrastructure
    Risk Analysis
    Environmental Controls
    Confidential Information Asset Life Cycle
    Testing and Evaluating Controls
    Reporting
    Follow-up
    Appendix A: Pro Forma IT Audit IAP Risk Assessment Template
    Appendix B: Generic Control Environment: Awareness Lead-sheet
    Appendix C: Computer Viruses
    Appendix D: IAP RACI or RASCI Templates
    Appendix E: IAP Control Classification Template
    Appendix F: Authentication Mechanisms Table
    Appendix G: Peer-to-Peer Networking
    Appendix H: Trans-border Communication Protection
    Appendix I: Suggested Access Controls Testing Checklist
    Chapter 6 Knowledge Check
    Chapter 6 Bibliography

Acronyms Used Throughout This Publication
Glossary of Terms Used Throughout This Publication
Biography of the Author
Your feedback concerning this product should be sent to pleier@pleier.com.