More T2P Library Resources
IT Audit Checklists:
IT Audit Checklist: IT Governance & Strategy
- More than 120 control objectives commonly included in operational audits
- Controls derived from major rules/frameworks including CobiT, NIST, and PCI
- Recommendations for audit planning, preparation, testing, and reporting
- Clarification on what auditors want (and don't want) to see
This checklist supports an internal audit of the organization’s IT leadership and high-level planning resources, systems, and processes. With guidance on assessing the completeness, effectiveness, and sustainability of existing IT governance and strategy, the paper is designed to help IT leaders promote more productive audit cycles and ensure continuous improvement of governance efforts.
IT Audit Checklist: Risk Management
- 80 risk management control objectives commonly covered in audits
- Controls derived from major rules/frameworks including CobiT, NIST, and PCI
- Recommendations for audit planning, preparation, testing, and reporting
- Clarification on what auditors want (and don't want) to see
With guidance on improving risk management programs and assessing the robustness of information control efforts, this checklist is designed to help business and IT managers prepare for an audit of risk management controls and support more productive, efficient audit cycles.
IT Audit Checklist: Information Security
- More than 225 control objectives commonly included in operational audits
- Controls derived from major rules/frameworks including CobiT, NIST, and PCI
- Recommendations for audit planning, preparation, testing, and reporting
- Clarification on what auditors want (and don't want) to see
The paper provides practical guidance on the risk-based assessment and assurance of information security controls, including network protection, access management, and security policy management. Written for IT, compliance, audit, and business managers, the paper is designed to support more productive, efficient, and positive audit cycles.
IT Audit Checklist: Privacy & Data Protection
- 270 privacy and security control objectives commonly included in audits
- Controls derived from major rules/frameworks including CobiT, NIST, and PCI
- Recommendations for audit planning, preparation, testing, and reporting
- Clarification on what auditors want (and don't want) to see
The checklist includes advice on assessing the robustness of privacy controls; guidance on how management and auditors support privacy policies and procedures; and information on ensuring continual improvement of privacy practices. The paper is designed to help business and IT managers prepare for an audit of privacy and security controls and support more productive, efficient audit cycles.
IT Audit Checklist: Change Management
- More than 185 change management control objectives commonly covered by audits
- Controls derived from major rules/frameworks including CobiT, NIST, and PCI
- Recommendations for audit planning, preparation, testing, and reporting
- Clarification on what auditors want (and don't want) to see
This paper includes recommendations on assessing change control in operational projects, development, procurement, IT service testing, and IT operations; guidance for management and auditors on supporting change management; and information on ensuring continual improvement of change management efforts.
Research & Reports
Research: PCI: Requirements to Action
Practical Guidance on More Efficient, Effective Compliance
The PCI Data Security Standard (PCI DSS) can represent an effective baseline for enterprise information security. The greater challenge, however, is making PCI compliance an integral and efficient part of enterprise security programs. This in-depth paper combines high-level analysis with control-level pointers to help compliance and IT managers demystify the PCI DSS and align it with broader risk- and security-management practices.
Advisory Supplement: 10 Steps to Harden Commerce Systems
Although information security may be a continuous process, security risk is inconstant. Environmental variables, such as seasonal business fluctuations and conditions, emergent threats, staff resource availability, and budget levels impact practical security needs and priorities. Your ultimate goal might be to secure all system components all of the time; however, high-stress situations beg the question: "What can I do right now to secure critical information?" This Advisory Supplement, bundled with the Truth to Power research paper PCI: Requirements to Action, addresses the question with specific recommendations for quick-launch, high-impact steps to reduce information risk.
Reality-Based Guides
Reality-Based Guide: How to Thwart a Social Engineering Exploit
Social engineering is a type of security exploit designed to distract, disarm, bully, and/or charm the employees responsible for protecting sensitive information and critical resources. This compact, quick-reference guide provides practical advice on recognizing and resisting the most devious (and dangerous) types of social manipulation attacks.
Reality-Based Guide: How to Get More out of Technical Conferences
Technical conferences typically offer more intangible than tangible benefits. This presents a significant challenge in finding and demonstrating the real-world value of conference attendance. This compact, quick-reference guide describes four key activities that will help you engineer more productive conference experiences and demonstrate the value of that experience to colleagues and managers.
Reality-Based Guide: How to Clarify Complex Decisions
Although many decisions are spontaneous, some complex business scenarios call for a more methodical approach to decision analysis. This compact, quick-reference guide provides an accessible overview of multicriteria decision making, including step-by-step pointers on improving decision quality and defensibility while reducing the risks of bad decision outcomes.