
What Is Truth to Power?

Truth to Power (T2P) is:

dedicated to bridging the gaps between governance and practice, technology and business, regulation and control, risk management and real market pressures, and your own knowledge and the knowledge of your peers.

built to create a common pool of knowledge—one big brain—that lets you work more efficiently, build technology and business practices more effectively, and endure audits more effortlessly.

a neutral hub through which you can reach many valuable information nodes, resource collections, and organizations that are already helping people like you, but in fractured ways.

against the idea that auditors, analysts, and consultancies can control information simply through their ability to collect and distill it. T2P's goal is to unlock the vast body of knowledge, insight, and conventional wisdom that we all have, make it freely available to you, and help you digest and interpret it—without undue cost, bias, or hype.

Audit & Assessment

Audit guides, checklists, and self-assessment tools for information management controls, critical infrastructure, information security, and more.

Rules & Standards
Issuer: US GAO
Country: US

Methodology for information system (IS) control audits in governmental entities, including criteria checklists and assessment templates. Revision available as exposure draft at http://www.gao.gov/new.items/d081029g.pdf

Issuer: IIA
Country: Multi

Guidance for auditors and management on preparing for disruptive natural or man-made events. Covers planning and assessment of continuity programs for critical IT infrastructure and business application systems.

Issuer: IIA
Country: Multi

Guidance for internal auditors on scoping IT audits, performing risk assessments (including tying IT risk to business value), and formalizing IT audit plans.

Issuer: IIA
Country: Multi

Provides an overview of techniques for effectively engaging with project teams and management to assess the risks related to IT projects. This Practice Guide covers: 1) Key project management risks; 2) Auditor involvement and independence; 3) Five key compo ...

Issuer: IIA
Country: Multi

As technology advances, so do schemes to commit fraud. Technology can, however, be used not only to perpetrate fraud but also to prevent and detect it. Using technology to implement real-time fraud prevention and detection programs will enable organizat ...

Issuer: IIA
Country: Multi

Guidance on the management and assessment of information security, IT general controls, assurance, and risk management. Covers discussions with executives and management and addressing concerns of C-level executives.

★★★★
Issuer: IIA
Country: Multi

Guidance for internal auditors and management on the effective management, audit, measurement, and business case development for stringent control over changes to technology systems.

Issuer: IIA
Country: Multi

Guidance for internal audit managers on the effective use of technology in support of continuous monitoring and auditing of information systems.

Issuer: IIA
Country: Multi

Guidance on assessing and redressing privacy risks, aimed at internal auditors and managers. Includes abstracts of key privacy frameworks and guidance on privacy assessments.

Issuer: IIA
Country: Multi

Guidance for the assessment of vulnerability management practices, including specific managerial recommendations. Developed for audit executives and internal auditors.

Issuer: IIA
Country: Multi

Guidance on the assessment and audit of application controls, relation of application controls to general controls, scoping of a risk-based control review, and execution of application control reviews. Developed for internal audit executives and auditors.

Issuer: IIA
Country: Multi

General guidance for internal auditors and management on identity and access management (IAM) concepts, processes, and audit.

Issuer: IIA
Country: Multi

A methodology aimed at management and external auditors for identification of key IT controls as part of a top-down, risk-based scoping of IT risks.

Issuer: IIA
Country: Multi

A methodology for the identification of key controls essential to achieving business goals and objectives. Primarily for internal audit practitioners, but also useful for IT and security managers.

Issuer: IIA
Country: Multi

Aimed at internal auditors and management, an approach for the evaluation of IT general control deficiencies identified during the annual SOX assessments of internal controls over financial reporting.

Issuer: NIST
Country: US

To encourage more widespread adoption of interoperable health information technology, the American Recovery and Reinvestment Act of 2009 calls for the Office of the National Coordinator (ONC) for Health IT, in consultation with NIST, to recognize a prog ...

Issuer: US FFIEC
Country: US

A chapter of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) providing guidance to examiners and financial institutions on audit roles and responsibilities. General action indication ...

Issuer: ISACA
Country: Multi

Guidance on the design, conduct and reporting of IT audit and assurance assignments. Standards for IT audit and assurance roles and responsibilities, knowledge and skills, conduct, and reporting requirements.

Issuer: NIST
Country: US

Asset identification plays an important role in an organization's ability to quickly correlate different sets of information about assets. NISTIR 7693 provides the necessary constructs to uniquely identify assets based on known identifiers and/or known in ...

Issuer: OCEG
Country: Multi

Framework of issues and processes involved in an internal audit of a compliance and ethics program. Designed primarily for internal auditors, secondarily for directors, executives and other senior managers charged with governance. (Paid membership require

Issuer: ISECOM
Country: Multi

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, ...

Issuer: OWASP
Country: Multi

The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available ...

Issuer: BITS
Country: US

Assessment firms use the AUP to perform objective and consistent service provider evaluations. Service providers use AUP reports to provide consistent information to a range of clients and reduce or eliminate the need for on-site audits. Service provide ...

Issuer: BITS
Country: US

Outsourcers use the SIG as a default questionnaire to streamline vendor assessments. For vendors, the SIG provides a repeatable response to proprietary questionnaires from clients.

Issuer: The Open Group
Country: Multi

This Guide identifies and describes the key characteristics that make up any effective risk assessment methodology, thus providing a common set of criteria for evaluating any given risk assessment methodology against a clearly defined common set of essent ...