Scope
The scope of this IT infrastructure audit is to ensure the company maintains a high degree of compliance for efficient operation. The audit will also establish whether all the procedures and laws stipulated by the government are followed accordingly.
Goals and Objectives
The goal of our IT infrastructure audit is to establish an accurate, workable procedure. The process will begin by constituting a committee to steer the audit process. The members of the committee must be representatives of the various departments in the company, so that the final policies tabled will capture the interests of every department. The objective is to establish whether the company is operating in compliance with the required set of laws and regulations.
Frequency of the Audit
The type of auditing procedure will, however, determine how often the company should run audits. Audits conducted to establish the profitability of a new product are run monthly, while an in-depth audit is conducted annually or semiannually. The IT infrastructure audit will be conducted quarterly and will span all the departments in the company.
Duration of the Audit
The IT infrastructure audit will be conducted over three months. The first four weeks will specifically be designated for planning, four weeks for fieldwork, and the last four for the compilation of the audit report. Over this time, the auditing committee will be working round the clock to meet the objectives of the audit.
Critical Requirements for the Audit
Periodic running of audits in a company is motivated by the target the company sets to attain compliance, which ensures the company is operating lawfully. The IT infrastructure audit will be conducted in accordance with the state-stipulated rules and regulations that govern the company. Failure of the company to adhere to these rules attracts hefty penalties and fines, but worst of all the company will lose its reputation and will likely lose investors. The standard operating procedure will entail assessing the reviews of the management to understand the working of the system. The system will then be evaluated by the auditing committee based on the reviews. Development and deployment of the information system audit policy will entail accessing the company's communication platforms to ensure that the policy has been followed throughout. The selection of tools will be through evaluating the systems to safeguard any critical information. To determine the activities to be audited, the auditing committee will be required to collect reviewed data on the current situation of the company.
Privacy Laws that Apply to my Organization
For the case of a company that provides healthcare, there are many policies the company has to comply with. Most of these policies span from the individual health concerns of patients to the role of every department in the company. Some of the laws specific to this line of business include HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health). The first law makes sure institutions take precautions to safeguard the health information of their clients, while the latter analyses personal health information to establish any form of breach during data handling. The emphasis will mostly be on the IT department, which is responsible for the storage and protection of data. The second department to undergo scrutiny is the accounting department, since it is responsible for funding the IT department's purchases. The policies will, therefore, be constituted at the department level.
Developing a plan for assessing IT security for your chosen organization by conducting the following:
Risk management – risk being the most crucial aspect of operating a company, there must be policies stating how the company should address risks. The most suitable approach is to categorize risk into high, moderate, and low. Low risks can easily be countered and are unlikely to be problematic for the company. IT risk management includes measures such as fraud prevention, identity and access management, threat detection, and integrated risk management.
Threat analysis – threat analysis entails investigating anything that threatens the regular operation of the company. It assesses all the possibilities and cyber activities that pose a danger to client information. Threat analysis will take into account both the external and internal vulnerabilities in the organization's system that may expose it to cyber-attacks. The most common forms of threat to the company are hacking activities or gross misconduct by an employee, such as selling company information. Measures should, therefore, be put in place to counter these forms of threats.
Vulnerability analysis – refers to the process aimed at isolating the risks and threats associated with using technology. It is a critical analysis conducted by the company to identify loopholes in the system that leave the company vulnerable. Vulnerabilities can be identified through running internal audits, authorized testing (hacking) of the system, or a company employee bringing them to the attention of company management. Vulnerability analysis is beneficial to the company since it helps the organization to anticipate loopholes in the systems and prevent cyber-attacks.
Risk assessment analysis – assessment of risk entails measuring the magnitude of risks and predicting the level of damage that can be caused (Piercey, 2011). This assessment will enable the company to make a presumption on which threats will be absorbable and which risks will require more preparation to counter. High hazards include hacking activities that will lead to client information landing in the hands of outsiders.
How to obtain information, documentation, and resources for the audit
Information is the most important component of an audit process. Collection and evaluation of information allows the auditor to gain insight into the controls, risk management, and governance of a particular organization. For the auditor to evaluate effectiveness in an organization, they need facts on the various subject matters in the organization in order to compare them with the stipulated criteria and establish any variations and violations. The information collected needs to be sufficient, reliable, relevant, and useful for it to yield accurate audit results. Auditors can gather information through self-completed surveys, questionnaires, walk-throughs, and one-to-one interviews with employees. The first step is to understand what resources will be required for the completion of the audit process. The necessary resources are then obtained in preparation for the beginning of auditing. The auditing will begin by inspecting the company data to determine whether it will be helpful to the audit process. The stage of obtaining data and documentation is necessary since this information will be the basis for the reviews deliberated by the audit committee. The audit committee will, therefore, observe how the company is currently conducting its operations and draw a comparison with what the law stipulates. It will be the job of the audit committee to observe and ensure all the procedures were followed in the acquisition of IT products for the company. As to which resources are appropriate for the audit, the auditor will use the scope and objectives of the audit process to establish the subject matter to analyze and hence which sources will be necessary.
Analysis of Domains and a Rationale for Alignment
The seven domains of IT infrastructure include the system application domain, remote access domain, WAN domain, LAN domain, LAN-to-WAN domain, workstation domain, and user domain. The system application domain ensures that all the applications are installed on the computers. These applications will ensure efficiency in the day-to-day activities since they provide the user-facing interface. The remote access domain enables the company to establish a working communication interface to relay information through all levels of the company. The remote users will be connected through a routed company domain, with the internet being the primary medium among others such as VPN and Skype. WAN stands for wide area network. The WAN domain is responsible for connecting all the remote sites outside the company. The WAN domain will enable a smooth flow of information through all the branches of the company. LAN stands for local area network. The LAN domain will allow connectivity between all the departments residing in the company. Office devices such as computers, access points, and printers operate within the LAN domain. LAN is only suitable in close proximity, compared to WAN, which is extensive in its reach. The workstation domain connects all the computers in the company to the same network, from where the company can access, monitor, and audit them at any time. These computers will, therefore, be able to access the company network. The user domain contains the network login accounts and passwords private to every employee (Rostad & Edsberg, 2006). The domain will enable the employees to gain access to the company information available on the network. Only employees entitled to network access can use the user domain.
Plan
The best plan will provide a reasonable approach to all the security policies and procedures put in place, to determine whether they are already working. The company can be audited by checking the reviews of the executive members and the human resource department. Verification of the controls supporting the policies will ensure that any changes made to the policies do not affect the compliance of the company. The company can address this by creating a task force that will be in charge of the oversight role and suggest the controls needed in a given situation. Verification of the effective implementation and ongoing monitoring of controls will be done by running audits to ensure all the departments comply with the policy put in place.
Critical Security Control Points
Security control is crucial to the IT infrastructure since it plays an essential part in the formation of the policies and procedures governing the company. Problems tend to be rampant whenever there is a lack of security controls in a company. The seven domains play a leading role in ensuring the safety of company information. Use of firewalls as a security measure to prevent outsiders from gaining access to the company network will safeguard company information. Implementation of security control measures is a continuous process, since newer technologies come with more sophisticated specifications, hence demanding constant change of policies and procedures. The user domain ensures that only employees with access have the right to use company information. Any kind of malice or misconduct by an employee is punishable by the company executive under the company code of conduct. When the user domain changes, such as when an employee ceases working for the company, all rights to company information are suspended. Company policy will then revoke the rights of the user in Active Directory. All the files will be copied to the server before the user is permanently removed from the user access interface.
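The user-domain control just described (suspend access, revoke rights in Active Directory, copy the user's files to the server, then retire the account) can be carried out as one repeatable, logged procedure so the audit committee has evidence that each step ran. The script below is an added example written for this page, not a procedure from the essay or any cited source; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the operator holds delegated rights on the user OU, and that the archive share, holding OU and evidence-file paths (all placeholders here) are replaced with the organization's own.

```powershell
# Added example: offboarding sequence for the user domain control described above.
# Assumes the ActiveDirectory module (RSAT) and delegated rights on the user OU.
# The share path, OU name and audit log path are placeholders, not real values.
Import-Module ActiveDirectory

function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $TicketId,              # HR/change ticket authorizing the action
        [string] $ArchiveRoot = '\\fileserver\offboarding$',     # placeholder archive share
        [string] $DisabledOu  = 'OU=Disabled Users,DC=example,DC=local', # placeholder holding OU
        [string] $AuditLog    = 'C:\AuditLogs\offboarding.csv'   # placeholder evidence file
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties HomeDirectory, MemberOf

    # 1. Suspend access at once: disable the account and replace the password
    #    with a random value so cached credentials cannot be reused.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account')) {
        Disable-ADAccount -Identity $user
        $randomPw = ConvertTo-SecureString -AsPlainText ([guid]::NewGuid().ToString()) -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $randomPw
    }

    # 2. Revoke rights: remove every group membership (MemberOf does not list
    #    the primary group, Domain Users, which remains until the object is removed).
    foreach ($groupDn in $user.MemberOf) {
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove $SamAccountName")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }

    # 3. Copy the user's files to the server archive before the account is retired.
    $archived = $false
    if ($user.HomeDirectory -and (Test-Path $user.HomeDirectory)) {
        $dest = Join-Path $ArchiveRoot $SamAccountName
        if ($PSCmdlet.ShouldProcess($user.HomeDirectory, "Archive to $dest")) {
            robocopy $user.HomeDirectory $dest /E /COPY:DAT /R:2 /W:5 /NP /LOG+:"$dest.robocopy.log" | Out-Null
            $archived = $LASTEXITCODE -lt 8   # robocopy exit codes 0-7 mean no copy failures
        }
    }

    # 4. Move the disabled object to a holding OU instead of deleting it immediately;
    #    keeping the object preserves its SID so earlier log entries still resolve to a name.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $DisabledOu")) {
        Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format s) ticket $TicketId"
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    }

    # 5. Record evidence for the audit committee.
    [pscustomobject]@{
        Timestamp      = (Get-Date).ToString('s')
        Operator       = $env:USERNAME
        SamAccountName = $SamAccountName
        TicketId       = $TicketId
        GroupsRemoved  = @($user.MemberOf).Count
        FilesArchived  = $archived
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
}

# Dry run first, then the real operation:
# Invoke-UserOffboarding -SamAccountName jdoe -TicketId HR-0001 -WhatIf
# Invoke-UserOffboarding -SamAccountName jdoe -TicketId HR-0001
```

Because the function supports -WhatIf, the auditor can see every account, group and path the procedure would touch before anything changes, and the appended CSV row is the per-user evidence that the control ran. Deleting the object is left as a later, separately approved step once the retention period for the archived files has passed.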
Parameters required to conduct and Report on IT Infrastructure Audits for Organizational Compliance
Parameters required to conduct IT infrastructure audits include emerging technologies, cybersecurity, integrated assurance, third-party relationships, and regulatory compliance. Emerging technology interferes with the day-to-day operations of the company. The adoption of newer technologies calls for new ways of working, hence increasing the possibility of risks (Coderre & Police, 2005). Methods should be set up to ensure early detection and prevention of such threats through proper training of employees. Cybersecurity is another important parameter. Extensive use of technology in companies has brought with it the risk of cyber-attacks. All the systems and servers in the company should, therefore, be secured to prevent cyber-related crimes. Integrated assurance takes charge of the risks that the company is likely to face. It enlists any laws and policies stipulated by the government and ensures the company operates by them. Third-party relationships require safety measures against the access of private information by outsiders. This parameter entails legal and compliance risks, reputation, and data security. Regulatory compliance stipulated by state, national, and international regulating bodies tends to vary with time. The audit will, therefore, use this parameter to evaluate whether responses to the given regulations were cost-effective or inherent in any way. The regulatory compliance framework delivers assurance connected to operational effectiveness.
Components and Basic requirements for creating an Audit plan to support Business and System Considerations
Components of an audit plan provide the expectations and doctrines that govern the audit committee. The primary purpose of these components is to ensure the company maintains compliance with, and operates by, the specified regulations. In the event that the planned audit procedure proves ineffective, alternative audit procedures will be employed. Alternative audit procedures are the extra audit tests conducted for confirmation. At the end of the auditing process, the auditing team will be required to pinpoint any apparent form of litigation against the company being audited.
Conclusion
The audit process will begin by instituting a committee mandated with the running of the audit process. The committee members must be representatives of the various departments in the company, so that the final policies tabled will capture the interests of every department. The audit process will last for three months, with planning, fieldwork, and the compilation of the audit report each allocated four weeks. The seven domains of IT infrastructure include the system application domain, remote access domain, WAN domain, LAN domain, LAN-to-WAN domain, workstation domain, and user domain. Each of the domains plays a role in the IT infrastructure and is therefore crucial to evaluate during the audit process. Parameters required to conduct IT infrastructure audits include emerging technologies, cybersecurity, integrated assurance, third-party relationships, and regulatory compliance. These parameters provide the basis on which the auditing team will draw conclusions about the company. The results of the audit are compiled and handed to the responsible authorities for approval and action.
References
Coderre, D., & Police, R. C. M. (2005). Global technology audit guide: Continuous auditing implications for assurance, monitoring, and risk assessment. The Institute of Internal Auditors, 1-34.
Piercey, M. D. (2011). Documentation requirements and quantified versus qualitative audit risk assessments. Auditing: A Journal of Practice & Theory, 30(4), 223-248.
Rostad, L., & Edsberg, O. (2006, December). A study of access control requirements for healthcare systems based on audit trails from access logs. In 2006 22nd Annual Computer Security Applications Conference (ACSAC'06) (pp. 175-186). IEEE.