
Running head: “AN IT INFRASTRUCTURE AUDIT FOR COMPLIANCE” 1

IT INFRASTRUCTURE AUDIT FOR COMPLIANCE

NAME

INSTITUTION

Planning an IT Infrastructure Audit for Compliance

The chosen organization is ORIX. Established more than 25 years ago as the U.S. subsidiary of ORIX Corporation, ORIX USA has grown into a diversified financial services company that provides investment capital, asset management and financial advisory services to clients in the corporate, real estate and public finance sectors. The primary purpose of its IT division is to support new technology and the IT needs of the business.

Definitions of the Following Items at ORIX IT

Scope

The audit scope at ORIX is based mainly on the risk assessment and management plan. This risk assessment exercise is carried out at least once every four years. At ORIX there are different types of IT audits and reviews, performed every year or every second or third year. Besides infrastructure audits for compliance, examples include reviews specific to IT processes such as operations and software development, and finally integrated audits in which financial controls are the main focus.

Goals and Objectives

Like the scope, the specific audit goals and objectives are derived from the risk assessment exercise at ORIX. Goals and scope are tightly connected: ORIX management understands that for an audit to be effective, its scope must reflect the objectives of the audit. Setting goals is one of the standard responsibilities of ORIX top management, which supports those goals with a set of objectives. The objectives are communicated throughout the organization through policies, and the policies set the standards that drive the business to meet its objectives. This applies to IT security policies as well as to policies across ORIX.

ORIX pursues the following three chief goals for an effective IT security audit program:

• Provide an independent and impartial review of management's information systems, controls and policies.

• Deliver reasonable assurance that appropriate and effective IT controls are in place in each department.

• Offer audit recommendations for corrective actions and improvements to access controls.

Examples of ORIX's IT audit objectives, derived from COBIT practice, are:

• Does management ensure that internal controls are effective and efficient?

• Are sufficient privacy, integrity, confidentiality and availability controls in place for data security?

Frequency of the Audit

At ORIX, the frequency of IT audits and reviews varies with the risk. Controls on critical systems are checked more often than non-critical controls, and in higher-risk situations automated or continuous audit tests are applied rather than periodic manual reviews.

Duration of the Audit

The audit duration for every kind of IT audit includes the time spent on site at ORIX's offices and the time spent off site on document review, preparation, communication with ORIX employees, and report writing.

Critical Requirements of the Audit for ORIX’s IT

The results of the IT risk assessment exercise always have a significant effect on the critical requirements of an audit at ORIX. System auditors at ORIX group the critical requirements of the audit into two classes of controls: general controls and application controls. General controls apply broadly to all system components across ORIX. Application controls must be implemented for each individual application system, for example the General Ledger, CRM and Asset Management modules; the types of application control include the various transaction controls, such as input, processing and output controls. The external auditors at ORIX follow the NIST IT security control model, which comprises operational, management and technical controls.

A critical requirement of the IT audit at ORIX therefore revolves around these three basic classes of security controls. Management controls are typically addressed by management as a major part of the overall security program; examples include the security policy, security program management, risk management, security planning across the computer system life cycle, and assurance. Operational controls are measures carried out by people rather than by systems; examples include personnel and home user issues, incident handling and response, disaster and contingency planning, awareness, training and education, computer support, environmental and physical security, and system operations. Technical controls are those performed by systems; examples include identification and authentication, logical access control, audit trails, and cryptography for network files and documents (Buecker, et al., 2010).

ORIX's IT planning and infrastructure audit assessment requirements further group controls as preventive, detective or corrective. A preventive control acts against a specific risk before it occurs. A detective control identifies that a threat is present or has occurred. A corrective (recovery) control reduces the effects of a risk once it has materialized.

Privacy Laws for ORIX IT

ISACA defines privacy protection within information systems as "adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject). An organization is responsible for complying with privacy in accordance with its privacy policy or applicable privacy laws and regulations." (Data Privacy, 2010).

At ORIX, the Generally Accepted Privacy Principles (GAPP) are applied to data privacy. Other applicable corporate laws include Sarbanes-Oxley, which strengthens corporate accountability. PCI DSS requirements are also followed at ORIX because its e-business division runs a nationwide point-of-sale system for various merchants; the PCI DSS scope therefore covers every system that stores, processes or transmits cardholder data, and every system connected to those. The Chief Information Security Officer (CISO) is responsible for privacy and data protection within the organization; the CISO role is defined this way because no separate Chief Privacy Officer (CPO) position has been created.

A Plan for Assessing IT Security for ORIX IT

The established plan for assessing IT security consists of the following steps:

a. vulnerability analysis

b. threat analysis

c. risk assessment

d. risk management

The audit plan is typically divided into three phases:

• Preliminary planning

• Execution

• Reporting.

For the risk assessment, the practical audit plan concentrates on the execution and reporting phases, since the scope, the planning and the assessment areas have already been identified. The following ten distinct areas will be evaluated against the ISO 27001 framework, with the control statements taken from the NIST SP 800-53 catalogue (the AC, CA, CP and MA families listed below). Within every area, system (automated), manual or hybrid controls will be checked. The responsibility assignment matrix and the implementation status of each control (for example planned, in place, not implemented, or not applicable) will be determined through this analysis and audit preparation.
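The steps above (vulnerability and threat analysis, risk assessment, risk management) and the per-control implementation status recorded during preparation can be turned into a review schedule that follows the risk-driven frequency described earlier. The script below is an added example and not ORIX's own method or tooling: each assessed area is rated for likelihood and impact, the controls covering it are credited according to their recorded status, and the residual score maps to a review cadence. The 1 to 5 scales, the status weights, the cadence thresholds and the sample areas (including their control labels) are assumptions made for illustration.

```python
"""Added example: risk-driven audit planning over the assessed control areas.
Not ORIX's method; scales, weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field

# Credit given to a control according to the implementation status recorded
# during audit preparation (assumed weights; "not applicable" is left out).
STATUS_WEIGHT = {
    "in place": 0.8,
    "planned": 0.2,
    "not implemented": 0.0,
    "not applicable": None,
}
CONTROL_KINDS = {"system", "manual", "hybrid"}


@dataclass
class Control:
    control_id: str   # label used in the working papers, e.g. "AC-2"
    status: str       # a key of STATUS_WEIGHT
    kind: str         # system (automated), manual or hybrid

    def __post_init__(self):
        if self.status not in STATUS_WEIGHT:
            raise ValueError(f"{self.control_id}: unknown status {self.status!r}")
        if self.kind not in CONTROL_KINDS:
            raise ValueError(f"{self.control_id}: unknown kind {self.kind!r}")


@dataclass
class Area:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: ratings must be 1..5, got {v}")


def inherent_risk(area: Area) -> int:
    """Risk before controls: likelihood x impact, 1..25."""
    return area.likelihood * area.impact


def control_coverage(area: Area) -> float:
    """Mean credit over the applicable controls; 0.0 when none is applicable."""
    weights = [STATUS_WEIGHT[c.status] for c in area.controls]
    weights = [w for w in weights if w is not None]
    return sum(weights) / len(weights) if weights else 0.0


def residual_risk(area: Area) -> float:
    """Inherent risk reduced by the coverage the controls currently provide."""
    return round(inherent_risk(area) * (1 - control_coverage(area)), 2)


def review_frequency(residual: float) -> str:
    """Higher residual risk means more frequent review (assumed thresholds)."""
    if residual >= 10:
        return "continuous / automated tests"
    if residual >= 5:
        return "annual"
    if residual >= 2:
        return "every second year"
    return "every third year"


def build_plan(areas):
    """One row per area, highest residual risk first; gaps lists controls not yet in place."""
    rows = []
    for a in areas:
        r = residual_risk(a)
        rows.append({
            "area": a.name,
            "inherent": inherent_risk(a),
            "coverage": round(control_coverage(a), 2),
            "residual": r,
            "frequency": review_frequency(r),
            "gaps": [c.control_id for c in a.controls
                     if c.status in ("planned", "not implemented")],
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


# Constructed sample areas with illustrative ratings (not ORIX data).
SAMPLE_AREAS = [
    Area("Access control", 4, 5,
         [Control("AC-1", "in place", "manual"), Control("AC-2", "planned", "hybrid")]),
    Area("Continuous monitoring", 3, 4,
         [Control("CA-7", "in place", "system"),
          Control("configuration change control", "in place", "hybrid")]),
    Area("Contingency planning", 2, 5,
         [Control("contingency plan", "in place", "manual"),
          Control("alternate processing site", "not applicable", "manual")]),
    Area("Maintenance", 3, 3,
         [Control("controlled maintenance", "not implemented", "manual")]),
]


def plan_sample():
    """Run the planner over the constructed sample."""
    return build_plan(SAMPLE_AREAS)


if __name__ == "__main__":
    for row in plan_sample():
        print(f"{row['area']:<22} inherent={row['inherent']:>2} residual={row['residual']:>5} "
              f"review={row['frequency']} gaps={row['gaps']}")
```

The "gaps" column is what feeds the corrective-action recommendations: an area whose residual risk is high because its controls are only planned is a different finding from one whose controls are in place but whose inherent risk is simply large, and the planner keeps the two apart.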



ACCESS CONTROL (AC), ACCESS CONTROL POLICY AND PROCEDURES (AC-1): ORIX develops, disseminates, and reviews/updates:

A. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

B. Formal, documented access control procedures to facilitate the implementation of the access control policy and the associated access controls.

ACCOUNT MANAGEMENT (AC-2): ORIX manages information system accounts, including:

A. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);

B. Establishing conditions for group membership;

C. Identifying authorized users of the information system and specifying access privileges;

D. Requiring appropriate approvals for requests to establish accounts;

E. Establishing, activating, modifying, disabling, and removing accounts (Smith, 1999).
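One way to test AC-2 items A to E in the execution phase, shown here as an added example rather than ORIX's own procedure, is to reconcile a directory account export against the HR authorization record and list the exceptions an auditor would raise: enabled accounts with no authorization record, terminated employees whose accounts are still enabled, temporary accounts past their expiry date, guest accounts left enabled, group membership beyond what was approved, and dormant accounts. The export columns, the authorization table, the 90-day dormancy threshold and every sample account are constructed assumptions.

```python
"""Added example: AC-2 account reconciliation test.
Not ORIX's procedure; the export format, the authorization record,
the dormancy threshold and the sample accounts are constructed."""
import csv
import io
from datetime import date

DORMANT_DAYS = 90  # assumed policy threshold for an unused enabled account

# Constructed directory export: one row per account (not real data).
ACCOUNT_EXPORT = """\
username,type,enabled,last_logon,expires,groups
jdoe,individual,true,2023-10-01,,Domain Users
asmith,individual,true,2023-06-01,,Domain Users;Domain Admins
tmp_vendor1,temporary,true,2023-09-20,2023-09-30,Domain Users
guest,guest,true,,,Domain Users
svc_backup,system,true,2023-10-02,,Backup Operators
bjones,individual,true,2023-09-29,,Domain Users
mwhite,individual,false,2023-01-01,,Domain Users
"""

# Constructed HR/authorization record: employment status and the groups
# that were approved for the account (AC-2 b, c and d).
AUTHORIZED = {
    "jdoe":        ("active",     {"Domain Users"}),
    "asmith":      ("active",     {"Domain Users"}),
    "tmp_vendor1": ("active",     {"Domain Users"}),
    "svc_backup":  ("active",     {"Backup Operators"}),
    "bjones":      ("terminated", {"Domain Users"}),
}


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def load_accounts(export_text):
    """Parse the CSV export into a list of normalised account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts.append({
            "username": row["username"],
            "type": row["type"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": _parse_date(row["last_logon"]),
            "expires": _parse_date(row["expires"]),
            "groups": {g for g in row["groups"].split(";") if g},
        })
    return accounts


def audit_accounts(accounts, authorized, as_of):
    """Return (username, finding_code) pairs for every AC-2 exception found."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are outside these tests
        user = acct["username"]
        record = authorized.get(user)
        if record is None:
            findings.append((user, "NO_AUTHORIZATION_RECORD"))          # AC-2 c/d
        else:
            status, approved_groups = record
            if status == "terminated":
                findings.append((user, "TERMINATED_STILL_ENABLED"))     # AC-2 e
            extra = acct["groups"] - approved_groups
            if extra:
                findings.append((user, "UNAPPROVED_GROUP:" + ",".join(sorted(extra))))  # AC-2 b/c
        if acct["type"] == "temporary" and acct["expires"] and acct["expires"] < as_of:
            findings.append((user, "TEMPORARY_ACCOUNT_EXPIRED"))        # AC-2 a/e
        if acct["type"] == "guest":
            findings.append((user, "GUEST_ACCOUNT_ENABLED"))            # AC-2 a
        last = acct["last_logon"]
        if last is None or (as_of - last).days > DORMANT_DAYS:
            findings.append((user, "DORMANT"))
    return findings


def run_sample():
    """Audit the constructed export as of a fixed date (an assumption)."""
    return audit_accounts(load_accounts(ACCOUNT_EXPORT), AUTHORIZED, date(2023, 10, 3))


if __name__ == "__main__":
    for user, code in run_sample():
        print(f"{user:<12} {code}")
```

The terminated-but-enabled case is the one to look at first: the sample shows a last logon after the HR termination date, which is exactly the gap between the HR process and the deprovisioning step (AC-2 e) that the audit exists to find.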

CONTINUOUS MONITORING (CA-7): The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:

A. A configuration management process for the information system and its constituent components;

B. A determination of the security impact of changes to the information system and its environment of operation;

C. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

D. Reporting the security state of the information system to appropriate organizational officials.

Contingency Planning

The organization:

A. Develops a contingency plan for the information system that:

• Identifies essential missions and business functions and the associated contingency requirements;

• Provides recovery objectives, restoration priorities, and metrics;

• Addresses contingency roles, responsibilities, and assigned individuals with contact information;

• Is reviewed and approved by designated officials within the organization.

B. Coordinates contingency planning activities with incident handling activities;

C. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

F. Communicates contingency plan changes to.

Maintenance (MA): Controlled Maintenance. The organization:

• Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and organizational requirements;

• Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;

• Requires that a designated official explicitly approve the removal of the information system or its components from the premises.

Analysis of the Seven (7) Domains' Alignment Within the Organization

We should first identify what each of the seven domains of a typical IT infrastructure includes, and how they can all be kept compliant.

1) USER DOMAIN

ORIX has established various policies and procedures in the user domain. For example, the acceptable use policy governs the computing behaviour of the end user. The logical access management policy deals with user privileges and access to the defined systems. The intranet and Internet usage policy sets the rules for content filtering and web browsing, and finally the email policy governs authorized communication with the outside world.

2) WORKSTATION DOMAIN

All the front-end gear/equipment including tablet, desktop, scanners, printers, handheld

contraptions controls and get to point are analyzed in framework security procedure and

physical security approach. These controls are executed upon gear interfaces, working

structures, and framework devices as an element of the information security program.

3) LAN DOMAIN

The network security policy also covers the security configuration of the login component (i.e., a consistent workstation or PC interface with the same screen timeout and wallpaper settings), the handling of denial-of-service (DoS) attacks, the control of rogue access points and ad hoc networks, and any unauthorized capture of network packets. The physical security policy covers the controls on LAN wiring, UPS, and labelled electrical outlets. The system backup policy covers the weekly and daily data backup schedule, the backup restoration procedure and the handling of backup media at ORIX Corporation.

4) LAN-TO-WAN DOMAIN

Cisco firewalls and routers, Symantec endpoint security software on the hosts behind them, and the security policy are the key elements of the LAN-to-WAN domain at ORIX. A DMZ (demilitarized zone) is also designed into the ORIX data center to contain any intruder's activity. VLANs are also applied in the company-wide LAN configuration. The network security plan is directly tied to this domain.

5) WAN DOMAIN

ORIX has implemented an MPLS network for its regional office connectivity. It is a secure, scalable and intelligent network for corporate-level WANs. The combination of MPLS application components, including Layer 2 VPNs, Layer 3 VPNs, QoS, IPv6, Traffic Engineering and GMPLS, enables the development of highly scalable, efficient and more secure corporate networks. One caveat for the audit: MPLS VPNs separate customer traffic within the carrier network but do not encrypt it, so the confidentiality of data crossing the WAN still depends on encryption at a higher layer (for example IPsec or TLS). ORIX also engages a third party to perform penetration testing of its external IP addresses every second year; since the e-business division is subject to PCI DSS, which requires penetration testing at least annually and after significant changes, the audit should check that cadence against the requirement.

6) REMOTE ACCESS DOMAIN

ORIX uses the Cisco VPN solution for remote access. Remote users and off-site employees use this application to reach the corporate systems. Identification and authentication are performed through Windows Active Directory, and all communication is encrypted by the VPN application.

7) SYSTEM/APPLICATION DOMAIN

The system acquisition policy and the SDLC policy govern the system and application domain. Secure software design and secure acquisition principles are defined in these policies. A change management process is in place at ORIX to control changes in an effective and efficient manner.

GOALS AND OBJECTIVES WITH RATIONALE FOR EACH DOMAIN

Goal: MAXIMIZING AVAILABILITY

Objective: Network outages and surviving power outages.
Rationale: Network threats and power outages can be reduced by different security procedures applied in a layered approach, for example installing a UPS to protect the computing devices, redundant WAN links from different carriers, and properly designed cabling for the LAN. This applies explicitly to the LAN-to-WAN, LAN and WAN domains.

Objective: Data recovery and backup.
Rationale: Frequent backup copies of user data, system data and logs are important components of any security plan. Data replication and storage on removable media is another way to support backup and recovery. This applies across the system, and in particular to the workstation and system/application domains.

Goal: MAXIMIZING INTEGRITY

Objective: Secure firewalls and effective antivirus programs.
Rationale: Installing and hardening firewalls to filter out unwanted traffic, and deploying antivirus software across the organization, is vital for the integrity of systems and data.

Objective: Validation checks and application controls.
Rationale: Authorization checks on input data and authentication controls in applications and the ERP system are mandatory for system integrity.

Objective: Change management.
Rationale: Authorized and effective implementation of changes to systems is an active part of the security plan.

Objective: Patch management.
Rationale: Patch management on operating systems and firmware updates on network devices are important maintenance actions for improving integrity.

Goal: MAXIMIZING CONFIDENTIALITY

Objective: Access management.
Rationale: Access administration shall be based on the need-to-know and least-privilege principles; this increases confidentiality and helps attain the security objective.

Objective: Data encryption.
Rationale: Encrypting information makes it unreadable to anyone who does not hold the decryption key. All sensitive information can be encrypted and the decryption key given only to approved users.

Plan to Examine and Verify the Existence of Relevant Security Policies and Controls

To verify the existence of the relevant security policies and procedures at ORIX, the following plan will validate the controls as stated in the table below.

Control family: ACCESS MANAGEMENT
Relevant policy: Logical Access Administration Policy
Control guidelines in policy: Account management, separation of duties, and least privilege
Supporting procedure and evidence: Change administration requests, logical access administration flow, list of employees who transferred to another department or left during the audit period, user revocation or privilege support tickets, and object authorization events

Control family: CONFIGURATION MANAGEMENT
Relevant policy: Change Management Policy
Control guidelines in policy: Baseline configuration; configuration change control
Supporting procedure and evidence: Requests for changes during the period; change administration process flow

Control family: CONTINGENCY PLANNING
Relevant policy: Incident Response Policy, Backup Policy and Contingency Planning
Control guidelines in policy: Alternate storage site; incident reporting; contingency training; incident management response
Supporting procedure and evidence: DR drill tests, DR manual, incident reporting results and mechanism, and the responsibility assignment matrix

Control family: MEDIA SECURITY
Relevant policy: Backup and Media Policy
Control guidelines in policy: Access and storage
Supporting procedure and evidence: Access to storage planning and backup media

Control family: PHYSICAL AND ENVIRONMENTAL PROTECTION
Relevant policy: Protection Policy, Physical Policy, Network Protection
Control guidelines in policy: Physical protection controls such as fire protection, CCTV and UPS
Supporting procedure and evidence: Physical controls assessments

Control family: COMMUNICATION AND SYSTEM PROTECTION
Relevant policy: SDLC Policy and Planning, System Procurement, and Network Security Policy
Control guidelines in policy: DDoS protection, boundary protection, spam protection
Supporting procedure and evidence: Baseline configurations, error handling procedure, checking and monitoring of network management systems

Identification of Critical Security Controls Throughout the IT Infrastructure

• Inventory of authorized and unauthorized devices

• Inventory of authorized and unauthorized software

• Secure configurations for hardware and software on laptops, workstations and servers (Hester & Harrison, 1998)

• Secure configurations for network devices such as firewalls, routers and switches

• Boundary defense

• Maintenance, monitoring and analysis of security audit logs

• Application software security

• Controlled use of administrative privileges

• Controlled access based on need to know

• Continuous vulnerability assessment and remediation

• Account monitoring and control

• Malware defenses

• Limitation and control of network ports, protocols and services

• Wireless device control

• Data loss prevention (Harrington, 2005)
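The "maintenance, monitoring and analysis of security audit logs" and "controlled use of administrative privileges" controls above are only as effective as the detection logic run over the collected logs. The script below is an added example of such logic, not ORIX's tooling: it parses a constructed key=value export of Windows Security events, raises a finding when one account accumulates five failed logons (event 4625) within five minutes, flags a successful logon (4624) that follows such a burst, and flags any addition to an administrative group (events 4728 and 4732) performed by an account outside an approved administrator list. The event IDs are the real Windows ones; the export format, the thresholds, the approved-actor list and the sample lines are assumptions.

```python
"""Added example: detection logic over security audit log lines.
Not ORIX's tooling; the line format, thresholds, approved-actor list
and sample lines are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Windows Security event IDs (real); the export format around them is assumed.
EV_LOGON_OK, EV_LOGON_FAIL = "4624", "4625"
EV_GLOBAL_GROUP_ADD, EV_LOCAL_GROUP_ADD = "4728", "4732"

ADMIN_GROUPS = {"Domain Admins", "Administrators"}
APPROVED_ADMIN_ACTORS = {"admin.ops"}   # assumed: accounts allowed to change admin groups
BURST_THRESHOLD = 5                     # failed logons ...
WINDOW_SECONDS = 300                    # ... within this many seconds

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample export (not real log data).
SAMPLE_LOG = """\
2023-10-03T08:00:01Z FS01 EventID=4625 TargetUser=jdoe SourceIP=10.0.5.12
2023-10-03T08:00:03Z FS01 EventID=4625 TargetUser=jdoe SourceIP=10.0.5.12
2023-10-03T08:00:05Z FS01 EventID=4625 TargetUser=jdoe SourceIP=10.0.5.12
2023-10-03T08:00:07Z FS01 EventID=4625 TargetUser=jdoe SourceIP=10.0.5.12
2023-10-03T08:00:09Z FS01 EventID=4625 TargetUser=jdoe SourceIP=10.0.5.12
2023-10-03T08:00:15Z FS01 EventID=4624 TargetUser=jdoe SourceIP=10.0.5.12
2023-10-03T08:10:00Z FS01 EventID=4625 TargetUser=asmith SourceIP=10.0.7.3
# comment line that does not match the format and is skipped
2023-10-03T09:30:00Z FS01 EventID=4625 TargetUser=asmith SourceIP=10.0.7.3
2023-10-03T09:31:00Z DC01 EventID=4728 Actor=svc_helpdesk Group="Domain Admins" Member=bjones
2023-10-03T09:45:00Z DC01 EventID=4728 Actor=admin.ops Group="Domain Admins" Member=cwong
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {key: (quoted if quoted else bare)
              for key, quoted, bare in KV_RE.findall(m.group("rest"))}
    fields["ts"] = ts
    fields["host"] = m.group("host")
    return fields


def analyze(log_text):
    """Return findings as (code, subject, detail, timestamp) tuples, in log order."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> failure timestamps inside the window
    burst_seen_at = {}                     # user -> time the last burst was raised
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "EventID" not in ev:
            continue
        eid, ts = ev["EventID"], ev["ts"]
        if eid == EV_LOGON_FAIL:
            user = ev.get("TargetUser", "?")
            window = recent_failures[user]
            window.append(ts)
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()           # drop failures older than the window
            if len(window) >= BURST_THRESHOLD:
                burst_seen_at[user] = ts
                window.clear()             # one finding per burst
                findings.append(("FAILED_LOGON_BURST", user, ev.get("SourceIP", "?"), ts))
        elif eid == EV_LOGON_OK:
            user = ev.get("TargetUser", "?")
            last_burst = burst_seen_at.get(user)
            if last_burst is not None and (ts - last_burst).total_seconds() <= WINDOW_SECONDS:
                findings.append(("LOGON_AFTER_FAILED_BURST", user, ev.get("SourceIP", "?"), ts))
        elif eid in (EV_GLOBAL_GROUP_ADD, EV_LOCAL_GROUP_ADD):
            if ev.get("Group") in ADMIN_GROUPS and ev.get("Actor") not in APPROVED_ADMIN_ACTORS:
                findings.append(("UNAPPROVED_ADMIN_GROUP_CHANGE",
                                 ev.get("Member", "?"), ev.get("Actor", "?"), ts))
    return findings


if __name__ == "__main__":
    for code, subject, detail, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {code:<30} {subject} ({detail})")
```

A burst followed by a success is reported separately from the burst itself because it changes the response: the first is an attempt, the second is a probable compromise that needs the session terminated and the password reset, which is the distinction an incident-response procedure depends on.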

Plan with Adequate Controls to Meet High-Level Defined Control Objectives

An audit plan is a mandatory step before trustworthy audit results and reporting can be produced. The audit plan with adequate controls to meet the high-level defined control objectives at ORIX needs to have the following controls and control objectives.

Adequate Security Controls and Control Objectives

Security Awareness and Training: Security Awareness; Security Training; Training Records

Access Control: Account Management; Separation of Duties; Least Privilege

Security Assessment and Authorization: Plan of Action and Milestones; Security Authorization

Audit and Accountability: Audit Record Retention; Auditable Events (Johnson, 2011)

Contingency Planning: Contingency Training; Alternate Storage Site

Configuration Management: Baseline Configuration; Configuration Change Control

Incident Response: Incident Handling; Incident Monitoring; Incident Reporting

Identification and Authentication: Identifier Management; Cryptographic Module Authentication

Media Protection: Media Storage; Media Access; Media Marking

Maintenance: Controlled Maintenance; Maintenance Tools

Planning: Security Plan; Privacy Impact Assessment

Physical and Environmental Protection: Physical Access Controls; Visitor Control; Fire Protection

Risk Assessment: Security Categorization; Vulnerability Scanning

Personnel Security: Personnel Screening; Personnel Termination

System and Services Acquisition: Allocation of Resources; Security Engineering Principles

System and Communications Protection: Denial of Service Protection; Boundary Protection

Program Management: Enterprise Architecture; Risk Management Strategy

System and Information Integrity: Malicious Code Protection; Spam Protection; Error Handling

Source: (Solomon & Weiss, 2010)



REFERENCES

Buecker, A., Amado, J., Lorentz, C., Druker, D., IBM Redbooks, & Tan, R. (2010). IT Security Compliance Management Design Guide with IBM Tivoli Security Information and Event Manager. IBM Redbooks.

Harrington, J. L. (2005). Network Security: A Practical Approach. Academic Press.

Hester, R. E., & Harrison, R. (1998). Risk Assessment and Risk Management. Royal Society of Chemistry.

Johnson, M. (2011). Network Monitoring: What You Need to Know for IT Operations Management. Emereo Pty Limited.

Solomon, M., & Weiss, M. (2010). Auditing IT Infrastructures for Compliance. Jones & Bartlett Publishers.
