The Basics of IT Audit

Currently available from Syngress (an imprint of Elsevier) and major booksellers is The Basics of IT Audit: Purposes, Processes, and Practical Information, a book by Stephen Gantz that provides a thorough, yet concise (220 pages) overview of IT auditing. Packed with specific examples, this book gives insight into auditing processes and procedures associated with major methodologies and frameworks and explains regulations and standards that drive internal and external IT auditing activities. It offers a useful introduction for those new to IT auditing but also covers U.S. and international audit topics in sufficient breadth to appeal to experienced IT auditors and managers. The book is available from and many online retailers as well as the publisher’s online store.

The book explains the unique aspects of IT auditing compared to other major forms, such as financial, operational, and quality audits, and also highlights many areas of commonality. It addresses both internal and external auditing and provides references to a wide variety of standards, methodologies, and sources of guidance on effective auditing practices. Consistent with other titles in the Syngress Basics series, The Basics of IT Audit complements more extensive or prescriptive handbooks available in the marketplace by pointing out the key procedural elements common to virtually all audit methodologies. Intended for an audience that includes IT professionals and operational staff that may be subject to audits as well as those performing audits, the book places IT auditing in the proper context supporting broader governance, risk management, and compliance practices.

FISMA and the Risk Management Framework

In November 2012 Syngress (an imprint of Elsevier) published FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security, by Stephen Gantz and Dan Philpott. This book provides a comprehensive treatment of information security and risk management practices governing data and systems in U.S. government agencies, including requirements under the Federal Information Security Management Act of 2002 and a wide variety of other legislative, regulatory, and policy drivers. From the publisher’s website:

“If you are responsible for meeting federal information security requirements such as FISMA, this book is all you need to know to get a system authorized. Now in the first full revision of FISMA since its inception in 2002, a new wave of stronger security measures is now available through the efforts of the Department of Defense, Office of the Director of National Intelligence, Committee for National Security Systems and the National Institute of Standards and Technology. Based on the new FISMA requirements for 2011 and beyond, this book catalogs the processes, procedures and specific security recommendations underlying the new Risk Management Framework. Written by an experienced FISMA practitioner, this book presents an effective system of information assurance, real-time risk monitoring and secure configurations for common operating systems.

The book is available from and other online retailers.

Privacy and Security Considerations for EHR Incentives and “Meaningful Use”

When the HHS Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) published the rules under which health care providers and professionals can qualify for financial incentives to fund adoption of EHR technology by demonstrating “meaningful” use of the technology, they included just one security measure (and a set of security standards and functional criteria EHR systems must support) and nothing on health data privacy. Articles on security and privacy implications of meaningful use were published in the April 2010 issue of the Computer Security Institute’s Alert (an issue focused on health IT security) and in the May 2010 issue of the Privacy Advisor and Privacy Tracker, both publications of the International Association of Privacy Professionals. The article was also accepted for publication by the peer-reviewed ISACA Journal. Available for download is a somewhat expanded version of these articles on Privacy and Security Considerations for EHR Incentives and “Meaningful Use”, including recommendations to health care organizations seeking to qualify for incentive funding under meaningful use.

Claims-Based Identity Management in HIEs

The September 2009 issue of the Computer Security Institute’s Alert, which focused on claims-based identity management, included an article written by Stephen Gantz on identification and authentication challenges related to health information exchange, and some ways in which claims-based approaches could be applied to those challenges. You can read a slightly expanded version of the article here on

Trust as a Prerequisite to Health Information Exchange

The March 2009 issue of the Privacy Advisor, the monthly newsletter of the International Association of Privacy Professionals (IAPP), featured an article written by Stephen Gantz on privacy considerations and the importance of establishing a basis of trust among organizations that intend to exchange electronic health records and other sensitive personal information. The newsletter is distributed in hard copy to IAPP members and made available electronically to members as well; you can read a reprint of the article here on