
Information security audit

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes.[1] Within the broad scope of auditing information security there are multiple types of audits with different objectives. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

When centered on the Information technology (IT) aspects of information security, it can be seen as a part of an information technology audit. It is often then referred to as an information technology security audit or a computer security audit. However, information security encompasses much more than IT.

An information security audit typically covers the following areas:

Security policy and standards

Organizational and Personal security

Communication, Operation and Asset management

Physical and environmental security

Access control and Compliance

IT systems development and maintenance

IT security incident management

Disaster recovery and business continuity management

Risk management

Jobs and certifications in information security

Information Security Officer (ISO)

Information Security Officer (ISO) is a relatively new position, which has emerged in organizations to deal with the aftermath of chaotic growth in information technology and network communication. The role of the ISO has been nebulous because the problem it was created to address was never defined clearly. In practice the ISO's role has become one of following the dynamics of the security environment and keeping the organization's risk posture balanced.[8]

Certifications

Information systems audits combine the efforts and skill sets of the accounting and technology fields. Professionals from both fields rely on one another to ensure the security of information and data, and this collaboration has improved the security of information systems over time. In an information systems audit, the role of the auditor is to examine the company's controls over the security program and to report the operating effectiveness of those controls in an audit report. The Information Systems Audit and Control Association (ISACA), an information technology professional organization, promotes gaining expertise through various certifications.[9] These certifications benefit both external and internal personnel of the system. Examples of certifications that are relevant to information security audits include:

Interception: Data that is being transmitted over the network is vulnerable to being intercepted by an unintended third party who could put the data to harmful use.

Availability: Networks now span hundreds or thousands of miles, and many users rely on them to reach company information; lost connectivity can cause business interruption.

Access/entry point: Networks are vulnerable to unwanted access. A weak point in the network can expose that information to intruders and can also provide an entry point for viruses and Trojan horses.[10]

Types of audits

Encryption and IT audit

In assessing the need for a client to implement encryption policies for their organization, the Auditor should conduct an analysis of the client's risk and data value. Companies with multiple external users, e-commerce applications, and sensitive customer/employee information should maintain rigid encryption policies aimed at encrypting the correct data at the appropriate stage in the data collection process.[11]


Auditors should continually evaluate their client's encryption policies and procedures. Companies that are heavily reliant on e-commerce systems and wireless networks are extremely vulnerable to theft and loss of critical information in transmission. Policies and procedures should be documented and carried out to ensure that all transmitted data is protected.


The auditor should verify that management has controls in place over the data encryption management process. Access to keys should require dual control; keys should be held as two separate components (split knowledge) so that no single person can reconstruct them, and the components should be maintained on a system that is not accessible to programmers or outside users. Furthermore, management should attest that encryption policies ensure data protection at the desired level and verify that the cost of encrypting the data does not exceed the value of the information itself. All data that must be retained for an extended period should be encrypted and transported to a remote location, and procedures should be in place to confirm that all encrypted sensitive information arrives at that location and is stored properly. Finally, the auditor should obtain verification from management that the encryption system uses well-reviewed algorithms with adequate key lengths and complies with all applicable local and international laws and regulations. Since no encryption system is unattackable, the auditor should corroborate that attestation against the actual configuration and key-management records rather than accept it on its own.
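The split-knowledge and dual-control requirements above are procedural controls, but an auditor can test the property they rely on. The following is an added example written for this page, not code from the article or from any key-management product: it splits a key into two components with a one-time pad, shows that one component alone is consistent with every possible key, and models a two-custodian assembly ceremony with an audit trail. The custodian names, the key check value (KCV) format and the DualControlCeremony helper are assumptions made for illustration.

```python
import hashlib
import os
from dataclasses import dataclass, field


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a key into two equal-length components (one-time pad).

    component_a is uniformly random; component_b = key XOR component_a.
    Either component on its own is statistically independent of the key.
    """
    component_a = os.urandom(len(key))
    component_b = bytes(k ^ a for k, a in zip(key, component_a))
    return component_a, component_b


def combine_components(component_a: bytes, component_b: bytes) -> bytes:
    """Reassemble the key; both components are required."""
    if len(component_a) != len(component_b):
        raise ValueError("key components must have the same length")
    return bytes(a ^ b for a, b in zip(component_a, component_b))


def key_check_value(key: bytes) -> str:
    """Short fingerprint (KCV) custodians can compare without exposing the key.

    Format is an assumption for this example: first 8 hex digits of a SHA-256.
    """
    return hashlib.sha256(b"kcv:" + key).hexdigest()[:8]


def single_component_reveals_nothing(component: bytes) -> bool:
    """For a 1-byte component, show every key value is consistent with it.

    XOR-ing the component with all 256 possible values of the other component
    reaches the entire key space, so one component carries no information
    about the key. The same argument holds byte-for-byte for longer keys.
    """
    if len(component) != 1:
        raise ValueError("demonstration uses a single byte")
    reachable = {combine_components(component, bytes([x]))[0] for x in range(256)}
    return len(reachable) == 256


@dataclass
class DualControlCeremony:
    """Key-assembly ceremony: two distinct custodians each present one component.

    Hypothetical helper modelling the procedural control, not any product API.
    """
    expected_kcv: str
    presented: dict[str, bytes] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def present(self, custodian: str, component: bytes) -> None:
        if custodian in self.presented:
            raise PermissionError(f"{custodian} already presented a component")
        if len(self.presented) >= 2:
            raise PermissionError("ceremony already has two components")
        self.presented[custodian] = component
        self.audit_log.append(f"component presented by {custodian}")

    def assemble(self) -> bytes:
        # Dual control: refuse unless two different custodians have presented.
        if len(self.presented) != 2:
            self.audit_log.append("assembly refused: dual control not satisfied")
            raise PermissionError("dual control requires two distinct custodians")
        key = combine_components(*self.presented.values())
        # KCV check catches a mistyped or swapped component before the key is used.
        if key_check_value(key) != self.expected_kcv:
            self.audit_log.append("assembly failed: KCV mismatch")
            raise ValueError("assembled key does not match recorded KCV")
        self.audit_log.append("key assembled under dual control")
        return key


def demo() -> dict:
    """Run a full ceremony on a constructed 32-byte key (sample data only)."""
    key = os.urandom(32)
    component_a, component_b = split_key(key)
    ceremony = DualControlCeremony(expected_kcv=key_check_value(key))
    ceremony.present("custodian-1", component_a)
    try:
        ceremony.assemble()          # only one custodian so far: must be refused
        single_custodian_refused = False
    except PermissionError:
        single_custodian_refused = True
    ceremony.present("custodian-2", component_b)
    assembled = ceremony.assemble()
    return {
        "matches_original": assembled == key,
        "single_custodian_refused": single_custodian_refused,
        "audit_log": ceremony.audit_log,
    }


if __name__ == "__main__":
    for line in demo()["audit_log"]:
        print(line)
```

When reviewing a real key ceremony, the audit log is the evidence to ask for: it should show two distinct custodians, a refused single-custodian attempt if one was made, and a KCV match before the key was put into use.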

Logical security audit

A logical security audit follows an organized procedure. The first step in an audit of any system is to understand its components and its structure. When auditing logical security the auditor should investigate what security controls are in place and how they work. In particular, the following areas are key points in auditing logical security:

Programming

Processing

Access

Summary

An information security audit can be defined by examining the different aspects of information security. External and internal professionals within an institution have the responsibility of maintaining and inspecting the adequacy and effectiveness of information security. As in any institution, there are various controls to be implemented and maintained. To secure its information, an institution is expected to apply security measures that prevent unauthorized outside intervention. By and large, the two concepts of application security and segregation of duties are connected in many ways and share the same goal: to protect the integrity of the company's data and to prevent fraud. Application security is about preventing unauthorized access to hardware and software by having proper security measures, both physical and electronic, in place. Segregation of duties is primarily a review of individuals' access to systems and processing, ensuring that no one person holds a combination of privileges that could enable fraud. The type of audit being performed determines the specific procedures and tests to be executed throughout the audit process.
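The segregation-of-duties review described above is usually done by comparing each individual's effective entitlements against a matrix of conflicting pairs. The example below is added for this page and is not code from the article: it parses a constructed access export, aggregates entitlements per person rather than per account, and reports every conflicting pair someone holds. The conflict matrix, role names and the sample export are all constructed for illustration; a real matrix comes from the process and control owners.

```python
import csv
import io

# Conflict matrix: entitlement pairs one person must not hold together.
# Constructed for this example.
SOD_CONFLICTS = {
    frozenset({"vendor:create", "payment:approve"}),
    frozenset({"payment:create", "payment:approve"}),
    frozenset({"code:deploy_prod", "code:approve_change"}),
    frozenset({"user:create", "user:grant_admin"}),
}

# Role -> entitlements granted by that role (hypothetical role names).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor:create", "payment:create"},
    "ap_manager": {"payment:approve", "vendor:view"},
    "release_engineer": {"code:deploy_prod"},
    "change_approver": {"code:approve_change"},
    "it_admin": {"user:create", "user:grant_admin"},
}

# Constructed access export. carol holds a second account (carol_adm), so a
# check that looks at accounts in isolation misses her conflict.
SAMPLE_ACCESS_EXPORT = """\
account,person,role
alice,alice,ap_clerk
bob,bob,ap_manager
carol,carol,ap_clerk
carol_adm,carol,ap_manager
dave,dave,release_engineer
dave,dave,change_approver
"""


def load_entitlements(export_text, role_entitlements, key="person"):
    """Aggregate effective entitlements per person (default) or per account.

    Person-level aggregation is the right granularity for SoD: a conflicting
    pair split across two accounts of the same individual is still a conflict.
    An unknown role is raised rather than ignored, because a role the auditor
    cannot resolve is itself a finding.
    """
    if key not in ("person", "account"):
        raise ValueError("key must be 'person' or 'account'")
    effective = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        ents = role_entitlements.get(row["role"])
        if ents is None:
            raise KeyError(f"unknown role {row['role']!r} on account {row['account']!r}")
        effective.setdefault(row[key], set()).update(ents)
    return effective


def find_sod_violations(effective, conflicts=SOD_CONFLICTS):
    """Return (subject, (entitlement_a, entitlement_b)) for each conflict held.

    Output is sorted so that two runs over the same export are diffable and
    can be attached to the audit workpapers.
    """
    violations = []
    for subject, ents in sorted(effective.items()):
        for pair in sorted(conflicts, key=lambda p: tuple(sorted(p))):
            if pair <= ents:
                violations.append((subject, tuple(sorted(pair))))
    return violations


if __name__ == "__main__":
    by_person = load_entitlements(SAMPLE_ACCESS_EXPORT, ROLE_ENTITLEMENTS)
    for subject, pair in find_sod_violations(by_person):
        print(f"{subject}: holds both {pair[0]} and {pair[1]}")
    by_account = load_entitlements(SAMPLE_ACCESS_EXPORT, ROLE_ENTITLEMENTS, key="account")
    print("account-level view would flag only:",
          sorted({s for s, _ in find_sod_violations(by_account)}))
```

Running the sample flags carol (two conflicts through her second account) and dave; the account-level pass flags only dave, which is why the review must map every account back to a person before checking conflicts.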

Computer security

Defensive computing

Directive 95/46/EC on the protection of personal data (European Union)

Ethical hack

Information security

Penetration test

Security breach


Gallegos, Frederick; Senft, Sandra; Manson, Daniel P.; Gonzales, Carol (2004). Technology Control and Audit (2nd ed.). Auerbach Publications. ISBN 0-8493-2032-1.

Examining Data Centers

Network Auditing

The OpenXDAS project (archived 2007-09-27 at the Wayback Machine)

Information Systems Audit and Control Association (ISACA)

The Institute of Internal Auditors