that training can be frequent. Some enterprises make use of video presentations that users download from internal portals, or they enrol users in online training.
Information Security Procedures
An enterprise can use a range of security procedures to ensure that its security objectives are met. In this section, we review selected procedures to highlight the approach an IS auditor could take and the evidence that can be obtained to support the assertions made by management.
Access Controls
Whenever IS auditors audit security controls, they will come across the requirement to audit access controls. Access controls are used to ensure that only authorised users have access to IT systems, data, and information. The assessment of access controls involves reviewing the granting and revoking of user access, the allocation of user rights, the password policy, and the account policy.
The enterprise is required to have a policy on access controls at both the network and the application system level. Most enterprises apply access controls at two layers: the network operating system and the application system. Where an enterprise does not use an integrated system such as an ERP system, access controls have to be implemented separately in each application system in use. When reviewing access controls, IS auditors are therefore required to collect evidence from the network operating system and from each application system. This information can be collected from documentation prepared by the IT function or by extracting account and permission data directly from the domain controller. Access control information can also be extracted from application systems and exported to formats such as Word, PDF, or Excel for analysis; the auditor should note when and by whom such an export was produced, since an extract made by the auditee rather than the auditor is weaker evidence.
The IS auditor should also review the audit trails of application systems so that any violation of access controls can be identified and analysed. Audit logs can accumulate huge volumes of data every day, so it is recommended that audit tools (or scripted analysis) are used for such exercises in order to analyse the data effectively, efficiently, and in a timely manner.
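As an added example (not code from the original text), the following Python script performs the two reconciliations described above on constructed sample exports: it compares a domain-controller account export against an HR list of leavers to find access that was not revoked, lists members of privileged groups for comparison with the approved rights allocation, and scans application audit-log lines for violations (activity by accounts missing from the export, activity by leavers after their termination date, and bursts of failed logins above the account-policy threshold). The export formats, field names, account names, dates and policy thresholds are all assumptions made for the illustration.

```python
"""Added example, not from the original text: an IS auditor's reconciliation
of access-control evidence. The account export, HR leavers list, policy
parameters and audit-log lines below are constructed samples standing in for
the exports described in the text; their formats and field names are assumptions."""
import csv
import io
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Constructed sample: user-account export from the domain controller.
ACCOUNT_EXPORT = """\
username,enabled,last_logon,groups
jsmith,True,2024-03-02,Finance;Domain Users
mlee,True,2024-03-05,Domain Admins;Domain Users
pgarcia,False,2023-11-20,Domain Users
tnguyen,True,2024-02-28,Payroll;Domain Users
svc_backup,True,2024-03-05,Backup Operators
"""

# Constructed sample: HR list of leavers with termination dates.
HR_LEAVERS = {"pgarcia": "2023-11-15", "tnguyen": "2024-02-20"}

# Constructed sample: application audit trail, "timestamp user event outcome".
APP_AUDIT_LOG = """\
2024-03-01T08:02:11 jsmith LOGIN SUCCESS
2024-03-01T08:05:40 tnguyen LOGIN SUCCESS
2024-03-01T08:06:02 tnguyen PAYROLL_EXPORT SUCCESS
2024-03-02T22:14:09 mlee LOGIN FAILURE
2024-03-02T22:14:31 mlee LOGIN FAILURE
2024-03-02T22:15:00 mlee LOGIN FAILURE
2024-03-02T22:15:22 mlee LOGIN FAILURE
2024-03-02T22:15:45 mlee LOGIN FAILURE
2024-03-02T22:16:10 mlee LOGIN SUCCESS
2024-03-03T09:30:00 unknown_user LOGIN FAILURE
"""

# Thresholds taken from the (assumed) approved account policy.
POLICY = {"max_failed_logins": 5, "failed_login_window_minutes": 10}


def parse_accounts(export_text):
    """Parse the account export into {username: {enabled, last_logon, groups}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts[row["username"]] = {
            "enabled": row["enabled"] == "True",
            "last_logon": date.fromisoformat(row["last_logon"]),
            "groups": set(row["groups"].split(";")),
        }
    return accounts


def parse_audit_log(log_text):
    """Parse audit-trail lines into event dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "outcome": outcome})
    return events


def revocation_exceptions(accounts, leavers):
    """Leavers whose account is still enabled, or who logged on after their
    termination date: evidence that revocation was late or never done."""
    findings = []
    for user, term in leavers.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted: no exception to report
        if acct["enabled"]:
            findings.append((user, "account still enabled after termination"))
        if acct["last_logon"] > date.fromisoformat(term):
            findings.append((user, "logon after termination date"))
    return findings


def privileged_access_listing(accounts, privileged_groups):
    """Sorted (group, user) pairs for the auditor to compare with the approved list."""
    return sorted((g, u) for u, a in accounts.items()
                  for g in a["groups"] if g in privileged_groups)


def audit_log_exceptions(events, accounts, leavers, policy):
    """Violations visible in the audit trail: activity by accounts missing from
    the export, activity by leavers after termination, and failed-login bursts."""
    findings = []
    window = timedelta(minutes=policy["failed_login_window_minutes"])
    recent_failures = defaultdict(deque)  # per-user sliding window of failures
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if user not in accounts:
            findings.append((user, f"activity by account not in export at {ts}"))
        if user in leavers and ts.date() > date.fromisoformat(leavers[user]):
            findings.append((user, f"{ev['event']} after termination at {ts}"))
        if ev["event"] == "LOGIN" and ev["outcome"] == "FAILURE":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures older than the policy window
            if len(q) >= policy["max_failed_logins"]:
                findings.append((user, f"{len(q)} failed logins within "
                                       f"{policy['failed_login_window_minutes']} min ending {ts}"))
                q.clear()  # report each burst once
    return findings


if __name__ == "__main__":
    accts = parse_accounts(ACCOUNT_EXPORT)
    for f in revocation_exceptions(accts, HR_LEAVERS):
        print("REVOCATION:", *f)
    for f in privileged_access_listing(accts, {"Domain Admins", "Backup Operators"}):
        print("PRIVILEGED:", *f)
    for f in audit_log_exceptions(parse_audit_log(APP_AUDIT_LOG), accts, HR_LEAVERS, POLICY):
        print("AUDIT TRAIL:", *f)
```

Each finding is a candidate exception for the working papers, not a conclusion: the auditor still has to confirm with the IT function when the account was actually disabled and whether a documented exception (for instance a leaver retained as a contractor) explains it.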
Backups
In order to ensure that enterprise data and information are protected, the IT function is required to perform backups according to the backup policy. In highly automated enterprises, and wherever only a very short window of data loss is tolerable, backups are taken frequently, down to every few seconds, by using snapshots from which incremental or differential backups are made.
It is recommended that the IS auditor begins the audit of backups by reviewing the backup policy and assessing whether it is being implemented according to the expectations of