It is recommended that the IS auditor inspect the various security tools which have
been implemented and assess their effectiveness. In addition to the firewall, the enterprise
might implement security tools such as intrusion detection systems, CCTV, antivirus
systems, website security systems, and antimalware scanners. It might be necessary to
review the configuration of these systems to assess their effectiveness.
l) What tools has the enterprise implemented for monitoring the security of its IT
infrastructure?
Security systems do not provide absolute security on their own. In order to support these
systems, monitoring systems need to be installed. Usually these are automated systems
which collect data from security devices such as firewalls and produce reports for analysis.
Reports can show if certain malware or hackers are trying to access the network. Rogue
network devices can also be used to access networks.
If an enterprise does not have monitoring systems in place, it is possible that it will not
be alerted to unauthorised activities on its network. It is recommended that enterprises
implement security monitoring tools.
The enterprise would provide the IS auditor with a list of the security monitoring tools
which it has implemented. If further evidence is required, the IS auditor can conduct a
physical inspection to ascertain the installation of these systems. The IS auditor may also
collect data generated by these security monitoring tools to ascertain their effectiveness.
The IS auditor should also review monitoring reports to verify that IT management
regularly uses these tools.
Information Systems Management
Effective management of information systems is an important requirement if the
enterprise is to achieve its objectives of being competitive and having an efficient
service-delivery system. Information systems in this context refer to systems which are
used in the enterprise to capture, process, and communicate information via various types
of reports. There are various types of application systems which are used in the enterprise,
ranging from simple single-module systems to complex multi-modular systems, such as
enterprise resource planning (ERP) systems.
a) Does the enterprise have a policy and supporting procedures for managing
information systems?
 