Information security involves securing the enterprise's IT infrastructure and protecting its data and information. Considerable resources are usually expended on providing the necessary security in an enterprise, ranging from network security systems and security servers to employee security awareness training. Enterprises with a keen interest in securing their systems implement information security policies, standards, and procedures. In large enterprises, you will find a formal information security organisation with a number of employees specifically charged with the responsibility of implementing, monitoring, and reporting on information security to management.
Information security not only provides protection to data and information but is also an enabler of business. Where information security is properly implemented, the enterprise is able to provide services in a secure manner which protects not only its business activities but also its customers and employees. An enterprise stands to benefit from return business opportunities if customers feel protected and can conduct transactions in a secure environment. Of particular importance nowadays is the issue of privacy. Customers take privacy very seriously and will always want assurances on what the enterprise is doing to protect their personal data.
Audit objectives describe what the client wants the IS auditor to perform when carrying out an IS audit. Often during information security audits, the client might want the IS auditor to test system security in the enterprise or to test the performance of the security infrastructure. Audit objectives might also be highly technical and require an IS auditor to test the design of the security architecture in an enterprise, for example, reviewing how security is managed on a stock exchange that operates in real time and is connected to other stock exchange systems around the world.
Sometimes audit objectives may be general or only require the IS auditor to perform compliance tests against information security policies and procedures. Such audits are fairly standard and may not require specialised skills; this audit work can easily be handled by a general IS auditor on the team.
There are many security standards which can be used to perform information security audits or to guide the development of information security audit programs. Common security standards include ISO 27001, ISO 17799, and BS 7799. ISACA has also published COBIT 5 for Information Security, which addresses a number of security areas. The IS auditor will also come across many other proprietary security standards or frameworks published by vendors which are specific to particular operating systems and application systems.
In a specialised audit, the IS audit team will not only use audit checklists and questionnaires but will also use specialised security audit software when performing the audit, such as penetration testing software, data flow testing software, antivirus and antimalware software, security monitoring tools, intrusion detection software, and many other such tools.