Chapter 7
Auditing Information Security Management
Overview
Implementation of information security enables the securing of IT assets and the protection of data and information in the enterprise. In today's interconnected business environment, information is vital to the operation of enterprises; it is the oil which lubricates them. IT governance enables effective use of IT in an enterprise, and information security is a component of IT governance. For an enterprise to implement information security effectively, it should be part of IT governance, and the board and senior management should have a good understanding of how information security contributes to the success of the enterprise.
Information security risks are on the increase, and more enterprises are being hacked, including government bodies and major enterprises in countries such as the USA and European countries. Frequently attacked systems are financial systems, such as online payment systems, credit card systems, and bank account records. Security risks are not only external to an enterprise; internal risks also exist. An enterprise needs a security policy which addresses both sources of threats.
Enterprises cannot operate effectively without securing their own resources and those of their customers. It is widely accepted by security professionals that security is an enabler of business and should be used as such. Security does not operate in a vacuum; it also involves the employees and the various supporting systems which make the enterprise work.
An IS auditor plays an important role by ensuring that information security is properly implemented in the enterprise and that it does provide security to business operations and protection of data and information. Enterprises use IS auditors to audit information security at planned intervals and whenever such an audit is required. Enterprises use various security procedures to implement security, and IS auditors are required to audit these procedures to determine the effectiveness of security in the enterprise. We will assess these security procedures and highlight what type of evidence needs to be collected to support the IS auditor's findings, conclusions, and recommendations.
The IS auditor would normally start the audit by focusing on security risks in the enterprise and should have a good appreciation of those risks. The IS auditor would do this by reviewing documentation on security risks and interviewing information security management or other members of senior management. An important document which the IS