auditor should read is a recent IT risk assessment report. Such a report gives an indication of the enterprise's current risk position and also links the assessment to an existing risk profile. The recent risk assessment can be used to update the existing risk profile.
In this chapter, we will look at the areas the IS auditor is required to review in order to conduct an effective information security audit. The objectives of auditing information security are many, and we will refer to them throughout the chapter so that you can appreciate the importance of implementing security in the enterprise.
Information Security Policy
The first action an IS auditor would take is to review the information security strategy the enterprise has in place. This information can be found in the IT strategy document or by discussing it with senior management. It would also be ideal for the IS auditor to review other documentation, such as board and management minutes, which might shed some light on how information security strategies have been dealt with over previous periods at board and senior-management level.
The board and senior management would generally give a good indication of how they are approaching security in the enterprise and of their commitment to securing enterprise resources.
To support the enterprise information security strategy, senior management would put in place an information security policy. The policy is used to guide and implement information security in the enterprise; it is a guide for all functions and users to ensure that security is effectively implemented.
The information security strategy and the policy should show a clear link between them, and there should be no conflict between the two documents. The policy should reflect the spirit of the strategy; one could say that the strategy is the guide for developing the policy. The IS auditor should review the two documents and ensure that their objectives are not in conflict. If the two documents are in conflict, the IS auditor should raise the issue with management.
The second important review the IS auditor would undertake before performing any further detailed security audit is to confirm the existence and implementation of the policy. Senior management would provide this confirmation through signed documents or minutes of board or management meetings. It is recommended that the IS auditor hold discussions with board members or senior management so that they can provide insight into the development and implementation of the security policy. Reading a policy document alone might not provide the background information the IS auditor would gain by interviewing the key people involved in implementing security in the enterprise.