Defining IT Security Audit

IT Security Audits are performed to assess the confidentiality, integrity and availability (CIA) of an organization's information assets. The objective is to proactively establish controls that identify risks, provide recommendations, advise on mitigation strategies and ultimately strengthen the organization's security posture.

The intention of this write-up is to define what may fall within the scope of an IT Security Audit. An IT Security Audit covers a broader range of assessments than a penetration test. For example, when penetration testing a web server you are looking for vulnerabilities in the service and/or the underlying system. In an IT Security Audit you also want to know who has access to the designated machine, who is allowed to make changes, whether change logs are being kept, how accurate those logs are, and so on.

Below are high-level pointers that would be covered as part of an IT Security Audit, in addition to Vulnerability Assessment and Penetration Testing, which is presumed to be part of an IT and Infrastructure Audit:

  1. Evaluate the information security strategy, policies, standards, procedures and related practices for the management, planning and organization of Information Security.
  2. Review the policies governing Information Security compared to best practices and industry standards.
  3. Evaluate the effectiveness and efficiency of the organization’s implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization’s business objectives.
  4. Evaluate the logical, environmental, and IT infrastructure security to ensure that it satisfies the organization’s business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage, or loss.
  5. Evaluate the process for developing and maintaining documented, communicated, and tested plans for continuity of business operations and Information Security processing in the event of a disruption.
  6. Evaluate the methodology and processes by which the business application system development, acquisition, implementation, and maintenance are undertaken to ensure that they meet the organization’s business objectives.
  7. Evaluate business systems and processes to ensure that risks are managed in accordance with the organization’s business objectives.
  8. Perform the assessment in accordance with generally accepted Information Security audit standards and guidelines to ensure that the organization’s information technology and business systems are adequately controlled, monitored, and assessed.

All of the above would help the organization to:

  1. Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
  2. Identify and manage information security risks to achieve business objectives.
  3. Design, develop and manage an information security program to implement the information security governance; oversee and direct information security activities to execute the information security program.
  4. Develop and manage a capability to respond to and recover from disruptive and destructive information security events.

About the Author:
Subbin Varghese works as a Cyber Security Practice Consultant and has more than 14 years of experience reviewing and auditing information systems and technology. He has worked on a variety of assurance and advisory projects covering IT security, regulatory compliance and risk management, and has been primarily involved in analyzing the risks to businesses arising from technology failures and developing strategies for securing infrastructure.