An information security audit is a systematic process of obtaining an objective qualitative and/or quantitative evaluation of the current state of a company’s information security against specific criteria and security indicators.
An audit makes it possible to evaluate the current security state of information system (IS) operation, to assess and predict risks, to manage their impact on the company’s business processes, and to take an appropriate, well-founded approach to securing its information assets: strategic development plans, marketing programs, content and corporate databases.
Types and purposes of audit
There are two kinds of audit: external and internal.
An external audit is usually a one-time event held on the initiative of the company or its shareholders. It is recommended (and, for a number of financial institutions and joint-stock companies, required) that an external audit be carried out on a regular basis.
An internal audit is a continuous activity carried out according to a plan that is prepared by the internal audit department and approved by the company’s management. A security audit of information systems is one component of an IT audit.
The objectives of an information security audit are:
- analysis of the risks associated with the realization of security threats against IS resources;
- assessment of the current level of IS protection;
- localization of bottlenecks in the IS security system;
- assessment of the IS’s conformity to existing standards in the field of information security;
- recommendations on introducing new IS security mechanisms and on making existing ones more effective.
Main stages of security audit
IS security audit work consists of a number of consecutive stages, which generally correspond to the stages of an integrated IT audit of the IS:
- initiation of audit procedure;
- collecting audit information;
- audit data analysis;
- making recommendations;
- preparation of the audit report.
At the audit initiation stage, the following organizational issues must be settled:
- the rights and responsibilities of the auditor should be clearly defined and documented in the auditor’s job description, as well as in the regulation on internal (external) audit;
- the auditor should prepare an audit plan and agree it with management;
- the regulation on internal audit should establish, in particular, that the company’s employees are required to assist the auditor and to provide all information necessary to carry out the audit.
The boundaries of the survey should also be defined at the audit initiation stage. The plan and boundaries of the audit are discussed at a working meeting that involves the auditors, the company’s management and the heads of departments.
The audit information collection stage is the most difficult and time-consuming. This is due mainly to the lack of necessary documentation on the IS and the need for close cooperation between the auditor and many of the company’s officials.
The auditor can draw competent conclusions about the state of the company’s information security only on condition that all the input data necessary for the analysis has been obtained.
The recommendations issued by the auditor on the basis of the analysis of the IS status are determined by the approach used, by the particular surveyed IS and its information security status, and by the level of detail used in the audit. In any case, the auditor’s recommendations should be specific and applicable to this IS, economically justified, reasoned (backed up by the results of the analysis) and sorted in order of importance. At the same time, organizational-level protection measures almost always take precedence over specific software and hardware protection methods.
The audit report is the main result of the audit; its quality reflects the quality of the auditor’s work. It must contain a description of the audit objectives, the characteristics of the surveyed IS, an indication of the audit limits and the methods used, the results of the audit data analysis, conclusions summarizing these results together with an assessment of the level of IS protection and its compliance with the requirements of the standards, and, of course, the auditor’s recommendations for addressing existing shortcomings and improving the protection system.