“Uncontrolled access to data, with no trail of activity and no oversight would be going too far. This applies to both commercial and government use of data about people.”
An Information Security audit is a comprehensive assessment carried out to establish the current state of Information Security in the business and to plan timely actions that raise the level of security.
The audit is conducted whenever there is a current need for an independent assessment of the state of Information Security, for example:
- If there is a change in the strategy of the company
- In case of mergers or acquisitions
- When there are significant changes in the organizational structure of the company or change of leadership
- When there are new internal or external requirements for Information Security
- In the event of significant changes in the business processes and IT infrastructure
The audit can cover the company as a whole or individual critical areas, business processes and information systems. It should be carried out by experts who are qualified and internationally certified to conduct audits and who have extensive experience auditing across a range of industries.
Flexibility and an individual approach allow the auditing body to take into account the specific requirements and characteristics of each business organization.
THE RULES OF AUDIT
- Analysis of the organizational and administrative documents of the company
- Interviews with employees of the organization: representatives from the business units, the administrators and developers of information systems, professionals in Information Security
- Inspection of office premises with respect to the physical security of the IT infrastructure
- Analysis of the configuration settings of hardware and software
- Audit using specialized hardware and tools (scanners, security analysis, control of information leakage, etc.)
- Penetration testing
- Assessment of employees' knowledge in the field of Information Security
REMEMBER: An additional, specially tailored examination can be carried out that takes into account the particular characteristics of the audited company. If necessary, additional information needed for the implementation of other projects may be collected during the study phase; this later saves the organization resources and helps with the allocation of its budget.
INDEPENDENT vs. INTERNAL IT AUDIT
OBJECTIVE - An independent audit is usually performed either because of regulatory requirements or at the request of third parties wishing to enter into collaborative or supplier relations (an outsourcing partner, for example). Internal audits are usually mandated by management and are more focused on business operations and their continuity.
AUDITORS - An independent audit is carried out by an external team, while internal audits are performed by members of staff. While the independent auditor may provide a more "fair view" of the current state, the internal audit may reflect the business's proprietary technological and organizational characteristics more closely, with more in-depth findings.
REPORTING - Usually, the independent IT audit results in a main report in the format required by auditing standards, focused on whether the company's Information Security claims give a true and fair view and comply with requirements. These reports, whether formal or not, are designed to provide a status snapshot rather than detailed recommendations on how to make things better.
An internal audit should produce a tailored report on how risks and objectives are being managed, with a focus on helping the business move forward. As such, internal audit reports are expected to contain recommendations for improving the organization's Information Security.