Information security audit


An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes.
Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.
When centered on the Information technology aspects of information security, it can be seen as a part of an information technology audit. It is often then referred to as an information technology security audit or a computer security audit. However, information security encompasses much more than IT.

The audit process

Step 1: Preliminary audit assessment

The auditor is responsible for assessing the current technological maturity level of a company during the first stage of the audit. This stage is used to assess the current status of the company and helps identify the required time, cost and scope of the audit. First, the minimum security requirements must be identified:
The auditor should plan the company's audit based on the information found in the previous step. Planning an audit helps the auditor obtain sufficient and appropriate evidence for the company's specific circumstances. It helps keep predicted audit costs at a reasonable level, assign the proper manpower and timeline, and avoid misunderstandings with clients.
An auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether the client's goal is being achieved, the auditor should perform the following before conducting the review:
In the next step, the auditor outlines the objectives of the audit; after that, the review of the corporate data center takes place. Auditors consider multiple factors that relate to data center procedures and activities, identify potential audit risks in the operating environment, and assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor is able to adequately determine whether the data center maintains proper controls and is operating efficiently and effectively.
Following is a list of objectives the auditor should review:
  • Personnel procedures and responsibilities, including systems and cross-functional training
  • Change management processes are in place and followed by IT and management personnel
  • Appropriate backup procedures are in place to minimize downtime and prevent the loss of important data
  • The data center has adequate physical security controls to prevent unauthorized access to the data center
  • Adequate environmental controls are in place to ensure equipment is protected from fire and flooding

Step 4: Performing the review

The next step is to collect evidence to satisfy data center audit objectives. This involves traveling to the data center location and observing processes within the data center. The following review procedures should be conducted to satisfy the pre-determined audit objectives:
  • Data center personnel – All data center personnel should be authorized to access the data center. Data center employees should be adequately educated about data center equipment and properly perform their jobs. Vendor service personnel should be supervised when doing work on data center equipment. The auditor should observe and interview data center employees to satisfy these objectives.
  • Equipment – The auditor should verify that all data center equipment is working properly and effectively. Equipment utilization reports, equipment inspection for damage and functionality, system downtime records and equipment performance measurements all help the auditor determine the state of data center equipment. Additionally, the auditor should interview employees to determine whether preventive maintenance policies are in place and performed.
  • Policies and procedures – All data center policies and procedures should be documented and located at the data center. Important documented procedures include data center personnel job responsibilities, backup policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.
  • Physical security / environmental controls – The auditor should assess the security of the client's data center. Physical security includes security guards, locked cages, man traps, single entrances, bolted-down equipment, and computer monitoring systems. Additionally, environmental controls should be in place to ensure the security of data center equipment. These include air conditioning units, raised floors, humidifiers and an uninterruptible power supply.
  • Backup procedures – The auditor should verify that the client has backup procedures in place in the case of system failure. Clients may maintain a backup data center at a separate location that allows them to continue operations immediately in the event of system failure.

Step 5: Preparing the audit report

After the audit examination is completed, the audit findings and suggestions for corrective actions can be communicated to responsible stakeholders in a formal meeting. This ensures better understanding and support of the audit recommendations. It also gives the audited organization an opportunity to express its views on the issues raised.
Writing a report after such a meeting and describing where agreements have been reached on all audit issues can greatly enhance audit effectiveness. Exit conferences also help finalize recommendations that are practical and feasible.

Step 6: Issuing the review report

The data center review report should summarize the auditor's findings and be similar in format to a standard review report. The review report should be dated as of the completion of the auditor's inquiry and procedures. It should state what the review entailed and explain that a review provides only "limited assurance" to third parties.
Typically, a data center review report consolidates the entirety of the audit. It also offers recommendations surrounding proper implementation of physical safeguards and advises the client on appropriate roles and responsibilities of its personnel. Its contents may include:
  • The auditors' procedures and findings
  • The auditors' recommendations
  • Objective, scope, and methodologies
  • Overview/conclusions
The report may optionally include rankings of the security vulnerabilities identified throughout the performance of the audit and the urgency of the tasks necessary to address them. Rankings such as "high", "medium" and "low" can be used to describe the urgency of those tasks.

Who performs audits

Generally, computer security audits are performed by:
  1. Federal or state regulators
     • Information security audits would primarily be prepared by the partners of these regulators.
     • Examples include: Certified accountants, Cybersecurity and Infrastructure Security Agency, Federal Office of Thrift Supervision, Office of the Comptroller of the Currency, U.S. Department of Justice, etc.
  2. Corporate internal auditors
     • If the information security audit is an internal audit, it may be performed by internal auditors employed by the organization.
     • Examples include: Certified accountants, Cybersecurity and Infrastructure Security Agency, and Certified Internet Audit Professional
  3. External auditors
     • Typically, third-party experts employed by an independent organization and specializing in the field of data security are hired when state or federal auditors are not available.
  4. Consultants
     • The organization outsources the technology auditing where it lacks the specialized skill set.

Jobs and certifications in information security

Information Security Officer (ISO)

Information Security Officer is a relatively new position, which has emerged in organizations to deal with the aftermath of chaotic growth in information technology and network communication. The role of the ISO has been very nebulous, since the problem it was created to address was not defined clearly. The role of an ISO has become one of following the dynamics of the security environment and keeping the organization's risk posture balanced.

Certifications

Information systems audits combine the efforts and skill sets of the accounting and technology fields. Professionals from both fields rely on one another to ensure the security of the information and data. With this collaboration, the security of the information system has proven to increase over time. In relation to the information systems audit, the role of the auditor is to examine the company's controls over the security program. Furthermore, the auditor discloses the operating effectiveness of these controls in an audit report. The Information Systems Audit and Control Association, an information technology professional organization, promotes gaining expertise through various certifications. The benefits of these certifications apply to both external and internal personnel of the system. Examples of certifications that are relevant to information security audits include: