This stage is used to assess the current status of the company and helps identify the required time, cost and scope of an audit.
First, you need to identify the minimum security requirements.[2] The auditor should plan the company's audit based on the information found in the previous step.
Planning an audit helps the auditor obtain sufficient and appropriate evidence for each company's specific circumstances.
It helps keep predicted audit costs at a reasonable level, assign the proper manpower and timeline, and avoid misunderstandings with clients.[3]
An auditor should be adequately educated about the company and its critical business activities before conducting a data center review.
After thorough testing and analysis, the auditor is able to adequately determine if the data center maintains proper controls and is operating efficiently and effectively.
The audit also offers recommendations surrounding proper implementation of physical safeguards and advises the client on the appropriate roles and responsibilities of its personnel.
The role of an information security officer (ISO) has become one of following the dynamics of the security environment and keeping the organization's risk posture balanced.
In relation to the information systems audit, the role of the auditor is to examine the company’s controls of the security program.
Examples of certifications that are relevant to information security audits include:
The auditor should ask certain questions to better understand the network and its vulnerabilities.
When a function deals with money, either incoming or outgoing, it is very important to ensure that duties are segregated in order to minimize, and ideally prevent, fraud.
One of the key ways to ensure proper segregation of duties (SoD) from a systems perspective is to review individuals’ access authorizations.
Certain systems, such as SAP, claim to provide the capability to perform SoD tests, but the functionality offered is elementary: it requires very time-consuming queries to be built, and it is limited to the transaction level, making little or no use of the object or field values assigned to the user through the transaction, which often produces misleading results.
Developing a matrix of all functions that highlights the points where proper segregation of duties has been breached, and cross-checking it against each employee's available accesses, will also help identify potential material weaknesses.
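As an added illustration of the matrix cross-check described above (this is example code written for this page, not a tool from the original article or from any vendor), the script below holds a small conflict matrix of function pairs that one person must never hold together, flattens each employee's roles into the functions they can actually execute, and reports every conflicting pair. All function names, role names and users are constructed sample data.

```python
# Added example (not from the original article): a segregation-of-duties (SoD)
# conflict matrix cross-checked against each employee's effective accesses.
# All names and sample data below are constructed for illustration.

# Constructed conflict matrix: pairs of business functions that a single
# person must never hold together (e.g. creating a vendor and paying it).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"create_user", "assign_role"}),
}

# Constructed role definitions: which functions each role grants.
ROLE_FUNCTIONS = {
    "ap_clerk": {"enter_invoice"},
    "ap_manager": {"approve_payment"},
    "vendor_master": {"create_vendor"},
    "it_admin": {"create_user", "assign_role"},
}

def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Flatten a user's roles into the set of functions they can execute."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs

def find_sod_violations(user_roles, conflicts=SOD_CONFLICTS, role_functions=ROLE_FUNCTIONS):
    """Return {user: [(f1, f2), ...]} for every conflicting pair a user holds.
    Checking the union across all of a user's roles matters: each role alone
    may look clean while the combination is toxic (bob and carol below)."""
    violations = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= funcs)
        if hits:
            violations[user] = hits
    return violations

# Constructed access listing, as an auditor might extract it from the system.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],          # can enter and approve invoices
    "carol": ["vendor_master", "ap_manager"],   # can create a vendor and pay it
    "dave": ["it_admin"],                       # a single role can also conflict
}

if __name__ == "__main__":
    for user, pairs in find_sod_violations(USER_ROLES).items():
        print(f"{user}: {pairs}")
```

In a real review the matrix would be extended with the object- or field-level restrictions (company code, cost center) the page notes that transaction-level checks ignore, so that a pair counts as a conflict only when both functions apply to the same scope.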
Companies that are heavily reliant on e-commerce systems and wireless networks are extremely vulnerable to theft and loss of critical information in transmission.
Finally, the auditor should obtain verification from management that the encryption system is strong, resistant to attack, and compliant with all local and international laws and regulations.
The process of encryption involves converting plaintext into a series of unreadable characters known as the ciphertext.
Once the encrypted information arrives at its intended recipient, the decryption process is applied to restore the ciphertext to plaintext.
As a result, a thorough InfoSec audit will frequently include a penetration test in which auditors attempt to gain access to as much of the system as possible, from the perspective of both a typical employee and an outsider.[14]
Application security centers on three main functions:
When it comes to programming, it is important to ensure that proper physical and password protection exists around the servers and mainframes used for the development and update of key systems.
It is important to be able to identify incomplete processing and to ensure that proper procedures are in place for either completing it or deleting it from the system if it was entered in error.
External and internal professionals within an institution have the responsibility of maintaining and inspecting the adequacy and effectiveness of information security.
By and large, the two concepts of application security and segregation of duties are closely connected and share the same goal: to protect the integrity of the company's data and to prevent fraud.
Segregation of duties is primarily a physical review of individuals' access to systems and processing, ensuring that there are no overlaps that could lead to fraud.