An information security audit is an audit of the level of information security in an organization. Within the broad scope of information security auditing there are multiple types of audits with different objectives. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.
The audit process
Audit planning & preparation
The auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether or not the client's goal is being achieved, the auditor should perform the following before conducting the review:
* Meet with IT management to determine possible areas of concern
* Review the current IT organization chart
* Review job descriptions of data center employees
* Research all operating systems, software applications and data center equipment operating within the data center
* Review the company's IT policies and procedures
* Evaluate the company's IT budget and systems planning documentation
* Review the data center's disaster recovery plan
Establishing audit objectives
The next step in conducting a review of a corporate data center takes place when the auditor outlines the data center audit objectives. Auditors consider multiple factors relating to data center procedures and activities, identify the audit risks these pose in the operating environment, and assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor is able to adequately determine whether the data center maintains proper controls and is operating efficiently and effectively.
Following is a list of objectives the auditor should review:
* Personnel procedures and responsibilities including systems and cross-functional training
* Change management processes are in place and followed by IT and management personnel
* Appropriate backup procedures are in place to minimize downtime and prevent loss of important data
* The data center has adequate physical security controls to prevent unauthorized access to the data center
* Adequate environmental controls are in place to ensure equipment is protected from fire and flooding
Performing the review
The next step is collecting evidence to satisfy data center audit objectives. This involves traveling to the data center location and observing processes and procedures performed within the data center. The following review procedures should be conducted to satisfy the pre-determined audit objectives:
Data center personnel - All data center personnel should be authorized to access the data center (key cards, login IDs, secure passwords, etc.). Data center employees should be adequately educated about data center equipment and properly perform their jobs. Vendor service personnel should be supervised when doing work on data center equipment. The auditor should observe and interview data center employees to satisfy these objectives.
Policies and Procedures - All data center policies and procedures should be documented and located at the data center. Important documented procedures include: data center personnel job responsibilities, backup policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.
Interception controls: Interception can be partially deterred by physical access controls at data centers and offices, including where communication links terminate and where the network wiring and distributions are located. Encryption also helps to secure wireless networks.
Logical security audit
The first step in an audit of any system is to seek to understand its components and its structure. When auditing logical security the auditor should investigate what security controls are in place, and how they work. In particular, the following areas are key points in auditing logical security:
Passwords: Every company should have written policies regarding passwords and employees' use of them. Passwords should not be shared, and employees should have mandatory scheduled changes. Employees should have user rights that are in line with their job functions. They should also be aware of proper log-on/log-off procedures. Also helpful are security tokens, small devices that authorized users of computer programs or networks carry to assist in identity confirmation. They can also store cryptographic keys and biometric data. The most popular type of security token (RSA's SecurID) displays a number that changes every minute. Users are authenticated by entering a personal identification number and the number currently shown on the token.
By and large, the two concepts of application security and segregation of duties are closely connected and share the same goal: to protect the integrity of the company's data and to prevent fraud. Application security is concerned with preventing unauthorized access to hardware and software by having proper security measures, both physical and electronic, in place. Segregation of duties is primarily a review of individuals' access to systems and processing, ensuring that no one person holds overlapping rights that could enable fraud.
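The two logical-security checks above (user rights aligned with job function, and no one person holding a segregation-of-duties overlap) can be tested mechanically against an access-review export. The following is an added illustration, not code from the original article; the job profiles, entitlement names, conflict pairs and user list are all constructed sample data.

```python
"""Audit helper: flag users whose entitlements exceed their job function,
and users who hold a segregation-of-duties (SoD) conflict.
Illustrative example; all names below are constructed, not real data."""

# Constructed: the entitlements each job function legitimately needs.
JOB_PROFILES = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "dba":        {"db.admin", "backup.restore"},
}

# Constructed: pairs of entitlements that, held by one person, would let
# that person complete a fraudulent transaction end to end.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
}

# Constructed user list in the shape an auditor might export from an
# access review: who they are, what their job is, what rights they hold.
USERS = [
    {"user": "alice", "job": "ap_clerk",
     "rights": {"vendor.create", "invoice.enter"}},
    {"user": "bob", "job": "ap_manager",
     "rights": {"invoice.approve", "payment.release", "vendor.create"}},
    {"user": "carol", "job": "dba",
     "rights": {"db.admin", "backup.restore", "invoice.enter"}},
]

def excess_rights(user):
    """Entitlements the user holds beyond what their job function needs."""
    return user["rights"] - JOB_PROFILES.get(user["job"], set())

def sod_violations(user):
    """Conflict pairs that are fully contained in the user's entitlements."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS
                  if pair <= user["rights"])

def review_access(users):
    """Return {username: findings} for every user with at least one finding."""
    findings = {}
    for u in users:
        excess, conflicts = excess_rights(u), sod_violations(u)
        if excess or conflicts:
            findings[u["user"]] = {"excess": sorted(excess), "sod": conflicts}
    return findings

if __name__ == "__main__":
    for name, finding in review_access(USERS).items():
        print(name, finding)
```

Here bob is flagged both for an entitlement outside his job profile and for a conflict pair, while carol's extra right is an alignment finding only; an unknown job title yields an empty profile, so every right that user holds is reported as excess.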