1.3 Introduction to Security Audit: Servers and Storage devices, Infrastructure and
Networks, Communication Routes:
1.3.1 Information Systems Audit versus Information Security Audit:
Information System Audit and Information Security Audit are two such tools that are used to ensure safety
and integrity of information and sensitive data. People are often confused by the difference between these two tools
and feel they are same. But there are differences that will be highlighted in this article.
“Information systems audit is a large, broad term that encompasses demarcation of responsibilities,
server and equipment management, problem and incident management, network division, safety, security and
privacy assurance etc. On the other hand, as the name implies, information security audit has a one-point agenda
and that is security of data and information when it is in the process of storage and transmission.”
Here data must not be confused with only electronic data as print data is equally important and its security
is covered in this audit. Both audits have many overlapping areas which is what confuses many people. However,
from a physical point of view, information system audit is related to the core, whereas information security audit is
related to the outer circles. Here core can be taken as system, servers, storage and even printouts and pen drives,
whereas outer circles mean network, firewalls, internet etc. If one were to look from a logical point of view, it would
emerge that while information systems audit deals with operations, and infrastructure whereas information security
audit deals with data on the whole.
Note: Do prepare a table of differences between both of them as an assignment
• Information systems audit is a broader term that includes information security audit
• System audit includes operations, network segmentation, server and device management etc., whereas security
audit focuses on security of data and information.
What is an Information Security Audit?
A security audit is a systematic evaluation of the security of a company’s information system by measuring how
well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system’s
physical configuration and environment, software, information handling processes, and user practices. Security
audits are often used to determine regulatory compliance, in the wake of legislation that specifies how organizations
must deal with information.
Some of the purpose of audits is listed below:
a) Build awareness of current practices and risks
b) Reducing risk, by evaluating, planning and supplementing security efforts
c) Strengthening controls including both automated and human
d) Compliance with customer and regulatory requirements and expectations
e) Building awareness and interaction between technology and business teams
f) Improving overall IT governance in the organization
An information security audit is an audit on the level of information security in an organization. Within the broad
scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc.
Most commonly the controls being audited can be categorized to technical, physical and administrative.
According to Ira Winkler, president of the Internet Security Advisors Group, there are three main types of security
Security Audits measure an information system’s performance against a list of criteria.
A vulnerability assessment, on the other hand, involves a comprehensive study of an entire information system,
seeking potential security weaknesses.
Penetration testing is a covert operation, in which a security expert tries a number of attacks to ascertain whether
or not a system could withstand the same types of attacks from a malicious hacker. In penetration testing, the
feigned (insincere/manmade) attack can include anything a real attacker might try, such as social engineering. Each
of the approaches has inherent strengths, and using two or more of them in conjunction may be the most effective
approach of all.