Introduction to Security Audit: Servers and Storage devices, Infrastructure and Networks, Communication Routes:
1.3.1 Information Systems Audit versus Information Security Audit: Information systems audit and information security audit are two tools used to ensure the safety and integrity of information and sensitive data. People often confuse the two and assume they are the same, but there are differences, which this section highlights. “Information systems audit is a large, broad term that encompasses demarcation of responsibilities, server and equipment management, problem and incident management, network division, safety, security and privacy assurance etc. On the other hand, as the name implies, information security audit has a one-point agenda and that is security of data and information when it is in the process of storage and transmission.” Here data must not be taken to mean electronic data only; printed data is equally important and its security is covered by this audit. The two audits overlap in many areas, which is what confuses many people. From a physical point of view, information systems audit relates to the core, whereas information security audit relates to the outer circles. Here the core can be taken as the systems, servers, storage and even printouts and pen drives, whereas the outer circles mean the network, firewalls, the internet and so on. From a logical point of view, information systems audit deals with operations and infrastructure, whereas information security audit deals with data as a whole.
Note: Do prepare a table of differences between both of them as an assignment.
In brief:
• Information systems audit is a broader term that includes information security audit
• System audit includes operations, network segmentation, server and device management etc., whereas security audit focuses on security of data and information.
What is an Information Security Audit? A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system’s physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the wake of legislation that specifies how organizations must deal with information.
Some of the purposes of audits are listed below:
a) Building awareness of current practices and risks
b) Reducing risk by evaluating, planning and supplementing security efforts
c) Strengthening controls, both automated and human
d) Complying with customer and regulatory requirements and expectations
e) Building awareness and interaction between technology and business teams
f) Improving overall IT governance in the organization
An information security audit is an audit of the level of information security in an organization.
Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative.
According to Ira Winkler, president of the Internet Security Advisors Group, there are three main types of security diagnostics, namely:
Security audits measure an information system’s performance against a list of criteria. A vulnerability assessment, on the other hand, involves a comprehensive study of an entire information system, seeking potential security weaknesses. Penetration testing is a covert operation in which a security expert tries a number of attacks to ascertain whether or not a system could withstand the same types of attacks from a malicious hacker. In penetration testing, the simulated attack can include anything a real attacker might try, such as social engineering. Each approach has inherent strengths, and using two or more of them in conjunction may be the most effective approach of all.
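The defining feature of a security audit, as opposed to a vulnerability assessment or a penetration test, is that it measures a system against a fixed list of criteria. The script below is an added example, not part of the original text: it audits a constructed OpenSSH server configuration (sshd_config) against a small constructed hardening checklist and reports a pass/fail finding per criterion. It assumes the audited file uses no Match blocks, and the defaults it applies for absent keywords are assumptions about OpenSSH behaviour that an auditor would verify against the target version. One detail worth noticing: sshd uses the first value it reads for a keyword, so the later duplicate PermitRootLogin line in the sample has no effect, and an audit that only looked at the last occurrence would wrongly pass the check.

```python
"""Criteria-based configuration audit of an OpenSSH sshd_config.

Added example, not from the original text. The sample config, the criteria
list and the assumed defaults are all constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample sshd_config. The second PermitRootLogin line is
# deliberately present: sshd keeps the FIRST value of a keyword, so the
# effective setting here is "yes", not "no".
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, not a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
# later duplicate of an already-set keyword; ignored by sshd
PermitRootLogin no
ClientAliveInterval 300
"""

# Values assumed when a keyword is absent. These are the example's own
# assumptions about modern OpenSSH defaults; verify for the audited version.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "permitemptypasswords": "no",
}


@dataclass(frozen=True)
class Criterion:
    keyword: str          # sshd_config keyword, matched case-insensitively
    accepted: tuple       # values that satisfy the criterion
    rationale: str


# Constructed checklist, of the kind a hardening standard would supply.
CRITERIA = [
    Criterion("PermitRootLogin", ("no",), "direct root login removes accountability"),
    Criterion("PasswordAuthentication", ("no",), "key-only auth resists password guessing"),
    Criterion("X11Forwarding", ("no",), "unneeded feature, reduces attack surface"),
    Criterion("MaxAuthTries", ("1", "2", "3", "4"), "limits guesses per connection"),
    Criterion("PermitEmptyPasswords", ("no",), "empty passwords must never be accepted"),
]


def parse_sshd_config(text):
    """Return {keyword_lower: value} with the FIRST occurrence of each keyword,
    mirroring sshd's first-value-wins rule. Lines whose first non-blank
    character is '#' are comments; 'Keyword value' and 'Keyword=value' are
    both accepted. Parsing stops at a Match block (assumed absent here),
    because directives under Match apply conditionally."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)   # keep the first value only
    return effective


def audit(text, criteria=CRITERIA, defaults=ASSUMED_DEFAULTS):
    """Measure the configuration against each criterion and return findings."""
    effective = parse_sshd_config(text)
    findings = []
    for c in criteria:
        key = c.keyword.lower()
        if key in effective:
            actual, source = effective[key], "explicit"
        else:
            actual, source = defaults.get(key, "<unknown>"), "default"
        status = "PASS" if actual.lower() in c.accepted else "FAIL"
        findings.append({"keyword": c.keyword, "accepted": c.accepted,
                         "actual": actual, "source": source,
                         "status": status, "rationale": c.rationale})
    return findings


def failed_keywords(findings):
    """Keywords whose criterion was not met, in checklist order."""
    return [f["keyword"] for f in findings if f["status"] == "FAIL"]


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG):
        print(f"{f['status']} {f['keyword']}: got {f['actual']!r} ({f['source']}), "
              f"accepted {'/'.join(f['accepted'])}; {f['rationale']}")
```

Running the block against the sample reports PermitRootLogin, PasswordAuthentication and MaxAuthTries as FAIL and the other two as PASS, with PermitEmptyPasswords passing only on the assumed default. A real audit would record that "default" provenance as a weaker form of evidence than an explicit setting, since the default depends on the installed version.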
1.3.2 Scope of the Audit
As with any audit, a risk assessment should be one of the first steps completed when examining a new process. The risk assessment helps determine whether the process warrants expending a significant amount of audit resources on the project. The scope of the audit depends on the risk. But even for high-risk systems, the scope should be limited to testing the critical internal controls upon which the security of the process depends. The scope of the audit depends upon:
a. Site business plan
b. Type of data assets to be protected
c. Value or importance of the data and its relative priority
d. Previous security incidents
e. Time available
f. Auditor's experience and expertise