How to Audit the Security of Information Systems
Maintaining security throughout information systems is essential in today's high-tech environment. Periodic testing of the way an organization maintains information availability, confidentiality and integrity helps to ensure the information is safe. The best security testing entails regular information-security audits performed by outside independent auditors who specialize in information security and keep up with its ever-changing requirements. Because security threats are continuously changing, frequent audits are necessary. The most effective information security audits are a joint effort by management and the external auditors.
Instructions
1. Develop and implement an organizational information security policy. An information security audit is an evaluation of how effectively the organization's security policy is being implemented, according to the post Conducting a Security Audit: An Introductory Overview on the Symantec website. Written security policies help standardize security practices. Employees read and sign off on the written policy, agreeing to put it into practice. An informal or nonexistent security policy can leave an organization's information systems severely compromised. Written information security policies ensure that employees at every level of the organization understand how to protect company data and agree to follow the policy.
2. Prepare for the information security audit. A site survey is required to provide the auditors with a technical description of the system, management and user information, and an outline of agreed-upon security practices. The auditors gather the information needed to scope the audit, such as the site business plan, the type of information protected, the value and importance of the data to the organization, and the time available for the audit. A review of the organization's previous security incidents offers a timeline of historical weak points in the information security program. Someone in the organization must provide this information, work with the auditors to scope the audit, and schedule time for it.
3. Conduct the information security audit fieldwork. The auditors hold an entrance conference in which they again review the audit's scope and answer any last-minute requests for additional information. The audit procedures are then carried out as the auditors gather data on the organization's information security and its weak spots. At the end of fieldwork, the auditors hold an exit conference to inform management of any immediate corrective actions needed and to answer management's questions before the final analysis of the audit data.
4. Analyze the audit data. The auditors review their checklists and identify the problem areas discovered during the audit. They meet to discuss their results and formulate possible solutions to any problems found. The audit report can be drafted in a variety of formats, but it should be simple and straightforward, with a clear presentation of findings and viable solutions. The audit report should be delivered in a timely fashion so that corrective actions can be instituted as soon as possible.