Introduction
The role of audit in information security management is to review and confirm compliance with the organization's security policies and with its business, legal and regulatory requirements, and to confirm that the confidentiality, integrity and availability of information are assured. Audits generate reports that management can use to verify whether the security responsibility and authority assigned to an individual are being carried out properly.
Audits find faults in the organization's information security policies and controls. An audit is also performed after a fault has been fixed, to confirm the reliability and effectiveness of the fix. An audit can be conducted when new security policies are drafted, when new information assets are identified, when new regulatory compliance requirements are issued, when new employees are hired, or on a periodic basis to review and keep watch on the implementation of security controls.
In the "Plan-Do-Check-Act" (PDCA) model for an Information Security Management System (ISMS), audits belong to the "Check" phase. The "Check" phase is executed to check the security activity of the other three phases. In the "Plan" phase the audit is conducted to ensure that security policies have been defined for all security requirements and regulations. In the "Do" phase the role of the audit is to confirm that security methods are implemented and controls are executed. In the "Act" phase the audit confirms that the security incident has been correctly fixed. PDCA is a sequence of phases, and every ISMS process passes through all of them. Example: the "monitor" process itself is executed as a PDCA cycle, i.e. plan-do-check-act within the "monitor" process.
Types of Audit
Internal Audit
These audits are conducted for the internal use of the organization. The auditors for internal audits may be internal staff, or an external agency hired to work alongside internal auditors; an auditor must not audit the security controls he/she is responsible for, and must follow the standards and guidelines specified by the IIA (Institute of Internal Auditors). Internal audits are conducted to determine whether the security controls (ISO/IEC 27001):
- Conform to ISO/IEC 27001 requirements and to the organization's business, legal and regulatory requirements.
- Conform to the organization's information security policies.
- Are implemented effectively.
- Perform as expected under all circumstances.
The internal auditors must confirm that management has acted appropriately on the recommendations of previous audits, whether internal or external. Internal auditors also have a role in evaluating controls and information security safeguards in the event of an organizational merger or acquisition (I&E AUDIT, 12-15).
External Audit
Outsourced internal audits are not considered external audits. An external audit is conducted by independent certified auditors from an external agency. The advantage of an external audit is that it provides management with:
- Reasonable assurance and a reliable report on the effectiveness of internal controls.
- An independent and objective view of the organization's business processes.
- Feedback on the organization's risk management process.
When hiring an external auditor, the objectivity of the auditor must be confirmed by verifying the auditor's credentials, such as experience, qualifications and any relationship with organization employees. The scope of the audit, the time schedule and the deliverable audit reports must be agreed upon before the audit commences (I&E AUDIT, 32-40).
IT Audit
IT audits are conducted to assess the information security controls for the organization's electronic information assets and computer resources (I&E AUDIT, 10). COBIT measures performance by setting and monitoring measurable objectives for IT processes: what the IT processes must deliver and how they deliver it. The COBIT framework links IT governance requirements, IT processes and IT controls. The COBIT components for governance, assurance, control and security professionals are interrelated as shown in Figure 4 of the COBIT 4.0 specification. Business requirements are converted into IT processes, and control objectives are defined to control these processes. The control objectives are translated into audit guidelines that are used to audit the IT processes. COBIT defines the following criteria that information control must satisfy to meet business requirements: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability (COBIT, 11).
Internal controls and regulatory compliance
The following internal controls must be applied to information security audits (ISO/IEC 27001):
- Audits must be planned for a time at which the risk to, and interruption of, business processes is minimized.
- Access to information security audit tools must be controlled to prevent their misuse or compromise, and to block any attempt to influence audit results.
Audits are performed to confirm the security of customer private information and of the organization's financial records, and compliance with all relevant laws and regulations. These audits confirm compliance with the regulatory requirements for IT controls defined by the Centre for the Protection of National Infrastructure (CPNI), ISO 17799/BS7799 and the Data Protection Act (DPA). CPNI provides guidelines for risk analysis and for the protection of organizational assets. Additional regulatory requirements may be audited depending on the organization's business, such as health care, AML, etc. At the end of an audit a report is generated to establish that the organization's information security policies and procedures are drafted to meet the regulatory control objectives and that the necessary processes are in place to meet these objectives (I&E AUDIT, 11). The audit report must comply with SAS 70.
Conclusion
Regulations and law define the compliance requirements for an organization; governance provides the framework for implementing the processes, control objectives and practices. Internal controls are applied to the IT governance processes to achieve compliance with the information security requirements. CPNI recommends that organizations reduce the vulnerabilities in their infrastructure so as to keep the country's essential services safe. The audit process checks the conformance of all organizational processes with these requirements.
References
About SAS 70. 2007. Web.
COBIT 4.0. IT Governance Institute. CPNI. 2007. Web.
DPA. (2002) The UK's anti-money laundering legislation and the Data Protection Act 1998. 2007. Web.
Hayes, Bill. (2003) Conducting a Security Audit: An Introductory Overview. SecurityFocus. 2007. Web.
Internal and External Audit. (2003) Comptroller's Handbook. 2007. Web.
Glossary
AML – Anti-Money Laundering.
OFAC – Office of Foreign Assets Control.
COBIT – Control Objectives for Information and related Technology.