Information Security

Mind Explorer Technology

An information security audit is an audit on the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized to technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and highlights key components to look for and different methods for auditing these areas.
When centered on the IT aspects of information security, it can be seen as a part of an information technology audit. It is often then referred to as an information technology security audit or a computer security audit. However, information security encompasses much more than IT.

The audit process

Audit planning & preparation

The auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether or not the client's goal is being achieved, the auditor should perform the following before conducting the review:

* Meet with IT management to determine possible areas of concern

* Review the current IT organization chart

* Review job descriptions of data center employees

* Research all operating systems, software applications and data center equipment operating within the data center

* Review the company's IT policies and procedures

* Evaluate the company's IT budget and systems planning documentation

* Review the data center's disaster recovery plan

Establishing audit objectives

The next step in conducting a review of a corporate data center takes place when the auditor outlines the data center audit objectives. Auditors consider multiple factors that relate to data center procedures and activities that potentially identify audit risks in the operating environment and assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor is able to adequately determine if the data center maintains proper controls and is operating efficiently and effectively.

Following is a list of objectives the auditor should review:

* Personnel procedures and responsibilities including systems and cross-functional training

* Change management processes are in place and followed by IT and management personnel

* Appropriate back up procedures are in place to minimize downtime and prevent loss of important data

* The data center has adequate physical security controls to prevent unauthorized access to the data center

* Adequate environmental controls are in place to ensure equipment is protected from fire and flooding

Performing the review:

The next step is collecting evidence to satisfy data center audit objectives. This involves traveling to the data center location and observing processes and procedures performed within the data center. The following review procedures should be conducted to satisfy the pre-determined audit objectives:

Data center personnel - All data center personnel should be authorized to access the data center (key cards, login ID's, secure passwords, etc.). Data center employees are adequately educated about data center equipment and properly perform their jobs. Vendor service personnel are supervised when doing work on data center equipment. The auditor should observe and interview data center employees to satisfy their objectives.

Equipment - The auditor should verify that all data center equipment is working properly and effectively. Equipment utilization reports, equipment inspection for damage and functionality, system downtime records and equipment performance measurements all help the auditor determine the state of data center equipment. Additionally, the auditor should interview employees to determine if preventative maintenance policies are in place and performed.

Policies and Procedures - All data center policies and procedures should be documented and located at the data center. Important documented procedures include: data center personnel job responsibilities, back up policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.

Physical security / environmental controls - The auditor should assess the security of the client's data center. Physical security includes bodyguards, locked cages, man traps, single entrances, bolted down equipment, and computer monitoring systems. Additionally, environmental controls should be in place to ensure the security of data center equipment. These include: Air conditioning units, raised floors, humidifiers and uninterruptible power supply.

Backup procedures - The auditor should verify that the client has backup procedures in place in the case of system failure. Clients may maintain a backup data center at a separate location that allows them to instantaneously continue operations in the instance of system failure.

Issuing the review report-The data center review report should summarize the auditor's findings and be similar in format to a standard review report. The review report should be dated as of the completion of the auditor's inquiry and procedures. It should state what the review entailed and explain that a review provides only "limited assurance" to third parties.

Network vulnerabilities

Main article: Computer security audit

Interception: Data that is being transmitted over the network is vulnerable to being intercepted by an unintended third party who could put the data to harmful use.

Availability: Networks have become wide-spanning, crossing hundreds or thousands of miles which many rely on to access company information, and lost connectivity could cause business interruption.

Access/entry point: Networks are vulnerable to unwanted access. A weak point in the network can make that information available to intruders. It can also provide an entry point for viruses and Trojan horses.

Controls

Interception controls: Interception can be partially deterred by physical access controls at data centers and offices, including where communication links terminate and where the network wiring and distributions are located. Encryption also helps to secure wireless networks.

Availability controls: The best control for this is to have excellent network architecture and monitoring. The network should have redundant paths between every resource and an access point and automatic routing to switch the traffic to the available path without loss of data or time.

Access/entry point controls: Most network controls are put at the point where the network connects with external network. These controls limit the traffic that pass through the network. These can include firewalls, intrusion detection systems, and antivirus software.

Logical security audit

The first step in an audit of any system is to seek to understand its components and its structure. When auditing logical security the auditor should investigate what security controls are in place, and how they work. In particular, the following areas are key points in auditing logical security:

Passwords: Every company should have written policies regarding passwords, and employee's use of them. Passwords should not be shared and employees should have mandatory scheduled changes. Employees should have user rights that are in line with their job functions. They should also be aware of proper log on/ log off procedures. Also helpful are security tokens, small devices that authorized users of computer programs or networks carry to assist in identity confirmation. They can also store cryptographic keys and biometric data. The most popular type of security token (RSA's SecurID) displays minute. Users are authenticated by entering a personal identification number and the number on the token.

Termination Procedures: Proper termination procedures so that old employees can no longer access the network. This can be done by changing passwords and codes. Also, all id cards and badges that are in circulation should be documented and accounted.

Special User Accounts: Special User Accounts and other privileged accounts should be monitored and have proper controls in place.

Remote Access: Remote access is often a point where intruders can enter a system. The logical security tools used for remote access should be very strict. Remote access should be logged.

Summary

By and large the two concepts of application security and segregation of duties are both in many ways connected and they both have the same goal, to protect the integrity of the companies' data and to prevent fraud. For application security it has to do with preventing unauthorized access to hardware and software through having proper security measures both physical and electronic in place. With segregation of duties it is primarily a physical review of individuals' access to the systems and processing and ensuring that there are no overlaps that could lead to fraud