Introduction
This is a report on the internal auditing of information security carried out in the organization and on the preparation for the external audit process aimed at attaining ISO 27001 certification. Information security is a fundamental element of computer security that ensures that the information held by an organization is secure at all times. It is a vital component of any organization: information is important and should be relayed on time, in the correct format and to the correct persons, so its security is paramount.
Most companies and organizations use networking as a means of communication and information sharing. However, the act of sharing exposes information security to compromise both internally and externally. As information is shared through avenues such as emails, attachments and network drives, it is exposed to the danger of unauthorized access. The organization should therefore employ information security measures to prevent unauthorized access and to protect its resources.
In an effort to address information security risks and to indicate how they can be mitigated, this report sets out how internal and external auditing ensure information security and identify loopholes in it.
Information security auditing involves the provision of independent evaluations of the organization's procedures, policies, measures, standards and practices for safeguarding information from loss, unintended disclosure, damage or denial of availability. This process provides management with an assessment of whether there are sufficient controls in place to mitigate the organization's risk.
ISO 27001 is an information security management system (ISMS) standard that was published in October 2005 by the International Organization for Standardization. It specifies a management system that is intended to bring information security under explicit and proper management control.
An information security audit covers multiple thematic areas, from auditing the physical security of the data centers to the logical security of the database systems. The objective of the information security audit in the organization was to evaluate the level of information security in the organization and to identify loopholes and inadequacies, with the aim of ensuring complete security of information. Additionally, the internal audit was a preparation for the external audit aimed at attaining ISO 27001 certification for the organization. Most specifically, the information security audit is aimed at providing management with an assessment of the effectiveness of the information security function in the organization. It also serves to evaluate the scope of the information security management and functions and whether the essential aspects of information security are addressed effectively. During the internal information security audit, the auditor reviews the following objectives:
Review personnel responsibilities and procedures, including systems and cross-functional training; appropriate backup procedures should be in place in order to minimize downtime and prevent loss of important data.
Information security auditing has four major phases that are followed by qualified and certified auditors; these phases of the internal information security audit are discussed below.
Plan (audit planning and preparation)
This phase essentially entails identifying the scope of the information security audit, establishing the information security policy that is used in the organization, carrying out the information security risk assessment and finally deciding on the information security and data controls that the organization can adopt.
This phase also involves the auditor's preparation and acquaintance with the organization. The auditor has to be adequately educated about the company's activities, business goals and objectives before conducting an information security audit and review. An organizational review is important in order to determine whether the organization's objectives are met. The phase entails several activities involving various personnel at different levels in the organization. These activities include:
Meeting with the information technology manager in an attempt to determine the possible areas of concern in the organization. The auditor then reviews the current information technology organizational chart, which sets out personnel responsibilities and the detailed tasks assigned; reviews the company's policies and procedures with regard to information and data security; evaluates the company's budget allocated to information technology; and finally determines the objectives of the information security audit in the organization. Basically, planning for information security is important in an organization since it ensures the availability of information, the integrity of data and systems, confidentiality and accountability.
This phase of the internal information security audit sets the basis for determining the purpose and the objectives of carrying out the internal audit.
Do
After identifying the objectives of the audit and planning and preparing for the process, the actual review can begin. This phase entails collecting the actual evidence that will satisfy the stated organizational information security objectives. The stage involves travelling to the physical locations of the organization's resources, which include data centers, information centers and networked environments among others. In this process the auditor observes the information transmission and transformation processes and procedures carried out within the organization. In order to satisfy the predetermined audit objectives, the auditor reviews personnel and their access to data and information. Essentially, all personnel handling data and information in the organization are entitled to authorized access to the information and data they need for their day-to-day operations.
However, that access should be restricted using passcodes, login credentials and personal identification credentials to minimize unauthorized access to data and information. In view of this, the auditor should interview and observe the personnel and satisfy the objectives set out in the previous phase.
The auditor also verifies that all of the organization's equipment used for handling data and information is working properly and effectively. The state of the equipment is determined from utilization reports, system downtime records, performance measurements and inspection for damage and functionality. Additionally, the auditor should interview personnel to determine whether preventive maintenance policies for the equipment are in place.
Best practice requires that all of the organization's information security policies, procedures and standards are well documented, stored within the organization and readily available for auditing. The audit process should thus identify and confirm the availability of personnel job responsibilities, security policies, backup policies, system operating procedures, personnel termination policies and an overview description of the operating systems, programs and information systems in the organization.
At this phase, the auditor also assesses the physical security of the data in the organization. This includes security guards, physical locks, computer monitoring systems and bolted-down equipment. In addition, environmental controls such as air conditioning, humidifiers, uninterruptible power supplies and raised floors must be in place to ensure the security of data and information.
Finally, the auditor should verify that backup procedures are in place in case of system failure. The organization should maintain a backup center and a recovery procedure in order to allow immediate continuity of operations in case of system failure.
It is important to note that at this phase the audit team involves all the human resource personnel responsible for data and information security. The process is all-inclusive in order to ensure proper evaluation of the policies, procedures and activities aimed at enhancing information security. In doing this the auditor comes up with a control framework, and resources need to be put in place to make implementation of the framework possible. These include a balanced and comprehensive measurement system used to evaluate performance in information security management.
The organization must also ensure human resource training and awareness of the new policies and procedures put in place as security control measures in the organization. The training requirements will vary from person to person depending on their roles and responsibilities in information security management. However, all persons should understand what the policies are and how they are required to carry out their responsibilities according to the policies. They should also understand the nature of the threats facing information security and the possible impacts those threats may have on their daily operations.
Check
At this phase the auditor verifies that the audit plans and recommendations have been implemented in the organization. During the previous phases, the aim was to review and identify information security loopholes, problems and issues and report them to management for appropriate action. Additionally, recommendations on the way forward with regard to information security are provided by the relevant information security personnel. This phase thus seeks to ensure that the proposed security plans, policies and procedures for information and data security are effectively implemented in the organization.
The auditor assesses how risks are controlled and managed in the organization and whether the assessment of information security risks is effective. The audit team may also investigate the causes of the information security threats and how they can be mitigated. Basically, threats to information security arise mainly from unauthorized access, loss of confidentiality, compromise of the integrity of data and information, and tampering with the accuracy and correctness of information.
The proposed interventions to manage these security threats should be monitored, and any deviations from the implementation plan should be identified. Additionally, the auditor measures the processes and the information technology services and compares them with the objectives of the internal information security audit.
The phase also entails carrying out a management review of the organization and of the management of information and the relevant resources. This is done through interviews of the responsible personnel and human resources, heads of departments and the management of the entire organization. Most importantly, the decision makers in the organization are the main human resource personnel responsible for policy formulation, implementation and review of procedures in the organization. A review and assessment of their procedural operations and a determination of their effectiveness is important in determining the effectiveness of the information security audit.
In summary, the check phase entails monitoring and review of information security management in the organization. The fundamental and critical aspect of this phase is to define the criteria that constitute success and acceptable performance, and to ensure that there are practices in place to monitor deviations from these criteria and report them to the responsible authorities.
Act
At this phase the auditor will have identified the necessary measures and steps to be undertaken in order to ensure a continuous process of information security. This audit phase therefore involves the adoption of corrective measures and preventive actions geared towards the continual improvement of information security management. The outcomes of the management review include: proposed improvements to information security management, an updated risk assessment, modified controls and procedures, better methods of measuring the effectiveness of controls, and recommendations for additional resource requirements. This final phase of the auditing process involves the development of a plan to address the shortcomings identified in the previous stages.
This phase is entirely dependent on and informed by the objectives, strategies, plans, procedures, security policy and assessment results from the check phase and the analysis of security events. The phase always starts as a reactive task that identifies critical short-term corrective actions needing immediate implementation. With increasing stability in system and software security, the responsible personnel can then concentrate on more proactive and preventive measures. The best method of determining what should be done next is through risk-centered practices that produce reliable risk assessment results.
Conclusion
Just like all other auditing processes, the information security auditing system shows the importance and need for planning and preparation before the actual audit. It shows the importance of determining the objectives and scope of the audit in order to guide the auditor in making decisions throughout the auditing process. It also needs consistent implementation and control in order for the process to be effective. Without these features the process is futile and a total waste of time.
It is evident that internal auditing is among the elements that make the quality management of the organization complete. It is a reliable tool that acts as an indicator of the integrity and level of the organization's systems and processes and their ability to support the organizational goals and objectives.
The system is helpful in identifying problems, risks, good practices and opportunities aimed at better serving the organization's clients. The information obtained from the auditing process is an important asset and is of great value to the organization.
Understanding the system is important since it provides a convenient framework and platform on which one can easily develop an information security management system. The approach promotes a continuous cycle of improvements to the information system. Risk management techniques are used to identify information security risks and then to select appropriate controls. Additionally, developing information security management and control based on the ISO/IEC 27000 series provides assurance to trustees, financial supporters and all major stakeholders that there are sound and effective information security measures in place.
With the increasing demand for information technology and the use of information systems in many organizations, the need for information security stands out as a paramount objective in every organization. Understanding the system is of great importance since it provides proper development frameworks for information security management and the information security auditing process.
Works cited
iso27001security.com. "Audit & Certification." 2009. iso27001security. 27 November 2013. <http://www.iso27001security.com/html/audit___certification.html>.
Julia, Hallen. "Build Security." 1 November 2006. buildsecurityin.us-cert.gov/articles. 27 November 2013. <https://buildsecurityin.us-cert.gov/articles/best-practices/deployment-and-operations/plan-do-check-act>.
Sayer, Vincent. "Information Security Management Made Simple." 2013. Sayer Vincent. 27 November 2013. <http://www.sayervincent.co.uk/Asp/uploadedFiles/File/Publications/MadeSimpleGuides/Information_Security_Made_Simple.pdf>.