Requirements for Development of an Assessment System for ITC Security Audit
www.jmeds.eu
Marius POPA

Department of Computer Science in Economics, Academy of Economic Studies
Pta. Romana 6, Bucharest, ROMANIA
marius.popa@ase.ro

Abstract: IT&C security audit processes are carried out to implement information security management. The audit processes are included in an audit program, as a decision of the management staff, to establish the organization's situation against the planned or expected one. The audit processes require evidence to highlight the above issues. The evidence is gathered by the audit team, and some automation processes are needed to increase the productivity and accuracy of the audit. The paper presents some issues of the requirements for development of an assessment system, with some considerations for IT&C security audit. The emphasized issues are grouped in the following sections: IT&C security audit processes, characteristics of the indicator development process and implementation issues of an assessment system.

Key-Words: assessment system, security audit, information security management.
1. IT&C Security Audit Processes for Information Security Management
The audit is the process through which competent and independent persons collect and evaluate evidence to form an opinion on the degree of correspondence between the observed facts and some pre-defined criteria [1].

Distributed informatics systems are complex constructions. They are designed, implemented and maintained to solve different business tasks in companies. Having in mind the human and financial resources consumed to develop a distributed informatics system, it is necessary to carry out activities that lead to the proposed objective. Also, the proposed objective must be reached in time, with the established quality level and within the budget limits [2].

Principles that underlie the audit process are [3]:
- Independence: auditors freely develop the audit program; information deemed to be relevant is examined and the content of the report is related to the scope of the examination;
- Use of audit evidence: it is the information that an auditor uses to underpin the conclusions and to draw up the audit report.

Principles that the auditors must follow are [3]:
- Ethical behavior: it is governed by independence, integrity, objectivity, professional competence, confidentiality, professional behavior and technical standards;
- Correct reporting: the auditing report is written by persons with professional skills and high experience in the audited field; its content is based on audit evidence and on information and recommendations for the audit client;
- Professional responsibility: auditors have the obligation to respect the principles of the audit process and to assume the consequences if they don't do that.

An IT&C system differs from a manual one through the way in which the results are obtained, the level of security and control, and the risks associated with the processing. The potential impact of the risks is minimized through high standards of security and control [3].

This is a post-conference paper. Parts of this paper have been published in the Proceedings of the 2nd International Conference on Security for Information Technology and Communications, SECITC 2009 Conference (printed version).

Journal of Mobile, Embedded and Distributed Systems, vol. II, no. 2, 2010, ISSN 2067-4074

In [4], there are presented some common instances of computer fraud and abuse:
- Unauthorized disclosure of confidential information;
- Unavailability of key IT&C systems;
- Unauthorized modification/destruction of software;
- Unauthorized modification/destruction of data;
- Theft of IT&C hardware and software;
- Use of IT&C facilities for personal business.

The IT&C security audit evaluates the instances of computer fraud and abuse on the basis of security standards. The result of such an audit process is a picture of the vulnerabilities of the analyzed system and of the risks that can appear during the system's operation. Also, the audit process is concretized into an auditing report which contains evaluations of the risks and recommendations to reduce the security vulnerabilities.

During an IT&C audit process, the auditors develop a structured approach to evaluate the risks and to assist the audited organization in improving its IT&C activities. The requirements of the audited organization aim at an independent assessment of the IT&C systems that assist the organization's business processes. The goal is to find the gaps in the IT&C systems, especially the security ones, in order to prevent possible computer fraud and abuse.

To cover the requirements of the audited organization, the auditing team examines the following IT&C areas:
- IT&C strategy: the level of alignment between business and IT strategies, so as to form a direction, common goals and objectives, and to deliver in a timely manner the services required by the IT&C department;
- IT&C organizing: compliance of the IT&C organization to support all processes and systems deemed critical, having personnel with the necessary professional skills;
- Application management: management and maintenance of the application systems to support critical business processes optimally and efficiently;
- Service management: internal management of the services and of the quality parameters assumed by the IT&C department to deliver services appropriate to the organization's needs;
- Data and database management: management and maintenance of the data and databases to support the critical business processes optimally and efficiently, assuring data protection;
- Computer network management: management and maintenance of the computer networks and communication systems to support the critical business processes optimally and efficiently, delivering correct and timely data to the appropriate destinations;
- Hardware and workstation management: management and maintenance of the servers, mainframes and operating systems to support the critical business processes, applications and data optimally and efficiently, assuring data processing within the established parameters and time periods;
- Computer operation management: planning and logging the operational activities in data centers and other data processing facilities, so that the activities that optimize and execute the operations supporting critical systems are executed correctly and on time;
- Security management: management and maintenance of the physical and logical access to the IT&C resources to protect the information against unauthorized access;
- Business continuity management: the process of planning, maintaining and improving the security procedures to continue the service delivery within the organization;
- Asset management: inventorying, management, configuring and maintaining the IT&C assets, including the systems, applications, data and infrastructure components;
- Change management: changes in the IT&C architecture to assure compatibility, feasibility, planning, and correct and timely implementation of the proposed modifications within the components of the IT&C architecture;
- Solution development and implementation: the process of analyzing, designing, developing, configuring, testing, accepting and releasing the IT&C solutions, including the applications, programs, systems and infrastructure components.

To establish the maturity level of each area, the audit team has to follow some objectives described below:
- Tactical alignment: the degree to which the organization covers the requirements of a particular process;
- Stability, availability and degree of safety: how stable and safe a particular process is, including the support systems, data and infrastructure;
- Processes: how well-defined the policies, standards and procedures are;
- Automation and technological coverage: the degree to which a process is sustained by the available technological resources;
- Results assessment: how the process results are reported, managed and assessed; the way in which the results produce feedback and continuous improvement;
- Human resources: the degree to which the needs are covered with personnel, organizational structure, skills and professional competence of the personnel involved in a particular process.

Specifications regarding the IT&C security audit are included in security audit standards. For instance, the international standard ISO/IEC 17799 approaches audit issues regarding:
- Information technology;
- Security techniques;
- Code of practice for information security management.

The standard ISO/IEC 17799 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization [5]. The following controls are considered to be common practice for information security, as they are defined in [5]:
- Information security policy document;
- Allocation of information security responsibilities;
- Information security awareness, education, and training;
- Correct processing in applications;
- Technical vulnerability management;
- Business continuity management;
- Management of information security incidents and improvements.

The ISO/IEC 17799 International Standard contains 11 security control clauses [5]:
- Security Policy;
- Organizing Information Security;
- Asset Management;
- Human Resources Security;
- Physical and Environmental Security;
- Communications and Operations Management;
- Access Control;
- Information Systems Acquisition, Development and Maintenance;
- Information Security Incident Management;
- Business Continuity Management;
- Compliance.

Each main security category includes:
- A control objective stating what is to be achieved;
- One or more controls that can be applied to achieve the control objective.

The COBIT framework (Control Objectives for Information and related Technology) is used as a source of best practice guidance. COBIT includes a set of controls and control techniques for information system management. In the IT&C audit processes, the appropriate elements from COBIT must be selected in order to evaluate the IT&C processes and to consider the information criteria [3].

The organizations that use information technology and communication facilities to reach their objectives are more successful than the ones that do not use them. The use of IT&C introduces other challenges within the organization. As a consequence, the organizations must understand and manage the associated risks and the critical dependence of the business processes on IT&C facilities.
2. Characteristics of the Indicator Development for IT&C Security Audit
Information security management aims at all methods and techniques of management, and at the use of specific tools and procedures, to ensure protection of the information. In modern organizations, information is an essential asset to ensure business