
An information security audit is a systematic process that determines security risks at an
organization.


Why do an information security audit?

An information security audit (ISA) reduces vulnerability to security breaches at an
organization.

Doing an ISA renders an organization proactive and strong by keeping information secure. It
safeguards the organization against hacks.

Establishing a process for security audits reduces reactivity, saves time, and reduces labor costs.
And an ISA can help meet legal and regulatory requirements for sensitive data.

Why a process? Why not just do an informal assessment?


A process ensures that the audit is performed correctly, completely, and iteratively.

Following a process lets an organization

• Assess and prioritize its business assets
• Budget for security safeguards
• Plan and schedule employees’ time.

It helps improve systems over time, manage knowledge, and save time that can be lost
reinventing unsystematized work.

Who should be involved?

Designated auditors -- the "auditing team" -- are staff with technical knowledge of the
organization’s business processes and IT assets.

The auditing team should include people from various departments and pay levels.

What exactly should be assessed?


An organization might do risk assessments of:

• Hardware infrastructures at data repositories/data centers
• Office network architecture
• Network services and protocols
• Servers and their operating systems
• Operating systems of staff computers
• Security that’s in place, like firewalls and virus-detection software
• Identity controls such as authorization and authentication
• Network access and controls
• Intrusion prevention controls and detection tools
• Current safety procedures and rules

When should an information security audit be done?


It depends on the type of data you manage or store.

Organizations that do not store sensitive client data should do an information security audit at
least once a year.

How do we do it?

By implementing a planned, formalized, documented process according to the phases described
next.

Phase 1: Identify

What are we auditing?


Define a limited scope of audit in a Zone Map by dividing business assets (servers, workstation
computers) into zones.

This Zone Map will be used later in your risk assessment. It will allow allocation of resources —
financial, human, and physical — to where they are needed.

List the participants and their roles.

For each zone, list who is involved and their anticipated role in the security audit. Include people
from more than one department and pay grade.

List dependencies.

For example,

• Assessing servers might require the presence of people who have security access.
• Assessing remote data centers depends on the ability of staff to travel.
• Assessing staff computers might depend on employee work schedules and loads for a
particular time.

Set estimated schedules and deadlines.

Keep in mind that deadlines will shift as the risk assessment process evolves.

Once information is gathered, formalize it into a report.

• Formalize this part of the process (Identification) in a report with names of people
involved, date of report, and projected deadlines.

Note: This is an estimation, not a final audit.

• Send the report out for review.
• Get feedback on the report from those who collaborated.
• Make needed changes, if any.
• Redistribute reports.

Phase 2: Include others.

Present the edited report.

Present the identification report to

• IT
• Management
• The business office
• Any others involved in planning

Get written support from management to proceed with the risk assessment.

If possible, have management announce the risk assessment, who’s involved, and the deadlines.

Phase 3: Nuts and Bolts: Do the Assessment.

For each security zone defined in your Zone Map (Phase 1),
answer the questions in the checklist below.
Use the Risk Assessment Checklist (attached below) to write out your answers. This list of
answers will be made into a report later.

Be careful not to assume you know where all the risks lie. Involve all relevant personnel, not just
IT, in this decision. Include staff from various departments and levels.
As you address each item, note how long it takes to arrive at a complete answer.

This will give a good estimate of time needed to complete a full risk assessment.

Risk-Assessment Checklist

Are the firewalls strong and up to date?

How are our servers configured and protected?

How are external network connections, including our Internet connection, configured and
protected?

List known vulnerabilities and consequences.

Using the Impact Analysis worksheet linked below, fill out one worksheet for each zone
defined in your Zone Map.

1. In column 1 of the worksheet, make a list of known vulnerabilities.
2. In column 2, rank each in consequence (i.e., level of importance to the company) from 1
to 5, with 1 bearing the highest consequence.
3. In column 3, list the likelihood of occurrence (probability), with 1 bearing the highest
probability.

Note: When assessing probability, consider that it increases with the number of users.


LINK: Blank worksheet

LINK: Example filled worksheet


Calculate risk.

To calculate risk, do an impact analysis.

This data will quantify potential lost revenue in the event of exploitation of each vulnerability.

Using the same worksheet, for each vulnerability determine risk by multiplying:

Consequence (c) × Probability (likelihood of occurrence) (p) = Risk (r)

c × p = r

Put this result in column 4. This is the risk associated with each vulnerability.

Qualify.
Qualify the potential damage by estimating harm to reputation or some other intangible aspect.

Map a plan of attack.


Starting with the highest-risk assets, list steps for rectifying vulnerabilities in each zone.

Include dates and personnel.
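As an added example, not part of the original document: a small Python script that fills in the Impact Analysis worksheet columns from Phase 3 (consequence, probability, r = c × p) for each zone of a Zone Map and orders the plan of attack highest-risk first. It follows the worksheet's convention that rank 1 is the highest consequence and the highest probability, so the smallest product is the highest risk; the zone names and vulnerabilities are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Vulnerability:
    zone: str          # zone from the Zone Map (Phase 1)
    name: str          # worksheet column 1: the known vulnerability
    consequence: int   # column 2: 1 = highest consequence ... 5 = lowest
    probability: int   # column 3: 1 = most likely ... 5 = least likely


def validate_rank(value: int, label: str) -> int:
    """The worksheet only accepts ranks 1..5; reject anything else."""
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be ranked 1..5, got {value}")
    return value


def risk(v: Vulnerability) -> int:
    """Column 4: r = c x p. On this 1-is-highest scale a smaller r means a higher risk."""
    return validate_rank(v.consequence, "consequence") * validate_rank(v.probability, "probability")


def worksheet(items):
    """One worksheet per zone, each sorted highest risk first (lowest r, then highest consequence)."""
    sheets = {}
    for v in items:
        sheets.setdefault(v.zone, []).append((v.name, v.consequence, v.probability, risk(v)))
    for rows in sheets.values():
        rows.sort(key=lambda row: (row[3], row[1]))
    return sheets


def plan_of_attack(items):
    """Phase 3 'map a plan of attack': highest-risk vulnerabilities across all zones come first."""
    return [f"{v.zone}: {v.name}" for v in sorted(items, key=lambda v: (risk(v), v.consequence))]


# Constructed sample worksheet entries (hypothetical zones and findings, not from the document).
SAMPLE = [
    Vulnerability("DMZ", "Firewall rules not reviewed since last change", 1, 2),
    Vulnerability("DMZ", "Public web server missing vendor patches", 1, 1),
    Vulnerability("Office LAN", "Workstation antivirus signatures stale", 3, 1),
    Vulnerability("Office LAN", "Shared admin account on file server", 2, 3),
    Vulnerability("Data center", "Backup restore procedure never tested", 2, 2),
]

if __name__ == "__main__":
    for zone, rows in worksheet(SAMPLE).items():
        print(zone)
        for name, c, p, r in rows:
            print(f"  {name:45} c={c} p={p} r={r}")
    print("Plan of attack:", *plan_of_attack(SAMPLE), sep="\n  ")
```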

Phase 4: Document.

Write down the results.

1. Document the results in a rough draft.
2. Distribute this draft among the participants.
3. Get feedback.
4. Formalize it in a readable report with an introduction, explanation, illustrations and a
conclusion.

Conclusion

Following a formal risk assessment empowers your organization to understand, quantify and
proactively address risk.

Introduction

Organizations that store sensitive data should do a risk assessment once a month.
