Finance - Accountancy, No. 6 ~ 2007

Information Systems Security Audit

Abstract: The article covers:

- defining an information system; benefits obtained by introducing new information technologies; IT management;
- defining prerequisites, analysis, design and implementation of an IS;
- the information security management system; aspects regarding the IS security policy;
- the conceptual model of a security system;
- auditing information security systems and network infrastructure security.

Key words: information system, information technologies, IT security, basic regulations, standards, norms, automated data processing systems' audit, informational systems' audit, information security management system, IT security policies, firewall.

1. Information Systems – Development, Audit, Security Policies

An information system (IS) is the set of human and capital resources invested within an entity for the purpose of collecting and processing the necessary data in order to produce information, which can then be used throughout all management decisional levels and in controlling the organization's activity. In the Anglo-American literature, although the distinction is made between "information system" and "computer-based information system", given the technological level reached by IT, most authors, after noting the difference, simply use the term "information system", motivated by the high degree of automation of informational activities.

Most of the benefits are obtained in a business by introducing the new information technologies (IT). In the case of an IT project, the benefits are not obtained immediately, but throughout the project's life cycle. Along with the business case study, at the beginning of a project for designing an IS, the achievement of the benefits must be planned, and the plan must then be followed up by means of an efficient management process, which includes:
- validating the benefits presented in the business case;
- planning the benefits to be achieved;
- describing the benefits, measuring the outcome and the objective;
- researching the assumptions;
- setting up key responsibilities for achieving the benefits.

The management of benefits achievement is an important component of project management, also involving the project's sponsors.

IS development is an extremely complex activity. The actual production, consisting of drafting, testing and optimizing the programs, as well as the rules for using them, must be preceded by designing a project that establishes the necessary details for defining the procedures, but not before establishing which programs are necessary and in what global cooperation framework (in what environment) they will function. The project design cannot be made without knowing the information prerequisites which the system must meet. All these have already shaped a set of activities to be fulfilled: defining the prerequisites, analysis, design, creating the IS.

Information systems' audit is a complex activity for assessing an information system in order to set forth a qualified opinion regarding the conformity between the system and the regulating standards, as well as on the information system's capacity of achieving the organization's strategic objectives, by efficiently using the informational resources and by ensuring the integrity of the processed and stored data.

Usually, such an activity must be carried out by a competent person, trained and qualified in the field of information systems' control, security and management, a person who is called "IT auditor". Such a licence is granted by ISACA, by means of the CISA (Certified Information Systems Auditor) certification.

Under such circumstances, IT security implies implementing specific protective measures for the IT environment (computers, networks, information systems and databases), both against accidental damaging actions and against intended attacks, such as espionage, sabotage etc. Taking the said risks into consideration, in 2000 the International Organization for Standardization (ISO) adopted the British Standard BS 7799 as an international standard, publishing it under the name ISO/IEC 17799 – "Code of Practice for Information Security Management" (since renumbered ISO/IEC 27002).

The said standard provides 36 control objectives and 127 controls, grouped in ten categories:
1. security policy;
2. business continuity planning;
3. access control;
4. system development and maintenance;
5. physical and environmental security;
6. compliance;
7. personnel security;
8. security organization;
9. computer and network management;
10. classification and control of information assets.

In order for the ISO 17799 standard to become operational, the creation of the BS 7799-2 standard was necessary (the specification later adopted as ISO/IEC 27001). Its advantage lies in the fact that it allows an information security management system (ISMS) to be implemented by successively fulfilling the following phases:
a) defining the information security management system and the afferent policies;
b) setting out responsibilities and necessary resources;
c) asset specification and risk assessment;
d) risk treatment;
e) controls selection;
f) statement of applicability;
g) implementation.

Alongside this standard, the IT Governance Institute, affiliated with ISACA, provides the best practices for IT processes in the "COBIT" framework – "Control Objectives for Information and related Technology". COBIT structures the IT processes into four domains:
a) planning and organization;
b) acquisition and implementation;
c) delivery and support;
d) monitoring and evaluation.
In total, these four domains include 220 controls, classified into 34 high-level objectives.

The security policy, the central part of the security plan, implies research and rigorous information gathering before applying any controls to the IT environment. The security policy comprises the description of purposes and intents, a difficult process that requires adaptation to each organization's specific features. A first step in implementing the security plan is establishing the systems, applications, data and entities to be secured. Once the security policy is clearly defined, it is mandatory for the users to be trained.

A well-defined security policy must exactly specify aspects regarding:
- the organization's security-related objectives, which implies that data protection must be ensured against information leaking towards external entities, data protection against natural calamities, ensuring data integrity or ensuring business continuity;
- the personnel designated to ensure security, which can be a small working group, a management group or each employee;
- the whole organization's involvement in ensuring security, exactly establishing who will provide training on security matters, as well as the modality in which the security aspects are to be integrated in the organizational structure.

In order to achieve the security objectives and obtain a high protection level, the security plan should be developed and implemented on levels. Thus, the conceptual model of a security system will include the following levels:
- application security, first of all implying the security of the software products which can be used in order to develop business applications, such as web servers, SSL (Secure Sockets Layer) etc.;
- system security, implemented on the level of system commands, which will control all software functions of the system. The users are identified and authenticated on a system level by a single security mechanism, for all operations they might perform on the system;
- network security, an integral part of designing such systems, including controls by firewalls, VPN (Virtual Private Network) and gateways;
- physical security, aiming at systems protection, backup devices and media, including access controls, uninterruptible power supplies, redundant communication lines;
- organization security, responsible for all aspects of the organization's security plan, incorporating security policies, taking into consideration the training in the field of security, the organization's business systems, and also the planning for recovery in case of disaster.

It is mandatory for the security plan to establish a working framework for making specific decisions, such as deciding upon the defense mechanisms to be used and, consequently, on the modality of configuring the provided services. It must be mentioned that planning a security system and managing vulnerabilities are activities implying compromises and successive optimizations. The conclusion can be drawn that planning security measures can also be defined as the art of reaching a compromise between the relative value of the information, the cost of protecting it and the probability of it being attacked.

The main security objectives, defined as such by the prerequisites of any business environment, are:
- confidentiality – assumes preventing unauthorized access to information. By confidentiality it is ensured that the information, either in transit or stored, is accessible only to entities which are authorized to access those resources;
- integrity – information is protected from loss or unauthorized modification; by using adequate procedures and methods, integrity ensures that information, either in transit or stored, cannot be modified by unauthorized parties;
- availability – it ensures that authorized entities have access to information resources whenever they need them; for instance, preventing DoS (Denial of Service) attacks;
- conformity – with applicable laws, regulations and standards.

Obviously, implementing an information security management system provides numerous advantages, among which we mention:
- gaining the trust of business partners (either suppliers or clients);
- improving prevention systems and response systems in case of incidents;
- minimizing the risk of information theft, corruption or loss;
- safely accessing information (by employees and customers);
- justifying and optimizing the costs necessary in order to implement security controls;
- proving the management's involvement in and commitment to information security;
- proving the conformity between own security practices and recognized standards;
- compliance with legal prerequisites, regulations and local regulations;
- ensuring that risks and controls are permanently revised;
- business continuity.

ȱ‘Žȱ™›ŽœŽ—ȱ–˜–Ž—ǰȱ‘Žȱ audit and ’ŽœȱŽ’—’’˜—ǰȱ–’—’–’£’—ȱœŽ›Ÿ’ŒŽœȱ‘Šȱ
evaluation toolsȱŠ›ŽȱŽ¡™›Žœœ•¢ȱ˜ŒžœŽȱ˜—ȱ ŒŠ—ȱ‹Žȱ™›˜Ÿ’Žȱ‹¢ȱ‘ŽȱœŽ›Ÿ’ŒŽǰȱ–˜Š•’¢ȱ˜ȱ
‘˜œŽȱ‹Šœ’ŒȱŠœ™ŽŒœȱ˜ȱ’—˜›–Š’˜—ȱœ¢œŽ–œȱ ™ŠŒ‘’—ȱ‘Žȱœ¢œŽ–ǰȱ’—Ÿ˜•ŸŽȱ ȱ™Ž›œ˜——Ž•Dz
Š—ȱ—Ž ˜›”œǰȱ ’‘˜žȱ™Š¢’—ȱŽ—˜ž‘ȱŠ Ȭ ƒstandard access.
Ž—’˜—ȱ˜ȱ‘Žȱ™›˜‹•Ž–œȱŽ¡’œ’—ȱ’—ȱ˜›Š Ȭ
—’£Š’˜—œǰȱ—Š–Ž•¢ȱ‘ŽȱŠ™™•’Žȱ™˜•’Œ¢ȱŠ—ȱ Logic access audit implies:
™›˜ŒŽž›Žœǰȱ˜›ȱ‘ž–Š—ȱŠœ™ŽŒœǰȱŒŠ••’—ȱ˜›ȱ ƒŽŽ›–’—’—ȱ‘˜œŽȱœŽŒž›’¢ȱ›’œ”œȱ›ŽȬ
ŠŽšžŠŽȱ–Š—ŠŽ–Ž—ǰȱŒž•ž›ŽǰȱŠ—ȱ”—˜ • Ȭ Š›’—ȱ›Š—œŠŒ’˜—œȱ™›˜ŒŽœœ’—Dz
ŽŽǯȱ ȱ’œȱ—˜ȱœž›™›’œ’—ȱ˜›ȱ’—ŽŸ’Š‹•¢ȱ‘Šȱ ƒevaluating controls regarding system
œžŒ‘ȱŠ›ŽȱŠŒ˜›œȱ‘Žȱ’—•žŽ—ŒŽȱ˜ȱ ‘’Œ‘ȱŒŠ—ȱ ŠŒŒŽœœȱ™Š‘œDz
™›˜ŸŽȱ›Š–Š’Œȱ˜›ȱ’—˜›–Š’˜—ȱ’—›Šœ›žŒ Ȭ ƒevaluating the control environment in
ž›ŽœȂȱœŽŒž›’¢ǯ ˜›Ž›ȱ˜ȱŽœŠ‹•’œ‘ȱ˜ȱ ‘ŠȱŽ¡Ž—ȱ‘ŠȱŒ˜—Ȭ
›˜•Ȃœȱ˜‹“ŽŒ’ŸŽœȱŠ›ŽȱŠŒ‘’ŽŸŽȱ‹¢ȱ‘ŽȱŽœȱ›ŽȬ
2. Information Systems’ sults;
Security Audit ƒŽŸŠ•žŠ’—ȱ‘ŽȱœŽŒž›’¢ȱŽ—Ÿ’›˜—–Ž—ǰȱ
‹¢ȱ›ŽŸ’œ’—ȱ‘ŽȱžœŽȱ™˜•’Œ’Žœǰȱ™›ŠŒ’ŒŽœȱŠ—ȱ
Information systems’ security audit ™›˜ŒŽž›Žœǯȱ
’–™•’Žœȱ‹˜‘ȱ ™‘¢œ’ŒȱŠŒŒŽœœȱŠž’ and logic ‹Ÿ’˜žœ•¢ǰȱ’—ȱ˜›Ž›ȱ˜ȱ˜‹Š’—ȱŠȱŒ•ŽŠ›ȱœ’Ȭ
access auditǯȱ˜›Ž˜ŸŽ›ǰȱœ™ŽŒ’’ŒȱŽŒ‘—’šžŽœȱ žŠ’˜—ȱ˜ȱ‘ŽȱŽ—Ÿ’›˜—–Ž—ȂœȱœŽŒž›’¢ȱŠ—ȱ˜ȱ
must be used (aiming to test the security) ›’œ”œȱŽŸŠ•žŠ’˜—ǰȱ‘Žȱ•˜’ŒȱŠŒŒŽœœȱŠž’ȱ—ŽŽœȱ
Š—ȱ’—ŸŽœ’Š’˜—ȱŽŒ‘—’šžŽœǯȱ˜—œŽšžŽ—•¢ǰȱ ’›œȱ˜ȱŠ••ȱ˜˜ȱ”—˜ •ŽŽȱ˜ȱ‘Žȱ ȱŽ—Ÿ’›˜—Ȭ
phasesȱŠ›Žȱž•’••ŽǰȱœžŒ‘ȱŠœDZ –Ž—ǯȱ —ȱ‘’œȱ›Žœ™ŽŒǰȱŠȱŽŽ›–’—Š—ȱŽ•Ž–Ž—ȱ
ƒ›ŽŠ—Š•¢£’—ȱ‘ŽȱŽ—’¢Ȃœȱœ™ŽŒ’’Œȱ™˜•’Ȭ ’œȱ›Ž™›ŽœŽ—Žȱ‹¢ȱ‘Žȱ researching of the acȬ
Œ’Žœǰȱ™›˜ŒŽž›ŽœȱŠ—ȱœŠ—Š›œDz ŒŽœœȱ™Š‘œǰȱŠ—ȱ–˜›ŽȱŽ¡ŠŒ•¢ȱŽœŠ‹•’œ‘’—ȱ‘Žȱ
ƒœŽŒž›’¢ȱ™˜•’Œ’Žœȱ›ŽŠ›’—ȱ™‘¢œ’ŒŠ•ȱŠŒȬ •˜’Œȱ Š¢ȱ˜›ȱŽŠŒ‘ȱ’—’Ÿ’žŠ•ȱžœŽ›ȱ˜ Š›œȱ
cess; ’—˜›–Š’˜—ǯȱ•œ˜ǰȱ‘ŽȱŠŒŒŽœœȱ˜ȱ‘Žȱœ¢œŽ–Ȃœȱ
ƒœŽŒž›’¢ȱ™˜•’Œ’Žœȱ›ŽŠ›’—ȱ•˜’ŒȱŠŒŒŽœœDz Œ˜–™˜—Ž—œǰȱ˜›ȱŠ—ȱŽ’Œ’Ž—ȱŒ˜—›˜•ǰȱ’–™˜œŽœȱ
ƒŠ Š›Ž—ŽœœȱŠ—ȱ™Ž›–Š—Ž—ȱ›Š’—’—ȱ˜ȱ most times the žœŽȱ˜ȱœ™ŽŒ’Š•’œœȱ’—ȱ‘’œȱ’Ž• .
‘ŽȱžœŽ›œȱ˜—ȱœŽŒž›’¢ȱ™˜•’Œ’ŽœDz ‘Ž¢ȱŒŠ—ȱ™›˜Ÿ’ŽȱŠŠȱ›ŽŠ›’—ȱœ¢œŽ–ȂœȱœŽȬ
ƒŽœŠ‹•’œ‘’—ȱ‘ŽȱŠŠȱ˜ —Ž›œȱŠ—ȱžœŽ›œDz Œž›’¢ǰȱŠ—ȱ‘Šȱ’œȱ ‘¢ȱ‘Ž¢ȱŠ›Žȱ›ŽŠ›ŽȱŠœȱŠȱ
ƒestablishing the data in custody; valuable source for the auditor. C onsequentȬ
ƒestablishing the security administrator; •¢ǰȱ‘Ž auditor is entitled to request an interȬ
ƒŽ’—’—ȱ—Ž ȱžœŽ›œDz Ÿ’Ž ȱ ’‘ȱ‘˜œŽȱœ™ŽŒ’Š•’œœǰȱ‘Ž—ŒŽȱŽŽ›–’— Ȭ
ƒŽœŠ‹•’œ‘’—ȱ˜›–Ž›ȱŽ–™•˜¢ŽŽœȂȱŠŒŒŽœœDz ’—ȱ˜ȱ ‘ŠȱŽ¡Ž—ȱ‘Žȱ–Š—ŠŽ›’Š•ȱ™˜•’Œ’ŽœȱŠ›Žȱ
ƒŽœŠ‹•’œ‘’—ȱŠž‘˜›’£Š’˜—ȱ™›˜ŒŽž›Žœȱ Ÿž•—Ž›Š‹•Žǰȱ˜›ȱ˜ȱ ‘ŠȱŽ¡Ž—ȱ‘Žȱ•˜’ŒȱœŽŒž Ȭ
for accessing documents; ›’¢ȱŠ—ȱŒ˜—’Ž—’Š•’¢ȱŠ›ŽȱŒ˜–™•’Žȱ ’‘ȱ’—ȱ
ƒŽœŠ‹•’œ‘’—ȱ‹Šœ’ŒȱœŽŒž›’¢ȱ–ŽŠœž›Žœǰȱ ‘Šȱ™Š›’Œž•Š›ȱŽ—’¢ǯȱ•œ˜ǰȱ‘Ž›Žȱ–žœȱ—˜ȱ‹Žȱ
’–™•¢’—DZȱŽ’—’—ȱ‘Žȱ ˜›”’—ȱŽ—Ÿ’›˜—Ȭ —Ž•ŽŒŽȱ‹¢ȱ‘ŽȱŠž’˜›ȱ‘ŽȱŠ—Š•¢œ’œȱ›Ž™˜›œȱ
–Ž—ǰȱŠ—’Ÿ’›žœȱœ˜ Š›Žȱ˜ȱ‹ŽȱžœŽǰȱŠŒŒŽœœȱ ›ŽŠ›’—ȱ‘ŽȱŒ˜—›˜•ȱ˜ȱŠŒŒŽœœȱ˜ȱœ˜ Š›Žǰȱ
™Šœœ ˜›œȱ˜›ȱŽŸŽ›¢ȱ•ŽŸŽ•ǰȱ‘Žȱ Š¢ȱ’—ȱ ‘’Œ‘ȱ —˜›ȱ‘ŽȱŠ—Š•¢œ’œȱŠ™™•’ŒŠ’˜—œȱ˜ȱ–Š—žŠ•ȱœ¢œ Ȭ
‹ŠŒ”ž™œȱŠ›Žȱ˜’—ȱ˜ȱ‹Žȱ–ŠŽǰȱŸž•—Ž›Š‹’•’Ȭ Ž–ȱ˜™Ž›Š’˜—œǯ
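The access-path research and the "former employees' access" and "data owners" phases above can be carried out mechanically once the directory and the ACLs are exported. The following is an added example, not code from the article: it reconstructs each user's logical way towards information (user, direct groups, nested groups, resource permissions) over constructed sample data and reports the exceptions an auditor would ask about. All users, groups, roles and resources are invented for the illustration; the role-to-group table stands in for the entity's authorization procedure.

```python
"""Logic-access audit over a constructed user directory and resource ACLs.

Added example, not code from the article. It reconstructs the "logic way" of
each user towards information (user -> groups -> nested groups -> resource
permissions) and flags the conditions the audit phases look for: accounts of
former employees that still reach data, group memberships that the user's
role does not justify, and resources without a designated data owner.
Every user, group, role and resource below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str            # job role from the HR roster
    active: bool         # False once the person has left the organization
    groups: set = field(default_factory=set)   # direct group memberships


# Constructed HR roster joined with directory group memberships.
USERS = {
    "ana":    User("ana", "accountant", True, {"ledger-rw"}),
    "bogdan": User("bogdan", "sysadmin", True, {"ledger-admins"}),
    "carmen": User("carmen", "accountant", False, {"ledger-rw"}),  # left, account never disabled
    "dan":    User("dan", "intern", True, {"ledger-admins"}),       # membership outside the role
}

# Group nesting: members of "ledger-admins" are implicitly members of "ledger-rw".
GROUP_PARENTS = {"ledger-admins": {"ledger-rw"}}

# Authorization procedure (assumed): which groups each role may legitimately hold.
ROLE_GROUPS = {
    "accountant": {"ledger-rw"},
    "sysadmin": {"ledger-admins", "ledger-rw"},
    "intern": set(),
}

# Resources with their data owner and ACL (group -> permissions).
RESOURCES = {
    "general_ledger": {
        "owner": "ana",
        "acl": {"ledger-rw": {"read", "write"},
                "ledger-admins": {"read", "write", "grant"}},
    },
    "payroll": {
        "owner": None,                       # nobody designated as data owner
        "acl": {"ledger-admins": {"read"}},
    },
}


def effective_groups(user):
    """Expand direct memberships through nested groups (transitive closure)."""
    seen, stack = set(), list(user.groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(GROUP_PARENTS.get(group, ()))
    return seen


def access_paths(user, resources=RESOURCES):
    """Map resource -> permission -> granting groups: the user's logical path to information."""
    paths = defaultdict(lambda: defaultdict(set))
    for group in effective_groups(user):
        for resource, spec in resources.items():
            for perm in spec["acl"].get(group, ()):
                paths[resource][perm].add(group)
    return paths


def audit(users=USERS, resources=RESOURCES):
    """Return (finding, subject, detail) tuples; an empty list means no exceptions."""
    findings = []
    for user in users.values():
        paths = access_paths(user, resources)
        if not user.active and paths:
            findings.append(("former_employee_access", user.name, sorted(paths)))
        allowed = ROLE_GROUPS.get(user.role, set())
        for group in sorted(effective_groups(user) - allowed):
            findings.append(("group_outside_role", user.name, group))
    for resource, spec in resources.items():
        if not spec["owner"]:
            findings.append(("no_data_owner", resource, None))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```

Run against the constructed data, the audit reports that carmen, a former employee, still reaches the general ledger, that dan holds two groups the intern role does not allow (one of them only through nesting), and that payroll has no data owner; ana and bogdan produce no findings. The nested-group expansion is the part that matters in practice: a flat listing of direct memberships would not show that dan can read the ledger at all.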


The techniques used by the auditor in testing the security are varied. Some of them involve:
- keys and card verification;
- terminal identification;
- users' identification and authentication;
- resources control;
- entering the working session and reporting unauthorized access;
- investigating unauthorized access;
- uncontrolled security and compensating controls;
- access controls analysis and passwords administration.

Investigation techniques also involve investigating the protection of the evidence, the modality of obtaining custody, and the existence of crime in computer networks.

3. Auditing Network Infrastructure Security

Controls regarding the network infrastructure security audit involve verification by the auditor of the network architecture's identification, determining the efficiency of applying the security policies, determining the used standards and procedures, identifying the personnel in charge of network security, and reanalyzing the network administration procedures in case vulnerabilities are noticed. In this respect, auditing involves the audit of remote access and the audit of the points where the computer network interacts with the internet.

The combination of these procedures can be found in the so-called penetration tests or network intrusion tests. These tests are of many kinds, depending on their purpose, objective and nature, such as: external tests (simulating attacks and external controls, the access way being the internet), internal tests (similar to the external ones, but from the intranet), "blind" tests (the tester is limited or has no information regarding the system) and double "blind" tests (in which the organization's own staff are also not informed of the test), each of particular purpose. The phases of the penetration tests are: planning, discovery, attack and reporting. In the penetration testing there are taken into consideration the network evaluation analysis, the VPN network evaluation, the development and authorization of network changes, and the authorized changes.

4. Security Measures in the Entity – Client Relationship

Security of commercial transactions

The matter of security concerns the client, the network, and the information site of the company trading its products or services on the internet. The risks arising on the client's behalf are closely connected to disclosing confidential information, and also to unlawful use. The security issues on a network level are concretized in terms of performance, represented by the response time, data traffic etc. An important risk that can be faced by the entity is the penetration of its information environment from the very internet site, so authorization solutions must be found for all the possibilities of using it.

Buyer-seller connection security

Ensuring trading transactions security is not only a matter of the security of the internet connection between the customer and the seller; it is equally a matter of the client service. The client's information environment should be separate from the seller's information environment. An internet connection between a browser and a web server can be established by using the SSL (Secure Sockets Layer) module. SSL is integrated into the browser and ensures confidentiality (and, through the server certificate, authentication of the server and integrity of the exchanged data; its successor protocol is TLS).

The main credit card operators promoted SET (Secure Electronic Transaction). In this case, the transaction and the client's credit card number are enciphered by the application and only then are they sent to the seller. The seller, in its turn, will append its identification number and the return message before sending them to the bank. Upon receipt, the bank will decode, authenticate and identify the user, at the same time delivering its agreement to the seller, which in its turn will perform the requested transaction or not. At no moment during the transaction will the credit card be made public, nor will the seller be able to read it.

Server security

Securing the server involves controlling the requests addressed to it and securing the information system with which it collaborates in order to return the service requested by the customers. Grounded on a strict system configuration, its protection against the exterior is usually made by a firewall. A firewall configuration is made by the security criteria established for filtering the covered traffic, and thus a control policy is applied over the system access. Therefore, data protection consists of limiting access to the data, as well as of placing it at the disposal of authorized clients only.

In this respect, businesses can also use companies that are specialized in creating data security models or even specialized experts in this field. Nonetheless, network administrators will not be able to implement and maintain the functionality of the designed plan without adequate training: organizations must ensure the material and financial conditions in order to train their own network administrators, thus avoiding unpredicted situations.

In reality, it will never be possible for an information system to be totally secured, because hackers will always discover security vulnerabilities you couldn't think of, which they will use in order to break the system. Depending on the hackers' purpose, they will affect the system or only draw attention to the respective "fissures". In time, the organization's information system evolves and expands with new hardware and software components. Along with the system's evolution, other vulnerabilities will also appear, for which new security solutions should be developed.

In conclusion, we can assert that only by permanently investing in a complex security model will we be able to have safer IT systems. Therefore, the security solutions and also the security policy should be considered globally, and not just punctually. It must not be neglected that the security level of the entire system is represented by its weakest link, and that is why the security policy should be updated periodically.
