Learning outcomes
• Observe how to audit physical controls
• Observe how to audit environment controls
• Understand security management
• Understand the emerging technologies

Data Centre Facility
• Traditionally, companies have a data processing facility to host their information systems and to process and store data.
• A data centre is a facility that hosts the servers and infrastructure that provide computing power and resources to the company's information systems.
• The data centre is usually geographically isolated.
• Companies typically have two separate data centres (primary and secondary sites) for business resilience and continuity purposes.
• This facility contains business-critical and sensitive information that is relied upon for business operations and financial reporting.

Auditing Physical Control for a data centre
• A security officer should guard the outside perimeter to monitor movements.
• The security guard should also vet visitors to ensure that the users accessing the facility have a valid business reason.
• The data centre should have a closed-circuit television (CCTV) system to monitor the facility.
• If possible, motion detection cameras should be used to detect and record motion in these areas.
• Question: what type of control is a CCTV for a data centre?
• The facility should have an access control system to prevent unauthorised access.
• The facility manager/security officer should grant users access based on their job roles.
• The data centre should have a motion detection alarm system connected to a security company, the local authorities and emergency services to ensure that an intrusion is detected in a timely manner.
• The data centre should have a backup power supply system to ensure that the facility continues to be operational in the event of the loss of electricity.
• A diesel generator, uninterruptible power supply (UPS) or any other alternative power source should be used.

Auditing Environment Control for a data centre
• The servers within the data centre require a certain temperature for optimal performance.
• The data centre should have a thermometer in place to monitor the temperature within the data centre.
• The data centre requires an effective air cooling system to direct hot air outside and bring in cooled air.
• The data centre should have smoke detectors to detect smoke within the facility and a fire suppression system to suppress a fire if one breaks out.
• A dry fire suppression system using agents such as carbon dioxide should be utilised within the data centre.

Auditing Security Controls in the data centre
• Security controls can be either administrative or technical.
• A policy is an administrative directive put in place to lay the foundation of the measures that should be put in place to secure an organisation's information systems.
• Password settings are examples of technical security controls; other examples are the segmentation of a corporate network, firewall rules to restrict access to the network, virtual private networks (VPN) to restrict access further, and data encryption and hashing standards such as MD5 or SHA256.
• Technical controls are the technical measures that secure the confidentiality, integrity and availability (CIA) of an information system and its data.

Authentication
Authentication is the bedrock, or first gate, for access to a corporate network or information system. As an IS auditor, you should review the authentication mechanism enforced on the information systems within the scope of your audit engagement.

Types of authentication
1. Native authentication
• Using this method, users are authenticated at the application level with a form of identification such as a username and password, which verifies the validity of the users accessing the application. Using an analogy,
2. Single sign-on (for example, a name and password)
3. Multifactor authentication
• According to Doshi (2020), there are three factors of authentication:
• Something you know - for example, a password or secret PIN
• Something you have - for example, a badge or one-time PIN
• Something you are - for example, a fingerprint or eye scan

Security Management
• Technical security controls should be implemented with the other elements of an organisation in mind. The human factor is the weakest link within the organisation.
• Creating security awareness
• The security awareness training provided to employees should cover social engineering exercises. Social engineering exercises have resulted in corporations losing millions of dollars in revenue. Let us look at some examples of social engineering:

Examples of social engineering
• Phishing
• Business email compromise
• Baiting
• Tailgating
• Diversion theft

• Prevention of malicious software
• Logging: ensuring that user activities are logged or kept on the system.
• Penetration testing: the identification of risks to information systems' confidentiality, integrity and availability. Penetration testing aims to check the organisation's control environment so that corrective action can be taken if a flaw is discovered.
• Intrusion detection system: an intrusion detection system (IDS) monitors a network (network-based IDS) or a single machine to recognise and detect incursion activities.
• Honeypot: a honeypot is a decoy system that attracts attackers and hackers.
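The authentication review described above, as an added example that is not part of the original notes: an auditor's helper that maps each application's enabled login methods onto the three factor categories from Doshi (2020) and reports whether the configuration genuinely enforces multifactor authentication. The application inventory, the method names and the `mfa_enforced` flag are constructed assumptions, not a real product's configuration.

```python
"""Added example: classify an application's enabled authentication methods into
the three factor categories (know/have/are) and judge whether the configuration
genuinely enforces MFA. Config format and method names are assumptions."""
from collections import defaultdict

# Method name -> factor category (assumed names; extend for the system under audit)
FACTOR_OF = {
    "password": "know", "pin": "know", "security_question": "know",
    "totp_app": "have", "hardware_token": "have", "sms_otp": "have", "badge": "have",
    "fingerprint": "are", "face_scan": "are", "iris_scan": "are",
}

def classify(methods):
    """Group enabled methods by factor; unrecognised names go under 'unknown'."""
    groups = defaultdict(list)
    for m in methods:
        groups[FACTOR_OF.get(m, "unknown")].append(m)
    return dict(groups)

def audit_auth(app):
    """Return (status, findings) for one application's auth configuration."""
    findings, methods = [], app.get("methods", [])
    groups = classify(methods)
    distinct = [f for f in groups if f != "unknown"]  # distinct factor categories
    if "unknown" in groups:
        findings.append(f"unrecognised methods need manual review: {groups['unknown']}")
    if not distinct:
        findings.append("no recognised authentication method enabled")
    elif len(distinct) == 1:  # password + PIN is still one factor, not MFA
        findings.append("single factor only" if len(methods) == 1 else
                        f"several methods but all '{distinct[0]}' factors; not true MFA")
    if len(distinct) >= 2 and not app.get("mfa_enforced", False):
        findings.append("MFA methods available but not enforced")
    if app.get("mfa_enforced") and len(distinct) < 2:
        findings.append("mfa_enforced is set but the enabled methods cannot satisfy it")
    weak = [f for f in findings if not f.startswith("unrecognised")]
    status = "FAIL" if weak or len(distinct) < 2 else ("REVIEW" if findings else "PASS")
    return status, findings

# Constructed inventory of in-scope applications (sample data, not real systems)
APPS = {
    "hr_portal": {"methods": ["password", "pin"], "mfa_enforced": True},
    "vpn": {"methods": ["password", "hardware_token"], "mfa_enforced": True},
    "wiki": {"methods": ["password", "totp_app"], "mfa_enforced": False},
    "legacy_crm": {"methods": ["password"], "mfa_enforced": False},
    "badge_door": {"methods": ["badge", "fingerprint", "smartcard"], "mfa_enforced": True},
}

def run_audit(apps=APPS):
    """Audit every in-scope application; returns {name: (status, findings)}."""
    return {name: audit_auth(cfg) for name, cfg in apps.items()}
```

The point the sample data makes is that two methods of the same category (password plus PIN) do not constitute MFA, and that methods merely being available is not the same as the control being enforced.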
New emerging technologies

3.1 Cloud computing
• Amazon Web Services defines cloud computing as “the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS)”.

3.2 Artificial intelligence
• For example, a car is programmed to study road conditions and be fully autonomous and self-driving.

3.3 Augmented reality
• Augmented reality (AR) is a technologically augmented version of the real world created through digital visual elements, music, or other sensory stimulation.

Internet of things
• IoT is a new concept that is slowly being accepted by businesses.

Blockchain
• A blockchain is a decentralised database shared among computer network nodes. A blockchain acts as a database, storing information in a digital format.

Metaverse
• The metaverse is a virtual world that integrates social networking, online gaming, augmented reality (AR), virtual reality (VR), and cryptocurrency to allow people to connect digitally.