Information Security Audit
An information security audit is an audit of the information security of an organisation. There are multiple types of audit, and different kinds of audits have different objectives. The controls being audited are categorised as physical, technical and administrative. Information security audits range from audits of the physical security of data centres to audits of the analytical security of databases. Audits highlight key components of the system and the techniques used for auditing each of them.
If the information security audit is centred on the IT attributes of information security, it is considered part of the information technology audit, and is usually referred to as an information technology security audit or computer security audit. Information security, however, involves more than IT.
The Process of Information Security Audit
Audit Preparation and Planning
Auditors should be properly educated about the company and its business activities before a data centre review is conducted. A data centre’s objective is to align data centre activities with the goals of a business and maintain the integrity and security of critical processes and information. To determine if the client’s goals are being achieved, auditors should do the following before doing a review:
- Determine possible areas of concern by meeting with IT management.
- Review the present organisational chart of IT.
- Review the data centre employees’ job descriptions.
- Research all software applications, operating systems and data centre equipment operating within the data centre.
- Review the policies and procedures of the IT department.
- Evaluate the budget and systems planning documentation of the company’s IT.
- Review the disaster recovery plan of the data centre.
Establishing Information Security Audit Objectives
The next step is outlining the data centre audit objectives. Auditors should consider multiple factors that relate to data centre activities and procedures. These factors may potentially identify audit risks in the operating setting and assess the existing controls that mitigate these risks. Through thorough analysis and testing, auditors should adequately determine if the data centre is maintaining proper controls and if it is operating efficiently and effectively.
The objectives the auditor should review include:
- Personnel responsibilities and procedures which include systems and cross-functional training.
- Change management processes that are followed by management and IT personnel.
- Proper backup procedures to minimise downtime and prevent the loss of important data.
- Adequate physical security controls to prevent unauthorised access to the data centre.
- Proper environmental controls to ensure that equipment is protected from floods and fire.
Performing the Review
The next step in the information security audit is collecting evidence to satisfy the data centre audit objectives. Security audit services typically include travelling to the data centre location and observing the processes and the people within the data centre. The review procedures should be performed so as to satisfy the audit objectives that were set.
- Review of the data centre personnel. Data centre personnel are authorised to access the data centre with login IDs, key cards, secure passwords, etc. These employees should be properly educated about the data centre equipment and perform their jobs properly. Service personnel should be supervised when working on data centre equipment. Auditors should observe and interview data centre employees to satisfy the audit objectives.
- Review of equipment. Auditors should verify if all equipment in the data centre is working properly and effectively. Utilisation reports of equipment, inspection for damage of equipment and functionality, downtime records and equipment performance measurements can help auditors determine the state of the data centre tools and equipment. An interview of employees may also help in determining if preventive maintenance policies are in place and are performed.
- Review of policies and procedures. Policies and procedures in the data centre should be documented and found in the data centre. Documented procedures should include the data centre personnel job and their responsibilities, as well as their security and backup policies, system operating procedures, employee termination policies, and overview of operating systems.
- Review of environmental controls and physical security. The client’s data centre should be assessed by the auditor. Physical security refers to locked cages, bodyguards, man traps, bolted down equipment, single entrance, and computer monitoring systems. Environmental controls should be in place to keep the data centre equipment secure. This should include raised floors, humidifiers, air conditioning, and uninterrupted power supply.
- Review of backup procedures. Auditors should verify that the client has backup procedures in place in case of system failure. A backup data centre may be located at a separate site so that operations can continue if the primary site fails. The resulting audit report should describe what the review involved and should explain that the review provides only ‘limited assurance’ to third parties.
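The personnel review and the employee termination policy above can be backed by a concrete evidence test rather than interviews alone. The following is an added example, not part of the original article or of Kingston Knight Audit's own methodology: it reconciles a constructed data centre access roster (login IDs and key cards) against a constructed HR register and reports the findings an auditor would raise, namely terminated staff whose credentials are still active, roster entries with no matching HR record (orphan accounts), and badge-in events recorded after a termination date. The record layouts, field names, staff and dates are all assumptions made for the example.

```python
"""Added example (not from the original article): reconcile a data centre
access roster against the HR employee register to test whether the employee
termination policy is actually enforced. All data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row of the (assumed) HR register."""
    login_id: str
    name: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class AccessEntry:
    """One row of the (assumed) data centre access roster."""
    login_id: str
    key_card: str
    card_active: bool
    last_badge_in: Optional[date]    # most recent physical entry, if any


# Constructed sample evidence, as an auditor might receive it from HR and
# from the physical access control system.
HR_REGISTER: List[HrRecord] = [
    HrRecord("alice", "Alice Ng", "active"),
    HrRecord("bob", "Bob Reyes", "terminated", date(2024, 3, 1)),
    HrRecord("carol", "Carol Ito", "active"),
    HrRecord("dave", "Dave Okafor", "terminated", date(2024, 5, 10)),
]

ACCESS_ROSTER: List[AccessEntry] = [
    AccessEntry("alice", "KC-1001", True, date(2024, 6, 1)),
    AccessEntry("bob", "KC-1002", True, date(2024, 3, 15)),   # left 1 Mar, still badging in
    AccessEntry("dave", "KC-1004", False, date(2024, 5, 2)),  # correctly deactivated
    AccessEntry("eve", "KC-1009", True, date(2024, 6, 3)),    # no HR record at all
]


def reconcile_access(hr: List[HrRecord], roster: List[AccessEntry]) -> Dict[str, List[str]]:
    """Compare the access roster with the HR register and return audit findings
    keyed by finding type; each value is a sorted list of login IDs."""
    hr_by_id = {rec.login_id: rec for rec in hr}
    terminated_with_access: List[str] = []
    orphan_accounts: List[str] = []
    post_termination_badge_in: List[str] = []

    for entry in roster:
        rec = hr_by_id.get(entry.login_id)
        if rec is None:
            # Credential exists but HR has never heard of this person.
            orphan_accounts.append(entry.login_id)
            continue
        if rec.status == "terminated":
            if entry.card_active:
                # Termination policy not applied: card should have been revoked.
                terminated_with_access.append(entry.login_id)
            if (rec.termination_date is not None and entry.last_badge_in is not None
                    and entry.last_badge_in > rec.termination_date):
                # Physical entry after the leaving date: a control failure with impact.
                post_termination_badge_in.append(entry.login_id)

    return {
        "terminated_with_access": sorted(terminated_with_access),
        "orphan_accounts": sorted(orphan_accounts),
        "post_termination_badge_in": sorted(post_termination_badge_in),
    }


def control_effective(findings: Dict[str, List[str]]) -> bool:
    """The access-revocation control is rated effective only if no finding type
    has any entries."""
    return all(len(ids) == 0 for ids in findings.values())


if __name__ == "__main__":
    result = reconcile_access(HR_REGISTER, ACCESS_ROSTER)
    for kind, ids in result.items():
        print(f"{kind}: {', '.join(ids) if ids else 'none'}")
    print("control effective:", control_effective(result))
```

In a real engagement the two inputs would be exported from the HR system and the physical access control system on the same day, and each finding would be traced back to the termination policy reviewed under the policies and procedures step.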
Kingston Knight Audit are the Auditor Melbourne experts to contact when dealing with your trust account audit, SMSF Audit, financial statement audit, and internal audit requirements. Contact us today, Kingston & Knight Audit offers a free telephone consultation to establish how we can best help you achieve the assurance and compliance you require.