The Processes of Design, Implementation, and Monitoring of Security


The IS auditor does not generally review the effectiveness and utilization of assets during a security audit. Security audits primarily focus on the evaluation of the policies and procedures that ensure the confidentiality, integrity, and availability of data. During an audit of security, the IS auditor normally reviews access to assets and validates the physical and environmental controls to the extent necessary to satisfy the audit requirements. The IS auditor also should review logical access policies and compare them to job profiles, to ensure that excessive access has not been granted, and evaluate asset safeguards and procedures to prevent unauthorized access to assets.


Rather than simply reviewing the effectiveness and utilization of assets, an IS auditor is more concerned with adequate access control, appropriate access policies, and the effectiveness of safeguards and procedures.


Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services. Proper implementation and incident-handling procedures ensure network connectivity and the availability of network services.

The IT organization should have policies and procedures outlining proper patch-management procedures. The application of patches reduces known vulnerabilities in operating systems and applications, but systems administrators should always assess the impact of patches before installation. System administrators should evaluate patches as soon as they become available and should understand the effect they will have within their environment. Any patch-management methodology should also include extensive testing of the effects of a patch before it is implemented.

The data owners, who are responsible for the use and reporting of information under their control, should provide written authorization for users to gain access to that information. The data owner should periodically review and evaluate authorized (granted) access to ensure that these authorizations are still valid.


Data owners are ultimately responsible and accountable for reviewing user access to systems.
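One way to automate the comparison described above, as an added example that is not from the Exam Cram text: a script that checks an export of granted access against job profiles and the data owners' written authorizations, and also flags separation-of-duties conflicts. All records, role names and entitlement strings are constructed sample data.

```python
"""Access-recertification check (constructed example, not from the source text)."""
from collections import defaultdict

# Constructed job profiles: the entitlements each role legitimately needs.
JOB_PROFILES = {
    "ap_clerk": {"erp:invoice.read", "erp:invoice.create"},
    "ap_manager": {"erp:invoice.read", "erp:invoice.approve", "erp:vendor.read"},
    "dba": {"db:prod.admin"},
}

# Constructed export of currently granted access: (user, role, entitlement).
GRANTED = [
    ("alice", "ap_clerk", "erp:invoice.read"),
    ("alice", "ap_clerk", "erp:invoice.create"),
    ("alice", "ap_clerk", "erp:invoice.approve"),  # exceeds the clerk profile
    ("bob", "ap_manager", "erp:invoice.approve"),
    ("bob", "ap_manager", "erp:vendor.read"),
    ("carol", "dba", "db:prod.admin"),
    ("carol", "dba", "erp:invoice.approve"),       # exceeds profile, never authorized
]

# Constructed register of written data-owner authorizations: (user, entitlement).
AUTHORIZED = {
    ("alice", "erp:invoice.read"), ("alice", "erp:invoice.create"),
    ("alice", "erp:invoice.approve"),
    ("bob", "erp:invoice.approve"), ("bob", "erp:vendor.read"),
    ("carol", "db:prod.admin"),
}

# Constructed conflicting pairs that one person should not hold together.
SOD_CONFLICTS = [("erp:invoice.create", "erp:invoice.approve")]


def review_access(granted, profiles, authorized):
    """Return {user: [(entitlement, reason), ...]} for grants that are
    'excessive' (outside the job profile) or 'unauthorized' (no written
    data-owner authorization on record). A grant may raise both."""
    findings = defaultdict(list)
    for user, role, ent in granted:
        if ent not in profiles.get(role, set()):
            findings[user].append((ent, "excessive"))
        if (user, ent) not in authorized:
            findings[user].append((ent, "unauthorized"))
    return dict(findings)


def separation_of_duties(granted, conflicts):
    """Return {user: [conflicting pair, ...]} for users holding both sides."""
    held = defaultdict(set)
    for user, _role, ent in granted:
        held[user].add(ent)
    return {u: [c for c in conflicts if c[0] in ents and c[1] in ents]
            for u, ents in held.items()
            if any(c[0] in ents and c[1] in ents for c in conflicts)}
```

Run against a real access export, the findings list is what the data owner would recertify or revoke.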


Intrusion-detection systems (IDS) are used to identify intrusion attempts against a network. However, they should be implemented in concert with firewalls and routers, because an IDS detects intrusion attempts rather than preventing attacks.

Per ISACA, the IS auditor should review the following when auditing security management, logical access issues, and exposures.

Review Written Policies, Procedures, and Standards

Policies and procedures provide the framework and guidelines for maintaining proper operation and control. The IS auditor should review the policies and procedures to determine whether they set the tone for proper security and provide a means for assigning responsibility for maintaining a secured computer processing environment.

Logical Access Security Policy

These policies should encourage limiting logical access on a need-to-know basis and should reasonably assess the exposure to the identified concerns.

Formal Security Awareness and Training

Promoting security awareness is a preventive control. Through this process, employees become aware of their responsibility for maintaining good physical and logical security.

Per ISACA, assimilation of the framework and intent of a written security policy by the users of the systems is critical to the successful implementation and maintenance of security policy. You might have a good password system, but if the users of the system keep passwords written on their desks, the password system is of little value. Management support and commitment are no doubt important, but for successful implementation and maintenance of security policy, user education on the critical nature of security is of paramount importance. Stringent implementation, monitoring, and enforcement of rules by the security officer through access-control software, and provision for punitive action when security rules are violated, are also required.

Data Ownership

Data ownership refers to the classification of data elements and the allocation of responsibility for ensuring that they are kept confidential, complete, and accurate. The key point of ownership is that by assigning responsibility for protecting the organization's data to a particular person, you establish accountability for appropriate protection of confidentiality, integrity, and availability of the data.

Security Administrators

Security administrators are responsible for providing adequate physical and logical security for the IS programs, data, and equipment.

Access Standards

The IS auditor should review access standards to ensure that they meet organizational objectives for separating duties and preventing fraud or error, and that they meet policy requirements for minimizing the risk of unauthorized access.

Auditing Logical Access

When evaluating logical access controls, the work should proceed in the following order:

  • Obtain a general understanding of the security risks facing information processing, through a review of relevant documentation, inquiry, observation, risk assessment, and evaluation techniques

  • Document and evaluate controls over potential access paths to the system, to assess their adequacy, efficiency and effectiveness, by reviewing appropriate hardware and software security features in identifying any deficiencies

  • Test controls over access paths, to determine whether they are functioning and effective, by applying appropriate audit techniques

  • Evaluate the access control environment, to determine whether the control objectives are achieved, by analyzing test results and other audit evidence

  • Evaluate the security environment, to assess its adequacy, by reviewing written policies, observing practices and procedures, and comparing them to appropriate security standards or practices and procedures used by other organizations



Source: CISA Exam Cram 2 (2005), 146 pages, ISBN: B001EEFNHG
