Information Security Audit and Assurance - Literature review Example
Summary
This review, 'Information Security Audit and Assurance', describes an audit carried out to determine how a human resource management system operates and how effective it is in managing and controlling activities including payroll computation and pension schemes. Computer security entails safeguarding computer resources, limiting access to authorized users, ensuring data integrity, maintaining confidentiality and enforcing accountability.
This audit was carried out to determine how the human resource management system operates and how effective it is in managing and controlling activities including payroll computation and pension schemes, and in the collection, input, storage, processing and dissemination of data and information in the organization's database. The increased use of information technology has made the organization's operations and activities more effective: data is stored in a database that makes access, retrieval and manipulation easier and, when properly controlled, more secure (Christopher, 2012). The organization's information technology department oversees the security of the information systems and hardware used to run all of its activities.

Computer and information security entails safeguarding computer resources, limiting access to authorized users, ensuring data integrity, maintaining data confidentiality and enforcing accountability in the organization (Christopher, 2012). Effective security therefore involves measures to ensure that hardware and media are not stolen or damaged, backup strategies that minimize loss of data and information, encryption of sensitive data files and appropriate user identification (Ruskwig, 2012).

Audit checklist

INFORMATION SECURITY SYSTEM AUDIT AND ASSURANCE CHECKLIST

Each check item is recorded together with the answer obtained and the party responsible for it.

Personnel / human resources
- Responsibility: Who has the responsibility for ensuring system security?
- Employee awareness: Do employees and other users of the system have the knowledge and training to recognise and handle security threats?
- Training: Do the personnel and staff members with any responsibility for system security have adequate training, and do they receive ongoing training to support their roles?
- Computer security policy: Is there a documented security policy, fully supported by senior management, with associated operating procedures?
- Non-disclosure agreements: Are there confidentiality agreements covering sensitive employee data and information and its disclosure to third parties?

Process
- Audit: Are the systems installed in the company, including security systems and firewalls, audited on a regular basis?
- Software patches: Do mechanisms exist to deploy software patches to the company's security systems in a timely and audited manner?
- Data protection: Are employee and company data well secured in the database, and does their handling comply with legislative frameworks such as the applicable data privacy act?
- Authentication: Are there reliable and effective authentication mechanisms in the organization?

Technology
- External network security: Are there security measures such as intrusion detection systems and firewalls protecting against external access from networks such as the internet? Are these measures authorized by senior management?
- Content monitoring: Is the content of email and internet traffic properly monitored to prevent virus infection, internet fraud and spam, and to avoid litigation arising from improper use or improper content?
- Anti-virus: Is antivirus software installed and kept up to date, and are all users trained to identify and avoid suspect files so as to prevent virus and malware infection?
- Physical security: Are critical IT systems, equipment and servers housed in a secure, protected area free from unauthorized access?

Security policy
Policy statement: The organization's information technology department is responsible for providing data security and confidentiality for all resources, data and information held by the organization, whether on local storage media or at remote locations, so as to ensure the continuous availability of resources and data to authorized users and to maintain the integrity of that data and of the configuration controls (Ruskwig, 2012).

Security policies:
a) Data confidentiality is maintained through mandatory and discretionary access controls; the controls should provide the functionality of the TCSEC (Orange Book) class C2, controlled access protection.
b) Access to external and internet services is restricted to authorized personnel.
c) Organizational data is stored on laptops and other machines; these are secured through encryption and other means so that confidentiality is preserved if the equipment is lost.
d) Software used in the organization must be purchased from licensed software and hardware vendors, and installation is performed only by information technology staff.
e) Data stored in the database is maintained only by the database administrator, who is responsible for issuing access credentials and performing authorization checks.
f) Data may be transferred from the database only by authorized personnel and only for purposes determined by the organization's data-protection policy.
g) External storage media and devices are at times infected with viruses; where their use is necessary, they must be scanned and checked for viruses before use in the organization.
h) Passwords and access controls for the database, data storage devices, computers and other devices must be strong and not easily broken. They must be unique and are changed every 40 days. (Editorial caveat: current guidance such as NIST SP 800-63B favours screening passwords against lists of known-compromised values and forcing a change on evidence of compromise over fixed-calendar rotation, because routine rotation tends to produce predictable variants of the old password.)
i) Computers in the organization are networked into workstations; configuration of these networks and workstations is done only by IT department personnel.
j) Total loss of data and information can occur; to guard against it, data and information on computer resources are backed up so that IT resources remain available.
k) Additionally, a business continuity plan is developed and tested on a regular basis.

Gap analysis

The standards set out in the security plan aim to ensure data and information security; however, weaknesses remain in the implementation of these policies and plans (Christopher, 2012).

Human resource training: Personnel must be trained on the importance of data security, and in particular of data integrity and confidentiality. Most employees are unaware of the importance of, and the procedures for, keeping the data they work on and the information they produce safe and secure. Most use external storage devices without proper scanning, which may transmit viruses, and information can be disclosed to outside parties without authorization from the relevant personnel (Davis, 2005). Staff therefore need to be trained and equipped with the skills and knowledge to ensure data security, and data in the organization should be treated with the confidentiality it deserves.

Database security: Despite the availability of procedures to secure the database, internal data security with respect to the personnel responsible for maintaining the database should also be addressed. The database administrator should be held accountable through the relevant legislation and through policies determined by the organization, so that the database is kept as secure as possible (MSDN, 2012).
Social networking and media: A policy should also be developed to manage the use of social networking in the institution. Social networks consume the organization's computer resources and may expose those resources to the outside world, which could provide a window for malicious attack (Siewiorek & Swarz, 1982).

Validations done in the system

The system performs a series of validations to ensure the security of data. The first is user validation. Users are enrolled by entering their details, including names and physical addresses, and are then issued a unique identity that serves as their validation key. Employees are assigned different authorization levels that determine their privileges in the system, so the validation checks establish an employee's level of access before permitting use of the system (Government of Canada, 2012). Management is authorized to view almost all information in the organization's database; end users are given limited access; the accounts department and its employees have more privileges because they need access to the organization's financial information. Users are thus validated according to their roles in the organization (Richard E. C., 2007).

There are also validations for editing vital information: editing and manipulation of accounts always require validation, as do changes to employee details. Other validations cover changes to security details, access controls and authorizations that are crucial to data security, integrity and accountability (Siewiorek & Swarz, 1982). Input of data and information is authorized by the system administrator, who manages the database and all other computing systems, software and hardware.
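The role-based validation and the validated-edit rules described above, as an added example written for this edit (Python; not code from the paper or from the audited system). The role names, the permission matrix, the field categories and the rule that a vital edit must be approved by a second, different authorised user are assumptions chosen to fit the paper's description; the audit log records denied as well as allowed decisions, which is what later accountability checks depend on.

```python
"""Role-based validation for an HR/payroll system with a validated-edit step.

Added example, not code from the original paper. Roles, permission matrix,
field categories and the two-person rule for vital edits are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from itertools import count


class Role(Enum):
    MANAGEMENT = "management"
    ACCOUNTS = "accounts"
    HR = "hr"
    ADMIN = "admin"
    END_USER = "end_user"


# Each record field belongs to a category; rights are granted per category (assumed).
FIELD_CATEGORY = {
    "name": "personal", "address": "personal",
    "salary": "financial", "bank_account": "financial",
    "role": "security",
}

# Assumed permission matrix. "view:own" lets an end user read their own record only.
PERMISSIONS = {
    Role.MANAGEMENT: {"view:personal", "view:financial", "view:security"},
    Role.ACCOUNTS: {"view:financial", "edit:financial"},
    Role.HR: {"view:personal", "edit:personal"},
    Role.ADMIN: {"view:security", "edit:security"},
    Role.END_USER: {"view:own"},
}

# Edits to these fields are "vital": they are held until a second person approves.
VITAL_FIELDS = {"salary", "bank_account", "role"}


@dataclass(frozen=True)
class User:
    employee_no: str   # the unique identity used as the validation key
    role: Role


@dataclass
class HRSystem:
    records: dict = field(default_factory=dict)   # employee_no -> {field: value}
    pending: dict = field(default_factory=dict)   # change_id -> (requester, emp_no, field, value)
    audit_log: list = field(default_factory=list)
    _ids: count = field(default_factory=count, repr=False)

    def _log(self, actor, action, outcome, detail):
        # Every decision, allowed or denied, is recorded for accountability.
        self.audit_log.append((actor.employee_no, actor.role.value, action, outcome, detail))

    def _has(self, user, perm):
        return perm in PERMISSIONS[user.role]

    def view(self, user, employee_no, field_name):
        category = FIELD_CATEGORY[field_name]
        own = self._has(user, "view:own") and user.employee_no == employee_no
        if not (own or self._has(user, f"view:{category}")):
            self._log(user, "view", "denied", f"{employee_no}.{field_name}")
            raise PermissionError(f"{user.employee_no} may not view {employee_no}.{field_name}")
        self._log(user, "view", "allowed", f"{employee_no}.{field_name}")
        return self.records[employee_no][field_name]

    def request_change(self, user, employee_no, field_name, value):
        """Apply a routine edit at once; queue a vital edit for a second approver."""
        perm = f"edit:{FIELD_CATEGORY[field_name]}"
        if not self._has(user, perm):
            self._log(user, "edit", "denied", f"{employee_no}.{field_name}")
            raise PermissionError(f"{user.employee_no} may not edit {field_name}")
        if field_name in VITAL_FIELDS:
            change_id = next(self._ids)
            self.pending[change_id] = (user, employee_no, field_name, value)
            self._log(user, "edit", "pending", f"#{change_id} {employee_no}.{field_name}")
            return change_id
        self.records[employee_no][field_name] = value
        self._log(user, "edit", "applied", f"{employee_no}.{field_name}")
        return None

    def approve_change(self, approver, change_id):
        """Second-person validation: the approver needs the same edit right and
        must not be the requester (segregation of duties)."""
        requester, employee_no, field_name, value = self.pending[change_id]
        perm = f"edit:{FIELD_CATEGORY[field_name]}"
        if approver == requester or not self._has(approver, perm):
            self._log(approver, "approve", "denied", f"#{change_id}")
            raise PermissionError("approval must come from a different authorised user")
        del self.pending[change_id]
        self.records[employee_no][field_name] = value
        self._log(approver, "approve", "applied", f"#{change_id} {employee_no}.{field_name}")
        return True


def build_demo():
    """Constructed sample record used to exercise the rules."""
    hr = HRSystem()
    hr.records["E1001"] = {"name": "A. Sample", "address": "1 Main St", "salary": 4000,
                           "bank_account": "00-11-22", "role": "end_user"}
    return hr
```

A salary change requested by one accounts user stays pending until a different accounts user approves it; the requester's own approval is refused and logged. Because the audit log also keeps denials, an end user repeatedly probing other employees' salaries shows up in the log even though nothing was disclosed.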
Input authorization is provided through access authorization: users are required to key in their credentials, namely a user name and a password. The user name is always a unique identity for the individual user, in this case the employee number (Government of Australia, 2011).

Error detection controls: Errors and omissions are bound to occur in the system, and they could be of huge proportions, resulting in large losses and impacts for the company. This is managed by having error detection controls in place. Error detection begins at the definition of data and information: validating fields and columns during database design minimizes the occurrence of unreasonably large figures, empty cells and otherwise unexpected values in the data tables (Huffman & Pless, 2000). In addition, errors can be detected by mathematical and logical comparison to identify anomalies before the data is accepted as correct and a true representation (Shu & Costello, 1983). Errors are also detected by control checks at each stage of processing: data is checked against standards and expected results, and any deviation beyond the normal range or any unexpected data is identified at these checkpoints. Personnel are dedicated to this cross-checking and to identifying errors from the system (Yau & Fu-Chung, 1980).

The human resource manager validates the list of employees held in the system. The list contains employee details, salary scale, monthly payments and deductions, and is derived from the system's payroll module. Once validated, the list is forwarded to the financial manager, who cross-checks it to ensure that it is accurate and free of anomalies, repetitions and other errors, and then authorizes the payments based on the payroll.
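The error detection controls and the hand-over from the human resource manager to the finance manager, as an added example (Python; not the paper's or the audited system's code). The record layout, the acceptable salary range, the 20% month-on-month deviation threshold, the previous-month figures and the sample payroll lines are constructed assumptions. The checks follow the paper's stages: field validation at definition (empty cells, out-of-range figures), logical comparison (deductions against gross), comparison against expected results (last month's net), a repetition check, and a control total that the finance manager recomputes so that a list altered between validation and authorisation fails to reconcile.

```python
"""Control checks over a payroll list before it is authorised for payment.

Added example, not code from the original paper. Field limits, the deviation
threshold and the sample lines are constructed assumptions.
"""
from collections import Counter
from decimal import Decimal

# Assumed field constraints (what the database schema would enforce).
SALARY_MIN, SALARY_MAX = Decimal("500"), Decimal("50000")
DEVIATION_LIMIT = Decimal("0.20")   # flag a net pay that moved >20% since last month
REQUIRED = ("employee_no", "name", "gross", "deductions")

# Constructed sample payroll export: employee_no,name,gross,deductions
SAMPLE_LINES = [
    "E1001,A. Sample,4000,400",
    "E1002,B. Sample,3200,320",
    "E1003,C. Sample,,300",          # empty gross
    "E1004,D. Sample,95000,500",     # gross outside the allowed range
    "E1002,B. Sample,3200,320",      # same employee number twice
    "E1005,E. Sample,2000,2500",     # deductions exceed gross
    "E1006,F. Sample,6000,600",      # net jumps from 3600 to 5400 (+50%)
]
# Constructed: last month's net pay per employee, the "expected result".
PREVIOUS_NET = {"E1001": Decimal("3600"), "E1002": Decimal("2880"), "E1006": Decimal("3600")}


def parse_line(line):
    """Split one export line into a record; numeric fields become Decimal or None."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != len(REQUIRED):
        raise ValueError(f"expected {len(REQUIRED)} fields: {line!r}")
    rec = dict(zip(REQUIRED, parts))
    for key in ("gross", "deductions"):
        rec[key] = Decimal(rec[key]) if rec[key] else None   # InvalidOperation on junk
    return rec


def check_payroll(lines, previous):
    """Return (records, findings); each finding is (line_no, kind, detail)."""
    records, findings = [], []
    for n, line in enumerate(lines, 1):
        try:
            rec = parse_line(line)
        except (ValueError, ArithmeticError) as exc:   # decimal errors are ArithmeticError
            findings.append((n, "unparseable", str(exc)))
            continue
        # 1. Field validation: no empty cells, no out-of-range figures.
        empties = [k for k in REQUIRED if rec[k] in ("", None)]
        if empties:
            findings.append((n, "empty_field", ",".join(empties)))
        if rec["gross"] is not None and not SALARY_MIN <= rec["gross"] <= SALARY_MAX:
            findings.append((n, "out_of_range", f"gross={rec['gross']}"))
        if rec["gross"] is not None and rec["deductions"] is not None:
            # 2. Logical comparison: deductions can never exceed gross pay.
            if rec["deductions"] > rec["gross"]:
                findings.append((n, "deductions_exceed_gross",
                                 f"gross={rec['gross']} deductions={rec['deductions']}"))
            rec["net"] = rec["gross"] - rec["deductions"]
            # 3. Comparison against the expected result: last month's net.
            last = previous.get(rec["employee_no"])
            if last and abs(rec["net"] - last) / last > DEVIATION_LIMIT:
                findings.append((n, "deviation", f"net {last} -> {rec['net']}"))
        records.append(rec)
    # 4. Repetitions: the same employee number appearing more than once.
    for emp, hits in Counter(r["employee_no"] for r in records).items():
        if hits > 1:
            findings.append((0, "duplicate_employee", emp))
    return records, findings


def control_total(records):
    """(record count, sum of net pay): the figure passed along with the validated list."""
    return (len(records), sum(r.get("net", Decimal(0)) for r in records))


def authorise(records, findings, hr_total):
    """Finance cross-check: nothing outstanding, and the totals must reconcile."""
    return not findings and control_total(records) == hr_total
```

Findings carry the line number so each one can be routed back to the person responsible for that entry, and a record with an empty field is kept rather than dropped so the count in the control total still matches what the human resource manager validated.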
The organization may also have additional expenses and payouts from the different departments; these are validated by the respective department managers before being cross-checked and authorized by the finance manager and the organization's director of operations (Rainer & Casey, 2011).

The system is equipped with error detection and correction controls. The mechanisms include system monitoring tools that detect any deviation from normal operation; the installed controls apply defined procedures to correct identified errors, and where an error needs personnel input, the error message is sent to the responsible party, who is prompted to make the necessary corrections before the process can continue (Aamer & McCluskey, 1998).

The system is also designed to monitor the organization's human resources, which is vital to any organization's success. All employee data, including names, addresses, job descriptions and account details, is stored in the database, as is biometric data including passport photographs and fingerprints. This information is used throughout the system for security checks, authorizations and payroll computation (Christopher, 2012). Since a fingerprint cannot be replaced if it leaks, stored biometric templates warrant at least the protection given to password data. Employee attendance is monitored with the system's clock-in and clock-out module. Each employee must register on reporting to work by clocking in at reception, pressing a thumb on the biometric reader, after which the employee is recorded as present. An employee who has not registered is denied access to facilities and resources in the organization: the system will not accept that user's access to the organization's applications. This minimizes theft and unauthorized access.
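The attendance gate just described, together with the clock-out rule that follows, as an added example (Python; not the paper's or the system's code). The biometric reader is assumed to have already matched the fingerprint to an employee number, so the gate only receives that number; times are minutes since midnight; and the 16-hour maximum after which a forgotten clock-in stops granting access is an assumption added here for the failure mode the paper does not address (an employee who never clocked out).

```python
"""Attendance gate for the clock-in/clock-out module.

Added example, not code from the original paper. The reader is assumed to
supply an already-matched employee number; MAX_SHIFT_MINUTES is an assumption.
"""

MAX_SHIFT_MINUTES = 16 * 60   # assumed: a clock-in older than this no longer grants access


class AttendanceError(Exception):
    pass


class AttendanceGate:
    def __init__(self):
        self.present = {}   # employee_no -> clock-in time (minutes since midnight)
        self.events = []    # (time, employee_no, event): the audit trail

    def clock_in(self, employee_no, now):
        if employee_no in self.present:
            raise AttendanceError(f"{employee_no} is already clocked in")
        self.present[employee_no] = now
        self.events.append((now, employee_no, "in"))

    def clock_out(self, employee_no, now):
        """Rejected unless a clock-in exists; returns the minutes worked."""
        if employee_no not in self.present:
            raise AttendanceError(f"{employee_no} cannot clock out without clocking in")
        start = self.present.pop(employee_no)
        self.events.append((now, employee_no, "out"))
        return now - start

    def may_access(self, employee_no, now):
        """Application login is allowed only for a current, non-stale clock-in."""
        start = self.present.get(employee_no)
        if start is None:
            return False
        if now - start > MAX_SHIFT_MINUTES:
            # Forgotten clock-out: close it and deny, rather than carrying the
            # presence over to the next day.
            self.present.pop(employee_no)
            self.events.append((now, employee_no, "expired"))
            return False
        return True
```

The application layer calls `may_access` at login and on privileged actions rather than once at the door, so an expired presence is caught the next time the account is used.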
After the shift or work is done, the employee must also clock out by the same procedure; an employee cannot clock out without having clocked in (Government of Canada, 2012).

Departmental risks

Risks are associated with all processes in the organization. The major departments handling crucial data and information are the IT department, the human resource department and the accounts and finance department (Davis, 2005).

The IT department faces security risks arising from threats inside the organization and from external sources. These include unauthorized access, virus attack, vandalism and theft; physical threats such as fire and flood are also potential sources of loss. The organization's information is stored in a central database managed and monitored by the system administrator. Central storage is itself a risk: any failure paralyses the organization's operations, and recovery after data loss is difficult, so the administrator needs to take periodic backups, which consume storage space (Gary, Alice, & Alexis, 2002).

The human resource department faces challenges in personnel management and classification. Personnel roles must be defined by the human resource manager, since these roles guide the system administrator and the financial manager in their work. The human resource manager carries the greater risk of ensuring that employees are conversant with the system and with the security checks enforced by security personnel; improper use of the system could result in errors and omissions. The department also faces the risk of employee details being altered or manipulated, or disclosed to third parties without authorization (Rainer & Casey, 2011).

The accounts department faces larger risks that could have detrimental impacts on the organization.
These risks include manipulation of figures and of purchase and procurement amounts by accounts personnel. Risks such as unauthorized access to the organization's accounts are also ever present. The overall risk in the accounts and finance department is the eventuality of system failure, which could result in the loss of vital information; this is mitigated by ensuring that all of the organization's data and information is backed up (Christopher, 2012).

System error detection, correction and recovery

The system has a mechanism for recovery in case of system failure. The database keeps a continuous log of activities in the system, and a checkpoint image is created from which that log can be replayed, so the system resumes from the point at which the failure occurred; however, data that had not yet been committed to the database at that point is lost (Aamer & McCluskey, 1998). To ensure that transaction data is not lost in the event of a system failure, the system provides transaction logging and consistency: each transaction is allocated temporary space in the database, which is released once the transaction is recorded as complete and durably stored. Through this mechanism a transaction is either recorded in full or not at all, so a failure cannot leave half-applied changes in the database (Huffman & Pless, 2000).

Operating system

Windows is used on all machines in the organization. The operating system is user friendly, familiar to staff and suitable for database management; the network and database run on Microsoft Windows Server 2008. A Linux-based server would arguably have been preferable: its smaller share of commodity malware would reduce the system's exposure to virus attack, although exposure is determined far more by patching, configuration and access control than by the choice of vendor, and most employees would need training before using the new operating system (Siewiorek & Swarz, 1982).
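The checkpoint-plus-log recovery described above, as an added example (Python; not the paper's or the database vendor's code): a minimal write-ahead log in which each transaction's writes are buffered in temporary space, a commit record is appended to the log before the image is changed, and recovery loads the last checkpoint image and redoes only transactions whose commit record made it to the log. The transaction identifiers, the "E1001.salary"-style keys and the workload are constructed; the quiescent checkpoint (taken only when no transaction is in progress) and the handling of a torn final log record are design choices made for the example.

```python
"""Checkpoint-plus-log recovery for a small transactional store.

Added example, not code from the original paper. Keys, transaction ids and
the workload are constructed; checkpoints are assumed to be taken only while
no transaction is active.
"""
import json


class Database:
    def __init__(self):
        self.data = {}               # current image, lost on crash
        self.log = []                # durable, append-only JSON records
        self.checkpoint = ({}, 0)    # (image copy, number of log records it covers)
        self._active = {}            # tx_id -> buffered writes (the "temporary space")

    def _append(self, **record):
        self.log.append(json.dumps(record))

    def begin(self, tx_id):
        self._active[tx_id] = {}
        self._append(op="begin", tx=tx_id)

    def write(self, tx_id, key, value):
        # Logged as it happens, so a long transaction does not live only in
        # memory, but buffered and not applied to the image until commit.
        self._active[tx_id][key] = value
        self._append(op="write", tx=tx_id, key=key, value=value)

    def commit(self, tx_id):
        writes = self._active.pop(tx_id)      # temporary space released
        self._append(op="commit", tx=tx_id)   # the commit record makes it durable...
        self.data.update(writes)              # ...and only then does the image change

    def take_checkpoint(self):
        # Quiescent checkpoint: with no transaction in progress, every write
        # after `pos` belongs to a transaction that began after the image.
        if self._active:
            raise RuntimeError("checkpoint taken with active transactions")
        self.checkpoint = (dict(self.data), len(self.log))

    def crash(self, torn_tail=False):
        """Simulate failure: memory is lost; only the log and checkpoint survive.
        With torn_tail=True the final log record was only partly written."""
        log = list(self.log)
        if torn_tail and log:
            log[-1] = log[-1][: len(log[-1]) // 2]
        return log, self.checkpoint


def recover(log, checkpoint):
    """Load the checkpoint image, then redo only committed transactions."""
    image, pos = checkpoint
    records = []
    for raw in log[pos:]:
        try:
            records.append(json.loads(raw))
        except json.JSONDecodeError:
            break   # torn tail record: discarded; everything before it is intact
    committed = {r["tx"] for r in records if r["op"] == "commit"}
    data = dict(image)
    for r in records:
        if r["op"] == "write" and r["tx"] in committed:
            data[r["key"]] = r["value"]
    return data


def run_scenario(torn_commit=False):
    """Constructed workload: a committed payroll load, a checkpoint, a committed
    salary change, then a failure. With torn_commit=True the failure tears the
    second commit record; otherwise a third transaction is still in progress."""
    db = Database()
    db.begin(1)
    db.write(1, "E1001.salary", 4000)
    db.write(1, "E1002.salary", 3200)
    db.commit(1)
    db.take_checkpoint()
    db.begin(2)
    db.write(2, "E1001.salary", 4500)
    db.commit(2)
    if not torn_commit:
        db.begin(3)
        db.write(3, "E1002.salary", 9999)   # never committed
    log, ckpt = db.crash(torn_tail=torn_commit)
    return recover(log, ckpt)
```

The two outcomes are the ones the text describes: the in-progress transaction 3 disappears on recovery without leaving a partial update, and when the commit record itself is torn, transaction 2 is treated as never having happened, so the caller must re-submit it rather than assume it was applied.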
Risk assessment

The organization is bound to face several risks as a result of its activities and operations. The risks identified include:
a) Unauthorized access
b) Loss of information
c) Physical damage to equipment and computer resources
d) Errors and omissions
e) Employee sabotage
f) Industrial espionage
g) Unauthorized disclosure of data and information
h) Internet fraud
i) Malicious software
j) Hardware and software failures caused by power surges and other causes

These risks may affect several parties in the organization and interrupt its continuous operation; they interfere with the availability, confidentiality and integrity of information and with accountability. The affected parties include:
a) Management
b) System administrator
c) Accounts department
d) End users

Possible mitigation measures:
I) Install and regularly update antivirus software
II) Provide adequate and effective authorization checks
III) Employ security personnel
IV) Use an effective and efficient firewall
V) Use physical locks and security alarms
VI) Store computers and other hardware in a secure, environmentally controlled room

References

Aamer, M., & McCluskey, E. (1998, May). Concurrent error detection using watchdog processors. Retrieved November 22, 2012, from http://crc.stanford.edu/crc_papers/Mahmood_ced.pdf
Christopher, B. (2012, September 30). Computer security. Retrieved November 23, 2012, from ExplainingComputers.com: http://www.explainingcomputers.com/security.html
Davis, R. E. (2005). IT auditing: An adaptive process. Mission Viejo, CA: Pleier Corporation.
Gary, S., Alice, G., & Alexis, F. (2002, July). Risk management guide for information technology systems (NIST Special Publication 800-30). Gaithersburg, MD: National Institute of Standards and Technology, Computer Security Division.
Government of Australia. (2011). Information systems audit report.
Retrieved November 22, 2012, from http://www.audit.wa.gov.au/reports/pdfreports/report2012_10b.pdf
Government of Canada. (2012, September 20). Audit of the human resource management system. Retrieved November 21, 2012, from http://www.international.gc.ca/about-a_propos/oig-big/2006/hrms-sgrh.aspx?lang=eng&view=d
Hoelzer, D. H. (2009). Audit principles, risk assessment & effective reporting. SANS Press.
Huffman, W., & Pless, V. (2000). Fundamentals of error-correcting codes. Cambridge: Cambridge University Press.
MSDN. (2012, March 20). Regulatory compliance demystified: An introduction to compliance for developers. Retrieved November 23, 2012, from http://msdn.microsoft.com/en-us/library/aa480484.aspx
Rainer, R. K., & Casey, G. C. (2011). Introduction to information systems. Hoboken, NJ: John Wiley & Sons.
Richard, A. G., & Lawless, M. W. (1994). Technology and strategy: Conceptual models and diagnostics. New York: Oxford University Press.
Richard, E. C. (2007). Auditor's guide to information systems auditing. Hoboken, NJ: John Wiley & Sons.
Ruskwig. (2012). Security policy. Retrieved November 22, 2012, from http://www.ruskwig.com/docs/security_policy.pdf
Shu, L., & Costello, D. J. (1983). Error control coding: Fundamentals and applications. Englewood Cliffs, NJ: Prentice Hall.
Siewiorek, D., & Swarz, R. (1982). The theory and practice of reliable system design. Bedford, MA: Digital Press.
Yau, S., & Fu-Chung, C. (1980, March). An approach to concurrent control flow checking. IEEE Transactions on Software Engineering, SE-6(2), 126-137.
Retrieved from https://studentshare.org/information-technology/1402538-information-security-audit-and-assurance
