Information Security Audit and Assurance - Literature review Example

? Information Security Audit and Assurance Number: Lecturer: Information Security Audit and Assurance This is an audit carried out to determine the operation and effectiveness of the Human resource management system and its effectiveness in the management and control of activities including payroll computation and pension schemes. The collection, input, storage, processing and the dissemination of data and information in the organizations database. Increase in the use of information technology in the organization has made the operations and activities in the organization more effective. Data is stored in a database that makes access, retrieval and manipulation easy and more secure (Chrisopher, 2012). The Department of information technology in the organization oversees the security of the information system and hardware that is used in running all the activities in the organization. Computer and information security entails the safeguarding of computer resources, limiting access to authorized users, ensuring data integrity, maintaining data confidentiality and enhancing accountability in the organization (Chrisopher, 2012). The effective security will therefore involve taking security measures to ensure hardware and media are not stolen or damaged. Developing back –up strategies to minimize loss of data and information, encryption of sensitive data files and appropriate user identification (Ruskwig, 2012). Audit checklist: INFORMATION SECURITY SYSTEM AUDIT AND ASSUARANCE CHECKLIST Personnel/ Human resources Check item Answer Responsibility Who has the responsibility for ensuring system security? employee Do employees and other users of the system have the knowledge and training on how to handle security threats? Training Do the personnel and staff member with any responsibility of system security have adequate training and do they receive training to support their roles? Computer security policy Is there a documented security policy that is fully supported by the senior management , with associated operating systems Non – disclosure Agreements Is there confidentiality agreements to sensitive employee data and information and its disclosure to third parties Process Audit Are the installed systems in the company including security systems and firewalls installed in the company audited on a regular basis? Software patches Do mechanisms exist that are used to deploy software patches at the security systems in the company in a timely and audited manner? Data protection Are employee and company data well secured in the database? And comply with the legislative frameworks such as data privacy Act. Authentication Are there reliable and effective authentication mechanisms in the organization? Technology External network security Are there security measures such as intrusion detectors, firewalls that are used to protect against external computer access such as internet. Are these safety measures authorized by the senior management. Content monitoring Is there proper monitoring of the content of emails, and internet to prevent virus infection, internet fraud, SPAM and also litigation from the improper use and improper content. Anti virus Is there an installed antivirus and is it up to date, are all users trained and educated on how to identify and avoid suspected files to avoid virus and malware infection. Physical security Are critical IT systems, equipment and servers, stored in a secure and protected area free from unauthorized access? Security policy. Policy statement: The department of information technology in the organization is vested with the responsibility to provide the substantial data security and confidentiality of all the resources, data and information that are held in the organization which include local storage media, or remotely placed in order to ensure the continuous availability resources and data to the authorized users in the organization and also to provide integrity of these data and configuration controls (Ruskwig, 2012). Security policies: a) The data confidentiality is maintained through mandatory and discretionary access controls, the controls should meet the C2 class security functionality. b) The access to external and internet services are restricted only to the authorized personnel. c) The data in the organization is stored in laptops and other machines, these are secured through encryption and any other means to ensure confidentiality incase of loss of the equipments. d) The purchase and installation of the software in the organization that is to be used for the different purposes must be purchased from licensed software and hardware vendors and the installation performed only by the information technology staff. e) Data stored in the database is maintained only by the database administrator, he is responsible for issuing the access credentials and authorization checks. f) Data from the database can only be transferred only by authorized personnel and for purposes that are only determined by the organizations data- protection policy. g) Any external storage media or device a times are infested with viruses, if the use of these devices is necessary , these devices should be scanned and checked for viruses before they are used in the organization. h) Passwords and access controls to the database, data storage devices and computers and other devices should be strong and not easily broken. They should also be unique and be changed every 40 days. i) The computers in the organization shall be networked to form different workstations, the configuration of these networks and workstations shall only be done by the IT department personnel. j) Absolute loss of data and information may occur in an organization, in order to prevent this data and information in the computer resources shall have backups in order to prevent loss and availability of I.T resources. k) Additionally a business continuity plan shall be developed and testing done on a regular basis. Gap analysis. The standards that are set out in the security plan are aimed at ensuring data and information security; however there still exists some weaknesses in the implementation of these policies and plans (Chrisopher, 2012). Human resource training: The human resource and personnel in the organization have to be trained on the importance of data security and more so data integrity and confidentiality. Most of the employees are not aware of the importance and the procedures of ensuring the data they are working on and also the information they produce are safe and secure. Most use external storage devices without proper scanning which may result in virus transmission. Furthermore the information can be disclosed to outside parties without the authorization of relevant personnel (Davis, 2005). The human resource therefore needs to be trained and equipped with skills and knowledge of ensuring data security. The data in the organization should be treated with the confidentiality it deserves. Database security: Despite the availability of security procedures to secure the database, internal data security from the personnel responsible for maintaining the database should be addressed. The database administrator should be held responsible through relevant legislation and policies determined by the organization to ensure the database is absolutely secure (MSDN, 2012). Social networking and media; A policy should also be developed that manages the use of social networking in the institution, these social networks use computer resources in the organization which may eventually result in the exposure of the organizations resources to the external world , this could be a window for malicious attack (Siewiorek & Swarz, 1982). Validations done in the system. The system has a series of validations that are done to ensure security of data . The first validation is the system user validation. The users of the systems are validated by entering their data and information which include names, physical addresses and then given a unique identity that will be used as a validation key. The employees are given different authorization levels that determine their privileges in using the system. The validation checks will thus determine the level of access of an employee before allowing the use of the system (Government of canada, 2012). The management is given an authority to view almost all the information in the organizations data base, the end users are given little access to information, additionally the accounts department and employees have more privileges since they have access to financial information in the organization. The users are thus validated based on their roles in the organization (Richard E. C., 2007). There are also validations when it comes to editing of vital information in the organization, for instance accounts editing and manipulation always require validation, the editing and change of employee details and information also need validation. Other validations in the system also include the change of security details and access controls and authorizations that are crucial for data security, integrity and accountability (Siewiorek & Swarz, 1982). Input of data and information is authorized by the system administrator. The administrator manages the database and all the other computing systems, softwares and hardware. The input authorization is provided by the use of access authorization where users are required to key in their credentials such as the user name and the password. The username is always a unique identity to individual users in this case the employee number (government of Australia, 2011). Error detection controls: There are bound to be errors and omissions in the system, these errors and omissions could be of huge proportions to the company thus resulting in huge losses and impacts. This is managed by having error detection controls in place. The error detection is managed during the definition of data and information in the organizations. Validating fields and columns in the database during the database design minimizes the availability of huge figures, empty cells and also unexpected figures in the data tables (Huffman & Pless, 2000). In addition to this error detection can be detected by mathematical and logical comparison to identify anomalies before the data is validated as correct and are true representations (Shu & Costello, 1983). The errors can also be detected by using control checks at each stage of processing. The data is checked against standards and expected results, any deviations beyond the normal and any unexpected data and information are identified at these check points. Personnel are dedicated for this counter checking and identifying the errors from the system (Yau & Fu-Chung, Mar. 1980). The human resource manager validates the list of employees in the organization as stored in the system. The list contains the employee details salary scale and the monthly payments and deductions. The information is derived from the systems payroll module. Once the list is validated it is forwarded to the financial manager who then crosschecks the list to ensure it is accurate and that there are no anomalies, repetitions and any other errors. He then authorizes the payments based on the payroll. The organization may also have additional expenses and payouts from the different departments, these are also validated by the respective managers in these departments before they are cross checked and authorized by the finance manager and the director of operations of the organizations (Rainer & Casey, 2011). The system is installed with error control detection and correction. The mechanisms used include the use of system monitoring tools that detect any deviation from normal operation. The installed controls use defined procedures to correct identified errors. In case the errors need personnel input, the error message is sent to the responsible party and prompted to make the necessary corrections before the process can continue (Aamer & Mcluskey, 1998). The system is also designed to monitor human resources in the organization. Human resources management is vital for the success of any organization. All the data and information of all the employees in the organization including the names, address, job description, and account details are stored in the database. The biometric data including passport photograph and the finger prints are also stored in the systems database. The information is used for all the operations of the system for security checks, authorizations and payroll computation (Chrisopher, 2012). Employee performance is monitored by using the clock in and clock out module of the system. Each employee must register when reporting to work by clocking in at the reception; this is done by pressing the thumb on the biometric recognition system after which the employee is recorded as present in the system. Any employee who does not register is denied access to facilities and resources in the organization , the system will not accept access to the applications in the organization by the user. This minimizes theft and unauthorized access in the organization. After the shift or work is done the employee must also clock out through the same procedure, an employee will not clock out if they did not clock in (Government of canada, 2012). Departmental risks There are risks associated with all the processes in the organization. The major departments that handle the crucial data and information are the IT department, Human resource department and the Accounts and finance department (Davis, 2005). The IT department is faced with risks of insecurity arising from security threats from the organization and also external sources. Such risks include unauthorized access, virus attack, vandalism and theft; physical threats such as fires, floods among others are also potential sources of threats. The information in the organization is stored in a central database which is managed and monitored by the system administrator, the central storage is however risky, any failure will make the operations in the organization paralyzed. In the event of data loss recovery is difficult due to central data storage; therefore the administrator needs to have periodic backups which consume storage space (Gary, Alice, & Alexis, 2002). The human resource department also faces challenges regarding personnel management and classification. The personnel in the organization have roles that should be defined by the human resource manager, these roles aide the system administrator and the financial manager in handling their work. The human resource manager has a greater risk in ensuring that the employees are well conversant with the system and the security checks enforced by the security personnel. Improper use of the system could result in errors and omissions. Human resource department also faces the risk of employee detail alteration and manipulation, disclosure to third parties without authorization (Rainer & Casey, 2011). The accounts department is faced with more huge risks that could have detrimental impacts to the organization. These risks include manipulation of figures, purchase and procurement amounts by the accounts personnel. Additionally risks such as unauthorized access to the organization accounts are also inevitable. The overall risk in the department of accounts and finance is the eventuality of the system failing, this could result in loss of vital information from the organization, however this is mitigated by ensuring there is a back up of all data and information in the organization (Chrisopher, 2012). System error detection, correction and recovery. The system has a mechanism of ensuring recovery in case of system failure. The database has a continuous update of activities in the system, an image is created that is used to access this log of activities in the database and the system resumes from the point where the failure occurred, however data that was not entered into the database is lost in the event (Aamer & Mcluskey, 1998). In order to ensure that transaction data and information is not lost in the event of a system failure, there is data logging and consistency in the system. Each transaction is allocated a temporary memory space in the database and is released once the transaction is recorded as complete and stored in the database. Through this mechanism, the system cannot lose the processes and transactions that are going on in the system (Huffman & Pless, 2000). Operating system The Windows operating system is used in all the machines in the entire organization. The operating system is much user friendly, secure and ideal for database management. The network and data base is run by Microsoft windows server 2008. However the use of Linux operating system would have been more ideal. Linux is more secure than the windows operating system. Thus it will reduce the exposure of the system to virus attack and also unauthorized access. However most employees will need training on how to use this operating system (Siewiorek & Swarz, 1982). Risk assessment. There are several risks that the organization is bound to face as a result of the activities and the operations taking place in the organization. Some of the risks identified in the organization include: a) Unauthorized access: b) Loss of information c) Physical damage to equipments and computer resources. d) Errors and omissions. e) Employee sabotage f) Industrial espionage. g) Unauthorized disclosure of data and information h) Internet fraud i) Malicious software j) Hardware and software failures caused by power surges and other causes. These risks may affect several people in the organization and prevent the continuous operations in the organization. They will interfere with the availability of information, confidentiality, integrity and accountability in the organization. The affected parties include: a) Management b) System administrator c) Accounts department d) End users Possible mitigation measures. I) Install and regularly update an antivirus II) Provide adequate and effective authorization checks III) Employ security personnel. IV) Use effective and efficient firewall. V) Use physical locks and security alarms VI) Store computers and other hardware in a secure and well conditioned room. References. Aamer, M., & Mcluskey, E. (1998, May). Concurrent Error Detection Using Watchdog processor. Retrieved November 22, 2012, from CrcStanford: http://crc.stanford.edu/crc_papers/Mahmood_ced.pdf Chrisopher, B. (2012, september 30). Computer security. Retrieved November 23, 2012, from ExplaniningComputers.com: http://www.explainingcomputers.com/security.html Davis, R. E. (2005). IT Auditing: An Adaptive Process. . Mission Viejo: Pleier Corporation. Gary, S., Alice, G., & Alexis, F. (2002, July). Risk Management Guide for information security systems. Computer security . government of Australia. (2011). Information systems Audit report. Retrieved November 22, 2012, from Audit.wa.gov.au: http://www.audit.wa.gov.au/reports/pdfreports/report2012_10b.pdf Government of canada. (2012, September 20). Audit of the human resource management System. Retrieved November 21, 2012, from International.gc.ca: http://www.international.gc.ca/about-a_propos/oig-big/2006/hrms-sgrh.aspx?lang=eng&view=d Hoelzer, D. H. (2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press. . Huffman, W., & Pless, V. (2000). Fundamentals of error-correcting codes. Cambridge: Cambridge University Press. MSDN. (2012, March 20). Regulatory Compliance Demystified: An Introduction to Compliance for Developers. Retrieved November 23, 2012, from MSDN: http://msdn.microsoft.com/en-us/library/aa480484.aspx Rainer, R. K., & Casey, G. C. (2011). Introduction to information systems. New Jersey: Wiley and sons. Richard, A. G., & Lawless, M. W. (1994). Technology and strategy: conceptual models and diagnostics. . us: Oxford University Press. Richard, E. C. (2007). Auditor's Guide to Information Systems Auditing. New Jersey: Wiley. Ruskwig. (2012). Security Policy. Retrieved November 22, 2012, from Ruskwig: http://www.ruskwig.com/docs/security_policy.pdf Shu, L., & Costello, D. J. (1983). Error Control Coding: Fundamentals and Applications. Prentice Hall. Siewiorek, D., & Swarz, R. (1982). The Theory and Practice of Reliable System Design. Massacheutes: Digital Publishers. Yau, s., & Fu-Chung, C. (Mar. 1980). An approach to concurrent control flow checking. IEEE Trans. Software Eng , 126- 137. Read More