How Should Organizational Information Systems Be Audited for Security - Essay Example

Summary
"How Should Organizational Information Systems Be Audited for Security" paper argues that the process of tackling information security risks varies and depends on the nature of the processing carried out by the business and the sensitivity of the data and information which is being processed…

Extract of sample "How Should Organizational Information Systems Be Audited for Security"

How Should Organizational Information Systems Be Audited for Security

Paper

Information security auditing is the process of carrying out independent assessments of an organization’s processes, policies, measures, standards and practices implemented to protect electronic information from loss, damage, denial of availability or unintended disclosure. The extensive scope of work includes the evaluation of wide-ranging processes and application controls. Additionally, the present state of technology necessitates audit steps that relate to testing the access paths that arise from the connectivity of local-area networks (LAN), wide-area networks (WAN), the Internet, intranets, etc., in the information technology environment (U. S. General Accounting Office; Mandol and Verma; Cert-In; Stanford University; Davis).

At present, businesses should take a number of steps to formulate or improve an IS security audit capability. For instance, organizations must clearly outline their business goals and aims. After that, the business should evaluate its own information security audit readiness. This kind of evaluation requires organizations to recognize a variety of matters such as reporting limitations, legal problems, the audit situation, security and safety vulnerabilities, abilities, automated tools and associated costs. Additionally, it is essential for organizations to plan how to decide which information systems security audit projects should be performed, for instance both stand-alone information system security audit projects and those projects which require support from the information systems security audit capability. Thus, when the planning stage is successfully completed, businesses should be able to connect the aims and objectives selected in the initial phase to the tasks required for their completion.
Throughout the process, however, businesses should not ignore the resources available on the Web for research and training (U. S. General Accounting Office; Mandol and Verma; Cert-In; Stanford University; Davis).

Moreover, deciding on the organization’s aims and objectives for developing or improving an information systems security audit capability will help in determining and understanding the kinds of skills, tools and training required to carry out this process. In this scenario, it is essential for organizations to define objectives and aims early, without initially deciding how and by whom the business aims and objectives will be met (for instance, whether organization resources would be contractor, in-house, shared staff or some combination). In addition, establishing interim milestones will help in achieving a staged accomplishment of the organization’s desired policy. Additionally, while building an information systems security audit capability, management should review the organization’s information systems security audit readiness, keeping in mind the applicable issues. In this scenario, establishing a baseline by identifying strengths and weaknesses will help an organization choose the best way to proceed (U. S. General Accounting Office; Mandol and Verma; Cert-In; Stanford University; Davis).

Moreover, the process of tackling information security risks varies and depends on the nature of the processing carried out by the business and the sensitivity of the data and information which is being processed. However, to fully judge these issues and risks, the auditor should fully understand the business’s computer operations and major applications.
In this scenario, a most important part of planning to produce or improve a successful information systems security audit capability can encompass activities such as assessing the present staff’s skills, knowledge and capabilities to decide what the audit capability is at present and what knowledge has to be obtained (U. S. General Accounting Office; Mandol and Verma; Cert-In; Stanford University; Davis).

COBIT is an information technology governance framework and toolset that helps managers bridge the gap among control needs, technical issues and business risks. In addition, COBIT allows organizations to build and implement a clear policy and good practice for IT control throughout the business. Moreover, COBIT emphasizes regulatory compliance, helps the business increase the value achieved from IT, facilitates alignment and simplifies implementation of the COBIT framework (ISACA).

Paper 2

For this paper we have selected TOPCAATS, AUDIMATION and ACL. These are auditing software applications. In this section I will discuss these applications from the cost and performance point of view. I have listed below the websites for each application:

http://www.topcaats.com/
http://www.audimation.com/
http://www.acl.com/

The table given below outlines the description of the above given tools:

Table columns: Name of the tool | Brief description of the program and what it claims to do | Specific business needs being addressed by program and value delivered by it | Your reasons why you decided to check it out (first impression) | Your overall evaluation of it, to the degree that you can judge; is it something you'd use? Why? (Please comment also on the effectiveness of the demo itself)

http://www.topcaats.com/

TopCAATs is used by a broad variety of audit, accounting and finance professionals. From the cost point of view, TopCAATs is less than ? of the cost of IDEA or ACL applications.
TopCAATs is subject to the same limits as Excel, equivalent to Excel 2003 with 65,536 rows. TopCAATs is easy to use at every level. It offers many features which are easy to use. The distinctive color-coded input boxes (inputs are red if they hold invalid data or a missing value, and green if they hold valid data), intuitive user forms and built-in help result in negligible (if any) training needs.

http://www.audimation.com/

It allows organizations to carry out data analysis and helps them access, analyze and share data. It allows professionals to make the best use of the powerful functionality and rich features it provides by means of technical facilities and support, training, user groups and fraud seminars. It offers a powerful and easy-to-use application intended to help organizations and individuals in accounting, auditing and documentation.

http://www.acl.com/

IDEA and ACL are both unlimited in the amount of data and information that they are able to examine (restricted only by the size of our hard disk). IDEA and ACL are much quicker at analyzing data than TopCAATs, even though none of the systems was particularly slow. Both IDEA and ACL allow for printing files, and allow us to simply describe the fields as well as strip out the headers. Both ACL and IDEA offer easy-to-use features. Both these applications are executed entirely inside Excel.

Summary and conclusions from a user and organizational level

When selecting Generalized Audit Software, organizations must keep in mind various factors, such as data analysis features, ease of use, price, import needs, etc. In addition, before selecting and purchasing costly software for the entire department, start small and begin with some of these methods to carry out important business operations.
TopCAATs works well with Excel, so it can be used on a much more regular basis, and the decay of knowledge over time is much less pronounced.

Cumulative learning

Information system auditing has become essential for organizations which depend heavily on data and information. This assignment has helped me to learn about the process of information system auditing and why it is carried out. I have learned about different tools and applications which can be used by organizations to carry out the auditing process. For this research I have conducted experiments using different applications. This assignment helped me to learn which application/tool is useful in a specific scenario.

Works Cited

Cert-In. EMPANELLED OF INFORMATION SECURITY AUDITING ORGANISATIONS. 2011. 20 November 2011.
Davis, Robert E. Auditing Information Security Management. 2011. 20 November 2011.
ISACA. COBIT Framework for IT Governance and Control. 2011. 24 November 2011.
Mandol, Puja S and Monika Verma. IT Audit Seminar organized by National Audit Office, China Paper on “Formulation of IT Auditing Standards”. 01 September 2004. 21 November 2011.
Stanford University. Stanford IT Audits. 03 November 2011. 24 November 2011.
U. S. General Accounting Office. Management Planning Guide for Information Systems Security Auditing. 10 December 2001. 20 November 2011.