Planning an IT Infrastructure Audit for Compliance - Research Proposal Example

Planning and IT Infrastructure Audit affiliation: Section one: IT infrastructure audit planning and requirements Introduction: Information technology auditing refers to the process of reviewing and evaluating the systems of processing the automated information technology, the non-automated processes of IT, and IT interfaces. It also evaluates the effectiveness and efficiency of IT infrastructures. IT infrastructure audit helps the digital organizations to assess and address questions of IT security, information workflow and information privacy and integrity of the organization. The process of the information technology audit evaluates the corporate IT personnel and the undertakings of the department of corporate IT with the designed management recommendations. With such an evaluation, the company will be able to streamline the inter-company communication effectiveness and departmental communications (Newsom & Haynes, J. 2014. P66). Planning, the IT audit, entails gathering information to formulate an audit plan and to gain insight of the available internal control structure of the IT. The Planning and IT infrastructure audit is a valuable practice to local and global organizations. The audit planning process directly affects the quality of the outcome. A proper plan ensures that resources are focused on the right areas and that potential problems are identified early. A successful audit first outlines what’s supposed to be achieved as well as what procedures will be followed and the required resources to carry out the procedures. The information to be collected is regulatory statutes, inherent risk assessment, recent financial information, and past audit results. Besides the auditors will require to avail information such as control procedures, equate total risks, control risk assessment, and control environment to gain an understanding of the present internal control structure. With all this prior audit information, auditors will be in a position to formulate a useful audit plan. The audit plan must details the time and cost required to execute IT infrastructure audit. It also needs to show the different areas and activities to be engaged during IT auditing process. The scope of planning and IT infrastructure audit: Canada Border Services Agency (CBSA) is a Canadian IT organization that manages and controls the IT infrastructure of two government organizations. It also provides auditing and IT security services to various digital organizations in Canada. CBSA performs frequent IT infrastructure audit to appraise how effective and efficient the organization execute it operations and activities. Chart 1: what the CBSA manages, audits and executes During the IT infrastructure audit examination, CBSA usually concentrates on the following scope; The IT: infrastructure planning, technical standards, investment management, roles and responsibilities, governance, operations objectives and requirements, and practices and policies. The IT management activities (the internal control methods, procedures and practices) implemented to avoid possible business problems. That is a security, integrity and privacy issues. The possible IT infrastructure change and the general control related to life-cycle management of assets. The operation of IT hardware, networks and telecommunication devices (Agency, 2012). Goals and objectives of IT infrastructure audit: CBSA has a clear of objectives and goals for undertaking the IT infrastructure audit. It needs to assess its IT infrastructure compliance with the international standards of operations and substantiate the control risks that have not been met. It also aims to provide assurance to top management on the sufficiency and adequacy of the controls that ensure IT infrastructures are planned, maintained and managed to support cost effectiveness and efficient operations. Further, CBSA aims to concentrate on substantiating that the organization internal controls of IT infrastructure exists and works as per the expectation to minimize the risk of the business. The organization carries out IT audit to improve the security, management and maintenance of IT infrastructure. It wants to have an appropriate logical and physical access to network hosts and devices. The frequency of IT infrastructure audit: The internal audit directorate of CBSA states that the organization must undertake two types of IT infrastructure audit every year at different times. The first audit aims to appraise the level of IT services. The audit aims to ensure that CBSA achieves the optimum or high level of IT services that meet future and current business needs. The objective of this auditing to improve governance arrangements in delivery of IT services. The second audit focuses on the effectiveness and adequacy of the IT control framework. The IT auditing is performed by the internal audit directorate of CBSA together with an outsourced firm called Interis Consulting firm. These two auditing bodies jointly perform the IT infrastructure audit. Interis consulting is a specialist and highly qualified firm in auditing practices in Canada. The critical requirements for IT infrastructure audit: There are critical requirements needed undertake a very successful IT infrastructure audit. The auditing team needs information such as regulatory statutes, past audit results, inherent risk management, and recent financial information related to IT, and the external information about the industry. The information is very useful in preparing the IT infrastructure audit plan. In addition, auditors require information about equate total risks, control procedures, control risk assessment and control environment. This information will auditors to have an insight of internal control structure that exists in the CBSA. The following are also critical requirements; A review of the responsibilities and roles for change embracement, new management in office, project governance, and emergency fixes. An appraisal of IT governance and other IT architecture-related issues A document review to appraise the effectiveness and adequacy of control framework of management about the IT infrastructure. Samples of information technology infrastructure procurements to appraise the planning as well as management of compliance in comparison to technology standards and controls. Privacy and integrity laws adopted during IT infrastructure audit: The process of auditing IT infrastructure requires disclosure of very critical and sensitive information to the auditing team. The information such methods of procurements, IT governance and cost of IT operations are among the critical requirements for a successful IT audit. However, these information means a lot to the CBSA as far privacy and competition are concerned. Therefore, a high degree of disciple, privacy, integrity and confidentiality is recommended for the auditing team. The law and ethics of privacy protect the employer or organization from auditors with bad motives of leaking the sensitive information to competitors. It also deters auditors from interfering with information given to them during auditing practices. Auditors are not supposed to act in a manner the will interfere or breach the privacy of the organizations or its stakeholders. Therefore, they are required to maintain a high level of integrity in their profession. In CBSA, the general secretary for IT and Human Resource manager are responsible for ensuring the law of privacy and integrity is followed to the letter. Section two: IT security assessment and maintenance plan Introduction: Security is an imperative component of IT infrastructure in an organization. In fact, it is the backbone of information technology and without security no organization will take a risk to venture in IT infrastructure. The IT security needs an effective assessment and maintenance plan that will facilitate a successful IT infrastructure audit. Security assessment helps to identify security risks, security venerability, and the perimeters of security efforts in auditing. In fact, IT security demands more than the software and hardware use. Risk assessment: This is the process of identifying the potential areas of audit. Risk assessment is done the phase of planning for IT infrastructure audit. The process entails; The development IT strategic plan will be understood and accepted all the stakeholders. The plan will help to align information technology investments and allocation of resources in accordance with strategic directions and priorities CBSA The need of CBSA for advanced IT infrastructure services and equipment that require effective certification and approval of new technology to achieve operational requirements The IT infrastructure changes need to be adopted to maximize availability of the infrastructure and to support requirements of the operation. The IT continuity plan is required to ensure the continuity of critical operations even during any disruption. Security risks and vulnerabilities: The auditors should identify the various security risks and vulnerabilities in their auditing report. The auditing team ought to check the existing IT security controls that address security risks and vulnerabilities to assets of IT accurately. They should be able to identify the possible modifications that may be used to improve the efficiency and effectiveness of existing controls. The process of audit should identify the critical IT security infrastructure that miss and recommend them to the management for the purchase. All the existing IT security infrastructure that are faulty or are do not offer adequate protection to the IT assets should be identified. The auditing report must give recommendation about the defective IT assets. All the IT insecurity gateways, practices and devices as well as security threats must be determined and identified in the audit report. The appropriate recommendations for proper course of actions over these IT security risks and vulnerabilities IT security threats: the auditing team should determine and identify the potential IT security threats in the IT audit plan. The team should be aware of the problem of networks hacking and virus infection of the IT infrastructure such as computers other electronic gadgets. The IT interfaces that are susceptible to hacking may cause sensitive information of the organization to end up to wrong hands (Furnell. 2005. P.76). There are also malicious programs such as Trojans, worms and viruses that can be released to IT assets. These programs are difficult to detect and dangerous to both information and the computers or any digital device (Ciampa. 2008. P.44). Also, social media privacy may be an issue. Email data pass via several routers before arriving at destinations and may be tampered with while on the network. The auditing reports should address any of these security issues if identified while auditing to be a threat to IT infrastructure. The report should recommend the best techniques or methods to do away with these threats. Techniques such as encryption, secure HTP and secure sockets layer protocols are been incorporated to protect digital customers. Also, there are security measures in place that take into consideration the transaction integrity especially by guaranteeing aircraft transaction delivery. In an effort to protect IT devices such as computers, the company have put down initiative of monitoring active content, dealing with the cookies, using antivirus software and calling in experts for computer forensics (Walden, 2001, p. P.15). Risk management: The auditing team should recommend the best ways to address and manage the various IT security risks and threats. Auditors may work with top managements to assist the implementation of IT audit recommendations about security. Auditors must ensure executives understand the relationship between the IT security and business needs. If the CBSA executives know the risks related to certain business objectives and goals, they will be able to understand areas of IT that need investment. A real IT security focuses to mitigate the business risks and, therefore, auditors must help the management team to realize this connection. The auditing team must recommend the various best perimeters of security that the management must adopt effectively and efficiently to manage all operational aspects of IT security. Auditors must come up with the best practices of IT to have an efficient IT infrastructure in CBSA organization. Acquisition of information, resources and documentation for IT infrastructure audit: In CBSA, the auditing team moves and transverses to departments, individuals and stakeholders that are associated with IT infrastructure and assets across the CBSA organization. The purpose for this is to obtain all the required information, documentation and resources for planning and IT infrastructure audit. The constitution of CBSA provides ample allocation of auditing fund. Documentation for business structure, past audits and configuration should be collected for review. Auditors need to request for available documentation from IT staff and if not given they have a right to notify the responsible personnel. The regulatory and requirements of business industries give auditors a right to have access to all information, resources and documentation to facilitate a successful audit. Auditors can have a larger understanding of organizational activities by collecting information to have a general knowledge on business. CBSA gives auditors information from key business processes, reporting cycles and strategic objectives. The auditors also interview key personnel for information. The strategic and operational objectives provide information on the future and present state of the organization. Another source for information is a document of written policies that provide guidelines to check the business environment for gaps. Other resources to help auditing can be obtained from administration and procurement documentation. Alignment of the seven IT domains in an organization: In CBSA, the auditing team usually gives much attention to each of the seven domains for a successful audit. Auditors know that IT security is paramount to the success of the organization and, therefore, conduction of a very effective and efficient audit to the IT systems will be of great benefit to CBSA. The alignment of the security policy framework to the IT infrastructure seven domains helps so much to define suitable boundaries for the audit. The IT standards of CBSA also help to align the seven domains to the IT security policy. The alignment is facilitated by having the access to control requirements for networks, applications, users and operating systems. The alignment helps to put IT infrastructure within the framework that auditors use for IT audit. The seven domains form the IT universe of the organization for auditing. The seven IT audit domains help to describe specific operations, location, functions or processes of the organization. Also these IT audit domains help to define the monitoring and evaluation of IT internal security controls. Section three: A plan for IT Security Controls, Policies and Procedures Examination of existing policies and procedures for IT security: All digital organizations in the world have a set of IT security practices and procedures. These policies and procedures differ from one organization to another. During auditing of IT infrastructure in CBSA, the auditing team usually examines the policies and procedures in place for IT security thoroughly. Auditors compare these policies and procedures with those of the best performing organizations and the international recommended policies and procedures for IT security. After benchmarking and identifying the downfalls, they recommend to the executives the best policies and procedures to adopt for IT security. Further, they make a follow up for the implementation of the recommended policies and procedures. Verification of IT security controls: in addition to examination of policies and practices, the auditing team scrutinizes the IT security control measures put in place by CBSA and verifies their appropriateness and effectiveness. The auditors check how in the past, these control measures have been used, and the effect initiated into the IT security systems. The ineffective ones are recommended for review of elimination. Also, the team may interview the IT personnel over the effectiveness of these measures for verification. Verification of the implementation and monitoring IT security controls: After the scrutiny of the control measures for IT security, the auditing team goes to the IT fields where these controls are being used to verify how they are been implemented and monitored. Also, the team engages the various staff at different IT field and interview them about how the measures are implemented and monitored. Areas of the IT security that do not conform to this measure are noted and communicated to the top management. Also, the methods of implementation and monitoring that are not useful are modified. CBSA has the following IT security control points which help to manage the IT security; Boundary defense – this point is used to detect, correct and prevent the flow of information at networks. Audit logs monitoring, maintenance and analysis – is the point audit logs of the event are collected, manage and analyzed to help detect and recover from the attack. Data protection – this point prevent data exfiltration, ensure the integrity and privacy of sensitive information. Incident response and management – the point protect reputation and information of the organization. Secure network engineering – allow high privacy systems by minimizing or denying attacks. Penetration tests and red team exercises – test the strength of defense of the organization by simulating the actions and objectives of attackers. Account monitoring and control – minimizes the attack opportunities by managing application accounts, dormancy, the use and the life cycle of the system. Malware defense – control the installation, execution and spread of malicious code. It enables rapid updating corrective action, defense and data gathering. Application software security – it detects. Prevent and correct security weakness of an in-house software. Wireless access control – used to control, track, correct and prevent the security by use of wireless LANs (Local Area Networks). Data recovery capability – used in backing up important information in organizations (Kerner, 2013). CBSA is incorporating the above IT security control points to control and maintain the security in the IT infrastructure. These security control points are subjected high level of auditing and management to ensure that the security controls are always effective. The management of CBSA adopts the recommendation of the auditing team about the IT security control measures with immediate effect because IT security is critical to the success of the organization. Reference Agency, C. B. (2012, 12 12). Internal Audit Control. Retrieved 06 08, 2014, from Audit of Information Technology Infrastructure — General Controls: http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/ae-ve/2008/itigc-iticg-eng.html Kerner, S. M. (2013, 03 25). Network Control Point for Security?. Retrieved from Enterprise Networking Planet: http://www.enterprisenetworkingplanet.com/netsecur/what-is-the-network-control-point-for-security-video.html FURNELL, S. (2005). Computer insecurity risking the system. London, Springer. CIAMPA, M. D. (2008). Security+ guide to network security fundamentals. Clifton Park, N.Y., Delmar Learning. Walden, l. H., 2001. E-commerce Law and Practice in Europe. Burlington, Elsevier Science.. Burlington: NEWSOM, D., & HAYNES, J. (2014). Public relations writing: form and style. Boston, MA, Wadsworth Cengage Learning. Read More