How to conduct the best IT and Information Security Audits. How the Maturity Model of COBIT can help an IS Audit.
Control Structures: Auditing
Assignment Overview
Effective planning and a well-defined structure must be part of an audit policy for it to work properly. As IT professionals, we do not have to monitor everything, because we do not want to stress system resources with unmanageable amounts of data. Therefore, it is important to identify the most meaningful events and activities that should be audited within an organization, keeping the needs of the organization in mind.
In this Case Assignment, you are required to read the articles listed as required in the background page about the auditing process.
When you’ve read the required articles and conducted additional research on the optional readings and other readings you find interesting, please compose a short (4-5 pages without counting the cover and references) paper on the topic:
How to conduct the best IT and Information Security Audits. How the Maturity Model of COBIT can help an IS Audit.
Below are some questions for you to think about to help you get started:
Clarify the differences between information systems auditing and information security auditing.
Explain the criteria for setting up priorities and scope for auditing.
What is COBIT? You can refer to COBIT 4, which is available for free, but remember that the latest version is COBIT 5.
How can COBIT help in the IT auditing process?
What is the maturity model used in COBIT?
Upon successful completion of this module, the student will be able to satisfy the following outcomes:
Case
Explain the information security auditing process.
Explain the characteristics of existing security standards.
Module Overview
This module will help you become familiar with the main concepts and relevant topics in information security auditing. We begin with some definitions:
Auditing is the process of tracking users and their actions. Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it (EDP auditing, as it was previously called) as “the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.”
IS audit often involves finding and recording observations that are highly technical. Such technical depth is required to perform effective IS audits. At the same time, it is necessary to translate audit findings into vulnerabilities and business impacts to which operating managers and senior management can relate. Therein lies a main challenge of IS audit. (Sayana, 2002)
In this module, we will study the main concepts of information security auditing and the procedures that are part of the auditing process. We take the organizational perspective, considering the managerial, procedural, and technical aspects of information systems auditing.