Transcript
Page 1: AUDITING INFORMATION SYSTEMS SECURITY. AUDIT OF LOGICAL ACCESS USE OF TECHNIQUES FOR TESTING SECURITY USE OF INVESTIGATION TECHNIQUES

AUDITING INFORMATION SYSTEMS SECURITY

Page 2

AUDITING INFORMATION SYSTEMS SECURITY

• AUDIT OF LOGICAL ACCESS

• USE OF TECHNIQUES FOR TESTING SECURITY

• USE OF INVESTIGATION TECHNIQUES

Page 3

AUDITING INFORMATION SYSTEMS SECURITY

• Information security management framework

• Auditing logical access

• Auditing network infrastructure security

• Auditing environmental exposures & controls

• Auditing physical access

Page 4

Information security management framework

• The IS Auditor must review:

– Written policies, procedures, standards

– Logical access security policies

– Formal security awareness & training

– Segregation of duties

– Security regarding new IT users

– Access standards

– Terminated employee access policy

Page 5

AUDITING LOGICAL ACCESS

• General understanding of security risks

• Document and evaluate controls over access paths

• Test controls over access paths

• Evaluate access control environment

• Testing security

• Review access controls and password administration
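The two audit steps above that lend themselves to a repeatable test are the terminated-employee access policy (page 4) and the review of access controls and password administration (page 5). The script below is an added example, not part of the slides: it joins a constructed HR roster against a constructed account extract and produces the findings an auditor would follow up on. The field names (user, enabled, status, term_date, pw_last_set, last_login) and the 90-day password age limit are assumptions chosen for the example.

```python
"""Added example (not from the slides): a small logical-access audit test.

Checks two controls named on the slides:
  * terminated-employee access: accounts of leavers should be disabled,
    and no login should be recorded after the termination date;
  * password administration: passwords older than the policy maximum and
    enabled accounts that have never logged in are flagged for review.

All data is constructed for the example; the column names are assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster: who is still employed, and when leavers left.
HR_ROSTER = {
    "asmith": {"status": "active", "term_date": None},
    "bjones": {"status": "terminated", "term_date": date(2024, 1, 15)},
    "clee":   {"status": "active", "term_date": None},
}

# Constructed account extract (what a directory export might look like).
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "pw_last_set": date(2024, 2, 1), "last_login": date(2024, 3, 1)},
    {"user": "bjones", "enabled": True, "pw_last_set": date(2023, 6, 1), "last_login": date(2024, 2, 20)},
    {"user": "clee", "enabled": True, "pw_last_set": date(2023, 1, 1), "last_login": None},
    {"user": "svc_backup", "enabled": True, "pw_last_set": date(2022, 1, 1), "last_login": date(2024, 3, 2)},
]

AS_OF = date(2024, 3, 3)                 # audit date (constructed)
MAX_PASSWORD_AGE = timedelta(days=90)    # assumed policy maximum


def audit_terminated_access(accounts, roster, as_of):
    """Return (user, finding) pairs for the terminated-employee control."""
    findings = []
    for acct in accounts:
        rec = roster.get(acct["user"])
        if rec is None:
            # An account with no owner in HR cannot be tied to a leaver process.
            findings.append((acct["user"], "account has no matching HR record"))
            continue
        if rec["status"] != "terminated":
            continue
        if acct["enabled"]:
            days = (as_of - rec["term_date"]).days
            findings.append((acct["user"], f"still enabled {days} days after termination"))
        if acct["last_login"] and acct["last_login"] > rec["term_date"]:
            findings.append((acct["user"], "login recorded after termination date"))
    return findings


def audit_password_administration(accounts, as_of, max_age):
    """Return (user, finding) pairs for the password administration review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        age = as_of - acct["pw_last_set"]
        if age > max_age:
            findings.append((acct["user"], f"password age {age.days} days exceeds policy"))
        if acct["last_login"] is None:
            # Enabled but never used: typical of accounts created outside the joiner process.
            findings.append((acct["user"], "enabled account has never logged in"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_terminated_access(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"[terminated access] {user}: {finding}")
    for user, finding in audit_password_administration(ACCOUNTS, AS_OF, MAX_PASSWORD_AGE):
        print(f"[password admin]    {user}: {finding}")
```

Each finding is reported against the control it belongs to, so the output maps directly onto the audit program: the terminated-access list tests the leaver policy, and the password list tests password administration. The missing-HR-record case is reported separately because a service or orphan account cannot be evaluated against either policy until an owner is identified.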

Page 6

Auditing network infrastructure security

• Review network diagrams

• Identify network design implemented

• Determine applicable security policies, standards etc.

• Review network administrator procedures

• Assess remote access points of entry & dial-up access controls

Page 7

Auditing Environmental exposures and controls

• Water and smoke detectors

• Fire extinguishers

• Fire suppression systems

• Fireproof walls, floors etc.

• Electrical surge protectors

• Fully documented & tested BCP

Page 8

AUDITING PHYSICAL ACCESS

• Touring the Information Processing Facility

• Test the physical safeguards – by observation

• Test other locations such as location of Operator consoles, printer rooms etc.

• Evaluate paths of physical entry
