Tuesday, July 31, 2007

PREPARING FOR AN INFORMATION SECURITY AUDIT

For an Information Security audit to be effective, it must be planned and adequately prepared. A common purpose of conducting the audit is to enable the Information Security Officer (or the person who is responsible for the security of information) to measure the level of compliance with the organization’s Information Security Policies and associated procedures.

At the highest level, the Information Security Officer should initially prepare an audit program which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an Information Security incident, the more often the audit of that area should be conducted.

Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.

As an example, if the audit chosen is regarding the Portable Computing Facilities, the documents to be considered for review are:

• Insurance documents.

• Hardware register.

• Software register.

• User Profile.

• Network Profile.

• Issue form.

• General terms of use.

• Removal of equipment authorization.

The Information Security Officer will also decide on which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited:

• The issuers of portable computers.

• A sample of the user population who use portable computers.

• Ancillary staff.

As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is a temptation to take shortcuts. However, in most cases, there is little doubt that the quality of the planning is likely to go a long way in determining the quality of the audit.


From : http://www.17799central.com/news.htm