Study Document
Pages: 11 (3165 words)
Sources: 7
Subject: Technology
Topic: Information Security
Document Type: Research Paper
Document: #36684821
Abstract
Cybercrime, data breaches, and fraud represent evils that significantly threaten businesses. Companies have lost much to these crimes in the past and must therefore devise plans to prevent future occurrences. This paper examines what information technology security audits entail and how such audits enhance organizational IT security. According to research on the subject, IT security auditing constitutes a significant step in safeguarding corporate data against cybercrime, data breaches, and fraud. It must be performed from time to time as a methodical compliance analysis by an outside specialist, to identify any chinks in the armor of the company's information technology system.
Introduction
ICT advancements have made vast quantities of data available, which also creates considerable risks to the data itself, to computer systems, and to the critical infrastructures and operations they support. Despite developments in information security, numerous information systems remain susceptible to both external and internal breaches (Suduc, Bîzoi & Filip, 2010). Internal information security auditing increases the likelihood that suitable security measures are implemented to avert such breaches and reduce their adverse impacts.
Security risks
Corporate information systems require protection against two classes of risk: logical and physical. Physical risks, which concern devices rather than the information system itself, encompass natural calamities (floods, earthquakes, typhoons, among others), terror attacks, vandalism, fire, illegal tampering, power surges, and break-ins. Vlad and Lenghel (2017) put forward a collection of controls defending information systems from such physical threats.
The controls include different kinds of locks; hardware insurance and coverage of the cost of recreating information; processes for everyday backups of data and information systems; tested, state-of-the-art disaster recovery interventions; and rotation and off-site storage of backup data in a secure place. Logical risks denote illegal access and the purposeful or inadvertent modification or destruction of information or of the whole information system. Such threats may be reduced using logical security controls that limit user access to the system and avert unauthorized system access. All of the precautions above become ever more salient when one is dealing with central information systems.
Suduc and colleagues (2010) claim that modern-day corporations need to deal with four major kinds of information technology risk: availability, security, compliance, and performance risks. Security risks involve accessing data without permission, and include information leakage, fraud, endpoint security, and data privacy. This class also encompasses broad threats from external sources (e.g., viruses) and more focused attacks on particular users, data, or applications. A survey performed by Ernst and Young revealed security incidents costing organizations as much as 17-28 million dollars per case (Suduc et al., 2010). A second study, conducted over 13 years with the assistance of a total of 522 American IT security experts, revealed virus incidents as the most frequent risk (49 percent of respondent firms). The next most common event was insider network abuse (44 percent), followed by theft of mobile devices, including laptops (42 percent) (Suduc et al., 2010). Even though corporate security measures concentrate on external threats, internal threats are disturbing because of their high incidence (sometimes more than half of all risks) and because they originate in legitimate network use.
Audit for IS Security
Khan (2017) reports that despite significant developments in the field of information security, such as the subject/object access matrix model, multilevel security based on the star-property and on information flow, access control lists, cryptographic protocols, and public-key cryptography, several information systems remain at risk of internal as well as external attacks. Security configuration is a time-consuming process that contributes nothing visible to useful output; hence an overly permissive setup goes unnoticed until an audit is done or the system is attacked. This finding underscores the need for internal IT security auditing in all companies.
According to a security administrator and system auditor with nearly two decades of experience, it is imperative to routinely monitor three computer activity domains: user access control, the audit trail, and system activity (Davis & Yen, 2019; Suduc et al., 2010). These tasks correspond to the primary security mechanisms put forward by Suduc and coworkers (2010): authenticating principals (establishing who said it, or which entities have access to the data, i.e., individuals, groups, programs, or devices); authorizing access ("Which entities are permitted to carry out what operations on a given object?"); and auditing decisions ("What occurred and what was the reason for its occurrence?").
The goal of user access control security is to optimize productive computing time, guarantee data confidentiality, mitigate the risks of fraud and error, and prevent unauthorized access. Further, permanent monitoring of system activity is vital, as fraud and sabotage are more likely to take place when the likelihood of detection is low. The following questions need to be posed concerning potential risk areas: (1) Can this event occur here? (2) In what form will it transpire? (3) Do the security measures suffice for threat prevention and detection? (4) How can the measures be improved? (Suduc et al., 2010). Sound system controls and security may greatly decrease both the occurrence of risk events and their adverse effects by improving the chances of detection and prevention.
A second essential security action is the maintenance of thorough logs recording the time of each access, the credentials of the accessing individual, and whether a security breach was attempted. These details prove highly informative to system auditors.
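The audit trail described above (access time, accessing principal, and whether the access succeeded) is only useful if someone reviews it. The following added example, which is not part of the paper or of any cited source, runs a small review over a constructed log: it flags principals missing from the user directory, successful access outside office hours, and repeated denied attempts within a short window. User names, resources, hours and thresholds are all constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail, one event per line:
# "<ISO timestamp> <user> <resource> <SUCCESS|DENIED>"
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice payroll_db SUCCESS
2024-03-04T09:02:41 bob hr_share SUCCESS
2024-03-04T09:10:03 dave payroll_db DENIED
2024-03-04T09:10:09 dave payroll_db DENIED
2024-03-04T09:10:15 dave payroll_db DENIED
2024-03-04T10:00:00 svc_tmp hr_share SUCCESS
2024-03-04T23:47:52 bob payroll_db SUCCESS
2024-03-04T12:30:00 carol finance_share SUCCESS
"""

KNOWN_USERS = {"alice", "bob", "carol", "dave"}           # constructed user directory
OFFICE_HOURS = (8, 18)                                    # 08:00-18:00 counts as normal
FAILURE_THRESHOLD, FAILURE_WINDOW = 3, timedelta(minutes=5)  # denials that trigger a finding

def parse_log(text):
    """Turn raw lines into (time, user, resource, succeeded) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, resource, result = line.split()
        events.append((datetime.fromisoformat(ts), user, resource, result == "SUCCESS"))
    return sorted(events)

def audit_trail_findings(text):
    """Return one finding string per suspicious pattern in the audit trail."""
    findings = []
    denied = defaultdict(list)   # user -> timestamps of recent denied attempts
    for ts, user, resource, ok in parse_log(text):
        if user not in KNOWN_USERS:
            findings.append(f"unknown principal {user} accessed {resource} at {ts}")
        if ok and not (OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]):
            findings.append(f"off-hours access by {user} to {resource} at {ts}")
        if not ok:
            # Keep only the denials still inside the sliding window, then count them.
            denied[user] = [t for t in denied[user] if ts - t <= FAILURE_WINDOW] + [ts]
            if len(denied[user]) == FAILURE_THRESHOLD:
                findings.append(f"{FAILURE_THRESHOLD} denied attempts by {user} "
                                f"on {resource} within {FAILURE_WINDOW}")
    return findings

if __name__ == "__main__":
    for finding in audit_trail_findings(SAMPLE_LOG):
        print(finding)
```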
Audit frameworks
i. ISO 27001 Framework
ISO 27001, which is in effect a taxonomy of potential controls, outlines requirements for the establishment, adoption, monitoring, maintenance, operation, review, and improvement of a documented ISMS (Information Security Management System) covering overall organizational risks. The standard aims to ensure that appropriate, reasonable security controls are chosen to safeguard data assets and to create trust among interested parties. Accompanying it is the ISO 27002 standard (Almatari et al., 2018), setting down…
…For guaranteeing adherence to the security policy and ascertaining the minimum set of controls needed to reduce risks to a satisfactorily low level, security audits ought to be carried out from time to time (risks and vulnerabilities can change over time and with changes to the environment). These audits may take the form of auditing of new enhancements or installations, routine auditing, unplanned or spontaneous auditing, or audits performed outside office hours.
Auditing methods may include automated audit instruments, such as off-the-shelf security auditing systems or auditor-developed instruments, as well as manual review methods such as auditing checklists and social engineering attack checklists.
Audit processes involve several steps. According to 3D Networks, auditing is a seven-step process (Suduc et al., 2010): (1) vulnerability scanning, which scans the infrastructure; (2) security architecture auditing, which reviews the existing security infrastructure; (3) report auditing, which covers reports such as logs and intrusion/breach detection system reports; (4) workflow and internal control auditing, which reviews the existing workflow; (5) baseline auditing, which checks that the organization's security setup conforms to the company's security baseline; (6) risk/threat analysis, which evaluates the many threats and risks the organization's information systems face; and (7) policy auditing, which checks that the firm's security policy is aligned with its business aims.
During, as well as after, security auditing, a series of reports can be produced, including reports identifying vulnerabilities in the company's information system, reports addressing the risks and threats the firm faces owing to existing vulnerabilities in infrastructure and policy, and audit reports that present a security overview together with the audit results.
Suduc and colleagues (2010) offer a second view of security auditing, dividing the process into six steps: (1) planning, to identify and select sound, effective techniques for conducting the security audit and procuring all required data; (2) collection of audit information, to determine the kind and quantity of data to be procured and how this data and the audit logs are to be filtered, stored, accessed, and analyzed; (3) performance of audit tests, a broad examination of current security standards, policies, technical tests, or security configurations; (4) audit outcome reporting, presenting the existing security environment in the organization; (5) safeguarding of audit instruments and information, for use in the future or in the subsequent audit; and (6) follow-up and improvements, undertaking corrective action where needed.
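Baseline auditing, step (5) of the seven-step process above, is the audit step that catches the overly permissive setup the earlier section warns about. The following added example, which is not from the paper or from any cited source, compares a constructed access-control setup against a constructed per-role baseline and reports each deviation: rights granted beyond what a role's baseline allows, principals holding grants without any assigned role, and grants open to all users. Role names, resources and the "Everyone" principal are constructed.

```python
# Constructed baseline: the most a role may hold on each resource.
BASELINE = {
    "clerk": {"payroll_db": {"read"}, "hr_share": {"read"}},
    "hr":    {"hr_share": {"read", "write"}},
    "dba":   {"payroll_db": {"read", "write", "admin"}},
}
EVERYONE = "Everyone"   # a grant to this principal is open to all users

# Constructed current setup: who holds which role, and what is actually granted.
ROLE_OF = {"alice": "clerk", "bob": "hr", "carol": "dba", "svc_tmp": None}
GRANTS = [
    ("alice", "payroll_db", {"read"}),
    ("alice", "hr_share", {"read", "write"}),        # write exceeds the clerk baseline
    ("bob", "hr_share", {"read", "write"}),
    ("carol", "payroll_db", {"read", "write", "admin"}),
    ("svc_tmp", "finance_share", {"read"}),          # principal with no assigned role
    (EVERYONE, "hr_share", {"read"}),                # share readable by all users
]

def baseline_findings(grants, role_of, baseline):
    """Return (principal, resource, reason) for every grant that deviates from the baseline."""
    findings = []
    for principal, resource, rights in grants:
        if principal == EVERYONE:
            findings.append((principal, resource, f"open to all users: {sorted(rights)}"))
            continue
        role = role_of.get(principal)
        if role is None:
            findings.append((principal, resource, "principal has no assigned role"))
            continue
        # Anything not covered by the role's baseline for this resource is excess.
        allowed = baseline.get(role, {}).get(resource, set())
        excess = rights - allowed
        if excess:
            findings.append((principal, resource,
                             f"rights beyond {role} baseline: {sorted(excess)}"))
    return findings

if __name__ == "__main__":
    for principal, resource, reason in baseline_findings(GRANTS, ROLE_OF, BASELINE):
        print(f"{principal:>10}  {resource:<14}  {reason}")
```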
As information systems grow ever more sophisticated, security auditing is becoming increasingly challenging; however, security auditors have automated audit tools at their disposal to facilitate the process.
Conclusion
A variety of different security methods may be adopted. The choice of security process set depends on…
References
Almatari, O., Helal, I., Mazen, S., & El Hennawy, S. (2018). Cybersecurity tools for IS auditing. The 6th International Conference on Enterprise Systems, Limassol, Cyprus. doi:10.1109/ES.2018.00040.
Davis, W. S., & Yen, D. C. (Eds.). (2019). The information system consultant's handbook: Systems analysis and design. CRC Press.
Diamantopoulou, V., Tsohou, A., & Karyda, M. (2019). From ISO/IEC 27002:2013 information security controls to personal data protection controls: Guidelines for GDPR compliance. In Computer Security (pp. 238-257). Springer, Cham.
Khan, M. (2017). Computer security in the human life. International Journal of Computer Science and Engineering (IJCSE), 6(1), 35-42.
Lenghel, R. D., & Vlad, M. P. (2017). Information systems auditing. Quaestus, (11), 178.
Manaseer, S., & Alawneh, A. (2019). On cybersecurity auditing awareness: Case of information and communication technology sector. International Journal of Computer Science and Information Security (IJCSIS), 17(7).
Suduc, A. M., Bîzoi, M., & Filip, F. G. (2010). Audit for information systems security. Informatica Economica, 14(1), 43.