Audit of Information Systems

There should be a formal audit plan and assessment process to evaluate the effectiveness of the organization's information security policies and controls. The assessment (or audit) process should be part of the overall security program and should be performed periodically.

The audit process should test the organization's procedures (or controls) for effectiveness in meeting company policies and standards. If the independent review finds that certain controls or processes are inadequate to meet the organization's policies, security best practice or relevant regulatory requirements, management should take corrective action to close the deficiency or "gap".

The audit process should also use pre-established frameworks or standards, such as ISO, COBIT or PCI, and should be performed at least annually by an independent third party or internal group. Audits can include interviewing management or control owners, reviewing procedures and testing a sample of controls.

Additionally, penetration tests by an independent third-party security firm are recommended to periodically test internet-facing applications for vulnerabilities. Penetration tests can also include testing of social engineering defenses, physical security controls and network security, among other areas, to mimic what a potential intruder may attempt. The results are then shared with management to close gaps and improve the organization's security posture.

Topic Category: Information Security Program
News Articles

NSA failed to implement security measures, says damning report (nakedsecurity.sophos.com, 6/21/2017)
Banks and Fed sites score as least trustworthy in OTA 2017 security and privacy audit (www.networkworld.com, 6/21/2017)
Will Target's Lawsuit Finally Expose the Failings of Security Audits? (www.wired.com, 3/28/2014)
Pilfering sysadmin gets four years and $2.3m fine for kit
FBI Credit Card Ring Bust Exposes PCI Challenges (www.darkreading.com, 7/2/2012)
PA DSS (Payment Application Data Security Standard) (PCI, 5/27/2016)
NIST Technical Guide to Information Security Testing and Assessment (NIST, 9/1/2008)