In developing an information security audit capability and in performing security audits,
legal and reporting issues may arise of which an organization needs to be aware. You
should consult with your legal counsel before establishing or extending the security
audit capability so that legal barriers can be identified and resolved. Potential legal and
reporting issues include the following:
• Your organization’s right to review IS security issues.
• State laws regarding unauthorized access to sensitive data or “hacker” type
activity. Analyze your state laws pertaining to computer crimes—particularly those
relevant to penetration testing—to determine how the IS security audit capability
can operate effectively within those bounds.
• Potential liability issues. Liability concerns may arise if penetration testing
inadvertently causes problems with a critical system. While the risk of this
happening may be low, steps should be taken to limit such exposure.
• Security clearances or background checks. If these are required, this issue is
especially critical for a security audit capability that uses consultants or other third
parties. Your state or agency may also have personnel policies governing your
ability to perform background checks or security clearances. Further, performing
such checks may involve costs. Also, your audit organization or state may want to
obtain security clearances to obtain additional assurances concerning those staff
who have access to sensitive system information.
• Provisions of the public records law. Potential issues include both restrictions and
excessively permissive requirements. For example, there may be prohibitions
against reporting security information—or the reverse: you might be required to
provide access upon request to working papers containing sensitive, detailed
security information.
Even if no public records laws apply, you should assess the level of detail included in
your reports. If your organization posts audit reports on the Internet, the information is
accessible to virtually anyone, anywhere. Posting detailed security findings may expose
an information system to more risk than if no audit had been performed.
Once potential barriers have been identified, you can determine feasible solutions. As
one example, GAO and some states use separate confidential or “Limited Official Use”
(LOU) reports to detail IS security issues. The publicly issued report addresses security
issues in more general terms and gives only general recommendations.
If potential barriers are identified during this assessment, the next step is to determine
whether the environment can be changed or if the barrier prevents your organization
from effectively forming an IS security audit capability.
______________
laminate flooring dallas scavenger hunt
Fri Nov 25, 2011 10:32 am
megavideolinks Fallen Angel
Joined: 19 Nov 2011 Posts: 153
Determine Audit Environment
Along with experienced personnel to perform security audits, an IS security audit
capability must have relevant tools, techniques, and practice aids available to assist the
auditors with their audit tasks. Decisions on obtaining such tools, techniques, and
practice aids, along with the appropriate expertise to use them, must be based on the
hardware, system software, and applications that constitute the audit environment. With
systems becoming more and more interconnected, the hardware and software that make
up and connect these systems are critical. In addition, the technical components that
provide network, Internet, and intranet connectivity must be identified. An audit
organization should develop an inventory of this infrastructure, which should be
periodically refreshed since computer systems are extremely fluid, and projections are
that technology will continue to advance rapidly.
In addition, it is important to keep informed on emerging technologies and related
control issues. These new technologies may soon be integrated into your audit
environment, and auditing them may require additional expertise and automated tools.
Appendix C provides a questionnaire that can assist you in collecting the type of IS
infrastructure information needed to understand your audit environment. Sources of this
information may include any prior audit history and other studies performed by outside
contractors. Depending on the size of your audit environment, you may not be able to
readily determine exact counts of the various hardware and software components. For
this purpose, an estimate of the number of systems involved will suffice. Also, the
questionnaire can be completed by agency personnel.