The information security risks confronting an organization will vary with the nature of
the processing performed by the organization and the sensitivity of the information
processed. To fully consider these risks, the auditor should develop comprehensive
information concerning the organization’s computer operations and significant
applications.[7]
This information should be documented and generally will include
• the significance and nature of the programs and functions, such as public
protection and safety, supported by automated systems;
• the sensitivity or confidentiality of the information processed;
• the types of computer processing performed (standalone, distributed, or
networked);
• the specific hardware and software constituting the computer configuration,
including (1) the type, number, and location of primary central processing units
and peripherals, (2) the role of microcomputers, and (3) how such units are
interconnected;
• the nature of software utilities used at computer processing locations that provide
the ability to add, alter, or delete information stored in data files, databases, and
program libraries;
• the nature of software used to restrict access to programs and data at computer
processing locations;
• significant computerized communications networks (including firewalls and
network control devices), interfaces to other computer systems and the Internet,
and the ability to upload and/or download information;
• significant changes since any prior audits/reviews;
• the general types and extent of significant purchased software used;
• the general types and extent of significant software developed in-house;
• how (interactive or noninteractive) and where data are entered and reported;
• the approximate number of transactions and related monetary amounts processed
by each significant system;
• the organization and staffing at the organization’s data processing and software
development sites, including recent key staff and organizational changes;
• the organization’s reliance on service bureaus or other agencies for computer
processing support;
• results of past internal and external reviews, including those conducted by
inspector general staff and consultants specializing in security matters; and
• compliance with relevant legal and regulatory requirements.
__________________
[7] The audited entity is generally responsible for the completion of a security risk assessment, which the auditor
should obtain and build upon.
The identification of security risks has a direct relationship to the audit environment
assessed in the preceding section. An organization’s hardware/software infrastructure
and the extent and type of computer interconnectivity used by the organization all have a
bearing on the types of security risks confronting the organization. Further, the
infrastructure and interconnectivity will dictate the skills and tools needed by the auditor
to efficiently and effectively assess these security risks. No single auditor
should be expected to have all the skills or abilities necessary to perform each of the
tasks required to successfully complete an information security audit. However, the audit team
collectively should possess the requisite skills.