Auditing Information Security
An information security audit is an audit of the level of information security in an organization: an independent review and examination of system records, activities and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits with different objectives. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas. When centered on the information technology (IT) aspects of information security, it can be seen as a part of an information technology audit, and is then often referred to as an information technology security audit or a computer security audit. Information security, however, encompasses much more than IT.


The audit process


Step 1: Preliminary audit assessment

The auditor is responsible for assessing the current technological maturity level of a company during the first stage of the audit. This stage is used to assess the current status of the company and helps identify the required time, cost and scope of the audit. First, the auditor needs to identify the minimum security requirements:
* Security policy and standards
* Organizational and personnel security
* Communication, operation and asset management
* Physical and environmental security
* Access control and compliance
* IT systems development and maintenance
* IT security incident management
* Disaster recovery and business continuity management
* Risk management


Step 2: Planning & preparation

The auditor should plan the audit based on the information found in the previous step. Planning an audit helps the auditor obtain sufficient and appropriate evidence for each company's specific circumstances, keeps audit costs at a reasonable level, allows the proper staff and timeline to be assigned, and avoids misunderstandings with clients. An auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether the client's goal is being achieved, the auditor should perform the following before conducting the review:
* Meet with IT management to determine possible areas of concern
* Review the current IT organization chart
* Review job descriptions of data center employees
* Research all operating systems, software applications, and data center equipment operating within the data center
* Review the company's IT policies and procedures
* Evaluate the company's IT budget and systems planning documentation
* Review the data center's disaster recovery plan


Step 3: Establishing audit objectives

In the next step, the auditor outlines the objectives of the audit, after which the review of the corporate data center takes place. Auditors consider multiple factors relating to data center procedures and activities that may identify audit risks in the operating environment, and assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor can determine whether the data center maintains proper controls and is operating efficiently and effectively. Objectives the auditor should review include:
* Personnel procedures and responsibilities, including systems and cross-functional training
* Change management processes are in place and followed by IT and management personnel
* Appropriate backup procedures are in place to minimize downtime and prevent loss of important data
* The data center has adequate physical security controls to prevent unauthorized access
* Adequate environmental controls are in place to ensure equipment is protected from fire and flooding


Step 4: Performing the review

The next step is collecting evidence to satisfy the data center audit objectives. This involves traveling to the data center location and observing processes within the data center. The following review procedures should be conducted to satisfy the pre-determined audit objectives:
* Data center personnel: All data center personnel should be authorized to access the data center (key cards, login IDs, secure passwords, etc.). Data center employees should be adequately educated about data center equipment and properly perform their jobs. Vendor service personnel should be supervised when doing work on data center equipment. The auditor should observe and interview data center employees to satisfy these objectives.
* Equipment: The auditor should verify that all data center equipment is working properly and effectively. Equipment utilization reports, equipment inspection for damage and functionality, system downtime records and equipment performance measurements all help the auditor determine the state of data center equipment. Additionally, the auditor should interview employees to determine whether preventive maintenance policies are in place and followed.
* Policies and procedures: All data center policies and procedures should be documented and available at the data center. Important documented procedures include data center personnel job responsibilities, backup policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.
* Physical security and environmental controls: The auditor should assess the security of the client's data center. Physical security includes security guards, locked cages, mantraps, single entrances, bolted-down equipment, and computer monitoring systems. Additionally, environmental controls should be in place to protect data center equipment. These include air conditioning units, raised floors, humidity control and uninterruptible power supplies (UPS).
* Backup procedures: The auditor should verify that the client has backup procedures in place in the case of system failure. Clients may maintain a backup data center at a separate location that allows them to resume operations quickly in the event of a system failure; the auditor should confirm that the claimed recovery time has actually been exercised in a test, not merely documented.


Step 5: Preparing the Audit Report

After the audit examination is completed, the audit findings and suggestions for corrective action are communicated to the responsible stakeholders in a formal meeting (the exit conference). This ensures better understanding of, and support for, the audit recommendations, and gives the audited organization an opportunity to express its views on the issues raised. Writing a report after such a meeting, describing where agreement has been reached on each audit issue, greatly enhances audit effectiveness. Exit conferences also help finalize recommendations that are practical and feasible.


Step 6: Issuing the review report

The data center review report should summarize the auditor's findings and be similar in format to a standard review report. The review report should be dated as of the completion of the auditor's inquiry and procedures. It should state what the review entailed and explain that a review provides only "limited assurance" to third parties. Typically, a data center review report consolidates the entirety of the audit. It also offers recommendations on the proper implementation of physical safeguards and advises the client on the appropriate roles and responsibilities of its personnel. Its contents may include:
* The auditors' procedures and findings
* The auditors' recommendations
* Objective, scope, and methodologies
* Overview/conclusions
The report may optionally rank the security vulnerabilities identified during the audit and the urgency of the tasks necessary to address them. Rankings such as "high", "medium" and "low" can be used to describe how urgent each task is. (Privacy Technical Assistance Center, "Responding to IT Security Audits: Improving Data Security Practices", PDF.)


Who performs audits

Generally, computer security audits are performed by:
1. Federal or state regulators
* Information security audits would primarily be prepared by the partners of these regulators.
* Examples include: certified accountants, Certified Information Systems Auditors (CISA), the Office of Thrift Supervision (OTS, merged into the OCC in 2011), the Office of the Comptroller of the Currency (OCC), the U.S. Department of Justice (DOJ), etc.
2. Corporate internal auditors
* If the information security audit is an internal audit, it may be performed by internal auditors employed by the organization.
* Examples include: certified accountants, Certified Information Systems Auditors (CISA), and Certified Internet Audit Professionals (CIAP)
3. External auditors
* Typically, third-party experts employed by an independent organization and specializing in the field of data security, hired when state or federal auditors are not available.
4. Consultants
* Outsourcing the technology audit where the organization lacks the specialized skill set.


Jobs and certifications in information security


Information Security Officer (ISO)

Information Security Officer (ISO) is a relatively new position, which has emerged in organizations to deal with the aftermath of the chaotic growth in information technology and network communication. The role of the ISO has been nebulous, since the problem it was created to address was never clearly defined. The role has become one of following the dynamics of the security environment and keeping the organization's risk posture balanced.


Certifications

Information systems audits combine the efforts and skill sets of the accounting and technology fields. Professionals from both fields rely on one another to ensure the security of information and data, and the collaboration is intended to improve the security of the information system over time. In an information systems audit, the role of the auditor is to examine the company's controls over the security program and to disclose the operating effectiveness of these controls in an audit report. ISACA (formerly the Information Systems Audit and Control Association), an IT professional organization, promotes gaining expertise through various certifications, which benefit both external and internal personnel. Examples of certifications relevant to information security audits include:
* Certified Information Security Manager (CISM)
* Certified in Risk and Information Systems Control (CRISC)
* Certified in the Governance of Enterprise IT (CGEIT)
* Certified Information Systems Auditor (CISA)
* CSX (Cybersecurity Nexus Fundamentals)
* CSXP (Cybersecurity Nexus Practitioner)


The audited systems


Network vulnerabilities

* Interception: Data being transmitted over the network can be intercepted by an unintended third party who could put it to harmful use.
* Availability: Networks span hundreds or thousands of miles, and many users rely on them to access company information; lost connectivity could cause business interruption.
* Access/entry point: Networks are vulnerable to unwanted access. A weak point in the network can expose information to intruders and can also provide an entry point for viruses and Trojan horses.


Controls

* Interception controls: Interception can be partially deterred by physical access controls at data centers and offices, including where communication links terminate and where the network wiring and distribution are located. Encryption of data in transit also helps, and is particularly important on wireless networks.
* Availability controls: The best control is sound network architecture and monitoring. The network should have redundant paths between every resource and an access point, with automatic routing that switches traffic to the available path without loss of data or time.
* Access/entry point controls: Most network controls are placed where the network connects to an external network. These controls limit the traffic that passes through the network, and can include firewalls, intrusion detection systems, and antivirus software.
The auditor should ask certain questions to better understand the network and its vulnerabilities. The auditor should first assess the extent of the network and how it is structured; a network diagram assists in this. The next question is what critical information the network must protect: enterprise systems, mail servers, web servers, and host applications accessed by customers are typical areas of focus. It is also important to know who has access, and to which parts. Do customers and vendors have access to systems on the network? Can employees access information from home? Lastly, the auditor should assess how the network is connected to external networks and how it is protected. Most networks are at least connected to the internet, which could be a point of vulnerability. These are critical questions in protecting networks.


Segregation of duties

When a function deals with money, either incoming or outgoing, it is very important to make sure that duties are segregated to minimize, and ideally prevent, fraud. One of the key ways to ensure proper segregation of duties (SoD) from a systems perspective is to review individuals' access authorizations. Certain systems, such as SAP, claim to come with the capability to perform SoD tests, but the functionality provided is elementary: it requires very time-consuming queries to be built, and it is limited to the transaction level, with little or no use of the object or field values assigned to the user through the transaction, which often produces misleading results. For complex systems such as SAP it is often preferable to use tools developed specifically to assess and analyze SoD conflicts and other types of system activity. For other systems, or for multiple system formats, monitor which users have superuser access, which gives them unlimited access to all aspects of the system. Also, developing a matrix of all functions that highlights the points where proper segregation of duties would be breached, and cross-checking each employee's available accesses against it, helps identify potential material weaknesses. This is as important, if not more so, in the development function as in production. Ensuring that the people who develop programs are not the ones authorized to promote them into production is key to preventing unauthorized programs from reaching the production environment, where they could be used to perpetrate fraud.
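The cross-check described above, as an added example (not code from the article): a conflict matrix of function pairs is applied to each user's entitlements to list SoD violations, superuser holders are reported separately, and a function-by-function matrix shows which users sit in each conflicting cell. The users, function names and conflict pairs are constructed for illustration; a real run would load them from an ERP or identity-management export.

```python
"""Segregation-of-duties (SoD) conflict check over an entitlement export.

Added example, not code from the article. The users, function names and
conflict pairs are constructed for illustration.
"""
from itertools import combinations

# Constructed entitlement export: user -> set of business functions, the kind
# of data an auditor pulls from an ERP or identity management system.
ENTITLEMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"enter_invoice", "approve_payment"},
    "carol": {"enter_invoice"},
    "dave": {"develop_code", "deploy_production"},
    "erin": {"sysadmin"},
}

# Constructed SoD matrix: pairs of functions no single person may hold together.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"develop_code", "deploy_production"}),
}

# Functions that amount to superuser access and are reported separately.
SUPERUSER = {"sysadmin"}


def find_conflicts(entitlements, conflicts):
    """Return {user: [(func_a, func_b), ...]} for every user who holds both
    sides of a declared conflict. Pairs are sorted so output is deterministic."""
    findings = {}
    for user, funcs in entitlements.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= funcs)
        if hits:
            findings[user] = hits
    return findings


def find_superusers(entitlements, superuser_funcs):
    """Users holding any function from the superuser set."""
    return sorted(u for u, f in entitlements.items() if f & superuser_funcs)


def build_matrix(entitlements, conflicts):
    """Function-by-function matrix restricted to the conflicting cells: each cell
    lists the users who hold both functions. An empty list is a clean cell."""
    funcs = sorted(set().union(*entitlements.values()))
    matrix = {}
    for a, b in combinations(funcs, 2):
        if frozenset({a, b}) in conflicts:
            matrix[(a, b)] = sorted(u for u, f in entitlements.items() if {a, b} <= f)
    return matrix


if __name__ == "__main__":
    for user, hits in find_conflicts(ENTITLEMENTS, CONFLICTS).items():
        for a, b in hits:
            print(f"SoD conflict: {user} holds both {a} and {b}")
    print("superusers:", find_superusers(ENTITLEMENTS, SUPERUSER))
    for (a, b), holders in build_matrix(ENTITLEMENTS, CONFLICTS).items():
        print(f"{a} x {b}: {holders or 'clean'}")
```

The check is at the function level; for a system like SAP the same structure applies but the conflict pairs must be defined in terms of the authorization objects and field values behind each transaction, which is exactly the depth the built-in SoD reports lack.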


Types of audits


Encryption and IT audit

In assessing whether a client needs to implement encryption policies, the auditor should analyze the client's risk and data value. Companies with multiple external users, e-commerce applications, and sensitive customer/employee information should maintain rigid encryption policies aimed at encrypting the correct data at the appropriate stage in the data collection process. Auditors should continually evaluate their clients' encryption policies and procedures. Companies that are heavily reliant on e-commerce systems and wireless networks are extremely vulnerable to theft and loss of critical information in transmission. Policies and procedures should be documented and carried out to ensure that all transmitted data is protected. The auditor should verify that management has controls in place over the data encryption management process. Access to keys should require dual control, keys should be composed of two separate components, and keys should be maintained on a system that is not accessible to programmers or outside users. Furthermore, management should attest that encryption policies ensure data protection at the desired level and verify that the cost of encrypting the data does not exceed the value of the information itself. All data that must be retained for an extended period should be encrypted and transported to a remote location. Procedures should be in place to ensure that all encrypted sensitive information arrives at its location and is stored properly. Finally, the auditor should obtain verification from management that the encryption system uses current, well-reviewed algorithms and key lengths (no system is unattackable, so "strong" should be tied to a named standard rather than asserted) and is compliant with all applicable local and international laws and regulations.
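The dual-control, two-component key requirement above, as an added example (not code from the article): the key is split into XOR shares held by separate custodians, so that any subset short of all of them is uniformly random and reveals nothing, and a key check value (KCV) lets the ceremony confirm the reconstructed key without exposing it. The KCV here is a stand-in built from SHA-256; an HSM or PCI key ceremony would instead encrypt a block of zeros under the key and keep the first three bytes of the ciphertext. Key sizes and custodian counts are assumptions.

```python
"""Dual-control key components: split a key into XOR shares so that no single
custodian holds the whole key, recombine under dual control, and verify the
result against a key check value (KCV).

Added example, not code from the article. The KCV here is the first three bytes
of SHA-256(key); an HSM or PCI key-ceremony procedure would instead encrypt a
block of zeros under the key and keep the first three bytes of the ciphertext.
"""
import hashlib
import os


def split_key(key: bytes, custodians: int = 2) -> list:
    """Return `custodians` components whose XOR is `key`.

    All but the last component are fresh random bytes, so any subset of fewer
    than all the components is uniformly random and reveals nothing about the key.
    """
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    components = [os.urandom(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = bytes(x ^ y for x, y in zip(last, c))
    components.append(last)
    return components


def combine_key(components: list) -> bytes:
    """XOR all components back together; every custodian must be present."""
    if not components:
        raise ValueError("no components supplied")
    key = components[0]
    for c in components[1:]:
        if len(c) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(x ^ y for x, y in zip(key, c))
    return key


def kcv(key: bytes) -> str:
    """Key check value: lets custodians confirm a reconstructed key without
    revealing it. Stand-in construction (see module docstring)."""
    return hashlib.sha256(key).hexdigest()[:6]


def reconstruct_and_verify(components: list, expected_kcv: str) -> bytes:
    """Combine the components and refuse to return a key whose KCV does not
    match, which catches a mistyped or swapped component at the ceremony."""
    key = combine_key(components)
    if kcv(key) != expected_kcv:
        raise ValueError("key check value mismatch: wrong or corrupted component")
    return key


if __name__ == "__main__":
    master = os.urandom(32)          # e.g. a 256-bit AES key (assumed size)
    check = kcv(master)
    parts = split_key(master, 3)     # three custodians, each holds one part
    assert reconstruct_and_verify(parts, check) == master
    print("KCV", check, "reconstructed OK from", len(parts), "components")
```

The XOR split is an all-or-nothing scheme: losing one custodian loses the key, which is why real ceremonies also record the KCV and keep backup components under separate dual control. An auditor reviewing such a process looks for the KCV on the ceremony record, for evidence that components were never in one person's hands, and for the components being stored on a system that programmers and outside users cannot reach.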


Logical security audit

Just as it sounds, a logical security audit follows an organized procedure. The first step in auditing any system is to understand its components and structure. When auditing logical security, the auditor should investigate what security controls are in place and how they work. In particular, the following areas are key points:
* Passwords: Every company should have written policies regarding passwords and employees' use of them. Passwords should not be shared. Many policies still require scheduled password changes, although current NIST guidance (SP 800-63B) recommends changing passwords when there is evidence of compromise rather than on a fixed schedule. Employees should have user rights in line with their job functions, and should be aware of proper log-on and log-off procedures. Also helpful are security tokens, small devices that authorized users of computer programs or networks carry to assist in identity confirmation; they can also store cryptographic keys and biometric data. A well-known type of security token (RSA's SecurID) displays a number that changes every minute; users are authenticated by entering a personal identification number and the number on the token.
* Termination procedures: Proper termination procedures ensure that former employees can no longer access the network. This is done by disabling their accounts and changing any shared passwords and codes. Also, all ID cards and badges in circulation should be documented and accounted for.
* Special user accounts: Special user accounts and other privileged accounts should be monitored and have proper controls in place.
* Remote access: Remote access is often a point where intruders can enter a system. The logical security tools used for remote access should be very strict, and remote access should be logged.
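The password and termination checks above applied to an account export, as an added example (not code from the article): accounts still enabled after the termination date, logins recorded after termination, passwords older than the policy maximum, and an inventory of enabled privileged accounts for follow-up. The export, its column names, the audit date and the 90-day threshold are constructed assumptions; the same logic applies to a directory or IAM dump with the columns renamed.

```python
"""Logical security checks over an account export: stale passwords, accounts
still enabled after termination, logins after termination, and an inventory of
privileged accounts for follow-up.

Added example, not code from the article. The export, column names, audit date
and 90-day threshold are constructed assumptions for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed export, as an IAM system or directory dump might provide it.
ACCOUNT_EXPORT = """\
username,enabled,privileged,last_password_change,termination_date,last_login
alice,true,false,2024-05-01,,2024-06-10
bob,true,true,2023-11-15,,2024-06-11
carol,true,false,2024-04-20,2024-05-31,2024-06-02
dave,false,false,2024-01-10,2024-02-01,2024-01-30
svc_backup,true,true,2022-03-03,,2024-06-11
"""

AS_OF = date(2024, 6, 12)              # audit date (assumption)
MAX_PASSWORD_AGE = timedelta(days=90)  # policy threshold (assumption)


def _parse_date(s):
    return date.fromisoformat(s) if s else None


def load_accounts(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "privileged": row["privileged"].strip().lower() == "true",
            "last_password_change": _parse_date(row["last_password_change"]),
            "termination_date": _parse_date(row["termination_date"]),
            "last_login": _parse_date(row["last_login"]),
        })
    return accounts


def audit_accounts(accounts, as_of=AS_OF, max_age=MAX_PASSWORD_AGE):
    """Return (username, finding) tuples for control failures."""
    findings = []
    for a in accounts:
        user, term = a["username"], a["termination_date"]
        # Termination procedure: a terminated person's account must be disabled...
        if term and term <= as_of and a["enabled"]:
            findings.append((user, "enabled after termination"))
        # ...and must show no activity after the termination date.
        if term and a["last_login"] and a["last_login"] > term:
            findings.append((user, "login after termination date"))
        # Password policy: enabled accounts whose password exceeds the maximum age.
        pw = a["last_password_change"]
        if a["enabled"] and pw and as_of - pw > max_age:
            findings.append((user, "password older than policy"))
    return findings


def privileged_accounts(accounts):
    """Enabled privileged accounts: the auditor confirms each is monitored and owned."""
    return sorted(a["username"] for a in accounts if a["privileged"] and a["enabled"])


if __name__ == "__main__":
    accts = load_accounts(ACCOUNT_EXPORT)
    for user, finding in audit_accounts(accts):
        print(f"{user}: {finding}")
    print("privileged:", privileged_accounts(accts))
```

A login after the termination date is the finding to chase first, because it means the termination procedure failed in practice, not just on paper. Service accounts such as `svc_backup` commonly show up with very old passwords; they need an owner, a rotation plan and monitoring rather than a one-off reset.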


Specific tools used in network security

Network security is achieved by various tools including firewalls and proxy servers, encryption, logical security and access controls, antivirus software, and auditing systems such as log management.

Firewalls are a very basic part of network security. They are often placed between the private local network and the internet. Firewalls provide a single point through which traffic flows and at which it can be authenticated, monitored, logged, and reported. Types of firewalls include network layer firewalls, screened subnet firewalls, packet filter firewalls, dynamic (stateful) packet filtering firewalls, hybrid firewalls, transparent firewalls, and application-level firewalls.

Encryption converts plaintext into unreadable ciphertext. If the encrypted text is stolen or obtained while in transit, the content is unreadable to the viewer. This protects the confidentiality of transmitted data and is extremely useful to companies sending or receiving critical information; note that confidentiality alone does not guarantee integrity or authenticity, which require a message authentication code or an authenticated-encryption mode in addition. Once encrypted information arrives at its intended recipient, decryption restores the ciphertext to plaintext.

Proxy servers hide the true address of the client workstation and can also act as a firewall. Proxy server firewalls have special software to enforce authentication and act as an intermediary for user requests.

Antivirus software such as McAfee and Symantec products locates and disposes of malicious content. These programs run live updates to ensure they have the latest information about known malware.

Logical security includes software safeguards for an organization's systems, including user ID and password access, authentication, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information on a network or a workstation.

Auditing systems track and record what happens on an organization's network. Log management solutions are often used to centrally collect audit trails from heterogeneous systems for analysis and forensics. Log management is effective for tracking and identifying unauthorized users who might be trying to access the network, what authorized users have been accessing, and changes to user authorities. Software that records and indexes user activity within window sessions, such as ObserveIT, provides an audit trail of user activity when connected remotely through terminal services, Citrix and other remote access software.
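The three uses of log management named above, as an added example (not code from the article): detection logic run over constructed syslog-format sshd and sudo lines that flags a burst of failed logins from one source, a successful login that follows such a burst, and a sudo command that changes user authorities. The log lines, the failure threshold and the list of authority-changing commands are assumptions; a real deployment would run the same logic over the centrally collected logs.

```python
"""Detection over authentication logs: repeated failed logins from one source,
a successful login following that burst, and commands that change user authorities.

Added example, not code from the article. The log lines are constructed in
syslog/sshd/sudo format; the threshold and command list are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: an attacker at 203.0.113.5 guesses root's password on the
# fourth try, then a legitimate admin adds another user to the sudo group.
LOG_LINES = [
    "Jun 12 08:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Jun 12 08:01:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2",
    "Jun 12 08:01:06 host sshd[1201]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "Jun 12 08:01:09 host sshd[1201]: Failed password for root from 203.0.113.5 port 51025 ssh2",
    "Jun 12 08:01:15 host sshd[1201]: Accepted password for root from 203.0.113.5 port 51026 ssh2",
    "Jun 12 08:30:11 host sshd[1340]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2",
    "Jun 12 08:31:40 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob",
    "Jun 12 09:02:00 host sshd[1402]: Failed password for bob from 198.51.100.9 port 40200 ssh2",
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")
# Commands that alter who holds what authority (assumed list; extend per platform).
AUTHORITY_CMDS = ("usermod", "gpasswd", "visudo", "useradd")
FAIL_THRESHOLD = 3


def analyze(lines, threshold=FAIL_THRESHOLD):
    """Return (kind, subject, detail) findings in log order."""
    failures = defaultdict(int)   # source IP -> failed login count so far
    findings = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] == threshold:  # report once, when the threshold is crossed
                findings.append(("brute_force", ip, f"{threshold} failed logins"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            # A success from a source that was just brute-forcing is the high-value alert.
            if failures[ip] >= threshold:
                findings.append(("success_after_failures", ip,
                                 f"{user} logged in after {failures[ip]} failures"))
            continue
        m = SUDO_RE.search(line)
        if m:
            actor, cmd = m.groups()
            if any(c in cmd for c in AUTHORITY_CMDS):
                findings.append(("authority_change", actor, cmd.strip()))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(LOG_LINES):
        print(f"{kind:24} {subject:16} {detail}")
```

Counting failures per source rather than per target account is what catches password spraying across many usernames; the single failure for `bob` from a different address stays below the threshold and is correctly ignored. The authority-change rule is the one an auditor would reconcile against approved change tickets.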


Behavioral audit

Vulnerabilities in an organization's IT systems are often not attributable to technical weaknesses but to the individual behavior of employees within the organization. A simple example is users leaving their computers unlocked or falling for phishing attacks. As a result, a thorough InfoSec audit will frequently include a penetration test in which auditors attempt to gain access to as much of the system as possible, from the perspective of both a typical employee and an outsider. A behavioral audit checks that preventive measures are in place, such as phishing awareness training in which employees learn what phishing is and how to detect it. System and process assurance audits combine elements from IT infrastructure and application/information security audits and use diverse controls in categories such as Completeness, Accuracy, Validity and Restricted access (CAVR). (K. Julisch et al., "Compliance by design - Bridging the chasm between auditors and IT architects", Computers & Security 30(6-7): 410-426 (2011).)


Auditing application security


Application security

Application security centers on three main functions:

* Programming
* Processing
* Access

When it comes to programming, it is important to ensure that proper physical and password protection exists around the servers and mainframes used for the development and update of key systems. Having physical access security at one's data center or office, such as electronic badges and badge readers, security guards, choke points, and security cameras, is vitally important to ensuring the security of applications and data. Then one needs security around changes to the system. This usually involves proper security access to make the changes and proper authorization procedures for promoting programming changes from development through test and finally into production.

With processing, it is important that procedures and monitoring are in place for aspects such as the input of falsified or erroneous data, incomplete processing, duplicate transactions and untimely processing. Making sure that input is randomly reviewed, or that all processing has proper approval, is a way to ensure this. It is important to be able to identify incomplete processing and to ensure that proper procedures are in place for either completing it or deleting it from the system if it was entered in error. There should also be procedures to identify and correct duplicate entries. Finally, when processing is not being done on a timely basis, one should back-track the associated data to see where the delay is coming from and identify whether or not this delay creates any control concerns.

Finally, with access, it is important to realize that maintaining network security against unauthorized access is one of the major focuses for companies, as threats can come from a few sources. First, there is internal unauthorized access. It is very important to have system access passwords that must be changed regularly and a way to track access and changes, so that one is able to identify who made which changes. All activity should be logged. The second arena to be concerned with is remote access: people accessing one's system from the outside through the internet. Setting up firewalls and password protection for on-line data changes are key to protecting against unauthorized remote access. One way to identify weaknesses in access controls is to bring in a hacker to try and crack one's system, either by gaining entry to the building and using an internal terminal or by hacking in from the outside through remote access.
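The processing and access controls above (duplicate transactions, incomplete processing, untimely processing, regular password changes, and attributable change logging) are the kind of thing an auditor tests by running checks over system extracts. The following Python script is an added illustration and is not part of the original article; the processing journal, account list, change log, the 2-hour processing deadline and the 90-day password policy are all constructed assumptions chosen so that each check finds exactly one exception.

```python
"""Audit checks for the processing and access controls described above.

Added illustrative example; it is not part of the original article. All
records (processing journal, account list, change log), the 2-hour SLA and
the 90-day password age are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed batch-processing journal: every transaction should produce one
# START record followed by one DONE record.
PROCESSING_LOG = """\
2024-01-10T08:00:00 START txn=1001 user=alice amount=500.00
2024-01-10T08:05:00 DONE  txn=1001
2024-01-10T08:10:00 START txn=1002 user=bob amount=75.00
2024-01-10T08:11:00 START txn=1002 user=bob amount=75.00
2024-01-10T08:30:00 DONE  txn=1002
2024-01-10T09:00:00 START txn=1003 user=carol amount=1200.00
2024-01-10T12:45:00 DONE  txn=1003
2024-01-10T10:00:00 START txn=1004 user=dave amount=40.00
"""

# Constructed extract from the access-control system and its change log.
ACCOUNTS = [
    {"user": "alice", "last_pw_change": "2023-12-01"},
    {"user": "bob", "last_pw_change": "2023-08-15"},
    {"user": "svc_batch", "last_pw_change": "2022-01-01"},
]
CHANGE_LOG = """\
2024-01-10T08:00:00 CHANGE object=payroll_rate user=alice
2024-01-10T08:20:00 CHANGE object=vendor_bank_acct user=
2024-01-10T09:00:00 CHANGE object=gl_mapping user=bob
"""

SLA = timedelta(hours=2)            # assumed processing deadline
MAX_PW_AGE = timedelta(days=90)     # assumed password-rotation policy
AUDIT_DATE = datetime(2024, 1, 10)  # date the review is performed


def parse_log(text):
    """Turn 'timestamp KIND key=value ...' lines into (datetime, kind, fields)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((datetime.fromisoformat(parts[0]), parts[1], fields))
    return events


def audit_processing(events, sla=SLA):
    """Flag duplicate, incomplete and untimely transactions."""
    starts = defaultdict(list)
    done = {}
    for ts, kind, f in events:
        if kind == "START":
            starts[f["txn"]].append(ts)
        elif kind == "DONE":
            done[f["txn"]] = ts
    findings = {"duplicate": [], "incomplete": [], "untimely": []}
    for txn, ts_list in starts.items():
        if len(ts_list) > 1:                  # same transaction started twice
            findings["duplicate"].append(txn)
        if txn not in done:                   # never finished: complete it or back it out
            findings["incomplete"].append(txn)
        elif done[txn] - min(ts_list) > sla:  # finished, but later than the deadline
            findings["untimely"].append(txn)
    return findings


def stale_passwords(accounts, as_of=AUDIT_DATE, max_age=MAX_PW_AGE):
    """Accounts whose password has not been changed within the policy window."""
    return [a["user"] for a in accounts
            if as_of - datetime.fromisoformat(a["last_pw_change"]) > max_age]


def unattributed_changes(text):
    """Change records that cannot be tied to a person (empty or missing user)."""
    return [f["object"] for _, kind, f in parse_log(text)
            if kind == "CHANGE" and not f.get("user")]


if __name__ == "__main__":
    print("processing:", audit_processing(parse_log(PROCESSING_LOG)))
    print("stale passwords:", stale_passwords(ACCOUNTS))
    print("unattributed changes:", unattributed_changes(CHANGE_LOG))
```

Each finding maps to a control question from the text: a duplicate START means the duplicate-entry procedure must be exercised, a missing DONE is incomplete processing to be completed or reversed, a DONE past the deadline is untimely processing to be back-tracked, a stale password violates the rotation rule, and a change with no user defeats the "who made what changes" requirement.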


Summary

An information security audit can be defined by examining the different aspects of information security. External and internal professionals within an institution have the responsibility of maintaining and inspecting the adequacy and effectiveness of information security. As in any institution, there are various controls to be implemented and maintained. To secure the information, an institution is expected to apply security measures to circumvent outside intervention. By and large, the two concepts of application security and segregation of duties are in many ways connected, and they have the same goal: to protect the integrity of the company's data and to prevent fraud. Application security has to do with preventing unauthorized access to hardware and software by having proper security measures, both physical and electronic, in place. Segregation of duties is primarily a review of individuals' access to the systems and processing, ensuring that there are no overlaps that could lead to fraud. The type of audit the individual performs determines the specific procedures and tests to be executed throughout the audit process.
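A segregation-of-duties review of the kind described in the summary is usually performed by comparing each individual's effective access against a catalogue of conflicting duties. The following Python script is an added illustration and is not part of the original article; the conflict matrix, the role-to-duty mapping and the user-to-role extract are constructed assumptions standing in for what an auditor would pull from the access-control system.

```python
"""Segregation-of-duties review: flag users holding conflicting duties.

Added illustrative example; not part of the original article. The conflict
pairs, role definitions and user assignments below are constructed.
"""

# Constructed conflict matrix: pairs of duties one person must not hold together.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"develop_code", "deploy_to_production"}),
}

# Constructed role -> duties mapping (roles are what the access system grants).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "gl_accountant": {"enter_journal"},
    "controller": {"approve_journal", "approve_payment"},
    "developer": {"develop_code"},
    "release_engineer": {"deploy_to_production"},
}

# Constructed user -> roles extract from the access-control system.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},         # creates vendors and approves payments
    "carol": {"gl_accountant", "controller"},  # enters and approves journals
    "dave": {"developer"},
    "erin": {"developer", "release_engineer"}, # writes code and ships it to production
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted through every role the user holds."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   conflicts=CONFLICTING_DUTIES):
    """Map each user to the sorted list of conflicting duty pairs they hold."""
    violations = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= duties]
        if hits:
            violations[user] = sorted(hits)
    return violations


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"{user}: holds both '{a}' and '{b}'")
```

Resolving the duties through roles rather than checking role names directly matters because, as with "controller" above, a single role can carry a duty that only conflicts once it is combined with a second role; a review that only looks at role names would miss that overlap.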


See also

* Computer security
* Defensive computing
* Directive 95/46/EC on the protection of personal data (European Union)
* Ethical hack
* Information security
* Penetration test
* Security breach


References


Bibliography

* Gallegos, Frederick; Senft, Sandra; Manson, Daniel P.; Gonzales, Carol (2004). Technology Control and Audit (2nd ed.). Auerbach Publications. ISBN 0-8493-2032-1.


External links


* Examining Data Centers
* Network Auditing
* The OpenXDAS project
* Information Systems and Audit Control Association (ISACA)
* The Institute of Internal Auditors