Identifying and Testing Monitoring Requirements

Perhaps one of the most important and beneficial elements of an IT security program for auditors is monitoring. All frameworks include a control objective for regularly assessing and monitoring IT systems and controls. For example, COBIT places a heavy emphasis on monitoring, as defined by the key areas within the framework. COBIT states that continuous monitoring and evaluation of the control environment helps provide answers to the following questions:

  • Is IT performance measured to detect problems before it is too late?

  • Does management ensure that internal controls are effective and efficient?

  • Can IT performance be linked back to business goals?

  • Are adequate confidentiality, integrity, and availability controls in place for information security?

Auditors are trying to answer the same questions. Therefore, auditors should identify the tools already put in place by organizations that they can leverage to help answer these questions. Of course, one of the objectives of most audits, regardless of the IT domain being audited, is to identify and test monitoring requirements. Although organizations might have monitoring solutions in place, it doesn’t necessarily mean that they are monitoring the right things.

In addition, many companies might be monitoring the right things but might not have a process in place to make the data actionable. Computer logs provide a perfect example. Are logs being generated? Is the correct information being captured? Is that information being retained correctly? Are system analysts examining the log data? After analysts examine the data, are any actions taken to deal with the problems identified? Depending upon the maturity of the organization, systems may be in place that manage these events and logs, and even correlate the data to make it more manageable and actionable.
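The five log questions above can be turned into concrete audit tests. The script below is an added example, not from the book or from COBIT: it runs each question as a check over a small set of constructed syslog-style authentication events, with a constructed "action register" standing in for the ticketing system an auditor would normally sample. Host names, user names, addresses, the required-field list, the retention target and the failed-login threshold are all assumptions chosen for the illustration.

```python
"""Added example: an auditor's test of a log-monitoring control.

Walks the questions from the text: are logs generated (gaps in the stream),
is the right information captured (required fields), is it retained (history
available at the audit date), and did analyst review lead to action
(findings with no ticket in the action register).
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumed field list the organization's logging standard requires per event.
REQUIRED_FIELDS = ("host", "user", "event", "result", "src")

# Constructed sample events: "<iso-timestamp> key=value key=value ...".
SAMPLE_LOGS = [
    "2024-02-20T08:00:00Z host=web01 user=alice event=login result=success src=10.0.0.5",
    "2024-02-21T08:05:00Z host=web01 user=bob event=login result=failure src=10.0.0.9",
    "2024-02-21T08:05:10Z host=web01 user=bob event=login result=failure src=10.0.0.9",
    "2024-02-21T08:05:20Z host=web01 user=bob event=login result=failure src=10.0.0.9",
    "2024-02-21T08:05:30Z host=web01 user=bob event=login result=failure src=10.0.0.9",
    "2024-02-28T09:00:00Z host=db01 user=carol event=login result=success",  # src missing
    "2024-02-28T09:30:00Z host=db01 user=dave event=login result=failure src=10.0.0.12",
    "2024-02-28T09:30:05Z host=db01 user=dave event=login result=failure src=10.0.0.12",
    "2024-02-28T09:30:10Z host=db01 user=dave event=login result=failure src=10.0.0.12",
    "2024-02-28T09:30:15Z host=db01 user=dave event=login result=failure src=10.0.0.12",
]

# Constructed action register: user -> evidence that the finding was handled.
ACTION_REGISTER = {"bob": "INC-0001: account locked, reviewed 2024-02-21"}
AUDIT_DATE = datetime(2024, 3, 1)  # assumed date of the audit fieldwork


def parse_line(line):
    """Parse one event into a dict; 'ts' holds the timestamp as a datetime."""
    ts, *pairs = line.split()
    entry = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        entry[key] = value
    return entry


def missing_fields(entries, required=REQUIRED_FIELDS):
    """Is the correct information captured? (index, missing fields) per deficient entry."""
    return [(i, [f for f in required if f not in e])
            for i, e in enumerate(entries) if any(f not in e for f in required)]


def retention_days(entries, now):
    """Is the information retained? Whole days of history available at the audit date."""
    return (now - min(e["ts"] for e in entries)).days


def generation_gaps(entries, max_gap):
    """Are logs being generated? Consecutive timestamps further apart than max_gap."""
    ts = sorted(e["ts"] for e in entries)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]


def repeated_failures(entries, threshold):
    """What review should have surfaced: users with at least `threshold` failed logins."""
    counts = Counter(e["user"] for e in entries
                     if e.get("event") == "login" and e.get("result") == "failure")
    return sorted(u for u, n in counts.items() if n >= threshold)


def unactioned(findings, register):
    """Were identified problems acted upon? Findings with no recorded action."""
    return [u for u in findings if u not in register]


def audit_monitoring(lines, register, now, required_retention_days=30,
                     max_gap=timedelta(days=3), threshold=3):
    """Run every check and return the evidence an auditor would record."""
    entries = [parse_line(line) for line in lines]
    findings = repeated_failures(entries, threshold)
    days = retention_days(entries, now)
    return {
        "incomplete_entries": missing_fields(entries),
        "retention_days": days,
        "retention_ok": days >= required_retention_days,
        "generation_gaps": generation_gaps(entries, max_gap),
        "findings": findings,
        "unactioned_findings": unactioned(findings, register),
    }


if __name__ == "__main__":
    for key, value in audit_monitoring(SAMPLE_LOGS, ACTION_REGISTER, AUDIT_DATE).items():
        print(f"{key}: {value}")
```

On the constructed data the checks produce one entry missing a required field, only nine days of history against an assumed 30-day retention target, one week-long gap in the event stream, and two users with repeated failures of which only one has a recorded action. Each of those is the kind of item the text describes: monitoring may exist, but the evidence shows whether the right things are captured, kept, reviewed and acted upon.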

Identifying and testing whether an organization has implemented a sound program for monitoring provides a lot of the information required by an auditor. Consider the following control objectives suggested by COBIT:

  • Monitor, evaluate, and assess performance and conformance

  • Monitor, evaluate, and assess the system of internal control

  • Evaluate and assess compliance with external requirements

The outputs provided from these objectives are a valuable resource to auditors. Except in situations where these controls are nonexistent, auditors can derive usable data regardless of maturity.
