Incorporating the Security Assessment into the Overall Audit Validating Compliance Process

The section “Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains” listed some security assessment techniques. These techniques help determine the feasibility of a successful attack against organizational resources. A security assessment is a component of a full IT security audit. Despite the technically focused nature of security assessment methods such as penetration testing and vulnerability assessments, they are not substitutes for an internal audit of IT security. An audit should also include a risk assessment and pay particular attention to internal controls.

The overall process of validating compliance should take a more holistic view. A penetration test, for example, reveals only the limited set of vulnerabilities that were actually exploited during the engagement and says nothing about the ones that were not. As a result, these tools and methods should complement the overall audit process rather than replace it.

ISACA produces a series of auditing standards, guidelines, and procedures for information systems auditors. ISACA guidance includes an approach to assess the existing system and infrastructure environment through analysis of the audits performed across the COBIT framework. Several types of information are often collected:

  • Security requirements and objectives

  • System or network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected

  • Information available to the public or accessible from the organization’s website

  • Physical assets, such as hardware, including those in the data center, network, and communication components and peripherals (e.g., desktops, laptops, PDAs)

  • Operating systems, such as PC and server operating systems, and network management systems

  • Data repositories, such as database management systems and files

  • A listing of all applications

  • Network details, such as supported protocols and network services offered

  • Security systems in use, such as access control mechanisms, change control, antivirus, spam control, and network monitoring

  • Security components deployed, such as firewalls and intrusion detection systems

  • Processes, such as a business process, computer operation process, network operation process, and application operation process

  • Identification and authentication mechanisms

  • Government laws and regulations pertaining to minimum security control requirements

  • Documented or informal policies, procedures, and guidelines

A holistic view of the IT infrastructure cannot be produced through a single audit. Rather, it is an accumulation of audits over time. The ISACA guidance provides a framework for organizing the collected audit material into a single comprehensive opinion of the overall health of the IT infrastructure.

In many situations, an information systems auditor might not have the skills necessary to perform a security assessment. Additionally, there might be other limitations or constraints that prevent the auditor from performing such a technical analysis. In such situations, the auditor might consider using the work of other experts. The expert can be internal or external to the organization as long as independence and objectivity are preserved. Examples of experts provided by ISACA include the following:

  • An information system auditor from an external accounting firm

  • A management consultant

  • An IT expert or expert in the area of audit who has been appointed by top management or by the information systems audit team

The auditor should determine that the expert’s work is relevant to the audit objectives. The auditor should also obtain a letter indicating that he or she has the right to access the results from the work of others. Before incorporating the results of an assessment into the audit, the auditor should review all supporting documents and reports. This includes determining that the assessment supports the audit objectives. Where the assessment does not cover evidence the audit requires, the auditor should conduct additional testing to obtain that supporting audit evidence.
