Understanding and Conducting Information Systems Auditing + Website
Format: PDF / Kindle (mobi) / ePub
A comprehensive guide to understanding and auditing modern information systems
The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of information system resources. One of the biggest challenges faced by auditors is the lack of a standardized approach and relevant checklist. Understanding and Conducting Information Systems Auditing brings together resources with audit tools and techniques to solve this problem.
Featuring examples that are globally applicable and covering all major standards, the book takes a non-technical approach to the subject and presents information systems as a management tool with practical applications. It explains in detail how to conduct information systems audits and provides all the tools and checklists needed to do so. In addition, it also introduces the concept of information security grading, to help readers to implement practical changes and solutions in their organizations.
- Includes everything needed to perform information systems audits
- Organized into two sections—the first designed to help readers develop the understanding necessary for conducting information systems audits and the second providing checklists for audits
- Features examples designed to appeal to a global audience
Taking a non-technical approach that makes it accessible to readers of all backgrounds, Understanding and Conducting Information Systems Auditing is an essential resource for anyone auditing information systems.
critical since most organizations outsource some critical component of the network to specialized agencies. In the event the outsourcing vendor is noncompliant with the specific requirements of the auditee, a specific exemption must be obtained. This will also call for an added audit test to ensure that no security compromise takes place at the end of the outsourcing agency.
[Figure 2.1: Route Command]
Other Network Controls
allow the reader to refer to the relevant checklist and appreciate its implications. Part Two comprises the following two chapters: Chapter 11: “ISecGrade Auditing Framework”: This chapter explains the process involved in conducting an ISecGrade audit for awarding a security grade to an auditee. A detailed process of the audit, selecting checklists, and drafting the audit report are described. Chapter 12: “ISecGrade Checklists”: This chapter provides one of the most comprehensive information
system:
- Physical and environmental security
  - Access control systems.
  - Fire/flooding/water leakage/gas leakage, and so forth.
  - Assets safeguarding and handling of movement of staff/materials/media/backup/software/hardware/information during disaster.
  - Air-conditioning of data center, humidity control systems.
  - Electrical supply, redundancy of power level, generator, UPS capacity.
  - Surveillance systems of data center.
capacity available before the disaster. Restoration strategy specifies processes that will ensure total resumption of business operations either from the original site or, in the case of a catastrophic disaster, from a new site.
BUSINESS RESUMPTION PLAN AUDIT CHECKLIST
The information systems auditor will review the business resumption plan of the auditee to form an opinion on adequacy and effectiveness of the plan. In order to be able to form an opinion, the information systems auditor may
computing power inclusive of processor, software, storage space, and so on for hire. The user connects to the service through a network, usually based on the Internet. This converts computing from a product-based solution to a service and allows the user to save on procurement cost and have anywhere access.
CLASSIFICATION OF CONTROLS
Controls are central to the idea of an information systems audit. They define a point of action in a work process wherein a decision to select the subsequent action