ISACA Journal Author Blog

Framework for Protecting Your Valuable IT Assets

Shemlse Gebremedhin Kassa, CISA, MSCS
Published: 9/26/2016 3:11 PM

Technology is evolving at an amazing pace and offering vital benefits for businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed-upon and well-suited security audit framework for tackling IT security challenges, and there is also no holistic approach to the audit process. Because of this lack of agreement, it is getting more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerability; risk; and control.

My recent Journal article proposed 8 audit processes in 1 hierarchical framework to understand and design visualizations on the previously mentioned security concepts.

The following are a few of the benefits of using the framework:

  • Provide a common understanding on concepts, definitions and approaches
  • Create a common understanding of steps and processes
  • Clearly show how you perform the audit
  • Help managers follow along with the audit stages
  • Facilitate the control follow-up process
  • Demonstrate how ontological and hierarchical thinking simplifies tasks
  • Increase efficiency and performance
  • Improve the skills of auditors and people in the area to manage the security auditing process
  • Build a common base for evaluation, monitoring, reporting, analyzing and training

After performing several audits, I find the framework quite helpful. Today, auditors are driven to perform risk-based audits. To identify risk-based auditable areas, they are required to carry out asset valuation, risk measurement and identification of the existing control gap of the company being audited, which can be a difficult process. The framework presented in my Journal article can help provide an effective framework for thinking about audits.

Read Shemlse Gebremedhin Kassa’s recent Journal article:
“Information Systems Security Audit: An Ontological Framework,” ISACA Journal, volume 5, 2016.


Critical Framework

In getting into current complex IT auditing activities, having a framework like the one proposed in this article is critical. Hope the proposed framework will be enriched by subject matter expertise and standardized for application. One of the issues in achieving security objective (Preliminary Audit Assessment) would be better if elaborated more for the applicable model of maturity level, as this step is basic for resource allocation.

Sebleab at 10/3/2016 3:21 AM