Technology is evolving at an amazing pace and offering vital benefits for businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed-upon, well-suited security audit framework for tackling IT security challenges, and there is no holistic approach to the audit process either. Because of this lack of agreement, it is becoming more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerabilities; risk; and controls.
My recent Journal article proposed 8 audit processes organized in 1 hierarchical framework for understanding and visualizing the security concepts mentioned above.
The following are a few of the benefits of using the framework:
- Provide a common understanding of concepts, definitions and approaches
- Create a common understanding of steps and processes
- Show clearly how the audit is performed
- Help managers follow along with the audit stages
- Facilitate the control follow-up process
- Demonstrate how ontological and hierarchical thinking simplifies tasks
- Increase efficiency and performance
- Improve the ability of auditors and other practitioners in the field to manage the security auditing process
- Build a common base for evaluation, monitoring, reporting, analysis and training
After performing several audits, I find the framework quite helpful. Today, auditors are driven to perform risk-based audits. To identify risk-based auditable areas, they are required to carry out asset valuation, risk measurement and identification of the existing control gaps of the company being audited, which can be a difficult process. The framework presented in my Journal article offers an effective way of thinking about audits.
Read Shemlse Gebremedhin Kassa’s recent Journal article:
“Information Systems Security Audit: An Ontological Framework,” ISACA Journal, volume 5, 2016.