24-01-2013, 12:01 PM
AUDIT AND SECURITY OF COMPUTER SYSTEMS
INTRODUCTION
Every business process can experience events that hamper, and in some cases stop, the normal operations of the business. Even the best-designed system cannot prevent a natural disaster. In today’s ever-changing world of information assurance and network security, it can become extremely difficult to keep up with the latest vulnerabilities, viruses, patches, trends, technology, hacker behaviours and activity. It is easy for the information systems security professional to get caught up in the logical aspects of security such as reviewing log files, making configuration changes, troubleshooting, and other technical duties.
OBJECTIVES
After going through this unit, you should be able to:
• control, assess and monitor your organization’s information and business systems;
• know the factors that are looked into during an audit;
• learn about CAATs (Computer Assisted Audit Techniques);
• apply information system architecture;
• recover information systems from disasters.
DEFINITION OF AUDIT
This is an assessment of an information system performed by an information systems professional or IS auditor to provide recommendations and advice to improve system performance and security. An audit should be done regularly and the results should be used to refine the system.
IS auditors are the people who make sure that the system does what it is supposed to do. Although the audit can be carried out by an internal team of IT professionals, it is advisable that it is carried out by external auditors, as they are neither stakeholders nor friendly with the stakeholders. Above all, there is nothing like an unbiased opinion.
Responsibility and Authority of the System Auditor
The system auditor shall make the basis for each of his or her assessments clear. The system auditor may demand data and materials from the division being audited. The system auditor may also demand that the head of the organization issue a report on the implementation of the improvements suggested for an audited division.
The system auditor shall firmly maintain professional ethics as an impartial evaluator. The system auditor shall be aware of the ethical demands on himself or herself and shall earn internal and external trust by performing an accurate and sincere system audit.
AUDIT OF TRANSACTIONS ON COMPUTER
Audit can broadly be of two types, namely auditing manual processes and auditing through the computer. Auditing through the computer is important for establishing the accuracy and integrity of information system output. This type of audit is done by an information systems expert and uses test data to check the adequacy and accuracy of the control mechanisms built into the system.
Audit of Computer Security
Computer security involves both physical and logical security. Physical security involves restricting physical access to the computing resources by unauthorized persons. Logical security involves restricting the use of computing resources by unauthorized persons through logical control mechanisms (e.g. password protection). The audit of computer security involves a review of the physical and logical security measures. The audit also includes a review of the parameters, plans, practices and policies that the organization has developed and implemented over its computer resources, and of how the security measures are followed for computers, networks and data communication.
COMPUTER ASSISTED AUDIT TECHNIQUES
Auditors use various types of automated audit software to carry out an IS audit. The use of Computer Assisted Audit Tools (CAATs) should be controlled by the IS auditor to provide reasonable assurance that the audit objectives and the detailed specifications of the CAATs have been met. There are two major types of CAATs, namely audit software and test data.
Audit Trail
An audit trail is a log of changes made to data, settings and related items. A security subsystem should maintain detailed logs of who did what and when, and also of any attempted security violations. The availability of this log is extremely valuable: it provides the information the system auditor needs to determine who initiated a transaction, the time of day, the date of entry, the type of entry, the fields of information that were affected and the terminal used.
The system log should be analyzed to provide detailed information on all normal and abnormal transactions during each processing period. System access and attempted access violations can be logged automatically by the computer and reported for checking and review. A listing of terminal addresses and locations can be used to look for incorrectly logged, missing or additional terminals.
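As an added illustration (not from the original notes), the following Python script analyses a small constructed audit trail in the way the two paragraphs above describe: it picks out repeated attempted access violations, compares the terminals that appear in the log against an assumed listing of authorised terminals to find additional or missing ones, and lists the successful data changes with who, when, what and where. The log format, field names and terminal list are all assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample audit trail (not from the original page). Each entry records
# who, when, the type of entry, the fields affected, the terminal used and whether
# the access was accepted (OK) or refused (DENIED).
SAMPLE_LOG = """\
timestamp,user,entry_type,fields,terminal,outcome
2013-01-24T09:02:11,asmith,UPDATE,customer.balance,T-101,OK
2013-01-24T09:05:40,bjones,READ,payroll.salary,T-102,DENIED
2013-01-24T09:06:02,bjones,READ,payroll.salary,T-102,DENIED
2013-01-24T09:06:15,bjones,READ,payroll.salary,T-102,DENIED
2013-01-24T11:30:55,cwong,DELETE,customer.record,T-999,OK
2013-01-24T17:45:03,asmith,UPDATE,customer.balance,T-101,OK
"""

# Assumed listing of authorised terminal addresses and their locations (constructed).
KNOWN_TERMINALS = {"T-101": "Accounts office", "T-102": "HR office", "T-103": "Branch 2"}


def parse_log(text):
    """Read the CSV audit trail into a list of dicts, one per log entry."""
    return list(csv.DictReader(io.StringIO(text)))


def access_violations(entries, threshold=3):
    """Users whose access attempts were refused at least `threshold` times, with the
    count, so that repeated violations stand out from one-off mistakes."""
    refused = Counter(e["user"] for e in entries if e["outcome"] == "DENIED")
    return {user: n for user, n in refused.items() if n >= threshold}


def terminal_discrepancies(entries, known):
    """Compare terminals seen in the log with the known-terminal listing: 'additional'
    terminals are logged but not listed, 'missing' ones are listed but never logged."""
    seen = {e["terminal"] for e in entries}
    return {"additional": sorted(seen - set(known)), "missing": sorted(set(known) - seen)}


def sensitive_changes(entries, entry_types=("UPDATE", "DELETE")):
    """Successful entries that altered data, with who/when/what/where, which is what
    the auditor needs to trace a transaction back to its origin."""
    return [(e["timestamp"], e["user"], e["entry_type"], e["fields"], e["terminal"])
            for e in entries if e["entry_type"] in entry_types and e["outcome"] == "OK"]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("repeated refusals:", access_violations(entries))
    print("terminal discrepancies:", terminal_discrepancies(entries, KNOWN_TERMINALS))
    for change in sensitive_changes(entries):
        print("change:", change)
```

On the sample data the script reports bjones for three refused reads of the payroll field, T-999 as a terminal absent from the listing and T-103 as a listed terminal that never logged anything.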
COMPUTER SYSTEM AND SECURITY ISSUES
Security is an important issue for modern IT systems. Even though technology provides immense possibilities for safeguarding an organization’s computing infrastructure, there have been security lapses and breaches that have cost organizations heavily. System administrators and security administrators have spent sleepless nights safeguarding their organization’s data and computing infrastructure. One can think of organizations such as airlines, railways and banks, which are heavily dependent on their computing infrastructure and for which the unavailability of a system for even a few hours can create havoc. Organizations cannot afford to underestimate the security issues that can affect their business operations.