Information Security Audit (Cyber Plus, Incorporated's IS Audit Process)
Cyber Plus' objective in performing an IS audit is to provide your company with a statement of assurance (the audit report) that your business processes supported by information technology are controlled, monitored, and adequately assessed.

Cyber Plus auditors collect and evaluate evidence to determine whether your systems and related resources adequately safeguard your information assets, maintain integrity, and have in effect internal controls that provide reasonable assurance that your objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.

Our auditors complete the following series of steps and processes to assure that your mission-critical information is reliable, confidential, secure and available when needed.
- We start by developing and implementing a risk-based audit strategy, based on company goals and objectives.
  To develop an adequate strategy the Cyber Plus auditor will:
  - gain an understanding of the company's business mission, business objectives, business purpose, and business processes
  - identify policies, standards, guidelines, procedures, and organization structure
  - evaluate any privacy impact analysis carried out by management
    Regulated industries are highly concerned about privacy. Cyber Plus auditors are prepared to:
    - identify the nature of personally identifiable information associated with business processes
    - document the collection, use, disclosure and destruction of personally identifiable information
    - provide management with a tool to make informed policy regarding privacy risk and options for mitigating that risk
    - ensure that accountability for privacy issues exists
  - perform a risk analysis to identify risks and vulnerabilities so that the auditor can determine the controls needed to mitigate those risks
    As part of the risk analysis the Cyber Plus auditor will:
    - identify business objectives, information assets, and the underlying systems/information resources
    - perform a risk assessment to identify risks and determine the probability of occurrence, the resulting impact and additional safeguards that would mitigate this impact to a level acceptable to management
  - identify controls for mitigating identified risks
    The auditor will perform this assessment based on a cost-benefit analysis:
    - cost of the control compared to the benefit of minimizing the risk
    - management's appetite for risk (e.g., level of acceptable residual risk)
    - preferred risk-reduction methods (e.g., terminate the risk; minimize the probability; minimize the impact; or transfer the risk [e.g., buy insurance])
  - conduct an internal control review.
    Controls might include:
    - preventative controls
      - using access control software for authorization to sensitive files
      - employing only qualified personnel
      - segregating duties
      - etc.
    - detective controls
      - hash totals
      - duplicate checking of calculations
      - periodic performance reporting with variances
      - etc.
    - corrective controls
      - contingency planning
      - backup procedures
      - rerun procedures
      - etc.
  - set the audit scope and audit objectives
  - develop the audit strategy (approach)
  - assign personnel resources to the audit
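A worked illustration of the cost-benefit step above, added here and not part of Cyber Plus' own process or materials: the risk, the candidate controls, their figures and the appetite are constructed, and the four risk-reduction methods the text lists (terminate, minimize the probability, minimize the impact, transfer) are modelled as factors applied to probability and impact.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    probability: float  # estimated annual likelihood the event occurs (0..1)
    impact: float       # loss if it occurs, in currency units

@dataclass
class Control:
    name: str
    treatment: str        # terminate / minimize probability / minimize impact / transfer
    cost: float           # annual cost of operating the control
    prob_factor: float    # residual probability as a fraction of the original (0 = eliminated)
    impact_factor: float  # residual impact as a fraction of the original

def expected_loss(risk: Risk, control: Optional[Control] = None) -> float:
    """Annual expected loss (probability x impact), before or after a control."""
    if control is None:
        return risk.probability * risk.impact
    return risk.probability * control.prob_factor * risk.impact * control.impact_factor

def choose_control(risk: Risk, controls: list[Control], appetite: float) -> Optional[Control]:
    """Pick the control with the best net benefit that (a) brings residual loss
    within management's appetite and (b) costs no more than the loss it removes.
    Returns None when no control qualifies, i.e. management must accept the risk
    or look for other options."""
    inherent = expected_loss(risk)
    best, best_net = None, 0.0
    for c in controls:
        residual = expected_loss(risk, c)
        benefit = inherent - residual
        if residual <= appetite and c.cost <= benefit and benefit - c.cost > best_net:
            best, best_net = c, benefit - c.cost
    return best

# Constructed sample register: illustrative figures, not from any real audit.
RANSOMWARE = Risk("ransomware on file server", probability=0.2, impact=500_000)
CANDIDATES = [
    Control("offline backups", "minimize impact", cost=15_000, prob_factor=1.0, impact_factor=0.2),
    Control("endpoint detection", "minimize probability", cost=40_000, prob_factor=0.25, impact_factor=1.0),
    Control("cyber insurance", "transfer", cost=25_000, prob_factor=1.0, impact_factor=0.5),
    Control("decommission server", "terminate", cost=200_000, prob_factor=0.0, impact_factor=1.0),
]
APPETITE = 30_000  # acceptable residual annual loss, as set by management

if __name__ == "__main__":
    pick = choose_control(RANSOMWARE, CANDIDATES, APPETITE)
    print(f"inherent loss {expected_loss(RANSOMWARE):,.0f}; chosen: {pick.name if pick else 'accept risk'}")
```

Note that the "terminate" option is rejected here purely on cost, and "transfer" purely on appetite; tightening the appetite to 10,000 leaves no qualifying control, which is the case the auditor has to escalate to management.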
- We plan specific audits that will ensure that the IS audit strategy and objectives are achieved.
  - Router audit
  - Firewall audit
  - VPN audit
  - Security policy audit
  - Remote-access policy audit
  - Asset Management audit
  - Human Resources Security Management audit
  - Wireless audit
- We identify reportable conditions and reach conclusions by analyzing all of the information gathered.
  Determining the materiality of audit findings is the assessment of what would be significant to different levels of management.
- To provide reasonable assurance that objectives have been achieved we review all the work performed.
  Because our conclusions are based on a holistic view of the audited environment in light of industry-defined best practices, we review all work performed and consider all reportable findings prior to submitting an audit report. This allows our auditors to reach reasonable conclusions regarding the overall wellness of mission-critical information in addition to highlighting areas for isolated improvement.
- We communicate the audit results to key managers and stakeholders.
  Cyber Plus uses a flexible approach in presenting audit results to key managers and stakeholders, based on the needs, size and goals of the audited entity.
  Typically, audit results are communicated in an exit interview as follows:
  - Cyber Plus' IS auditors discuss the audit findings among themselves and with the entire audit team to ensure completeness, accuracy, and relevance of the audit report
  - our auditors discuss the relevant findings with the audited entity's management staff prior to communicating results to senior management
    - to gain agreement on the findings
    - to develop a course of corrective action
  - the audit report typically includes:
    - an executive summary
    - a review of the audit objectives, scope, and nature and extent of audit procedures
    - our overall conclusion and opinion on the adequacy of controls and procedures
    - our reservations or qualifications
    - a detailed list of audit findings and recommendations
- We facilitate and monitor the implementation of risk management and control practices within the organization.