Information Systems Audit versus Information Security Audit:
Information System Audit (also called Application Security Audit) and Information Security Audit are two tools used to ensure the safety and integrity of information and sensitive data. People often confuse the two and assume they are the same, but there are differences, which this article highlights.
“Information systems audit is a large, broad term that encompasses demarcation of responsibilities, server and equipment management, problem and incident management, network division, safety, security, and privacy assurance, etc. On the other hand, as the name implies, information security audit has a one-point agenda and that is the security of data and information when it is in the process of storage and transmission.”
Here, data must not be taken to mean only electronic data: printed data is equally important, and its security is covered in this audit. The two audits overlap in many areas, which is what confuses many people. However, from a physical point of view, an information systems audit relates to the core, whereas an information security audit relates to the outer circles. Here the core can be taken as the system, servers, storage, and even printouts and pen drives, whereas the outer circles mean the network, firewalls, internet, etc. Looked at from a logical point of view, an information systems audit deals with operations and infrastructure, whereas an information security audit deals with data as a whole.
Note: Do prepare a table of differences between both of them as an assignment
In brief:
What is an Information Security Audit?
A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Application Security Assessments are often used to determine regulatory compliance, in the wake of legislation that specifies how organizations must deal with information.
Some of the purposes of audits are listed below:
An information security audit is an audit of the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly, the controls being audited can be categorized as technical, physical and administrative. According to Ira Winkler, president of the Internet Security Advisors Group, there are three main types of security diagnostics, namely:
Security Audits measure an information system's performance against a list of criteria. A vulnerability assessment, on the other hand, involves a comprehensive study of an entire information system, seeking potential security weaknesses.
Penetration testing is a covert operation in which a security expert tries a number of attacks to ascertain whether or not a system could withstand the same types of attacks from a malicious hacker. In penetration testing, the feigned (simulated) attack can include anything a real attacker might try, such as social engineering. Each of the approaches has inherent strengths, and using two or more of them in conjunction may be the most effective approach of all.
1.3.2 Scope of the Audit
As with any Audit, a risk assessment should be one of the first steps to be completed when examining a new process. The risk assessment will help determine whether the process warrants expending a significant amount of audit resources on the project. The scope of the audit depends on the risk. But even for the high-risk systems, the scope should be limited to testing the critical internal controls upon which the security of the process depends.
The scope of the audit depends upon:
What should be covered in audits? (Given just for reference only)
1.3.4 What makes a good security audit?
The IS Auditing Standards developed and disseminated by the Information Systems Audit and Control Association (ISACA) are already in circulation and can be consulted for further information. A good security audit is part of a regular and comprehensive framework of information security.
A good security audit may likely include the following:
1.3.5 Constraints of a security audit: Time constraints
1.4 Information Security Methodologies (Black-box, White-box, Grey-box)
1.4.1 Need for a Methodology
Audits need to be planned and follow a defined methodology so that they cover the total material risks of an organization. A planned methodology is also important because it clarifies the way forward for everyone in the organization and in the audit teams. Which methodology and techniques are used is less important than having all the participants in the audit approach the subject in the same manner.
Audit methodologies
There are two primary methods by which audits are performed: start with the overall view of the corporate structure and drill down to the minutiae, or begin with a discovery process that builds up a view of the organization. Audit methods may also be classified according to the type of activity; these include three types:
1.4.2 Auditing techniques:
There are various auditing techniques in use:
Examination Techniques are generally conducted manually to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities. These techniques include:
• Documentation review
• Log review
• Ruleset and system configuration review
• Network sniffing
• File integrity checking
Target Identification and Analysis Techniques are testing techniques generally performed using automated tools to identify systems, ports, services, and potential vulnerabilities. The techniques include:
• Network discovery
• Network port and service identification
• Vulnerability scanning
• Wireless scanning
• Application security examination
Target Vulnerability Validation Techniques are testing techniques that corroborate the existence of vulnerabilities; these may be performed manually or with automated tools. These techniques include:
• Password cracking
• Penetration testing
• Social engineering
• Application security testing
Organisations use a combination of these techniques to ensure effectiveness and to meet the objectives of the audit.
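As an added illustration of one of the examination techniques named above, ruleset and system configuration review, the following script (written for these notes, not taken from any audit standard or tool) reviews a constructed firewall ruleset and produces the kind of findings an auditor would record. It assumes first-match-wins evaluation and a simple rule tuple format; the rule names and addresses are constructed sample data.

```python
"""Minimal 'ruleset and system configuration review' (added example).
Reviews a constructed firewall ruleset (first match wins, assumed) and
reports audit findings: overly permissive allow rules, rules shadowed by
an earlier rule, and the absence of an explicit default-deny rule."""
from ipaddress import ip_network

# Constructed sample ruleset in evaluation order (first match wins).
# Fields: name, action, src, dst, proto, port ("any" = wildcard).
RULES = [
    ("allow-web",    "allow", "0.0.0.0/0",     "10.0.1.10/32", "tcp", "443"),
    ("allow-all-in", "allow", "0.0.0.0/0",     "0.0.0.0/0",    "any", "any"),
    ("allow-ssh",    "allow", "10.0.0.0/8",    "10.0.1.10/32", "tcp", "22"),
    ("deny-ssh-dmz", "deny",  "192.168.0.0/16","10.0.1.10/32", "tcp", "22"),
]

ANY_RULE_TAIL = ("0.0.0.0/0", "0.0.0.0/0", "any", "any")

def _covers(outer, inner):
    """True if field value 'outer' (wildcard, CIDR or literal) contains 'inner'."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if "/" in outer or "/" in inner:
        return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))
    return outer == inner

def review_ruleset(rules):
    """Return a list of (rule_name, finding) pairs for the audit report."""
    findings = []
    for i, (name, action, src, dst, proto, port) in enumerate(rules):
        # Finding 1: an allow rule with wildcard source, destination and service.
        if action == "allow" and (src, dst, proto, port) == ANY_RULE_TAIL:
            findings.append((name, "overly permissive: allows any source to any destination on any service"))
        # Finding 2: every packet this rule would match is already handled by an earlier rule.
        for pname, _paction, psrc, pdst, pproto, pport in rules[:i]:
            if (_covers(psrc, src) and _covers(pdst, dst)
                    and _covers(pproto, proto) and _covers(pport, port)):
                findings.append((name, f"shadowed by earlier rule '{pname}' (never matches)"))
                break
    # Finding 3: the ruleset does not end with an explicit default deny.
    if not rules or rules[-1][1] != "deny" or rules[-1][2:] != ANY_RULE_TAIL:
        findings.append(("<end of ruleset>", "no explicit default deny rule at the end"))
    return findings

if __name__ == "__main__":
    for rule, finding in review_ruleset(RULES):
        print(f"{rule}: {finding}")
```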
1.4.3 Security Testing Frameworks:
There are numerous security testing methodologies being used today by security auditors for technical control assessment.
Four of the most common are as follows:
1.4.4 Audit Process:
A successful audit will minimally:
Every successful audit has common properties:
Auditing Security Practices (Reference)
The first step for evaluating security controls is to examine the organization’s policies, security governance structure, and security objectives because these three areas encompass the business practices of security. Security controls are selected and implemented because of security policies or security requirements mandated by law.
Some criteria you can use to compare the service of security against are:
After you have identified the security audit criteria that the organization needs to comply with, the next phase is to perform assessments to determine how well it achieves those goals. A number of assessments are usually required; to decide which are appropriate, refer back to the scope, which defines the boundaries of the audit.
The following are types of assessments that might be performed to test security controls:
1.4.5 Testing Security Technology
There are many terms used to describe the technical review of security controls. Ethical hacking, penetration test, and security testing are often used interchangeably to describe a process that attempts to validate security configuration and vulnerabilities by exploiting them in a controlled manner to gain access to computer systems and networks. There are various ways that security testing can be conducted, and the choice of methods used ultimately comes down to the degree to which the test examines security as a system.
There are generally two distinct levels of security testing commonly performed today:
Vulnerability assessment:
Read More https://veegent.com/application-security-audit/