Sat May 17 10:29:53 PDT 2014

Management: Auditing: How should audits be managed within information protection?


Options:

Audit management options:

Issue Yes/No
Audit is used to verify the proper operation of the protection program.
Internal audits are scheduled with frequency based on risk levels.
External audits are used to verify internal audits are working correctly.
Audit requirements include regulatory and other external mandates.
Audit management

Decisions:

Describe how audits should be managed starting with the approach below.

Issue Yes/No
Audit is used to verify the proper operation of the protection program. Yes
Internal audits are scheduled with frequency based on risk levels. See table below
External audits are used to verify internal audits are working correctly. Yes
Audit requirements include regulatory and other external mandates. Yes
Risk Frequency
Low Annually on a statistical basis
Medium Quarterly
High Monthly
How audits are managed

Basis:

Internal audit processes: assure that operations meet internal requirements. This typically involves audit staff and a cyclical process that assures that high valued systems are revisited often while lower valued systems are covered consistent with their value.

External audit processes: act as independent verifications that operations are as they are supposed to be and also act to assure that internal audit is effectively doing its job.

Periodicity: for audits is a nontrivial matter with audit periods determined by risks, costs, resources, and time and cost to audit. Random audits, surprise audits, regular audits, and other time-related issues all fall under this broad category.

Standards: are typically what audits compare realities to. Auditors are generally tasked with relating performance to a standard so that a consistent basis for opinions can be used and comparisons can be done over time and between systems and organizations. It is normal to use the same standards for protection as are used for audit so that the audit provides reconcilable feedback on the adequacy of the program in meeting the standards set for it. The global standard for auditing information technology is CoBIT.

Coverage: expresses the extent to which audit processes cover the set of things that could possibly be checked in an audit. It acts as a metric on the audit itself as well as a means to evaluate the value of the audit. An audit that is passed but only covers an unimportant subset of the issues or systems at hand is not a very good reflection of the situation and has little utility.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved