Information security audits cover many different objectives.
The most common categories are administrative, physical and technical, and together they cover everything from physical security to logical security.
The audits check that the systems in place are all working as they should be and highlight any areas where improvements or changes should be made.
While some people believe that Information Security covers just IT, it should be remembered that it covers so much more.
To begin with, the auditor must be sufficiently knowledgeable about the business and its activities.
He or she must meet with IT management to discuss any areas of concern, as well as checking over the current organization chart.
All job descriptions must be reviewed and all of the operating systems and software applications must be fully researched, along with the equipment that powers the data center.
All security policies and procedures must be checked and the budget and system planning documents and policies checked and evaluated.
Lastly, the disaster recovery plan, particularly for the data center, has to be reviewed to ensure it covers everything it should.
Next the auditor will lay out their objectives. They will take a lot of different factors into account, and will review the following:
- Procedures and responsibilities for all personnel, including all cross-functional training and systems training
- That there are change management procedures in place and that these are followed properly by management and IT personnel
- That the data center is adequately secured physically to ensure that unauthorized access cannot happen
- That there are proper procedures for backups in place to prevent data from being lost and to cut down on downtime
- That there are sufficient environmental controls to ensure that all equipment is fully protected from flood or fire
During the audit, the auditor will observe all processes, especially in the data center, and will check that the following procedures are being followed:
- All authorized data center personnel have the correct access rights and that they are educated about the equipment and the security procedures
- Vendor service personnel must be supervised by authorized employees when they work on data center equipment
- All of the data center equipment and all other controls to protect information are working as they should be and not damaged or defective in any way.
- All policies and procedures are correctly documented and can be found at the data center. This includes job descriptions of data center staff, any backup policies, employee termination policies, security policies, operating procedures and operating system overviews. All staff should be aware of these policies and where they can find them
- The physical security should be adequate and should include the likes of equipment affixed so that it cannot be removed, security guards, provisions for authorized personnel to be accompanied at all times in the data center, computer monitoring systems, single monitored entrances, etc.
- Environmental controls should be in place to protect the equipment, such as air conditioning, humidifiers, raised flooring and an uninterruptible power supply
- There should be backup procedures in place in the event of system failure, such as a backup data center stored at another location
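One concrete form of the "correct access rights" check above, added here as an example and not part of the original article: reconcile an access-control export of data-center door grants against the HR roster and the roles whose job descriptions justify data-center access, so that orphaned accounts, grants that outlive a termination, and grants not supported by a job role are surfaced for the report. The roster, grants, role set and dates are constructed sample data.

```python
# Added example (not from the original article): an access-review reconciliation
# of the kind an auditor performs for the "correct access rights" and employee
# termination items. All names, roles and dates below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    terminated_on: Optional[date]  # None while still employed

# Roles whose job description includes data-center access (assumption for the example).
DATA_CENTER_ROLES = {"dc-operator", "facilities-engineer", "security-guard"}

def review_access(grants, roster, as_of):
    """Return a dict of findings keyed by user_id; each value lists (door, reason).

    grants: iterable of (user_id, door) pairs exported from the access-control system.
    roster: iterable of Employee records from HR.
    as_of:  the audit date, used to decide whether a termination has taken effect.
    """
    by_id = {e.user_id: e for e in roster}
    findings = {}
    for user_id, door in grants:
        emp = by_id.get(user_id)
        if emp is None:
            reason = "not on HR roster (orphaned account)"
        elif emp.terminated_on is not None and emp.terminated_on <= as_of:
            reason = f"terminated on {emp.terminated_on.isoformat()} but access still active"
        elif emp.role not in DATA_CENTER_ROLES:
            reason = f"role '{emp.role}' does not require data-center access"
        else:
            continue  # grant is justified by role and employment status
        findings.setdefault(user_id, []).append((door, reason))
    return findings

# Constructed sample inputs.
SAMPLE_ROSTER = [
    Employee("u100", "dc-operator", None),
    Employee("u101", "accounts-payable", None),
    Employee("u102", "facilities-engineer", date(2024, 3, 31)),
]
SAMPLE_GRANTS = [("u100", "dc-floor"), ("u101", "dc-floor"),
                 ("u102", "dc-floor"), ("u103", "dc-loading-bay")]

if __name__ == "__main__":
    for user, items in review_access(SAMPLE_GRANTS, SAMPLE_ROSTER, date(2024, 6, 1)).items():
        for door, reason in items:
            print(f"{user}\t{door}\t{reason}")
```

Run against the sample data on an audit date of 2024-06-01, the check reports u101 (role does not require access), u102 (terminated but still active) and u103 (not on the roster), while u100's grant is accepted.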
The audit report should summarize the findings of all of these checks and communicate the results to the management team.
There should also be procedures in place to protect information on BYOD devices, full training and policies in place advising staff of the consequences of leaking information, and full backup procedures in place for every computer and technical device in the enterprise.