CourseLover

Category > Programming Posted 13 Jul 2017 My Price 10.00

Taylor and Michael, critical analysis help

Please focus more on content

Paper 1 – Taylor

 

Performing audits on the IT policy systems of Red Clay Renovations is very important. The purpose of an IT policy system audit is an “audit of how the confidentiality, availability and integrity of an organization's information is assured” (Hayes, Paragraph 1). The IT policy should ensure that the confidentiality, availability, and integrity of the system are protected, and the audit is a way to make sure that is true. An IT policy audit differs from penetration testing because it focuses on the entire system and not just specific vulnerabilities. In Bill Hayes’ article “Conducting a Security Audit” he states, “a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site” (Hayes, Paragraph 3). Penetration testing is defined as “an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities” (What is Penetration Testing?, www.coresecurity.com).

The person who is chosen to perform the audit is also very important. The person performing the audit should be external to Red Clay Renovations and a cybersecurity professional (Fennelly, IT Security Auditing). Hiring an external auditor ensures that the process is ethical and the auditor won’t be biased. The auditor should have a good combination of valid certificates and credentials as well as real auditing experience.

The audit should be performed during peak business hours and should not interrupt regular business from being performed. The auditor will perform their audit using checklists and also prior knowledge to evaluate the system. The audit should be performed one system at a time; in Red Clay’s situation, one location at a time. This is to keep each system separate, and it only makes sense to do it this way because Red Clay Renovations has different System Security Plans for each system/office. After the auditor is done, they may need to take the collected data back to their office for analysis, and then they will deliver an audit report which outlines any findings during the audit (Hayes, Paragraph 15). These audits should be performed once a year at a minimum, in order to ensure the security of the systems of Red Clay Renovations is not compromised.

References:

Fennelly, C. (n.d.). IT security auditing: Best practices for conducting audits. Retrieved July 19, 2016, from http://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits

Hayes, B. (2003, May 26). Conducting a Security Audit: An Introductory Overview. Retrieved July 19, 2016, from http://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview

Penetration Testing Overview. (2016). Retrieved July 19, 2016, from https://www.coresecurity.com/penetration-testing-overview

 

Paper 2 – Michael

 

Introduction

Information security awareness audits, conducted at the employee level, are critical enterprise tools useful towards keeping compliance programs as error-free as possible. When conducted internally, they go a long way towards reducing the stress of more formal, externally-generated audits. Because of the inherent stress and strain normally associated with such probing examinations, in order to maintain acceptable levels of organizational continuity, a detailed plan that specifies the who, what, when, where, and how of the audit plan will help ease the difficulties likely to be encountered and ensure minimal disruption. The following sections will break down the individual components of an IT Security Awareness audit.

Personnel and Audit Methods

     Whether internally or externally, audits are carried out by selected and trained personnel who conduct the organizational review to ensure that the correct and most up-to-date processes and infrastructure are being applied. This team will also administer a series of tests which will guarantee information security assets meet all expectations and requirements within the organization (ISACA, 2016).

Audit Focus

      Effectively auditing and evaluating employee awareness of IT security protocols requires not only deep expertise in IT security and up-to-date knowledge of regulatory details, but an in-depth analysis of usage practices by the employees as well. This overall assessment will help the enterprise management by focusing on:

  • Information Security Management—Processes associated with governance, policy, monitoring, incident management and management of the information security function
  • Information Security Operations Management—Processes associated with the implementation of security configurations
  • Information Security Technology Management—Processes associated with the selection and maintenance of security technologies

 

Frequency of Audits

Because the pace of technology change is not always in tandem with business operational changes, best practice recommendations indicate a yearly security assessment by an objective third party as being necessary towards ensuring that security guidelines are followed (Fennelly, 2016). Randomly scheduled internal audits are equally helpful in order to prepare for the formal assessments.

Audit Locations

Assessment teams should be well prepared with documentation including policies, procedures and checklists that define and/or support IT controls. The interviews and walkthroughs, which are conducted with key personnel from the organization, are coordinated at locations so as not to disrupt normal business operations (TraceSecurity, 2016). These performance assessments will validate adherence to the enterprise policies and procedures, as well as corroborating the practices described during the interview process (TraceSecurity, 2016).

Conclusion

IT security audits involve the examination of practices, procedures, technical controls, personnel, and other resources that are leveraged to manage security risks while assuring adherence to appropriate best practices and IT security mandates. It is imperative that a significant emphasis of such assessments is placed on employee awareness, as they represent the most valuable enterprise resource.

References

Fennelly, C. (2016). IT security auditing: Best practices for conducting audits. Retrieved from TechTarget: http://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits

ISACA. (2016). Information Security Management Audit/Assurance Program. Retrieved from ISACA Knowledge Center: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx

TraceSecurity. (2016). IT Security Audit. Retrieved from Trace Security: https://www.tracesecurity.com/services/it-security-audit

 

 

Answers

Status NEW Posted 13 Jul 2017 03:07 PM My Price 10.00

Hello Sir/Madam Thank You for using our website and acquisition of my posted solution. Please ping me on chat I am online or inbox me a message I will
