Key Topics
Requirement
Task:
Perform a web search on recent (in the past 3 years) articles to find an interesting case study, such as news articles in relation to IS risks.
Assuming that you are an IS auditor, prepare an IS audit plan and report to the management of your client.
Solution
Executive Summary
This paper audits the information security risks of a very small business. The audit steps have been followed, and it is recommended that the company adopt cloud computing technology to provide more security.
Along with the above, the company also needs to train its current information technology operator, who has been found to be less experienced in handling the company's current security risk requirements.
The audit report prepared for the company is intended to help the business owner manage the current security risks effectively and efficiently.
Case Background
The case study taken for this IT audit was developed by the SANS Institute InfoSec Reading Room (link in the reference section). It concerns the risk audit of a very small business (SANS Institute InfoSec Reading Room, 2003). This paper, however, focuses on one division of its business areas: the information system. The business is in retail and relies substantially on the online medium to contact customers, receive orders and fulfill them. The business chosen for the audit operates entirely over the internet, and there are similar companies around the world that operate online; it is therefore beneficial to conduct such an audit and understand the loopholes that can arise in terms of security threats. The company has developed an effective customer base for its niche products, and it is imperative for the company to understand and manage its operations effectively to ensure that customers' data and operational information stay secured. This paper conducts an information system audit of the company to understand the various risks that are likely to occur and the measures that should be considered to mitigate them. Prior to developing the audit plan, the objectives for the audit have been developed. Based on the audit plan, the defined procedures will be followed for the complete audit of the company's information system.
IS Risks
Mentioned below are the risks that concern the company's current information system (Janvrin and Bierstaker, 2008). These are the risks that can be expected in the current business:
- Over-reliance on the existing security system: Management perceives that the current security setup does not require any future updates. Such an orientation sometimes leaves the system vulnerable to new and strong viruses.
- System logs are not kept properly: Proper event logging helps the company's information system technician track any security-related issues. Proper logs are therefore imperative for identifying any occurrence of issues.
- Technology development that leaves the security measures behind: Technology has developed fast in recent times, and organizations often fail to implement new technologies as soon as they are launched, for reasons such as a lack of time and money.
- Continuous use of outdated operating systems: Not updating the systems periodically may make them more vulnerable to the external environment.
- Not using encryption for sensitive information.
- Data being handled on vulnerable devices: Use of mobile phones that are not secured with proper software can allow third parties to access sensitive information such as customers' payment details and other personally identifiable information (PII).
- Business owners are not supportive of the technology: Procrastination by the business owners sometimes leads to security issues.
- IT staff are not qualified enough to handle the security measures: Hiring employees who are not proficient in handling online security measures may leave the system vulnerable to external threats.
Audit Objectives
The objectives have been prepared for auditing the information system. The objective of this audit is to identify any vulnerabilities in the system the company is currently using. The objectives are intended to guide the whole audit process.
Audit Plan
The audit plan for the information system should help the auditor in auditing. The plan acts as the guideline that helps the auditor complete the IS audit. Mentioned below are the steps that will be considered while auditing the information system of the business:
- Determining the assets that fall under the information system's purview: Currently the business has eleven computer systems that are used by the staff to operate and manage online order processing and delivery schedules (Otero et al., 2008).
- Determining the intended users of the system: The users are the company's employees and the business owners.
- Identifying the physical setup of the existing system: The system currently uses an in-house server to store data, which appears more vulnerable to security threats because the company is unable to spend the intended amounts on security.
- Identifying the current hardware information: Currently all the computers use an AMD processor with 2 GB RAM each. The internal storage is 100 GB on each computer. Moreover, the central server has 5 TB of storage.
- Identifying the current software information: The company uses the Windows OS on all the computers and the MS Office package for all document-related requirements.
- Determining the knowledge of the business owner: The business owner has an average understanding of the information system implemented in the company. He cannot handle the whole process without assistance.
- Determining the knowledge of the IT operator: The IT operator needs to improve his knowledge, as he lacks sufficient understanding of the critical threats to the system.
- Analyzing the past security records: The company's past security records are bumpy and show that the company invested little time and effort in them.
- Assessing the system improvement requirements: The areas that need improvement are transferring all the information from the in-house server to cloud computing, updating the current antivirus software, and other similar activities.
- Identifying the resources required to procure the improvements: Various vendors should be contacted with the new requirements, and bids should be obtained from them to secure the right deal.
- Preparing the report: The final report contains all the assessments and information defined above.
- Submitting the final report to the business owner: The final report is submitted to the business owner.
The steps mentioned above will help the business owner identify and understand the risks that need to be considered and the changes that need to be made. The audit report will help the owner implement the right updated system.
Audit Procedures
The audit procedures for the developed plan are mentioned below. These steps can be followed to carry out the plan:
- Preparation of the audit scope
- Preparation of threat lists
- Prediction of the future based on the assessment
- Prioritization of the assets and risks
- Implementation of network controls
- Implementation of prevention measures
- Implementation of identity management
- Creation of backups
- Protection measures for emails
- Implementing measures to prevent intrusions
Audit Questions
Mentioned below are the questions that can be asked while auditing the information security of the business:
- What is the difficulty level of the passwords?
- What audit logs have been prepared in the past year?
- What access control lists are available for the network devices?
- When were the audit logs last reviewed?
- Which operating system is being used, and which version is it?
- What are the backup provisions?
- Does the company use any cryptographic technology?
- Does the company have any customized software for the business?
Audit Documents
Mentioned below are the documents that are required for auditing purposes:
- Past IT vulnerability report
- IT hardware and software detail documents
- Periodic hardware and software update reports
Control Recommendations
Based on the above audit of the identified very small business, it is recommended that the first measure to implement is moving all company data to an online system, that is, placing all the information on the cloud. Cloud computing will ensure that there are fewer security risks (Knechel and Payne, 2001). Moreover, the current software systems need to be updated to current versions, and the antivirus software needs to be reinstalled. Along with this, the company needs to train the existing IT operator or hire one who has a thorough understanding of the complete set of IT security measures.
Conclusion
The paper thus concludes that if the company adopts the recommended measures, it will be able to improve its security measures and there will be less threat to its current operations from the external environment. Moreover, the company will be able to ensure that all its data is placed remotely on the cloud, which will keep the hackers away.
References
- Janvrin, D., Bierstaker, J., & Lowe, D. J. (2008). An examination of audit information technology use and perceived importance. Accounting Horizons, 22(1), 1-21.
- SANS Institute InfoSec Reading Room. (2003). A Risk Audit of a Very Small Business. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/casestudies/case-study-risk-audit-small-business-1243
- Otero, A. R., Senft, S., & Gallegos, F. (2008). Information Technology Control and Audit. CRC Press.
- Buchanan, S., & Gibb, F. (1998). The information audit: An integrated strategic approach. International Journal of Information Management, 18(1), 29-47.
- Knechel, W. R., & Payne, J. L. (2001). Additional evidence on audit report lag. Auditing: A Journal of Practice & Theory, 20(1), 137-146.
- Brynjolfsson, E., & Hitt, L. M. (2000). Beyond computation: Information technology, organizational transformation and business performance. The Journal of Economic Perspectives, 14(4), 23-48.