Information security audit as the basis for effective enterprise protection: the stages of the work, what the tests provide, and reasons to entrust the audit to our company

Many business owners try to keep their company's affairs secret. In an age of high technology this is quite difficult to do. Almost everyone tries to protect themselves from leaks of corporate and personal information, but it is no secret that a professional will have little difficulty obtaining the data they need. At present there are quite a few methods of protecting against such attacks. But to check how effective such a security system is, an information security audit must be conducted.

What is an audit?

According to the Federal Law "On Auditing", an audit includes different methods and techniques, as well as the practical performance of checks. With regard to the information security of an enterprise, it is an independent assessment of the state of the system and of the level of its compliance with the established requirements. Examinations are carried out on accounting and tax reporting, economic support, and financial and economic activities.

What is such a check for?

Some consider such activities a waste of money. However, by identifying problems in this area in time, far greater economic losses can be prevented. The objectives of an information security audit are as follows:

  • determining the level of protection and bringing it up to the required level;
  • settling the financial side of ensuring the organization's confidentiality;
  • demonstrating the feasibility of investing in this area;
  • getting the maximum benefit from security spending;
  • confirming the effectiveness of internal resources and means of control, and how they are reflected in the conduct of the business.

How is information security audited in an enterprise?

A comprehensive information security audit takes place in several stages. The process is divided into an organizational part and an instrumental part. Within both parts, the security of the customer's corporate information system is studied, and then its compliance with the established norms and requirements is determined. An information security audit is divided into the following stages:

  1. Determination of customer requirements and the scope of work to be performed.
  2. Study of necessary materials and drawing conclusions.
  3. Analysis of possible risks.
  4. Expert opinion on the work done and the issuance of an appropriate verdict.


What is included in the first stage of an information security audit?

An information security audit program begins precisely with specifying the scope of work required by the customer. The client states their view and the purpose for which they requested an expert assessment.

At this stage, verification of the general data provided by the customer begins. The methods to be used and the planned set of activities are described.

The main task at this stage is to set a specific goal. The client and the organization conducting the audit must understand each other and reach a common view. After that, a commission is formed, into which the appropriate specialists are selected. The required terms of reference are also agreed with the customer separately.

It would seem that this exercise should only describe the state of the system that protects against information attacks. But the final results of the check may vary. Some customers want complete information about the operation of their company's security tools, while others are only interested in the efficiency of individual information technology lines. The choice of assessment methods and means depends on these requirements. The goal setting also affects the further course of the expert commission's work.

The working group consists of specialists from two organizations: the firm performing the audit and employees of the audited organization. Indeed, it is the latter who, like no one else, know the intricacies of their institution and can provide all the information necessary for a comprehensive assessment. They also exercise a kind of control over the work of the executing company's employees. Their opinion is also taken into account when presenting the results of the check.

Experts from the firm conducting the enterprise information security audit study the relevant subject areas... Having the appropriate level of qualification, as well as an independent and unbiased opinion, they are able to assess the state of the security tools more accurately. The experts carry out their activities in accordance with the planned work plan and assigned tasks. They develop the technical processes and agree on the results obtained.

The terms of reference clearly set out the goals of the auditor's work and determine the methods of carrying it out. They also spell out the timing of the audit; each stage may even have its own period.

At this stage, contact is also established with the security service of the audited institution. The auditing firm undertakes not to disclose the results of the audit.

How is the second stage implemented?

At the second stage, an enterprise information security audit consists of a detailed collection of the information necessary for the assessment. To begin with, the general set of measures aimed at implementing the privacy policy is considered.

Since most data is now duplicated in electronic form, or the company conducts its activities entirely with the help of information technology, the software is also examined... Physical security is also analyzed.

At this stage, specialists review and evaluate how information security is maintained and audited within the institution. For this, the organization of the protection system's operation is analyzed, as well as the technical capabilities and the conditions under which it is provided. Special attention is paid to the last point, since fraudsters most often find holes in the protection precisely through its technical part. For this reason, the following points are considered separately:

The enterprise information security audit at this stage ends with a summary of the results of the work done, presented in the form of a report. These documented conclusions form the basis for the subsequent stages of the audit.

How are possible risks analyzed?

An information security audit of an organization is also carried out in order to identify real threats and their consequences. At the end of this stage, a list of measures should be formed that will prevent, or at least minimize, the possibility of information attacks.

To prevent breaches of confidentiality, the report produced at the end of the previous stage must be analyzed. This makes it possible to determine whether a real intrusion into the firm's systems is feasible. A verdict is issued on the reliability and performance of the existing technical security tools.

Since organizations all work in different areas, the list of security requirements cannot be identical for all of them. For the audited institution, a list is developed on an individual basis.

At this stage, weaknesses are also identified, and the client is provided with data on potential attackers and impending threats. The latter is necessary in order to know from which direction to expect trouble and to pay more attention to it.

It is also important for the customer to know how effective the proposed changes and the results of the expert commission's work will be.

The analysis of possible risks has the following goals:

  • classification of information sources;
  • identification of vulnerabilities in the workflow;
  • drawing up a profile of a possible attacker.

Analysis and audit make it possible to determine how likely information attacks are to succeed. For this, the criticality of the weak points and the ways in which they could be used for illegal purposes are assessed.

What is the final stage of the audit?

The final stage consists of writing up the results of the work. The resulting document is called an audit report. It records the conclusion about the general level of security of the audited organization. It separately describes the effectiveness of the information technology system with respect to security. The report also provides guidance on potential threats and describes a model of a possible attacker. It also states the possibility of unauthorized intrusion due to internal and external factors.

Information security audit standards provide not only for an assessment of the current state, but also for recommendations from the expert commission on the necessary measures. It is the specialists who carried out the comprehensive work and analyzed the information infrastructure who can say what needs to be done to protect against information theft. They will indicate the places that need to be strengthened. The experts also provide guidance on technological support, that is, equipment, servers and firewalls.

The recommendations describe the changes that need to be made to the configuration of network devices and servers. The instructions may relate directly to the chosen security methods. If required, the experts will prescribe a set of measures aimed at further strengthening the protective mechanisms.

The company should also carry out special awareness work and develop a policy aimed at confidentiality. Reforms in the security service may be needed. An important point is the regulatory and technical base, which must consolidate the provisions on the company's security. The staff must be properly instructed. Spheres of influence and responsibilities are distributed among all employees. If appropriate, it is better to run a course to improve the team's education in information security.

What types of audit are there?

An enterprise information security audit can be of two types. Depending on who carries out the process, the following types can be distinguished:

  1. External form. Its distinguishing feature is that it is a one-time exercise. Its second feature is that it is carried out by independent and unbiased experts. If it is of an advisory nature, it is commissioned by the owner of the institution. In some cases, an external audit is mandatory. This may be due to the type of organization or to extraordinary circumstances. In the latter case, the initiators of such a check are, as a rule, law enforcement agencies.
  2. Internal form. It is based on a dedicated regulation that prescribes auditing. An internal information security audit is necessary in order to constantly monitor the system and identify vulnerabilities. It is a list of activities that take place during a set period of time. For this work, a special department or an authorized employee is most often established, who diagnoses the state of the security tools.

How is an active audit conducted?

Information security audit methods are also selected depending on the customer's goal. One of the most common ways to study the level of security is an active audit. It consists in staging a realistic hacker attack.

The advantage of this method is that it allows a threat to be simulated as realistically as possible. Through an active audit, you can understand how a similar situation would develop in real life. This method is also called instrumental security analysis.

The essence of an active audit is an attempt (with the help of special software) at unauthorized intrusion into the information system. In this case, the security tools must be in a state of full readiness. This makes it possible to evaluate how they work in such a case... The person who carries out the simulated hacker attack is provided with a minimum of information. This is necessary in order to recreate the most realistic conditions.

The aim is to expose the system to as many attacks as possible. Using different methods, one can evaluate which hacking methods the system is most susceptible to. This, of course, depends on the qualifications of the specialist conducting the work... But their actions must not be of a destructive nature.

Ultimately, the expert produces a report on the weaknesses of the system and on the information that is most exposed. It also provides recommendations for possible upgrades to raise security to the proper level.

What is an expert audit?

Information security audits are also conducted to determine the firm's compliance with the established requirements. An example of such a task is the expert method. It consists in a comparative assessment against reference data.

The reference model of how the security tools should work can be drawn from various sources. The client can state their own requirements and set tasks. The head of the firm may want to know how far the security level of the organization is from what they want.

The reference model against which the comparative assessment is carried out may be generally recognized international standards.

According to the Federal Law "On Auditing", the executing company has sufficient authority to collect the relevant information and conclude whether the existing information security measures are sufficient. The consistency of regulatory documents and of employees' actions with respect to the operation of the security tools is also assessed.

What is the compliance check?

This type is very similar to the previous one, since its essence is also a comparative assessment. But in this case, the reference model is not an abstract concept but clear requirements enshrined in regulatory and technical documentation and standards. It also determines the degree of compliance with the level set by the company's own privacy policy. Without conformity on this point, one cannot talk about further work.

Most often, this type of audit is required to certify the security system operating at the enterprise. This requires the opinion of an independent expert. It is not only the level of protection that matters, but also its conformity to recognized quality standards.

Thus, we can conclude that in order to carry out this kind of procedure, you need to choose the performer and define the range of goals and objectives based on your own needs and capabilities.

Information systems audits provide up-to-date and accurate data on how the IS works. Based on the data obtained, you can plan activities to improve the efficiency of the enterprise. The practice of auditing an information system consists in comparing the real situation with the standard. The regulations, standards, rules and practices that apply in other firms are examined. During the audit, the entrepreneur gets an idea of how his company differs from a typical successful company in a similar area.

General idea

Information technology in the modern world is extremely well developed. It is difficult to imagine an enterprise that is not equipped with information systems:

  • global;
  • local.

It is through the IS that a company can function normally and keep up with the times. Such systems are essential for the rapid and complete exchange of information with the environment, allowing the company to adapt to changing infrastructure and market demands. Information systems must meet a number of requirements that change over time (new developments and standards are introduced, updated algorithms are applied). In any case, information technology makes it possible to provide fast access to resources, and this task is solved through the IS. In addition, modern systems are:

  • scalable;
  • flexible;
  • reliable;
  • safe.

The main task of an information systems audit is to identify whether the implemented IS meets the specified parameters.

Audit: types

The so-called process audit of an information system is used very often. Example: external specialists analyze the implemented systems for deviations from the standards, including studying the production process whose output is software.

An audit can be carried out to determine how correctly the information system is used in the work. The company's practices are compared with manufacturer's standards and well-known examples of international corporations.

An audit of an enterprise information security system also touches on the organizational structure. The purpose of such an exercise is to find bottlenecks in the staffing of the IT department, identify problems, and form recommendations for solving them.

Finally, an audit of the information security system may be aimed at quality control. In that case the invited experts assess the state of the processes within the enterprise, test the implemented information system, and draw conclusions based on the information received. Typically the TMMi model is used.

Audit objectives

A strategic audit of the state of information systems makes it possible to identify weaknesses in the implemented IS and to identify where the use of technology has turned out to be ineffective. At the end of such a process, the customer will have recommendations for eliminating the shortcomings.

The audit makes it possible to estimate how expensive it will be to make changes to the existing structure and how long it will take. Specialists studying the company's current information structure will help choose the tools for implementing the improvement program, taking into account the specifics of the company. Based on the results, an accurate estimate can also be given of how many resources the firm needs. Intellectual, monetary and production resources will be analyzed.

Events

Internal audit of information systems includes such activities as:

  • IT inventory;
  • identifying the load on the information structures;
  • assessment of statistics and of the data obtained during the inventory;
  • determining whether the business requirements and the capabilities of the implemented IS match;
  • generating a report;
  • development of recommendations;
  • formalization of the normative reference information (NSI) fund.

Audit result

A strategic audit of the state of information systems is a procedure that:

  • identifies the reasons for the insufficient efficiency of the implemented information system;
  • forecasts the behavior of the IS when the information flows change (number of users, volume of data);
  • provides informed solutions that help increase productivity (purchase of equipment, improvement of the implemented system, replacement);
  • gives recommendations aimed at increasing the productivity of company departments and optimizing investments in technology;
  • develops measures to improve the quality of service of the information systems.

It is important!

There is no universal IS that fits any enterprise. There are two common bases on which you can create a unique system for the requirements of a particular company:

  • Oracle.

But remember that this is only the basis, nothing more. All the enhancements that make the business effective must be programmed taking into account the specifics of the particular enterprise. You will almost certainly have to introduce previously absent functions and disable some provided by the base assembly. A modern technology audit of banking information systems helps to understand exactly which features the IS should have and which should be excluded, so that the corporate system is optimal and efficient, but not too "heavy".

Information security audit

There are two types of analysis to identify threats to information security:

  • external;
  • internal.

The first is a one-time procedure. It is organized by the head of the company. It is recommended to practice such a measure regularly to keep the situation under control. A number of joint-stock companies and financial organizations have made an external IT security audit mandatory.

Internal audits are regularly held activities, governed by the local regulation "Regulations on internal audit". To carry them out, an annual plan is formed (prepared by the department responsible for the audit) and approved by the CEO or another manager. An IT audit comprises several categories of activities, of which the security audit is not the least important.

Objectives

The main purpose of an information system audit in terms of security is to identify the risks to the IS related to security threats. In addition, the activities help to identify:

  • weak points of the current system;
  • compliance of the system with information security standards;
  • the level of security at the current time.

As a result of the security audit, recommendations will be formulated that improve current solutions and introduce new ones, thereby making the current IS safer and better protected from various threats.

If an internal audit is being conducted to identify threats to information security, then the following is additionally considered:

  • the security policy and the possibility of developing a new one, as well as other documents that protect data and simplify their application in the corporate production process;
  • formation of security tasks for employees of the IT department;
  • analysis of situations involving violations;
  • training of corporate system users and maintenance personnel in general security aspects.

Internal audit: features

The tasks listed above, which are set for employees when an internal audit of information systems is carried out, are not, in essence, an audit. In theory, the organizer of the exercise only evaluates, as an expert, the mechanisms by which the system is secured. A person involved in the task becomes an active participant in the process and loses independence, and can no longer objectively assess the situation and control it.

On the other hand, in practice it is almost impossible to remain on the sidelines during an internal audit. To carry out the work, a company specialist is involved who at other times is busy with other tasks in a similar field. This means that the auditor is the same employee who has the competence to solve the tasks mentioned earlier. Therefore, a compromise has to be made: at the expense of objectivity, the employee is involved in practice in order to get a decent result.

Security audit: stages

These are in many ways similar to the steps of a general IT audit. The following are distinguished:

  • start of events;
  • collection of a base for analysis;
  • analysis;
  • formation of conclusions;
  • reporting.

Initiation of the procedure

An audit of information systems in terms of security begins when the head of the company gives the go-ahead, since it is the executives who are most interested in an effective audit of the enterprise. An audit is not possible if management does not support the procedure.

An information systems audit is usually comprehensive. It is attended by an auditor and several persons representing different departments of the company. Joint work by all participants in the audit is important. The following points are important when initiating an audit:

  • documenting the duties and rights of the auditor;
  • preparation and approval of the audit plan;
  • documenting the fact that employees are obliged to provide the auditor with all possible assistance and all the data they request.

Already when initiating the audit, it is important to establish the boundaries of the information systems audit. Some IS subsystems are critical and require special attention; others are not, and may be excluded as insufficiently important. There will probably also be subsystems that cannot be checked, since all the information stored in them is confidential.

Plan and boundaries

Before starting work, a list of resources to be checked is formed. These can be:

  • informational;
  • software;
  • technical.

It is specified at which sites the audit is carried out and against which threats the system is checked. The organizational boundaries of the exercise and the security aspects to be taken into account during the audit are defined. A priority rating is formed with an indication of the scope of the check. These boundaries, as well as the plan of the exercise, are approved by the general director, but are first brought up for discussion at a general working meeting attended by heads of departments, the auditor and company leaders.

Receiving data

When conducting a security audit, the standards for auditing information systems are such that the information-gathering stage is the most time-consuming and laborious. As a rule, there is no documentation for the IS, and the auditor is forced to work closely with numerous colleagues.

For the conclusions drawn to be competent, the auditor must obtain as much data as possible. The auditor learns how the information system is organized, how it functions and what state it is in from organizational, administrative and technical documentation, through independent research, and by applying specialized software.

Documents required for the auditor's work:

  • organizational structure of departments serving IS;
  • organizational structure of all users.

The auditor interviews employees, identifying:

  • the provider;
  • the data owner;
  • the data users.

To do this, you need to know:

  • main types of IS applications;
  • number, types of users;
  • services provided to users.

If the company has IS documents from the list below, be sure to provide them to the auditor:

  • description of technical methodologies;
  • description of methods for automating functions;
  • functional diagrams;
  • working, project documents.

Revealing the IS structure

For correct conclusions, the auditor must have the most complete understanding of the features of the information system implemented at the enterprise. It is necessary to know what the security mechanisms are and how they are distributed across the levels of the system. To do this, find out:

  • the presence and characteristics of the components of the system used;
  • functions of components;
  • graphic quality;
  • inputs;
  • interaction with various objects (external, internal) and protocols, channels for this;
  • platforms used for the system.

Diagrams are useful:

  • structural diagrams;
  • data flow diagrams.

Structures:

  • technical means;
  • information support;
  • structural components.

In practice, many of the documents are prepared directly during the audit. Analysis of the information is possible only once the maximum amount of information has been collected.

IS Security Audit: Analysis

Several techniques are used to analyze the data obtained. The choice of a specific one is based on the personal preferences of the auditor and the specifics of the particular task.

The most sophisticated approach involves risk analysis. Security requirements are formed for the information system, based on the characteristics of the particular system and its environment, as well as the threats inherent in that environment. Analysts agree that this approach requires the most labor and the highest qualifications from the auditor. How good the result will be is determined by the information analysis methodology and the applicability of the selected options to the type of IS.

A more practical option is to rely on data security standards. These define the set of requirements. This approach is suitable for various ISs, since the methodology was developed on the basis of the largest firms from different countries.

The standards set out the security requirements, depending on the required level of protection of the system and the kind of institution it belongs to. Much depends on the purpose of the IS. The main task of the auditor is to correctly determine which set of security requirements is relevant in a given case. A method is then chosen by which to assess whether the actual parameters of the system meet the standards. The technique is quite simple and reliable, and therefore widespread. With a small investment, accurate conclusions can be obtained as a result.

It is unacceptable to neglect!

Practice shows that many managers, especially of small firms, as well as those whose companies have been operating for a long time and do not strive to master all the latest technology, treat the audit of information systems rather negligently, since they simply do not realize the importance of this measure. Usually, only damage to the business prompts management to take measures to check, identify risks and protect the enterprise. Some find that their client data has been stolen; others suffer leaks from counterparty databases or of information about the key advantages of a particular entity. Consumers lose confidence in a company as soon as a case goes public, and the company suffers far more damage than the data loss alone.

If there is a possibility of information leakage, it is impossible to build an efficient business that is well positioned now and in the future. Any company has data that is valuable to third parties and needs to be protected. For protection to be at the highest level, an audit is needed to identify weak sides... It must take into account international standards, methods, and the latest developments.

When auditing:

  • assess the level of protection;
  • analyze the applied technologies;
  • adjust security documents;
  • simulate risk situations in which data leakage is possible;
  • recommend the implementation of solutions to eliminate vulnerabilities.

These events are held in one of three ways:

  • active;
  • expert;
  • identifying compliance with standards.

Audit forms

An active audit involves evaluating the system from the viewpoint of a potential hacker. It is this point of view that the auditors "try on" themselves: they study the network protection, using specialized software and particular techniques. An internal audit is also required, likewise conducted from the point of view of a supposed criminal who wants to steal data or disrupt the operation of the system.

An expert audit checks how closely the implemented system corresponds to the ideal one. When identifying compliance with standards, an abstract description of the standards, against which the existing object is compared, is taken as the basis.

Conclusion

A correctly and efficiently conducted audit allows the following results to be obtained:

  • minimization of the probability of a successful hacker attack and of the damage from it;
  • exclusion of an attack through changes to the architecture of the system and the information flows;
  • insurance as a means of reducing risks;
  • minimization of risk to a level at which it can be ignored entirely.

Collection, processing, storage and use of personal data are carried out in many areas of society and the state. For example, in the financial and tax spheres, with pension, social and medical insurance, in operational-search activities, labor and other areas of public life.

In various fields of activity, personal data is often understood to mean different sets of information. Definitions of personal data are contained in various federal laws, and the scope of that information is defined differently in each of them.

With the development of information technology, the protection of commercial information acquires ever greater importance, as it allows the company to maintain the competitiveness of its products, organize work with partners and customers, and reduce the risk of sanctions from regulators.

It is possible to protect the company's commercial secrets and bring those responsible for disclosure to justice by introducing a commercial secret regime, that is, by taking legal, organizational and technical measures to protect the confidentiality of information.

Virus attacks continue to occur with alarming frequency today. The most effective attacks are those that use files opened by ordinary applications... For instance, malicious code may be contained in Microsoft Word files or PDF documents. Such an attack is called an exploit and is not always detected by regular antivirus software.

Palo Alto Networks Traps provides advanced protection of workstations from targeted malicious attacks and prevents exploitation of vulnerabilities in the operating system and applications.

Recommendations for protecting information when working in RBS systems

In recent times, cases of fraud in remote banking systems (RBS) aimed at stealing users' secret keys and organizations' funds have become more frequent. In this article, we reviewed the practical measures necessary to reduce the likelihood of theft of funds and provided recommendations for responding to possible fraudulent activity.

The result of the auditor's work is the preparation of an auditor's report. In order to have a basis for conclusions on the main areas of the audit, the auditor must collect appropriate evidence. The information collected and analyzed by the auditor during the audit serves to support the auditor's conclusions and is called audit evidence. When collecting audit evidence, the auditor uses the following methods:

1. Methods of actual control:
   a) inventory;
   b) control measurement.

2. Methods of documentary control:
   a) formal verification;
   b) arithmetic check;
   c) verification of documents on the merits.

3. Other methods:
   a) observation;
   b) survey;
   c) economic analysis.

Consider how effective each of these methods of collecting audit evidence is when checking property, plant and equipment.

Inventory is carried out in order to ensure the accuracy of accounting and reporting data. Immediately upon arrival at the organization, the auditor should establish the date of the last inventory. If no inventory of fixed assets has been carried out for more than 2-3 years, the auditor may require one to be carried out, which allows a more thorough check and reduces the audit risk. The auditor can take part in the inventory personally or limit himself to monitoring its implementation. It is recommended to verify that the most expensive items are actually present. Part of the property may be missing; in this case it is necessary to check under what documents, to whom and when it was transferred. When employees use any property at home, the value of this property (computers, printers) can be treated as part of the employees' taxable base (income). If, during the inventory of fixed assets, it turns out that one of the workshops of the inspected economic entity is occupied by another economic entity (there may be several signs of this: a sign with the name of another economic entity hangs on the premises; products are produced that do not correspond to the profile of the inspected entity, etc.) and the income from non-operating transactions does not include the item "rental income", then this is a case of "hidden lease" and tax evasion. The auditor can conclude that the client has violated the legislation when performing financial and business transactions. Inventory of fixed assets is carried out on the basis of the "Methodological guidelines for inventory of property and financial obligations", approved by Order of the Ministry of Finance of the Russian Federation dated June 13, 1995 No. 49.

The control measurement method is effective when checking the costs of repairs of fixed assets. The auditor can make a control measurement of the volume of repair work performed directly at the facilities, which will allow an objective assessment of the actual repair work and establish the amount of unjustifiably written off materials, as well as the amount of illegally paid wages, if, with the connivance of individual employees of the organization, the volume of work performed was overestimated.

When conducting a formal check of documents, the auditor visually examines the primary documents on accounting for fixed assets, inventory cards, order journals, calculation tables, form No. 5, the General Ledger, etc. It is necessary to check that the documents comply with the standard interdepartmental forms, that all the details are filled in correctly, whether there are unauthorized corrections, erasures or additions in the text and figures, the authenticity of the signatures of officials and financially responsible persons, the instructions on the procedure for filling out the standard forms of annual financial statements, and the signature cards of officials.

The arithmetic check method provides for checking the correctness of calculations, as well as the correctness of the calculation algorithms used in accounting automation, checking the calculation of depreciation amounts and the revaluation of fixed assets, and the correct application of depreciation rates and conversion factors. The data of analytical and synthetic accounts, order journals, the general ledger, the balance sheet and the appendix to the balance sheet (form No. 5) are also checked.

When verifying documents on the merits, the legality and expediency of a business transaction, the correctness of its attribution to accounts and its inclusion in cost items are considered. When fixed assets are sold to a third party, the auditor needs to make sure that there is written permission from the manager for this. If during the verification a primary document raises doubts, it is necessary to obtain a written explanation from the persons responsible for this transaction and to carry out a counter-verification.

Observation - getting an overview of the client's capabilities based on visual observation. The auditor observes how one or another operation for recording the movement of fixed assets is drawn up, primary documents and synthetic accounting registers are filled out. However, operations on accounting for fixed assets are not so diverse and frequent, especially in small enterprises, therefore, observation as an audit method is ineffective. More complete information can be obtained as a result of documentary verification, interviews with employees and economic analysis.

The auditor uses the method of economic analysis, as a rule, when checking financial statements, which reflects the condition of fixed assets (f. No. 1, f. No. 5). The auditor can analyze the use of fixed assets by the organization in terms of time and capacity, taking into account the specifics of the organization's production activities, as well as the efficiency of capital investments.

Survey - obtaining oral or written information from the client. A survey or conversation should be conducted with all employees involved in accounting for fixed assets and preparing reports. In order for a conversation to produce results for the auditor, it, like all other audit procedures, must be carefully planned. To do this, the auditor prepares a questionnaire in advance, which includes a list of questions with multiple-choice answers that the auditor plans to ask employees of the organization. The questionnaire is printed in the required number of copies, corresponding to the number of specialists interviewed. Each copy of the questionnaire contains the position, surname, name and patronymic of the person with whom the interview will be held. Based on the results of the survey, the auditor makes notes next to the answer options chosen by the employees, draws a conclusion about the state of discipline in the organization of accounting for fixed assets, and determines the degree of audit risk and the depth of subsequent procedures to verify the correctness of accounting for fixed assets.

An enterprise must conduct an information security audit. Let's consider what it is for and how it is carried out. Almost all activities of organizations are related to computer processing of information.

The number and volume of operations is growing, requiring extensive use of a computerized information system. If there are errors, the system may be blocked.

A chain reaction can be triggered, as a result of which the profitability of companies is reduced and their reputation is lost. That is why it is worth paying special attention to the information security audit.

What you need to know

Conducting an information security audit is an important procedure in which certain goals are pursued and a number of tasks are performed.

Necessary terms

An information security audit is a systemic procedure in which objective qualitative and quantitative assessments of the current state of information security of an enterprise are obtained.

At the same time, certain criteria and security indicators are adhered to. Information security is understood as the safety of information resources and the protection of the legal rights of the individual and society in the information sphere.

Why is this needed?

With the help of an audit, you can assess the current security of the information system, assess and predict risks, manage their impact on the business process.

With a competent audit, the maximum return is possible on the funds invested in the creation and maintenance of the company's security system.

The purpose of the audit procedure:

  • risk analysis;
  • assessment of the current security level of the information system;
  • localization of bottlenecks in the defense system;
  • recommendations on how to implement and improve the efficiency of the information system security mechanism.

Task:

  • develop a security policy for data protection;
  • set tasks for IT employees;
  • sort out incidents related to information security breaches.

Legal regulation

Main legislative provisions:

  1. Methodical documentation.

Enterprise information security audit

The main direction of information security audit:

Attestation:
  • automated systems, means of communication, and data processing and transmission equipment are certified;
  • premises that are used for negotiations are certified;
  • technical means installed in a dedicated room are certified.

Protected data control:
  • technical channels of data leakage are revealed;
  • the effectiveness of the data protection tools in use is monitored.

Special study of technical means:
  • computers, means of communication and data processing equipment are investigated;
  • the local computing system is investigated;
  • the results of the research are drawn up in accordance with the standards of the State Technical Commission.

Design of objects in protected versions:
  • an information security concept is developed;
  • automated systems and data processing are designed in secure versions;
  • premises necessary for negotiations are designed.

Applied techniques

It is possible to use the technique:

Expert audit: the degree of protection of each component of the information system is assessed. It consists of several stages:
  • the information systems are analyzed;
  • significant assets are analyzed;
  • models of threats and violators are formed;
  • the security requirements of the data environment are analyzed;
  • the current state is evaluated;
  • recommendations for eliminating shortcomings are developed;
  • a report with recommendations is produced.

Active audit: during the test it is possible to assess the security of information systems, detect weaknesses, and check the reliability of the existing mechanism for protecting systems from illegal actions. The company receives detailed reports with the analysis results. The object of penetration testing is an external server, network hardware or a separate service.

There are several types of testing:

  1. Black box method. The test is conducted without knowledge of the object being tested. Information is collected from publicly available sources.
  2. White box method. The objects are investigated in more detail. The auditor may request additional documents, source code and access to the objects. The test simulates the situation that is possible in the event of a data leak.
  3. Gray box method. Partial knowledge of the object is used; it combines the two methods above.

Stages of work on tests include:

  • analysis of available information;
  • instrumental scanning using specialized tools;
  • manual detailed analysis;
  • analysis and assessment of deficiencies.

Web application check: needed to detect and identify vulnerabilities. It requires:
  • automatic scanning;
  • use of the black box and white box methods;
  • risk assessment;
  • preparation of recommendations;
  • implementation of recommendations.

Comprehensive audit: makes it possible to systematize threats to information security and put forward proposals for eliminating deficiencies. Technical verification of networks, penetration testing, etc. are carried out.

Compliance audit: the information security risk management system, the regulatory policy, and the principles of asset and personnel management are analyzed and evaluated.

Planning

When conducting an information security audit, a work plan is drawn up and the target is defined. The customer and the contractor should agree on the scope of the audit and which parts of the company's structure it affects.

Specify the responsibilities of each party. The plan should reflect:

  • the purpose of the check;
  • criteria;
  • the scope of verification, taking into account the identification of the organizational and functional unit and process that is to be audited;
  • date and place of the audit;
  • the duration of the check;
  • the role and obligations of members of audit teams and accompanying persons.

It is also possible to include:

  • a list of representatives of the audited enterprise who will provide support services for the audit team;
  • sections of the report;
  • technical support;
  • addressing confidentiality issues;
  • the timing and objectives of the next information security audit.

The plan is analyzed and presented to the auditee before the audit is carried out. The revised document is agreed by the involved party before proceeding with the audit.

Internal audit

The audit includes the following actions:

  • the process is initiated (the rights and obligations of the auditor are defined and enshrined in the documentation, an audit plan is prepared);
  • data is collected;
  • information is analyzed;
  • recommendations are developed;
  • a report is prepared.

For the audit, the criteria are determined and reflected in the regulatory documentation. First, the check is organized, the documents are analyzed, and preparation is made for the IS audit at the place where it is carried out.

The leaders of the audit teams must be appointed, the goals, scope and feasibility of the audit determined, and initial contact established with the audited enterprise.

Small business nuances

In a small enterprise, information security is not given as much attention as in large firms.

Yet the technical situation is such that information security protection is needed precisely by small companies. Such enterprises have a small IT budget, which does not allow them to buy all the necessary equipment and software.

That is why an audit allows timely identification of vulnerabilities by checking:

  • how the firewall is used to ensure the security of information;
  • whether email protection is provided (whether the necessary antivirus tools are in place);
  • whether antivirus protection is provided;
  • how work in 1C:Enterprise is organized;
  • how users' PCs are configured;
  • how the proxy server is used;
  • whether the protection of the company's information environment is ensured.

During the procedure in a bank, there are two approaches:

  • checking around the computer;
  • checking through the computer.

Controls can be general and application-level. General controls are those that provide confidence in the continuity of the computer system.

The following types of control are carried out:

  • organizational;
  • control of computers;
  • operating systems;
  • access control;
  • control of premises with technical objects;
  • systems development and maintenance.

Application controls refer to the programmed processes of specific application software and the associated manual processes.

It is necessary to provide reasonable assurance that the automatic processing of information is complete, accurate and correct.

They consist of:

  • input control (this is a weak point in information systems);
  • processing control;
  • output control.

The audit program of the information system of banking institutions includes:

  • involvement of internal auditors when developing systems and application software packages;
  • review and confirmation, i.e. verification of software changes;
  • internal control audit and tests for consistency;
  • checking computer software documentation: whether the documents exist, whether they are updated, and whether they reflect the real situation;
  • conducting software checks: that there are no unauthorized changes and that the information is complete;
  • assessment of purchased software for compliance with the description of the prepared systems;
  • quarterly review and renewal of the action plan for force majeure and critical situations.

To prevent unwanted intrusions and attacks in the future, it is worth:

The auditor can carry out the following work:

Organization for government information systems

Let's consider the example of a school. The audit includes 3 stages. The institution must first submit all the required documents.

The goal and tasks of the check are determined, and the membership of the audit team is decided. The verification programs are drawn up.

The inspection itself is carried out in accordance with the audit program, which was developed and agreed with the school leadership.

The quality of the regulatory documents, the effectiveness of the technical measures for data protection, and the actions of employees are checked and evaluated. It is established:

  • whether the ISPD (personal data information system) is classified correctly;
  • whether the information provided is sufficient;
  • whether the requirements for information security are met.

When conducting a technical check, expert, expert-documentary and instrumental methods are used. Based on the results of the check, a report is prepared in which the shortcomings are set out and recommendations for their elimination are given.

Management systems certification

Verification and certification of compliance with standards are aimed at improving enterprise management, building confidence.

Although international standards have been established, at the moment certification for compliance with ISO 17799 is not carried out, since there is no part 2 of it describing certification of compliance with British standards BS 7799.

Certification for compliance with the British standards is carried out. Verification of compliance with the standards is performed by audit/consulting firms that are members of UKAS.

BS 7799-2 certifications affect the quality of building information security management systems. A number of technical issues are being addressed.

State standards for management systems have not been adopted, but there is an analogue: the Special Requirements and Recommendations for the Technical Protection of Information of the State Technical Commission of Russia.

Presentation of results

At the end of the audit, a reporting document is drawn up, which is transferred to customers. The report should contain the following information:

  • the framework of the audit procedure;
  • the structure of the enterprise information system;
  • methods and means that are used in the audit;
  • descriptions of detected vulnerabilities and shortcomings, taking into account their level of risk;
  • recommendations for improving complex information security systems;
  • proposals for plans to implement measures that should minimize the identified risks.

The report should reflect complete, clear and accurate information on the security check of information. It is indicated where the audit was carried out, who is the customer and the contractor, what is the purpose of the audit.

Reports may include the following data:

  • inspection plan;
  • list of accompanying auditors;
  • a brief essence of the procedure, taking into account the element of uncertainty and problems that may affect the reliability of the conclusion based on the results of the audit;
  • any areas not covered by the audit, etc.

Information security audit is an effective tool that allows you to obtain an independent and objective assessment of the current state of protection against a number of threats.

The result of the check provides the basis for forming strategies for the development of systems to ensure the company's information security. But it is worth remembering that a security audit is not a one-off procedure.

It must be carried out on an ongoing basis. Only in this case will there be a real return and an opportunity to improve information security.
