An information security audit is a methodical, measurable assessment of how information security is implemented across the organization or at a specific site. It is performed by building an understanding of the information technology environment through interviews, vulnerability scans, examination of system settings, and network and communication analysis. The objective is to determine weaknesses in information systems and information technology controls, i.e. the security level of servers, software, business applications, operating systems and databases, and networks and communications; identify any weaknesses; and make recommendations for improvement. Quality Aim’s Information Security Audit focuses on the following phases:
Scoping: Identify the scope of the audit, and plan, schedule and resource the project.
Information Gathering: Understand the organization’s current policies and processes, and any industry best practices or standards it complies with. It is also mandatory to understand the organization’s current infrastructure and technical configurations. This activity helps identify the personnel responsible for systems and process management.
Audit: Prepare an audit checklist based on the information gathered and review existing processes against it. Also review OS, system and application configurations against that checklist. Understand the vulnerabilities found and the risks associated with them. Collect evidence to include in the documentation. Also audit the computing environment through personnel interviews, discussions and application walk-throughs.
Documentation: Prepare documentation of the audit carried out, including the evidence collected. The documentation should also list the vulnerabilities and gaps found and their impact, and recommend a comprehensive remediation plan to mitigate the vulnerabilities.
Solutions: Assist with corrective actions to close the gaps, and recommend preventive actions to stop further gaps from appearing.