Information Security Audits
Technology audits examine the risk management controls within an information technology (IT) environment. The evaluation of obtained evidence determines whether the architecture design and implementation safeguard assets, maintain data integrity, and operate effectively to achieve the organization's goals or objectives.
CTSA provides assessment services across all information security activities including:
Access control policies (e.g., identity-based policies, role-based policies, policy-based access, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems.
Involves policies, standards, procedures, guidelines, and technical configurations related to the systems that maintain identity account management and authentication functions.
Why Engage CTSA?
For each technology audit, CTSA personnel will:
Obtain an understanding of the activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement.
Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives, and guidelines issued by government or industry.
Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels and resource requirements can then be developed.
Develop the engagement project plan using appropriate project management methodologies to ensure that activities remain on track and within budget.
Include in the plan assignment-specific issues, such as:
Availability of resources with appropriate knowledge, skills, and experience
Identification of tools needed for gathering evidence, performing tests and preparing/summarizing information for reporting
Assessment criteria to be used
Reporting requirements and distribution
Document the technology audit or assurance engagement’s project plan to clearly indicate the:
Objective(s), scope, and timing
Roles and responsibilities
Areas of risk identified and their impact on the engagement plan
Tools and techniques to be employed
Fact-finding interviews to be conducted
Relevant information to be obtained
Procedures to verify or validate the information obtained and its use as evidence