Info Tech Audit (ISMN 5750) Exam 1
What is an IT Security Assessment?:
- a key activity that involves the management of risk
- involves a risk-based approach to manage information security

Risk-based approach involves:
1. categorizing the information system
2. selecting a baseline of controls based on the previous categorization
3. implementing and documenting the security controls
4. assessing the security controls to ensure they are producing the desired results
5. authorizing the operation of the information system based on an acceptable level of risk
6. monitoring the security controls continuously

An IT Assessment produces information required to:
1. identify weaknesses within the controls implemented on information systems
2. remediate or mitigate previously identified weaknesses
3. prioritize further decisions to mitigate risk
4. provide assurance so that associated risks are accepted and authorized
5. provide support and planning for future budgetary requirements

Types of IT Assessments:
- network security architecture
- physical security
- vulnerability scanning/testing
- review of policies and procedures
- social engineering
- applications
- security risks

What is an IT Security Audit?: an independent assessment of an organization's internal policies, controls, and activities

You can use an IT Audit to do what?:
- assess the presence and effectiveness of IT controls
- ensure that those controls are compliant with policies
- provide assurance that organizations are compliant with applicable regulations and industry requirements

Common types of audits:
- financial
- compliance
- operational
- investigative
- information technology

Financial Audit: determines whether an organization's financial statement reflects the financial position of the company
Compliance Audit: determines adherence to applicable laws, regulations, and industry requirements
Operational Audit: reviews adherence to policies, procedures, and operational controls
Investigative Audit: investigates records and processes based on suspicious activity or alleged violations
Information Technology Audit: addresses IT system risk exposures

Scope of a Security Audit involves:
- organizational
- compliance
- technical
- application

An effective IT Security Audit program accomplishes the following:
- provides an objective and independent review of an organization's policies, information systems, and controls
- provides reasonable assurance that appropriate and effective IT controls are in place