
Information System Audit Plan


Various reasons inform organizations of the urgency of undertaking information system audits. An information system audit is essential for the organization because it helps ensure that operations run effectively and comply with administrative and legal regulations. Undertaking an information system audit plan confirms to the management team that the business is functioning well and that the employees are prepared to meet potential challenges. Most importantly, the information system audit plan assures stakeholders of the organization’s operational, financial, and ethical well-being (Kim & Solomon, 2016). A critical component of the audit plan is the audit program, also known as the work program. The audit program documents the specific procedures and steps used to test and verify control effectiveness. This paper enumerates the IS requirements for securing the system domain, evaluates the controls required for securing the application domain, the compliance requirements that should be followed, best practices for system domain compliance, and corrective measures that can be adopted for audit findings.

Information Security Systems Requirements

Five general requirements for information security systems are necessary to secure the system/application domain. The first requirement calls for the identification and analysis of malicious code and activity. Mechanisms that support this identification include code signing, sandboxing, scanners, and anti-malware. This requirement teaches IT professionals the mechanisms they can use to identify malware and computer code that may compromise the functionality of the IT system (Lohiya & Thakkar, 2020). This requirement also covers tools and processes that employees can adopt to prevent exposure to malicious code. Exploitative techniques that hackers commonly use, such as phishing, spam, threats, and spoofing, are elaborated in detail. The last component of this requirement enumerates countermeasures to malicious activity, such as system hardening, patching, sandboxing, and isolation.

The other requirement for information systems adopted for securing the application domain is implementing and operationalizing endpoint device security. Modern endpoint security systems are developed to detect, assess, and quickly block active attacks on the system (Lohiya & Thakkar, 2020). Endpoint security is a strategy for preventing malicious threats from entering end-user devices such as laptops, desktops, and smartphones. This requirement also outlines the rules that employees should adhere to under Mobile Device Management (MDM) models such as COPE or BYOD. The benefits and drawbacks of Host-Based Intrusion Detection Systems (HIDS) are elaborated in detail, together with secure browsing, application allow-listing, and issues related to the Trusted Platform Module (TPM) (Lohiya & Thakkar, 2020).

Configuring and securing virtual environments is the other information security requirement for securing the application domain. The requirement for cloud security configuration encompasses the five attributes of clouds, cloud deployment models, and cloud service models. Besides this, the requirement also covers legal and privacy concerns by enumerating the types of data that are considered sensitive, defining the available levels of controls, and applying the defined controls as they relate to personally identifiable information (PII) (Lohiya & Thakkar, 2020). Apart from elaborating on the shared responsibility model, this requirement also outlines proper ways of storing and sharing data, encryption, and masking. On the other hand, securing virtual environments involves preventing any form of attack from reaching the confidential data stored in the virtual space. Virtualization is a method of creating a virtual space in which server operating systems are hosted (Lohiya & Thakkar, 2020). This requirement outlines how Software-Defined Networking (SDN) works, common virtualization attacks that may occur, and recommendations for overcoming them.

Controls for Securing the Application Domain

The controls needed for securing the application domain are threefold: technical controls, administrative controls, and physical controls. Technical security controls utilize technology to reduce vulnerabilities in hardware and software. The protection of the application domain under technical security controls lies in installing automated software tools and then configuring them to provide maximum protection. Some examples of technical security controls include firewalls, encryption, anti-malware software, and security information and event management (SIEM) systems (Kim & Solomon, 2016). Technical security controls can be executed through either access control lists (ACLs) or configuration rules. Access control lists are network traffic filters that regulate incoming and outgoing data. These ACLs can be configured on network devices or servers, although they are most common on routers and firewalls. Configuration rules, in turn, are instructions that govern how processes execute within the system.

Administrative security controls are policies, procedures, or guidelines that define business practices in line with the organization’s security goals. Many organizations use the onboarding process to introduce new employees to the organization’s history. The newly hired employees may be requested to review the organization’s security policy. After acknowledging that one has read the organization’s policies, one is then accountable to the organization’s corporate policy (Kim & Solomon, 2016). Administrative controls can only be implemented by adhering to management and operational controls. Management controls are security measures that focus on managing risks concerning information security. Operational controls, on the other hand, are executed by people rather than by systems (Kim & Solomon, 2016). The security policy is a good example of a management control; the security requirements are operational controls because people execute them, while the systems that enforce them are technical controls.

Lastly, physical controls are security measures within a properly defined physical structure that prevent unauthorized access to sensitive data. Some examples of physical controls include security guards, picture IDs, and thermal alarm systems (Kim & Solomon, 2016). Locked steel doors are a further example of physical security control measures that prevent unauthorized entry. The last example of physical security controls is biometrics, which includes but is not limited to voice recognition, fingerprint, iris, handwriting, and other automated methods that recognize individuals and grant them particular access rights to certain places or specific pieces of data.

Compliance Requirements for the Application Domain

The following are the compliance requirements for the application domain:

  1. Install and maintain a firewall configuration to protect confidential information – this requirement ensures that the firewalls protect confidential data from unauthorized access. The firewall’s rules should be reviewed bi-annually to remove any insecure access rules that may grant access to confidential information (Kim & Solomon, 2016).
  2. Encrypt transmission of confidential data across open networks – organizations should ensure that confidential data shared over the network is encrypted to prevent third parties from infiltrating the network and accessing this information.
  3. Utilize and regularly update anti-virus software – organizations and their users should ensure that their laptops, mobile devices, and PCs have anti-virus software (Kim & Solomon, 2016). Users in these organizations should ensure that the anti-malware programs are updated regularly so that they can detect newly identified malware.
  4. Maintain secure systems and applications – organizations should move quickly to secure their application domain against exploits by deploying critical patches promptly. All systems within the organization should be patched, including firewalls, routers, operating systems, and databases.
  5. Assign a unique ID to each user within the organization – the organization should shun the use of shared users and passwords. For enhanced security of the application domain, every authorized user must possess a unique identifier, and passwords should be adequately complex and hard to guess (Kim & Solomon, 2016). In addition, two-factor authentication should be enforced for all non-console administrative access.

The General Procedures and Best Practices for System Domain Compliance

There are general procedures and best practices for system domain compliance. The first best practice is that domain admins should be limited to a few individuals. Members of the Domain Admins group enjoy elevated privileges over systems, data, computers, and laptops. In the event that Domain Admins access is required, a user’s account can be temporarily placed in the DA group and removed upon completion of the work (Johnson, Weiss & Solomon, n.d.). The other general procedure is to secure the Domain Administrator account. Since the administrator account is used for domain setup and disaster recovery, no one should know the password for the domain administrator account. Lastly, all local administrator accounts on all computers should be disabled, because by compromising a single system an attacker could otherwise gain local admin rights that extend to every computer within the organization (Johnson, Weiss & Solomon, n.d.).
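The audit program described in the introduction is where these requirements turn into concrete tests. The following is an added example, not part of the original paper or its sources: a small Python audit routine that evaluates the five application-domain compliance requirements above together with the Domain Admins and local-administrator practices against a constructed inventory. The inventory, the six-month review window, the seven-day signature age, and the Domain Admins ceiling of three are all assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample inventory for the system/application domain (not real data).
INVENTORY = {
    "audit_date": date(2023, 2, 4),
    "firewall_rules_last_reviewed": date(2022, 6, 1),   # older than six months
    "av_signatures_updated": date(2023, 2, 1),
    "pending_critical_patches": ["web01", "db02"],
    "accounts": [
        {"id": "alice", "shared": False, "admin": True, "two_factor": True},
        {"id": "backup-ops", "shared": True, "admin": False, "two_factor": False},
        {"id": "bob", "shared": False, "admin": True, "two_factor": False},
    ],
    "domain_admins": ["alice", "bob", "carol"],
    "local_admin_enabled_hosts": ["ws-17"],
    "transport_encryption": {"payroll-api": "tls", "legacy-ftp": "plaintext"},
}


def run_checks(inv, max_review_days=182, max_signature_days=7, max_domain_admins=3):
    """Test each compliance requirement and return (requirement, detail) findings.
    Thresholds are assumed audit parameters, not values from the paper."""
    findings = []
    today = inv["audit_date"]
    # 1. Firewall rule set must have been reviewed within the review window.
    if (today - inv["firewall_rules_last_reviewed"]).days > max_review_days:
        findings.append(("1-firewall", "rule set not reviewed in the last six months"))
    # 2. Confidential data must be encrypted in transit.
    for svc, mode in inv["transport_encryption"].items():
        if mode != "tls":
            findings.append(("2-encryption", f"{svc} sends confidential data in {mode}"))
    # 3. Anti-malware signatures must be current.
    if (today - inv["av_signatures_updated"]).days > max_signature_days:
        findings.append(("3-antivirus", "anti-malware signatures are stale"))
    # 4. Critical patches must be deployed promptly.
    for host in inv["pending_critical_patches"]:
        findings.append(("4-patching", f"{host} has critical patches outstanding"))
    # 5. No shared accounts; two-factor authentication for administrative access.
    for acct in inv["accounts"]:
        if acct["shared"]:
            findings.append(("5-unique-id", f"{acct['id']} is a shared account"))
        if acct["admin"] and not acct["two_factor"]:
            findings.append(("5-two-factor", f"admin {acct['id']} lacks two-factor auth"))
    # Best practices: few Domain Admins, local administrator accounts disabled.
    if len(inv["domain_admins"]) > max_domain_admins:
        findings.append(("da-membership", f"{len(inv['domain_admins'])} Domain Admins"))
    for host in inv["local_admin_enabled_hosts"]:
        findings.append(("local-admin", f"local administrator enabled on {host}"))
    return findings
```

Each finding maps back to the numbered requirement it fails, which is the structure a corrective action plan needs when the audited area is retested.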

Corrective Measures for Audit Findings

In conclusion, various corrective measures can be adopted for audit findings in the system. The first corrective measure for audit findings is determining whether the corrective action plan (CAP) is still relevant to the situation under consideration. Where there is a time lag between CAP development and its implementation, the organization must determine whether any underlying risks have changed so that the CAP can be updated appropriately. The second corrective action is for the organization to identify the responsible parties and the resources required. Process owners are critical for implementing CAPs because they know the affected processes in detail. If a budgetary allocation is required to resolve the CAP, management support and approval will be required to facilitate the process. The other corrective measures are the implementation of the CAP, updating the relevant documentation, and retesting the audited areas.

References

Johnson, R., Weiss, M., & Solomon, M. G. (n.d.). Auditing IT infrastructures for compliance (3rd ed.). O’Reilly Online Learning. Retrieved February 4, 2023, from https://www.oreilly.com/library/view/auditing-it-infrastructures/9781284236613/

Kim, D., & Solomon, M. G. (2016). Fundamentals of Information Systems Security: Print Bundle. Jones & Bartlett Learning.

Lohiya, R., & Thakkar, A. (2020). Application domains, evaluation data sets, and research challenges of IoT: A systematic review. IEEE Internet of Things Journal, 8(11), 8774–8798.


Question

Information System Audit Plan

The learning outcome for this unit involves the process of developing an information system (IS) compliance audit plan for an organization. Many factors are involved in this process, including examining the requirements, developing a plan, creating documentation, and anticipating corrective measures. All these considerations are brought together and addressed in this assignment.

Assume you are in charge of an anticipated IT compliance audit for the system/application domain. The chief information officer (CIO) wants to be prepared and asks you to create a plan. Address the following in your plan:

Your response must be at least four pages in length and double-spaced. Use two sources: the course textbook and a resource from the CSU Online Library. They must be referenced; paraphrased and quoted material must be accompanied by APA citations.
