Auditing the IT Security Function: An Effective Framework

Introduction

As businesses have come to depend very much on their information systems in the last half a century, the importance of having those systems in a fit state to run has become paramount. Not only is good, reliable Electronic Data Processing vital but an increasingly important part of the equation involves the IT Security Function. Without secure information systems a company is vulnerable to exploits from outside as well as within. In recognition of this, ways of measuring and monitoring the effectiveness of security controls and systems have been developed into internationally recognised standards, providing a valuable tool for Auditing the IT Security Function. Convincing management that the audit process is necessary to maintain good security is perhaps one of the main hurdles preventing good auditing practices to be adopted. There are, however, convincing arguments to help persuade those in control of budgets that they need to take responsibility for adequate security.

The Role of IT Security

The information age went international in the 1980s. However, the fact is that a series of corresponding security weaknesses also came. For example, electronic mails are widely applied in today's daily life and business, while the virus of one computer connected to many others in a honeycomb arrangement may affect another, as usually how great they are interconnected is unknown(Shain,1996). Therefore, information security is increasingly required to take on a considerably vital role in networks.

As Shain(1996) points out, security is a wide concept, it is a separated subject with its own theories, "which focus on the process of attack and on preventing, detecting and recovering from attacks". Certainly, these processes should be well organized in coping with the complex system issues. A coherent approach should be taken, which builds on established security standards, procedures and documentation. Actually, "the activities of the...