Understanding and Conducting Information Systems Auditing + Website
Format: PDF / Kindle (mobi) / ePub
A comprehensive guide to understanding and auditing modern information systems
The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of information system resources. One of the biggest challenges faced by auditors is the lack of a standardized approach and relevant checklist. Understanding and Conducting Information Systems Auditing brings together resources with audit tools and techniques to solve this problem.
Featuring examples that are globally applicable and covering all major standards, the book takes a non-technical approach to the subject and presents information systems as a management tool with practical applications. It explains in detail how to conduct information systems audits and provides all the tools and checklists needed to do so. In addition, it also introduces the concept of information security grading, to help readers to implement practical changes and solutions in their organizations.
- Includes everything needed to perform information systems audits
- Organized into two sections—the first designed to help readers develop the understanding necessary for conducting information systems audits and the second providing checklists for audits
- Features examples designed to appeal to a global audience
Taking a non-technical approach that makes it accessible to readers of all backgrounds, Understanding and Conducting Information Systems Auditing is an essential resource for anyone auditing information systems.
composition of the password in terms of numbers and text, a compulsory change of password after a specific duration, and so forth. d. Restricting connection time of users, depending on the nature of work performed, whereby the chance of leaving a logged-in system unattended is reduced. For example, in bank ATMs, after a specific time the user is requested either to log in again or to
strategy for reduction of adverse impacts on long-term sustainability, if any, including those on future sales or industry perception that may gradually convert themselves into financial loss. Some events may have a limited short-term adverse impact, but repetition of such events may seriously compromise long-term sustainability of the business. 7. Determination of level of tolerance defined in terms of maximum, acceptable, and permissible extent of service outage or corresponding financial loss.
reconcilement procedure covering all transactional capabilities of the e-commerce system. 2. Determine the scope and performance of reconciliation activity for incomplete transactions or for transactions where complete information is not available. 3. Confirm that adequate safeguards are in place to detect, prevent, and notify duplicate transactions. This control assumes criticality in cases of hotel or airline reservations where the customer may be warned of an earlier purchase of a similar
AN INFORMATION SYSTEMS AUDIT 1
- Chapter 1: Overview of Systems Audit 3
  - Information Systems Audit
  - Information Systems Auditor
  - Legal Requirements of an Information Systems Audit
  - Systems Environment and Information Systems Audit
  - Information System Assets
  - Classification of Controls
  - The Impact of Computers on Information
  - The Impact of Computers on Auditing
  - Information Systems Audit Coverage
- Chapter 2: Hardware Security Issues 17
  - Hardware Security Objective
  - Peripheral Devices and Storage Media
evidence. Thus, unless necessary, use of uncommon tools and techniques should be avoided. This does not mean that new tools and techniques will not be used. But in case these are used, the cyberforensics expert may be required to establish the credibility of the tools and techniques before defending the quality of the evidence. 8. Technical capability of the analyst: The cyberforensics experts may be required to prove their technical competence, which may come from professional qualifications,