Information Security Audit Analysis


Introduction:-
Today, organizations facing a wide range of potential threats to their information security (IS) are increasingly interested in a high level of security for it. One of the best ways to estimate, achieve and maintain the security of information is information security auditing. Auditing is a complex, multi-step process involving highly qualified IS experts, which makes it quite expensive. There are many types of audit, including compliance audits against particular security standards (e.g. ISO 27K). Generally, an information security audit is conducted in the following steps:
1. Scoping and pre-audit survey: finding the main area of focus; establishing audit objectives.
2. Planning and preparation: usually an audit plan/checklist is made.

The knowledge in expert systems, commonly represented in the form of IF-THEN rules, may be either human expertise or knowledge that is generally available from written sources. We think that in the IS field, along with human knowledge, the recommendations of security standards (ISO/IEC, COBIT and ITIL in particular) can also serve as a source of expertise and may be translated into rules. Some advantages of using expert systems, particularly in the IS field, are:
• Reduced cost. Development of an expert system is relatively inexpensive. Taking into consideration the opportunity for repeated use by multiple organizations, the cost of the service per client is greatly lowered.
• Increased availability. Expert knowledge becomes available on any suitable device at any time of day. Web-based expert systems make it possible to access expertise from any Internet-connected device.
• Multiple expertise. Using knowledge from multiple sources increases the total level of expertise of the system. In the case of IS, a combination of several security standards' recommendations and the knowledge of several independent specialists could be …

"Figure 1" shows the overall structure of the considered expert system, which consists of five parts: the database, an interface for experts, an interface for risk managers, an interface for analysts and an interface for information security officers. We start with the description of the database. It contains questions, the list of users, answers, question weights, risk levels, recommendations, analysis results and tools. It is the main component of the expert system, as every other component interacts with it directly. The top of the figure is the interface for the target company; its employees are divided into categories. The interface for information security experts/professionals is shown in the second part. Experts pass an authorization phase, after which they define the ranges for questions as a set of linguistic variables such as LOW, MEDIUM and HIGH, each corresponding to a set of numeric values. The third part presents the interface for risk managers. It is the same as for experts: authorization, then evaluation of the risk level for each question. The fourth part shows the interface for analysts: authorization and their own interface, in which analysts can run different calculations on the results and obtain output. The interface for providing recommendations based on these outputs, used by the Information Security Officer, is shown in the sixth
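To make the data model and rule flow above concrete, here is an added example in Python; it is not the essay's own system nor code from any product it mentions. It models the database content the text lists (questions, weights, risk levels, recommendations), the experts' mapping of LOW/MEDIUM/HIGH onto numeric intervals, a scoring step standing in for the analysts' calculations, and IF-THEN rules that produce recommendations, which also illustrates the earlier paragraph on translating standards' recommendations into rules. All question texts, weights, risk levels, interval boundaries and rule texts are assumed for illustration and are not taken from any standard.

```python
"""Rule-based scoring core for a questionnaire-driven IS audit expert system.

Added example, not code from the essay. Every value below (question texts,
weights, risk levels, the intervals behind LOW/MEDIUM/HIGH, the IF-THEN rules)
is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: float      # importance, set through the expert interface (assumed)
    risk_level: int    # 1 (low) .. 3 (high), set through the risk-manager interface


# Expert-defined mapping of linguistic labels to half-open numeric intervals
# on a 0..1 scale (constructed values).
LINGUISTIC_RANGES = {
    "LOW": (0.0, 0.4),
    "MEDIUM": (0.4, 0.7),
    "HIGH": (0.7, 1.0),
}

# The "Database" component: questions with weights and risk levels (constructed).
QUESTIONS = [
    Question("Q1", "Is there an approved information security policy?", 3.0, 3),
    Question("Q2", "Are user access rights reviewed at least annually?", 2.0, 2),
    Question("Q3", "Are backups tested for successful restoration?", 2.0, 3),
    Question("Q4", "Is security awareness training delivered to staff?", 1.0, 1),
]


def to_linguistic(score: float) -> str:
    """Translate a numeric 0..1 score into the experts' linguistic variable."""
    for label, (low, high) in LINGUISTIC_RANGES.items():
        if low <= score < high:
            return label
    return "HIGH" if score >= 1.0 else "LOW"   # exactly 1.0 belongs to the top band


def weighted_score(answers: dict) -> float:
    """Weighted fraction of controls evidenced; unanswered questions count as 0."""
    for qid, value in answers.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"answer for {qid} must lie in [0, 1], got {value}")
    total = sum(q.weight for q in QUESTIONS)
    return sum(q.weight * answers.get(q.qid, 0.0) for q in QUESTIONS) / total


def risk_exposure(answers: dict) -> float:
    """Fraction of risk-weighted importance left uncovered by the answers."""
    total = sum(q.weight * q.risk_level for q in QUESTIONS)
    uncovered = sum(q.weight * q.risk_level * (1.0 - answers.get(q.qid, 0.0))
                    for q in QUESTIONS)
    return uncovered / total


def failed_high_risk(answers: dict, threshold: float = 0.5) -> list:
    """IDs of risk-level-3 questions whose answer falls below the threshold."""
    return [q.qid for q in QUESTIONS
            if q.risk_level == 3 and answers.get(q.qid, 0.0) < threshold]


# IF-THEN rules: (readable condition, predicate over the fact dict, recommendation).
RULES = [
    ("IF maturity IS LOW",
     lambda f: f["maturity"] == "LOW",
     "Establish a baseline ISMS: approve a policy and assign control owners."),
    ("IF any high-risk control failed",
     lambda f: bool(f["failed_high_risk"]),
     "Remediate failed high-risk controls before the next audit cycle."),
    ("IF exposure IS HIGH",
     lambda f: f["exposure"] == "HIGH",
     "Escalate residual risk to management for a formal treatment decision."),
    ("IF maturity IS HIGH AND no high-risk control failed",
     lambda f: f["maturity"] == "HIGH" and not f["failed_high_risk"],
     "Maintain the current control set; schedule a periodic review."),
]


def evaluate(answers: dict) -> dict:
    """Analytics step plus recommendation rules for one respondent's answers."""
    score = weighted_score(answers)
    facts = {
        "score": score,
        "maturity": to_linguistic(score),
        "exposure": to_linguistic(risk_exposure(answers)),
        "failed_high_risk": failed_high_risk(answers),
    }
    fired = [(name, rec) for name, cond, rec in RULES if cond(facts)]
    facts["fired_rules"] = [name for name, _ in fired]
    facts["recommendations"] = [rec for _, rec in fired]
    return facts


if __name__ == "__main__":
    # Constructed answers: policy in place, partial access review, untested backups.
    sample = {"Q1": 1.0, "Q2": 0.5, "Q3": 0.0, "Q4": 1.0}
    result = evaluate(sample)
    print(f"score={result['score']:.3f} maturity={result['maturity']} "
          f"exposure={result['exposure']} failed={result['failed_high_risk']}")
    for rec in result["recommendations"]:
        print(" -", rec)
```

Two design points worth noting: the linguistic intervals live in one table that the expert interface would edit, so the analysts' calculations never hard-code the cut-offs; and the rules read the same fact dictionary the analytics step produced, which is what lets a standard's recommendation be added as one more IF-THEN entry without touching the scoring code.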
