Week  Milestones

1     Understanding the IS audit process and finalizing the process to be followed
2     Plan the audit: scope of the audit, system boundaries and deliverables of the audit
3     Identify the assets of the lab
4     Performing the audit
5     Performing the audit
6     Preparation of report
7     Review and submission of report
of the audit

Physical and environmental review
    This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

System administration review
    This includes security review of the operating systems, database management systems, all system administration procedures and compliance.

Application software review
    The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.

Network security review
    Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

Business continuity review
    This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.

Data integrity review
    The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).
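The data integrity review above relies on substantive testing of live records with a generalized audit tool. The following script is an added example, not part of the audit plan, showing the kind of tests such a tool runs: uniqueness of document keys, arithmetic accuracy of stored totals, positive-amount validation, segregation of duties between creator and approver, and period cut-off. The invoice records, user names and audit period are constructed sample data.

```python
"""Substantive data-integrity tests of the kind a CAAT runs over live
transaction data.  Added example; invoices, users and the audit period
are constructed sample data, not taken from any real system."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Invoice:
    invoice_id: str
    customer: str
    created_by: str        # user who keyed the invoice
    approved_by: str       # user who approved it
    issued: date
    line_amounts: List[float]
    recorded_total: float  # total as stored in the ledger


# Constructed audit period (assumption: first quarter of 2024).
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 3, 31)

# Constructed sample extract; each defect is deliberately planted.
SAMPLE_INVOICES = [
    Invoice("INV-1001", "ACME", "alice", "bob", date(2024, 1, 15), [100.0, 50.0], 150.0),
    Invoice("INV-1002", "ACME", "alice", "alice", date(2024, 2, 2), [200.0], 200.0),     # self-approved
    Invoice("INV-1003", "Globex", "carol", "bob", date(2024, 2, 10), [80.0, 20.0], 110.0),  # total mismatch
    Invoice("INV-1003", "Globex", "carol", "bob", date(2024, 2, 11), [30.0], 30.0),      # duplicate key
    Invoice("INV-1004", "Initech", "dave", "bob", date(2023, 12, 30), [40.0], 40.0),     # outside period
    Invoice("INV-1005", "Initech", "dave", "bob", date(2024, 3, 5), [-10.0], -10.0),     # negative amount
]


def find_exceptions(invoices: List[Invoice], start: date = PERIOD_START,
                    end: date = PERIOD_END) -> List[Tuple[str, str, str]]:
    """Return one record per control failure: (invoice_id, test, detail)."""
    exceptions = []
    seen: Dict[str, int] = {}
    for inv in invoices:
        # Uniqueness: a duplicate key defeats the document sequence control.
        seen[inv.invoice_id] = seen.get(inv.invoice_id, 0) + 1
        if seen[inv.invoice_id] > 1:
            exceptions.append((inv.invoice_id, "duplicate_id",
                               f"seen {seen[inv.invoice_id]} times"))
        # Arithmetic accuracy: stored total must equal the sum of its lines.
        computed = round(sum(inv.line_amounts), 2)
        if computed != round(inv.recorded_total, 2):
            exceptions.append((inv.invoice_id, "total_mismatch",
                               f"lines sum to {computed}, recorded {inv.recorded_total}"))
        # Input validation: every line amount must be positive.
        if any(amount <= 0 for amount in inv.line_amounts):
            exceptions.append((inv.invoice_id, "non_positive_amount", str(inv.line_amounts)))
        # Segregation of duties: the creator may not approve their own invoice.
        if inv.created_by == inv.approved_by:
            exceptions.append((inv.invoice_id, "self_approval", inv.created_by))
        # Cut-off: the transaction must fall inside the audit period.
        if not (start <= inv.issued <= end):
            exceptions.append((inv.invoice_id, "outside_period", inv.issued.isoformat()))
    return exceptions


def summarize(exceptions: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count failures per test; this is the figure an audit report tabulates."""
    counts: Dict[str, int] = {}
    for _, test, _ in exceptions:
        counts[test] = counts.get(test, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_exceptions(SAMPLE_INVOICES)
    for inv_id, test, detail in found:
        print(f"{inv_id:<9} {test:<20} {detail}")
    print(summarize(found))
```

Each exception carries enough detail to trace back to the source record, which is what lets the reviewer judge the impact of a weakness rather than merely count occurrences.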
Area / Description / Deliverables

1. Vulnerability Scanning
   Description: This involves scanning the infrastructure set up to reveal any existing vulnerabilities.
   Deliverables: Vulnerability Report: Presents vulnerabilities in the company’s IS setup.

2. Report Audit
   Description: This involves auditing reports that are regularly generated as a part of the Security management process of the organisation. Audits are conducted on: Logs – logs that are maintained within the system (syslogs) by the network, system and database components. IDS Reports – reports that are generated by the Intrusion Detection System on an on-going basis. Any other reports that are maintained/generated by the organisation as part of its security maintenance program.
   Deliverables: Audit Report: An Audit report is prepared giving a security overview, and the results of all the audits and reports are prepared and presented.

3. Security Architecture Audit
   Description: This involves auditing the existing security architecture of the organisation.
   Deliverables: Security Architecture Audit Report

4. Baseline Auditing
   Description: This involves auditing the system setup to verify that it is in accordance with the security baseline of the organisation. Deviations are recorded to analyse compliance during the audit period.
   Deliverables: Baseline Auditing Report

5. Internal Control and Workflow Audit
   Description: This involves auditing existing workflow in the organisation to ascertain whether it is sufficient to handle and escalate response to security issues.
   Deliverables: Internal Control and Workflow Audit Report

6. Policy Audit
   Description: The Security policy is audited to ensure that it is in line with the business objectives of the organisation and complies with standards that the company follows or wishes to follow.
   Deliverables: Policy Audit Report

7. Threat/Risk Assessment
   Description: Assessment of the various risks and threats facing the company’s Information systems. Taking into account the results of the audits, this assessment gives an overall picture of the security risk/threat to the organisation.
   Deliverables: Threat/Risk Assessment Report: Presents the various threats and risks the company faces as a result of the existing vulnerabilities including faulty policy, architecture, etc.
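Baseline auditing (item 4 above) is the comparison of a host's actual settings against the organisation's security baseline, with every deviation recorded for the report. The script below is an added example, not part of the audit plan: the baseline rules, the host snapshot and the host name are constructed, and the comparison operators are an assumed rule format. It treats a setting that was not collected as a finding in its own right, since a control that cannot be verified cannot be reported as compliant.

```python
"""Baseline audit: compare a host's collected settings with the security
baseline and record each deviation.  Added example; the baseline, the
snapshot and the host name are constructed, not from any real system."""
from datetime import datetime, timezone
import operator
from typing import Any, Dict, List, Optional

# Baseline rule format (assumption): setting -> (comparison, expected, severity).
BASELINE: Dict[str, tuple] = {
    "sshd.PermitRootLogin":        ("eq", "no", "high"),
    "sshd.PasswordAuthentication": ("eq", "no", "high"),
    "sshd.Protocol":               ("eq", 2, "high"),
    "login.PASS_MAX_DAYS":         ("le", 90, "medium"),
    "login.PASS_MIN_LEN":          ("ge", 12, "medium"),
    "audit.enabled":               ("eq", True, "high"),
    "ntp.servers":                 ("subset_of", {"ntp1.corp.example", "ntp2.corp.example"}, "low"),
    "packages.telnet-server":      ("eq", "absent", "medium"),
}

# How each comparison keyword is evaluated: actual vs. expected.
COMPARATORS = {
    "eq": operator.eq,
    "le": operator.le,
    "ge": operator.ge,
    "subset_of": lambda actual, expected: set(actual) <= set(expected),
}

# Constructed snapshot of one host's configuration as collected by the audit.
HOST_SNAPSHOT: Dict[str, Any] = {
    "sshd.PermitRootLogin": "yes",              # deviates
    "sshd.PasswordAuthentication": "no",
    "sshd.Protocol": 2,
    "login.PASS_MAX_DAYS": 365,                 # deviates
    "login.PASS_MIN_LEN": 12,
    "audit.enabled": True,
    "ntp.servers": ["ntp1.corp.example", "pool.ntp.org"],  # deviates: unapproved server
    # "packages.telnet-server" was not collected -> cannot be verified
}


def audit_host(hostname: str, snapshot: Dict[str, Any], baseline: Dict[str, tuple] = BASELINE,
               now: Optional[datetime] = None) -> List[Dict[str, Any]]:
    """Return one record per baseline rule the host fails or that could not be checked."""
    now = now or datetime.now(timezone.utc)
    deviations = []
    for setting, (cmp_name, expected, severity) in baseline.items():
        record = {"host": hostname, "setting": setting, "expected": expected,
                  "severity": severity, "recorded_at": now.isoformat()}
        if setting not in snapshot:
            # Not collected: the control is unverified, which the report must show.
            deviations.append({**record, "actual": None, "status": "not_collected"})
            continue
        actual = snapshot[setting]
        if not COMPARATORS[cmp_name](actual, expected):
            deviations.append({**record, "actual": actual, "status": "deviation"})
    return deviations


def compliance_ratio(deviations: List[Dict[str, Any]], baseline: Dict[str, tuple] = BASELINE) -> float:
    """Fraction of baseline rules passed; the headline figure of the baseline report."""
    return 1 - len(deviations) / len(baseline)


def by_severity(deviations: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count findings per severity so the report can prioritise remediation."""
    counts: Dict[str, int] = {}
    for record in deviations:
        counts[record["severity"]] = counts.get(record["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit_host("lab-server-01", HOST_SNAPSHOT)
    for f in findings:
        print(f"{f['host']} {f['setting']:<30} {f['status']:<14} "
              f"expected={f['expected']!r} actual={f['actual']!r} [{f['severity']}]")
    print("compliance:", compliance_ratio(findings), by_severity(findings))
```

Running the same function against snapshots taken at several points in the audit period gives the time series of deviations the plan asks for; keeping the expected value and severity on every record lets the report state both what was found and how urgent it is.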
