IT Security Audit: June 2019
Micky Barzilay
London Metropolitan University
All content following this page was uploaded by Micky Barzilay on 25 June 2019.
The research measured IT managers' and employees' awareness of cybercrime risks, measured their familiarity with IT security audit standards and guidelines, and measured the impact of IT security audit on an organization's growth. The study used a company as a case study, evaluated the company's current IT security audit status and determined the scope for improving its IT security audit policy and procedure.
Quantitative research was carried out to obtain cybercrime data and to gather more comprehensive information about the subject. A statistical analysis of the survey showed that 50% of the participants believed that a security audit has an impact on an organization's IT security, 36% believed it has only a mild impact, while 14% believed that it has no impact even though it is important.
This study clearly showed that an IT security audit is critical for the development of any organization that uses IT.
1. INTRODUCTION
Cybercrime is a threat facing every organization, and there is growing concern about how to counter it. Each day, cybercrime hits organizations' information systems and causes them trauma, significant financial loss and reputational damage.
There is no room for complacency. Cybercrime can strike your business's information system at any time, and no organization wants to see its data breached; yet more than 43% of businesses in the UK experienced a cyber-security breach or attack in the last 12 months (Cyber Security Breaches Survey 2018).
Some literature states that information security auditing is a vital step in protecting an organization's information system against cybercrime, fraud and data breaches, and that it should be carried out regularly as a systematic examination of adherence by an independent expert in order to discover weaknesses in the organization's IT (Pompon, 2016, p.3). But does an IT security audit really help the organization to improve its information security and mitigate potential cybersecurity risks?
This research report will present the path and the procedure used to achieve a successful IT security audit and will examine whether the procedure helps to improve IT security. To achieve this goal, I will study the current auditing procedure for the Linux systems of the telecom business that I work for. Then I will develop an IT audit programme for those systems according to industry standards and guidelines, and finally implement the audit programme and issue an audit report that includes the findings and the follow-up actions that should be taken to mitigate potential information security risks.
IT auditing requires significant resources, including time and money. However, the cost of cybercrime, fraud or a data breach can be very high indeed, so it pays to prevent it.
“Worldwide spending on information security products and services will reach more than
$114 billion in 2018, an increase of 12.4 percent from last year, according to the latest
forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124
billion.”
The main aim of this study is to present the importance of IT security audit and to examine the benefits of the IT security auditing process as an important tool in improving an organization's information security.
Furthermore, the research investigates the organization's awareness of cybercrime risks, how well it applies international security standards and guidelines, and whether it performs IT security audits regularly. An Israeli telecoms company is presented as an example to examine the implementation of an IT security audit.
Table 1 lists the research objectives.
Table 1 Research objectives

Type         Objective / Question
Descriptive  To measure the awareness of IT managers and employees of cybercrime risks.
Descriptive  To measure the familiarity of IT managers and employees with IT security audit standards and guidelines.
Descriptive  To measure the assessment of IT managers and employees of the argument that the security audit procedure has an impact on the improvement of the organization's IT security.
Evaluative   To evaluate the present IT security auditing status of a company.
2. LITERATURE REVIEW
The explosive growth of the digital and interconnected world in the last decade has created huge opportunities and tremendous benefits for users, companies and organizations around the globe, and is promoting globalization. The exponential and dramatic increase in data traffic will reach 150,700 GB per second in 2022, more than triple the 2017 figure (Cisco white paper, 2018, p.5).
Gupta (2015) carried out research on information system audit in Nepal and found that cyber-attacks are on the rise. The research surveyed 108 respondents, 30% of whom had experienced a cyber-attack in 2014. Furthermore, Gupta found that only 55% of the respondents follow IT security standards and guidelines.
Information security is therefore crucial: an organization's data and information systems are its assets. That is why the Board of Directors has overall responsibility for an organization's risk management and internal control systems, and should ensure that the organization's information systems and data are secure and confidential and that their integrity is not compromised (The UK FRC, 2016, p.7).
One of the activities that enables a company to prevent and detect data breaches, fraud and cybercrime is a regular and systematic IT auditing process, which is a critical business process (Carlin, Frederick, 2017, p.87).
An organization's policy should be based on international industry standards, guidelines and best practices, for example ISO/IEC 27001, NIST and SOX.
An important part of a quality audit is the audit department. While small organizations choose an external security advisory company to create and implement an audit programme, enterprise businesses establish an internal security audit department to perform the same function. However, in addition to the internal security audit department, third-party auditing by an independent certified external body is required by legal and regulatory requirements, for example a financial SOX (Sarbanes-Oxley Act) audit.
ISO 19011, Guidelines for auditing management systems, section 4 covers the six principles of auditing that apply to auditors: Integrity, Fair Presentation, Due Professional Care, Confidentiality, Independence and Evidence-based Approach. These principles should help make the audit effective and reliable.
Ethics is tied up with recognizing what is correct versus what is wrong and making the best choice every time. A professional security auditor puts the customers' choices in front of their own. An auditor is relied upon to respect the law in addition to complying with the principles of their profession.
The ethical and professional principles expected from the auditor can also be found in the ISO and NIST standards for information management and security. The IIA (Institute of Internal Auditors) published a code of ethics for auditors which includes four fundamental attributes: Integrity, Objectivity, Confidentiality and Competency. The auditors' integrity creates confidence and thus provides the basis for their judgment. Auditors should perform in a professional way, apply the knowledge, qualifications and skills required with diligence and in accordance with the standards, respect the value and ownership of the information they receive, and keep that information safe.
ISACA (Information Systems Audit and Control Association) grouped the audit process into
three major phases: planning, fieldwork and reporting as shown in Figure 1.
Planning and executing audits vary from one organization to another. Each phase in the model
shown in Figure 1 can be divided into small steps to suit the circumstances of specific audits.
An important component of the audit planning phase is to develop an audit programme. ISO 19011, Guidelines for auditing management systems (2011), p.5, section 5 ("Managing an audit programme"), states:
“An organization needing to conduct audits should establish an audit programme that
contributes to the determination of the effectiveness of the auditee’s management system.
The audit programme can include audits considering one or more management system
standards, conducted either separately or in combination.”
An audit programme is a set of documents that specifies the objectives of the auditing process and the expected audit results, and identifies the risk management process and the risk assessment. Furthermore, the audit programme should contain step-by-step instructions on how to prepare a particular audit, including how to gather the required information, training, employee interviews, reviewing the results of previous audits, and choosing the audit method and tools that will be used. The purpose of the audit programme is to deliver an audit report to
In this phase, the audit activities are conducted by the audit team. The team walks through the audit programme to collect evidence, performs a technology check by accessing the systems, reviewing logs and using tools and scripts, and gathers information to support the audit activities and to analyze the risks.
The conformity and nonconformity of audit evidence, logs, results and observations should be documented, and each finding can be classified. The documentation is crucial for demonstrating the existing audit process to the organization itself and to the regulatory authorities should they require it. In addition, the records will be used to correct the nonconforming objectives and for future reference. The documentation should be kept in electronic format or in an AMS (Audit Management System).
Once the audit team has found conformity and nonconformity issues in the area being audited, they should test the results to ensure their accuracy and develop solutions. At that point, they can write a report that includes the audit team's conclusions, opinions, recommendations and improvements to mitigate the potential risks.
The report is the "product" of the audit process by which the audit team conveys its findings to the organization's management.
The NIST Guide to Auditing for Controls and Security states:
“Problems identified in the previous audit steps should result in audit recommendations,
assuming the variance identified is significant. The auditor should be able to identify the
potential impact of the variance prior to issuing an audit report recommending corrective
action. The audit report should be released prior to management's decision on whether or
The core of the report is a list of issues and of the actions that need to be taken as audit follow-up to correct, prevent or improve the weaknesses in the audited area.
It is imperative to understand that the goal of the audit is to improve the controls in the environment, not to generate an audit report to prove the auditors' work. Therefore, if the IT team(s) resolved issues during the audit, the audit team has achieved its goal.
It is important to note that there are several audit frameworks and methodologies for performing an audit. However, it is essential to ensure, at the beginning of each audit, that the auditors, both internal and external, have a deep understanding of the business they are reviewing and are familiar with the organization's information systems. The auditors have the responsibility to build an audit programme, execute it and issue a results report that describes the accurate status of the IT systems being audited.
3. RESEARCH METHODOLOGY
In his book, Jackson (2010) states that auditing is one of the most important phases in protecting information systems against their vulnerabilities. This research examines the need for an IT security audit as an effective process for improving an organization's information security.
The research drew on existing cybercrime surveys and reports, published research papers, journals, and international standards and guidelines such as NIST, ISO and ISACA, along with a systematic search of online resources. Furthermore, the research also used papers published on IEEE Xplore and the online library of London Metropolitan University.
Quantitative research was conducted to collect statistical data, such as cybercrime statistics, which supported the research in obtaining a more comprehensive picture of the subject. The quantitative research involved gathering information from surveys and reports published in recent years by, for example, Ernst & Young and the UK Department for Digital, Culture, Media & Sport.
The IEEE Xplore online library was a great source for secondary research, offering access to a very large number of published research papers, journal articles and case studies related to IT security auditing, which supported the argument that IT security auditing is a critical process for improving the security of business information systems and protecting them against cybercrime, fraud and data leaks.
A survey was carried out using a multiple-choice questionnaire on the Google Forms platform, which was sent to 50 IT managers and IT employees, including team leaders, IT consultants, developers, System Administrators and Security Administrators, to study the following:
The feedback provided better insight into the importance of the IT security auditing procedure in protecting the organization's information system. The results of the survey are presented and discussed in section 4.
Forty-three Israeli IT managers and IT employees responded to the IT Security Audit survey, which was carried out in March 2019 as part of this research. The survey showed that 50% of the participants agreed with the argument that the security audit procedure has an impact on the improvement of the organization's IT security, while 36% of the participants believed an IT audit could yield some improvement. The remaining 14% agreed that an IT security audit is important but has no impact on the improvement of information security. Figure 2 further explains this.
Moreover, the survey results show that 100% of the participants are aware of cybercrime risks. 21% of the respondents have deep knowledge of cybersecurity and personally engage in the subject. 28% of the respondents also have deep knowledge of the topic but do not engage in cybersecurity. The distribution of participants based on their responses is shown in Figure 3.
The research examined the familiarity of IT managers and employees with IT security audit standards and guidelines, and the implementation of those within the organization. 57% claimed they are very familiar with them and that their organizations follow those standards and guidelines. 28% of the participants are not familiar with the audit standards and guidelines. 7% claimed they are familiar with the audit standards and guidelines but that their organization does not follow them. The distribution of participants is shown in Figure 4.
Based on the research results, it can be concluded that an IT security audit is an important process with a significant impact, and that it should be carried out regularly to improve the security of the organization's information system, keeping the business's data Confidentiality, Integrity and Availability.
The company I examined is one of the major telecoms businesses in Israel. The company runs hundreds of systems in its business and information technology departments in one main Data Center, in addition to a DR (Disaster Recovery) Data Center.
The company's IT department supports systems that operate from the northern to the southern regions of Israel, serving its 3,000 employees and its more than a million customers.
Because the company is public and holds personal and sensitive customer information, Israeli laws and regulations require strong security policies to be implemented on the company's database systems and billing system. In addition, the regulations require regular security auditing of the financial systems according to the SOX (Sarbanes-Oxley Act) standards, to investigate fraud attempts and to prevent them.
I discovered that a strong security policy and audit procedure, together with automatic and manual security and audit tools, already exist for the business applications, for example the SAP and Oracle database systems, which run on top of the Linux operating system. Moreover, the company uses the IBM Guardium system to log and protect the Oracle, Microsoft SQL and additional database systems, and the Xpandion ProfileTailor GRC system, which automatically audits access and activities in the SAP systems.
On the other hand, it is shocking that there is currently only minimal reference to the security, policy and audit of the Linux operating system servers themselves. This amounts to blocking remote access to those servers from outside the organization using the company's external firewall, and rarely reviewing the system logs.
Obviously, this status is unacceptable and must be changed and improved. Such improvement will mitigate and control the potential security risks, unauthorized access and fraud.
The organization is running critical business missions, in production environment, on those Linux
servers. That is exactly why Linux servers security auditing is crucial to mitigate potential
cybersecurity risks and ensure that the assets, and data, are protected. They must remain
confidential and their integrity must be maintained.
Once I discovered that no audit programme existed for the Linux systems, the mission was to develop an audit programme for those systems, after which I implemented the audit and issued an audit report based on the audit's findings.
ISACA guides such as "Information Systems Auditing: Tools and Techniques, Creating Audit Programs", along with ISO and NIST standards and guides and additional Linux system auditing guides that I found on the Internet, were a tremendous source for developing and implementing a comprehensive IT audit of Linux systems as a practical case study. Moreover, several tools were examined and used during the implementation of the IT auditing case study, to name a few: OpenSCAP, Nessus and the Linux Audit system.
The report was an assessment summary of a Linux systems audit that the researcher carried out in March 2019. During the audit, the researcher reviewed the baseline Linux security configuration standards to ensure that the systems were adequately managed, secured and controlled. Strong areas were identified during the audit, for example the backup and restore policy, in addition to recommendations to immediately improve the weak areas and objectives found under this review, for example the Disable SSH Root Login option in the Linux systems, to mitigate the potential risks from cybercrime, attacks, fraud or data breaches.
The following SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis summarizes the audit's findings in an effective matrix form.
The audit was the first comprehensive Linux systems security audit carried out at the company, and it will help the IT department to improve security in that area.
The audit programme provided was adopted by the Information Security department and will be improved in the future. This first audit of a specific area will serve as a security benchmark for future reviews.
6. ANALYSIS OF FINDINGS
The results indicated that forty-three IT managers and employees took part in the survey that was carried out regarding IT security audit. From the survey, it was apparent that 50% of the participants agreed with the argument that the security audit procedure has an impact on the improvement of the organization's IT security, while 36% of the participants believed an IT audit could yield some improvement. The remaining 14% agreed that an IT security audit is important but has no impact on the improvement of information security.
Moreover, the survey results show that 100% of the participants are aware of cybercrime risks. 21% of the respondents have deep knowledge of cybersecurity and personally engage in the subject. 28% of the respondents also have deep knowledge of the topic but do not engage in cybersecurity.
The research examined the familiarity of IT managers and employees with IT security audit standards and guidelines, and the implementation of those within the organization. 57% claimed they are very familiar with them and that their organizations follow those standards and guidelines. 28% of the participants are not familiar with the audit standards and guidelines. 7% claimed they are familiar with the audit standards and guidelines but that their organization does not follow them.
1. It measured the awareness of the IT managers and employees of the risks of cybercrime. The research identified that some members of the company in the case study were aware of the risk of cybercrime.
2. Further, the research measured the familiarity of the IT managers with audit standards and guidelines for IT security.
3. The research also identified that the IT security audit procedure has a great impact on the improvement of an organization's IT security. This answers the question of assessing the argument among IT managers and employees that an IT security audit has an impact on the improvement of IT security.
4. The research also evaluated the audit status of the company, which in this case was an Israeli telecoms company.
7. CONCLUSION
This research has focused on the importance of IT security audits as the major process in
organizations that helps to improve the information security and protect the business’s data against
cybercrime, fraud or data breaches.
A case study of an Israeli telecoms company found that while there are a number of generally followed procedures for different tasks, there is no formal security policy with specific configuration and guidelines for the Linux systems. The policy depends on the System Administrators' knowledge and may not be optimal, leaving servers vulnerable to cybercrime risks, attacks and fraud. Numerous security objectives were resolved by the Linux team members during the audit process to improve access control and reduce the vulnerability of the systems.
From this research, it can be concluded that IT security audit is a crucial activity that every IT
organization must make provision for and carry out from time to time.
Pompon R., (2016). IT Security Risk Control Management: An Audit Preparation Plan, Apress.
Cyber Security Breaches Survey 2018, The UK Department for Digital, Culture, Media and Sport.
Cisco public white paper, (2018). Cisco Visual Networking Index: Forecast and Trends, 2017–2022.
Joshi H., (2017). Security and Privacy in the Digital World, Deloitte.
Gupta A., (2015). Information System Audit: A Study for Security and Challenges in Nepal.
The United Kingdom Financial Reporting Council, (2016). Guidance on Audit Committees.
Carlin A., Gallegos F., (2017). IT Audit: A Critical Business Process, California State Polytechnic University, Pomona.
Popescu G., Popescu A., Popescu C.R., (2008). Conducting an Information Security Audit, IT Information Technology Manager No. 7.
International Standard, ISO/IEC 17021 2nd ed., (2011). Conformity assessment - Requirements for bodies providing audit and certification of management systems.
International Standard, ISO/IEC 19011 2nd ed., (2011). Guidelines for auditing management systems.
ISACA, (2016). Information Systems Auditing: Tools and Techniques, Creating Audit Programs.
Moore S., Keen E., (2018). Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019, Gartner, viewed 01 April 2019, <https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019>.