IT Security Audit

Micky Barzilay, London Metropolitan University
Research, June 2019. Available at https://www.researchgate.net/publication/333682624


Table of Contents
ABSTRACT
1. INTRODUCTION
1.1 Research Aims & Objectives
2. LITERATURE REVIEW
2.1 The Importance of IT Security Auditing
2.2 Who Carries Out the Audit?
2.3 Auditor’s Ethical and Professional Principles
2.4 IT Audit Process
2.4.1 Planning Phase
2.4.2 Fieldwork and Documentation
2.4.3 Reporting and Follow-up
3. RESEARCH METHODOLOGY
4. RESULTS AND DISCUSSION
5. CASE STUDY – TELECOMS COMPANY
5.1 Company’s Information Systems Brief
5.2 Present IT Security Audit Status
5.3 Develop & Perform an Audit Programme
5.4 Audit Summary Report
5.5 SWOT Analysis to Evaluate IT Security Audit’s Findings
5.6 Case Study Summary
6. ANALYSIS OF FINDINGS
7. CONCLUSION
8. REFERENCE LIST

Micky Barzilay (May 2019) 2 of 20


ABSTRACT
Cybercrime, fraud and data breaches are serious threats to organizations. A great deal has
already been lost, and companies need strategies to stop these threats early and avert further
losses. This research examined the procedures involved in an IT security audit and how an audit can
improve a company’s IT security.

The research measured the awareness of IT managers and employees of cybercrime risks; measured their
familiarity with IT security audit standards and guidelines; and measured the perceived impact of an IT
security audit on an organization’s growth. The study used a company as a case study, evaluated its
current IT security audit status and determined the scope for improving its IT security audit policy and
procedure.

Quantitative research was carried out to obtain cybercrime data and gather more comprehensive
information about the subject. A statistical analysis of the survey showed that 50% of the
participants believed that a security audit has an impact on an organization’s IT security, 36%
believed it has only a mild impact, and 14% believed that it has no impact even though it is
important.

This study showed that IT security audit is critical for the development of any organization
that uses IT.

1. INTRODUCTION

Cybercrime is a threat facing every organization, and there is growing concern about how to
counter it. Each day, cybercrime hits organizations’ information systems and causes them disruption,
significant financial loss and reputation damage.

There is no room for complacency. Cybercrime can strike a business’s information system at any time,
and no organization wants its data breached; yet 43% of UK businesses experienced a cyber-security
breach or attack in the previous 12 months (Cyber Security Breaches Survey 2018).

Better information system security is crucial to protect an organization’s IT against cybercrime,
fraud and data breaches. It is the duty of every organization to ensure that its data is
secure and confidential and that its integrity is not compromised. The security of an organization depends
on user practices, software and information handling processes. But how would an organization know
what should be protected and how it should be protected? Where should the organization start?

IT security auditing is where it all begins.

Some literature states that information security auditing is a vital step in protecting an
organization’s information system against cybercrime, fraud and data breaches, and that it should be carried
out regularly as a systematic examination of adherence by an independent expert, to discover weaknesses
in the organization’s IT (Pompon, 2016, p.3). But does an IT security audit really help the
organization to improve its information security and mitigate potential cybersecurity risks?

This research report presents the path and procedure used to achieve a successful IT security
audit and examines whether the procedure helps to improve IT security. To achieve this goal,
I study the current auditing procedure for the Linux systems of the telecoms business I work for.
I then develop an IT audit programme for those systems according to industry standards and
guidelines, implement the audit programme, and issue an audit report that includes the findings and the
follow-up actions to be taken in order to mitigate potential information security risks.

IT auditing requires significant resources, including time and money. However, the cost of
cybercrime, fraud or a data breach can be very high indeed, so it pays to prevent it.

In a Gartner press release, Moore and Keen (2018) stated that:

“Worldwide spending on information security products and services will reach more than
$114 billion in 2018, an increase of 12.4 percent from last year, according to the latest
forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124
billion.”



1.1 Research Aims & Objectives

The main aim of this study is to present the importance of IT security audits and to examine
the benefits of the IT security auditing process as an important tool for improving an organization’s
information security.
Furthermore, the research investigates organizations’ awareness of cybercrime risks, how
well they employ international security standards and guidelines, and whether they perform IT
security audits regularly. An Israeli telecoms company is presented as an example to examine the
implementation of an IT security audit.
Table 1 lists the research’s objectives.

Table 1: Research objectives
Descriptive objectives:
• To measure the awareness of IT managers and employees of cybercrime risks.
• To measure the familiarity of IT managers and employees with IT security audit standards and
guidelines.
• To measure the extent to which IT managers and employees agree with the argument that the security
audit procedure has an impact on the improvement of the organization’s IT security.
Evaluative objectives:
• To evaluate the present IT security auditing status of a company.
• To determine the scope for improving the company’s IT security audit policy and procedure.

2. LITERATURE REVIEW

2.1 The Importance of IT Security Auditing

The explosive growth of the digital and interconnected world in the last decade has
created huge opportunities and tremendous benefits for users, companies and organizations around
the globe, and is promoting globalization. Global data traffic is forecast to reach 150,700 GB per second
in 2022, more than triple the 2017 figure (Cisco white paper, 2018, p.5).



Today, an organization’s value depends largely on the amount and quality of the data it handles.
Information security is about the confidentiality, integrity and availability of information: the CIA
triad. The growth of the digital world creates significant security risks such as cybercrime, fraud and
data breaches. Therefore, the need for information security is greater than at any previous point in the
history of information systems (Joshi, 2017, p.3).

Gupta (2015) carried out research on information system audits in Nepal and found that cyber-attacks
are on the rise. The research surveyed 108 respondents, of whom 30% had experienced a cyber-attack in
2014. Furthermore, Gupta found that only 55% of the respondents followed IT security standards and
guidelines.

Information security is therefore crucial: an organization’s data and information systems are its
assets. That is why the Board of Directors has overall responsibility for an organization’s risk
management and internal control systems, and should ensure that the organization’s information
systems and data are secure and confidential and that their integrity is not compromised (The UK FRC,
2016, p.7).

One of the activities that enables a company to prevent and detect data breaches, fraud and cybercrime
is a regular, systematic IT auditing process, which is a critical business process (Carlin and
Gallegos, 2017, p.87).

Having established that IT auditing is critical, what is an IT security audit?

“A security audit is essentially an assessment of how effectively the organization’s security
policy is being implemented.” (Popescu et al., 2008, p.79)

The organization’s policy should be based on international industry standards, guidelines and best
practices, for example ISO/IEC 27001 and the NIST guidelines, together with any regulatory requirements,
such as SOX, that apply to it.



2.2 Who Carries Out the Audit?

An important part of a quality audit is the audit department. While small organizations
choose an external security advisory company to create and implement an audit programme,
enterprise businesses establish an internal security audit department to perform the same function.
However, in addition to the internal security audit department, third-party auditing by an
independent certified external body is required to satisfy legal and regulatory requirements, for
example, financial SOX (Sarbanes–Oxley Act) auditing.

The ISO (International Organization for Standardization) / IEC (International Electrotechnical
Commission) standard ISO/IEC 17021 outlines the requirements for bodies providing audit and
certification of management systems.

ISO 19011, Guidelines for auditing management systems, section 4 covers the six principles of
auditing: integrity, fair presentation, due professional care, confidentiality, independence and
evidence-based approach. These principles help make the audit effective and reliable.

2.3 Auditor’s Ethical and Professional Principles

Ethics is about recognizing what is right and what is wrong and making the right choice every time.
A professional security auditor puts the customer’s interests before their own. An auditor is expected
to respect the law in addition to complying with the principles of their profession.
The ethical and professional principles expected of an auditor can also be found in the ISO and
NIST standards for information management and security. The IIA (Institute of Internal Auditors)
publishes a code of ethics for auditors which includes four fundamental principles: integrity,
objectivity, confidentiality and competency. The auditors’ integrity creates confidence and thus
provides the basis for their judgment. Auditors should act professionally, apply the knowledge,
qualifications and skills required with diligence and in accordance with the standards, respect the
value and ownership of the information they receive, and keep that information safe.



2.4 IT Audit Process

ISACA (Information Systems Audit and Control Association) groups the audit process into
three major phases: planning, fieldwork and reporting, as shown in Figure 1.

Figure 1: Three major phases of an audit process (Source: ISACA, Information Systems Auditing:
Tools and Techniques, Creating Audit Programs, 2016, p.5)

2.4.1 Planning Phase

Planning and executing audits vary from one organization to another. Each phase in the model
shown in Figure 1 can be divided into smaller steps to suit the circumstances of a specific audit.

An important component of the planning phase is developing an audit programme. ISO 19011,
Guidelines for auditing management systems (2011), p.5, section 5 (“Managing an audit
programme”), states:

“An organization needing to conduct audits should establish an audit programme that
contributes to the determination of the effectiveness of the auditee’s management system.
The audit programme can include audits considering one or more management system
standards, conducted either separately or in combination.”

An audit programme is a set of documents that specifies the objectives of the auditing process and the
expected audit results, and identifies the risk management process and the risk assessment.
Furthermore, the audit programme should contain step-by-step instructions on how to prepare a
particular audit, including how to gather the required information, training, employee
interviews, review of the results of previous audits, and the choice of audit method and tools to be
used. The purpose of the audit programme is to deliver an audit report to the organization’s CEO and
Board of Directors; these audit reports include the audit’s results based on evidence and facts,
together with recommendations and conclusions.
If the planning process is carried out efficiently, the audit team will be set up for success.

2.4.2 Fieldwork and Documentation

In this phase, the audit activities are conducted by the audit team. The audit team works
through the audit programme to collect evidence, performs technical checks by accessing the
systems, reviewing logs and using tools and scripts, and gathers information to support the audit
activities and to analyze the risks.

Conformity and nonconformity of audit evidence, logs, results and observations should be
documented, and each finding can be classified. The documentation is essential as proof of the
audit process, both to the organization itself and to regulators should they require it. In addition,
the records are used to correct the nonconformities and for future reference. The documentation
should be kept in electronic form or in an AMS (Audit Management System).

2.4.3 Reporting and Follow-up

Once the audit team has found conformity and nonconformity issues in the area being audited,
they should verify the results to ensure their accuracy and develop solutions. At that point,
they can write a report that includes the auditors’ conclusions, opinions, recommendations and
improvements to mitigate the potential risks.
The report is the “product” of the audit process, by which the audit team conveys its findings to the
organization’s management.
NIST’s Guide to Auditing for Controls and Security states:

“Problems identified in the previous audit steps should result in audit recommendations,
assuming the variance identified is significant. The auditor should be able to identify the
potential impact of the variance prior to issuing an audit report recommending corrective
action. The audit report should be released prior to management's decision on whether or
not to proceed with the AIS (i.e., sign-off on the System Decision Paper).” (Ruthberg et al.,
1988, SP 500-153, p.88)

The core of the report is a list of issues and the follow-up actions needed to correct, prevent or
improve the weaknesses in the audited area.

It is imperative to understand that the goal of the audit is to improve the controls in the
environment, not to generate an audit report to prove the auditors’ work. Therefore, if the IT
team(s) resolve issues during the audit, the audit team has achieved its goal.

There are several audit frameworks and methodologies for performing an audit. Whichever is used, it
is essential to ensure, at the beginning of each audit, that the auditors, both internal and external,
have a deep understanding of the business they are reviewing and are familiar with the organization’s
information systems. The auditors have the responsibility to build an audit programme, execute it and
issue a report that describes the accurate status of the IT systems being audited.

3. RESEARCH METHODOLOGY

In his book, Jackson (2010) states that auditing is one of the most important phases in protecting
information systems against vulnerabilities. This research examines the need for an IT security audit
as an effective process for improving an organization’s information security.

The research drew on existing cybercrime surveys and reports, published research papers, journals,
and international standards and guidelines such as those of NIST, ISO and ISACA, along with a
systematic search of internet resources. The research also used papers published on IEEE Xplore
and in the online library of London Metropolitan University.

NIST SP 800-53, SP 800-100, SP 800-18 and SP 500-153, in addition to other NIST standards and
guidelines, were reviewed to study and understand the IT security auditing process.
Moreover, these standards and guidelines were used to develop and implement a successful IT
security audit programme in the case study section of this research.
The research also drew on the ISO 19011, ISO/IEC 17021, ISO/IEC 27001 and ISO/IEC 27002 standards
and guidelines for the same purpose.

Quantitative research was conducted to collect statistical data, such as cybercrime statistics, to
obtain a more comprehensive picture of the subject. The quantitative research involved gathering
information from surveys and reports published in recent years by, for example, Ernst & Young and
the UK Department for Digital, Culture, Media & Sport.

The IEEE Xplore online library was a valuable source of secondary research, offering access to a very
large number of published research papers, journal articles and case studies related to IT security
auditing, which supported the argument that IT security auditing is a critical process for improving a
business’s information system security and protecting it against cybercrime, fraud and data leaks.

A survey was carried out using a multiple-choice questionnaire on the Google Forms platform,
which was sent to 50 IT managers and IT employees, including team leaders, IT consultants, developers,
system administrators and security administrators, to study the following:

• Are they aware of the security risks of cybercrime?
• Has their organization experienced cybercrime, fraud or a data breach?
• Do they carry out an IT security audit? Is the audit external or internal?
• How does the audit procedure affect the organization’s IT security?
• Are they familiar with the IT security audit standards and guidelines?

The feedback provided better insight into the importance of the IT security auditing procedure in
protecting an organization’s information system. The results of the survey are presented and
discussed in section 4.



4. RESULTS AND DISCUSSION

Forty-three Israeli IT managers and IT employees responded to the IT Security Audit survey,
which was carried out in March 2019 as part of this research. The survey showed that 50% of the
participants agreed with the argument that the security audit procedure has an impact on the
improvement of the organization’s IT security, while 36% believed an IT audit could yield some
improvement. The remaining 14% agreed that an IT security audit is important but has no impact on the
improvement of information security. Figure 2 illustrates this.
Moreover, the survey results show that 100% of the participants are aware of cybercrime risks.
21% of the respondents have deep knowledge of cybersecurity and personally engage in the
subject; 28% of the respondents also have deep knowledge of the topic but do not engage in
cybersecurity. The distribution of participants by response is shown in Figure 3.
The research examined the familiarity of IT managers and employees with IT security audit
standards and guidelines, and their implementation within the organization. 57% claimed
they are very familiar with them and that their organizations follow those standards and guidelines. 28%
of the participants are not familiar with the audit standards and guidelines. 7% claimed they are
familiar with the audit standards and guidelines but that the organization does not follow them. The
distribution of participants is shown in Figure 4.

Figure 2: The impact of IT audit on the business’s information security improvement

Figure 3: Awareness of cybercrime risks

Figure 4: Familiarity with IT security standards and guidelines

Based on these results, most respondents regard an IT security audit as an important process with a
positive impact, which should be carried out regularly to improve the security of the organization’s
information systems, preserving the confidentiality, integrity and availability of business data.

5. CASE STUDY – TELECOMS COMPANY

5.1 Company’s Information Systems Brief

The company I examined is one of the major telecoms businesses in Israel. The company
runs hundreds of systems in its business and information technology departments in one main data
center, in addition to a DR (Disaster Recovery) data center.

The company’s IT department supports systems operating from the north to the south of Israel,
serving its 3,000 employees and its more than one million customers.

The Information Technology department includes system operators, system and network
administrators, an information security sub-department, database administrators, SAP consultants and
developers, and Java and .NET developers.

5.2 Present IT Security Audit Status

Because the company is public and holds personal and sensitive customer information, Israeli
laws and regulations require strong security policies to be implemented on the company’s database
systems and billing system. In addition, regulation requires regular security audits of the financial
systems according to SOX (Sarbanes–Oxley Act) requirements, to investigate fraud attempts and to
prevent them.

I found that a strong security policy and audit procedure, along with security and audit tools
(automatic and manual), exist for the business applications, for example SAP and the Oracle database
systems, which run on top of the Linux operating system. Moreover, the company uses the IBM Guardium
system to log and protect the Oracle, Microsoft SQL and other database systems, and the Xpandion
ProfileTailor GRC system to automatically audit access and activities in the SAP systems.

On the other hand, there is currently only minimal attention to the security policy and auditing of the
Linux operating system servers themselves. It amounts to blocking remote access to those servers from
outside the organization at the company’s external firewall and occasionally reviewing system logs.
This status is not acceptable and must be changed and improved. Such improvement will
mitigate and control potential security risks, unauthorized access and fraud.

The organization runs critical business workloads in the production environment on those Linux
servers. That is exactly why Linux server security auditing is crucial to mitigate potential
cybersecurity risks and ensure that the assets and data are protected: they must remain
confidential and their integrity must be maintained.



5.3 Develop & Perform an Audit Programme

Once I found that no audit programme existed for the Linux systems, the task was to develop an
audit programme for those systems, implement an audit, and issue an audit report based on the
audit’s findings.

ISACA guides, such as “Information Systems Auditing: Tools and Techniques, Creating Audit
Programs”, together with ISO and NIST standards and guides and additional Linux system auditing
guides found on the Internet, were the sources used to develop and implement a comprehensive IT audit
of Linux systems as a practical case study. Moreover, several tools were examined and used during
the audit, among them OpenSCAP, Nessus and the Linux Audit system (auditd).

5.4 Audit Summary Report

The report was an assessment summary of the Linux systems audit carried out in March 2019. During
the audit, I reviewed the baseline Linux security configuration standards to ensure that the systems
were adequately managed, secured and controlled. Strong areas were identified, for example the backup
and restore policy, in addition to recommendations to immediately improve the weak areas found under
this review, for example disabling the SSH root login option on the Linux systems, to mitigate the
potential risks from cybercrime, attacks, fraud or data breaches.

5.5 SWOT Analysis to Evaluate IT Security Audit’s Findings

The following SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis
summarizes the audit’s findings in a matrix.



STRENGTHS
• Physical security: servers are located in a well-protected data center.
• Backup and recovery: good policies and procedures were found.
• Linux team members: very high technical skills were found.
• 3rd-party auditing tools: IBM Guardium audits the database systems; Xpandion ProfileTailor GRC is in
use to audit the SAP systems.
• System logs: a central logging system, Graylog, was installed and configured.

WEAKNESSES
• SSH protocol: system access through the SSH protocol should be improved.
• Password policy: weak and empty passwords were found. Replace weak and empty passwords, and increase
the password complexity policy.
• Linux Audit system: the “auditd” service was missing from the Linux systems when audited, and should
be installed and running.
• Verify firewall enabled: enable the built-in firewall on the Linux systems and set appropriate rules
to enhance the system security posture.

OPPORTUNITIES
• Policies and guidelines: a comprehensive security policy relating to Linux systems should be developed
according to, for example, the ISO and NIST standards and guidelines.
• Vulnerability and security scanner tool: consider adopting a central security scanner and auditing
tool, for example Nessus Professional.

THREATS
• Use of vulnerabilities: exploitation of the Linux servers by external or internal attack.
• Unauthorized access: possibility of data loss, data breach or fraud.
• Server outage and unavailability of business functionality.
• Systems non-compliant with standards, guidelines and the organization’s policy.
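The fieldwork described in section 2.4.2 (accessing the systems, reviewing configuration and logs with tools and scripts) and the weaknesses listed above (SSH root login, empty and weakly hashed passwords, a missing auditd service, no host firewall) can be checked mechanically. The following Python script is an added example written for this page; it is not part of the original research or of the tooling used at the audited company. It reads a copy of sshd_config, a copy of /etc/shadow and the output of `systemctl list-units --type=service --state=active --plain --no-legend`, all constructed in-line here rather than taken from a real host, and produces findings in the form the summary report of section 5.4 uses (control, status, detail). The function and sample names are assumptions for illustration.

```python
"""Baseline Linux audit checks: SSH root login, shadow password hashes,
auditd and host firewall services.  Added example for this page; the
sample inputs below are constructed, not taken from any audited host."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str
    status: str  # "PASS" or "FAIL"
    detail: str


def check_ssh_root_login(sshd_config: str) -> Finding:
    """Resolve PermitRootLogin the way sshd does: the first occurrence of a
    keyword wins, and anything after the first Match block is conditional,
    so the scan stops there.  Only 'no' passes, per the audit recommendation."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "permitrootlogin":
            status = "PASS" if value == "no" else "FAIL"
            return Finding("SSH root login", status, f"PermitRootLogin {value}")
    return Finding("SSH root login", "FAIL",
                   "PermitRootLogin not set; default depends on OpenSSH version")


def check_shadow_passwords(shadow: str) -> list[Finding]:
    """Second field of /etc/shadow: empty means login without a password;
    a leading '!' or '*' means the account is locked; '$1$' (MD5) or a bare
    13-character DES hash is a weak algorithm compared with $5$/$6$/$y$."""
    findings: list[Finding] = []
    for raw in shadow.splitlines():
        if not raw.strip():
            continue
        user, pw = raw.split(":")[:2]
        if pw == "":
            findings.append(Finding("Password policy", "FAIL", f"{user}: empty password"))
        elif pw[0] in "!*":
            continue  # locked or service account: no password login possible
        elif pw.startswith("$1$") or "$" not in pw:
            findings.append(Finding("Password policy", "FAIL", f"{user}: weak hash algorithm"))
    if not findings:
        findings.append(Finding("Password policy", "PASS", "no empty or weakly hashed passwords"))
    return findings


_FIREWALL_UNITS = {"firewalld.service", "ufw.service", "nftables.service", "iptables.service"}


def check_services(systemctl_output: str) -> list[Finding]:
    """Parse `systemctl list-units --type=service --state=active --plain --no-legend`
    (first column is the unit name) for auditd and a host firewall unit."""
    active = {line.split()[0] for line in systemctl_output.splitlines() if line.strip()}
    auditd = "auditd.service" in active
    firewall = sorted(active & _FIREWALL_UNITS)
    return [
        Finding("Linux Audit System", "PASS" if auditd else "FAIL",
                "auditd.service active" if auditd else "auditd.service not running"),
        Finding("Host firewall", "PASS" if firewall else "FAIL",
                "active: " + ", ".join(firewall) if firewall else "no firewall service active"),
    ]


def audit(sshd_config: str, shadow: str, systemctl_output: str) -> list[Finding]:
    """Run every check and return the findings in a single list."""
    return [check_ssh_root_login(sshd_config),
            *check_shadow_passwords(shadow),
            *check_services(systemctl_output)]


def summary_report(findings: list[Finding]) -> str:
    """Report body in the shape of section 2.4.3: failures first, then passes."""
    ordered = sorted(findings, key=lambda f: f.status != "FAIL")  # stable sort, FAIL first
    return "\n".join(f"[{f.status}] {f.control}: {f.detail}" for f in ordered)


# Constructed sample inputs (hypothetical; not from the audited company).
SAMPLE_SSHD_CONFIG = """\
# Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
oracle::18000:0:99999:7:::
legacy:$1$abc$def:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
admin:!$6$saltsalt$hashhashhash:18000:0:99999:7:::
"""
SAMPLE_SERVICES = """\
sshd.service       loaded active running OpenSSH server daemon
firewalld.service  loaded active running firewalld - dynamic firewall daemon
rsyslog.service    loaded active running System Logging Service
"""

if __name__ == "__main__":
    print(summary_report(audit(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW, SAMPLE_SERVICES)))
```

On a real host the three inputs are collected with root privileges (/etc/shadow is not world-readable) and passed to audit(). The sshd check stops at the first Match block because directives inside it apply only to matching connections, and an unset PermitRootLogin is reported as a failure rather than assumed safe: its default changed from yes to prohibit-password in OpenSSH 7.0, so the effective value depends on the installed version. Only the value no is accepted as a pass, which matches the report’s recommendation to disable SSH root login outright.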



5.6 Case Study Summary

The audit was the first comprehensive Linux systems security audit carried out at the company,
and it will help the IT department to improve security in that area.
The audit programme provided was adopted by the Information Security department and will be
improved in the future. This first audit of a specific area will serve as a security benchmark for
future reviews.

6. ANALYSIS OF FINDINGS

As reported in section 4, forty-three IT managers and employees took part in the survey on IT security
audit. 50% of the participants agreed with the argument that the security audit procedure has an impact
on the improvement of the organization’s IT security, 36% believed an IT audit could yield some
improvement, and the remaining 14% agreed that an IT security audit is important but has no impact on
the improvement of information security. All participants were aware of cybercrime risks, with 21%
having deep knowledge of cybersecurity and personally engaging in the subject and a further 28% having
deep knowledge without engaging in it. On familiarity with IT security audit standards and guidelines,
57% claimed to be very familiar with them and that their organizations follow them, 28% were not
familiar with them, and 7% were familiar with them but said their organization does not follow them.



Therefore, the research addressed its aims and objectives as follows:

1. It measured the awareness of IT managers and employees of the risks of cybercrime. The
research identified that some members of the company in the case study were aware of the
risk of cybercrime.
2. Further, the research measured the familiarity of IT managers with audit standards and
guidelines for IT security.
3. The research also identified that the IT security audit procedure has a great impact on the
improvement of an organization’s IT security. This answers the question of assessing
the argument among IT managers and employees that an IT security audit has an impact on
the improvement of IT security.
4. The research also evaluated the audit status of the company, which in our case was an Israeli
telecoms company.

7. CONCLUSION

This research has focused on the importance of IT security audits as the major process in
organizations that helps to improve information security and protect business data against
cybercrime, fraud and data breaches.

A case study of an Israeli telecoms company found that while there are a number of generally
followed procedures for different tasks, there is no formal security policy with specific
configuration standards and guidelines for Linux systems. The configuration depends on the system
administrators’ knowledge and may not be optimal, leaving servers exposed to cybercrime, attacks and
fraud. Numerous security issues were resolved by the Linux team members during the audit
process, improving access control and reducing the vulnerability of the systems.

From this research, it can be concluded that an IT security audit is a crucial activity that every IT
organization must make provision for and carry out regularly.



8. REFERENCE LIST

Pompon, R. (2016). IT Security Risk Control Management: An Audit Preparation Plan. Apress.

Jackson, C. (2010). Network Security Auditing. Cisco Press.

UK Department for Digital, Culture, Media and Sport (2018). Cyber Security Breaches Survey 2018.

Cisco (2018). Cisco Visual Networking Index: Forecast and Trends, 2017–2022. White paper.

Joshi, H. (2017). Security and Privacy in the Digital World. Deloitte.

Gupta, A. (2015). Information System Audit: A Study for Security and Challenges in Nepal.

UK Financial Reporting Council (2016). Guidance on Audit Committees.

Carlin, A. and Gallegos, F. (2017). IT Audit: A Critical Business Process. California State Polytechnic
University, Pomona.

Popescu, G., Popescu, A. and Popescu, C.R. (2008). Conducting an Information Security Audit. IT
Information Technology Manager, No. 7.

ISO/IEC 17021, 2nd ed. (2011). Conformity assessment – Requirements for bodies providing audit and
certification of management systems.

ISO 19011, 2nd ed. (2011). Guidelines for auditing management systems.

ISACA (2016). Information Systems Auditing: Tools and Techniques, Creating Audit Programs.

Ruthberg, Z.G., Fisher, B.T., Perry, W.E., Lainhart, J.W., Cox, J.G., Gillen, M. and Hunt, D.B. (1988).
Guide to Auditing for Controls and Security: A System Development Life Cycle Approach. NIST Special
Publication 500-153.

Moore, S. and Keen, E. (2018). Gartner Forecasts Worldwide Information Security Spending to Exceed
$124 Billion in 2019. Gartner press release, viewed 01 April 2019,
<https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019>.
