Concept
Information security audit mainly refers to the activities of identifying, recording, storing and analyzing information related to the security of information systems. Security audit records are used to check which security-related events have occurred on the network and who (which user) is responsible for each activity.
Content
A security audit involves four basic elements: control objectives, security vulnerabilities, control measures and control tests. Control objectives are the security control requirements that an enterprise formulates for its specific computer applications, in combination with the actual situation of the unit. Security vulnerabilities are weaknesses in the security system that can easily be disrupted or partially destroyed. Control measures are the security control techniques, configuration methods and various management systems that the enterprise sets up to achieve its security control objectives. Control tests compare the enterprise's various security control measures against predetermined security standards to determine whether the control measures exist, whether they have been implemented and whether they are effective in guarding against vulnerabilities, and to evaluate the degree to which the enterprise's security measures can be relied upon. Obviously, a security audit, as a special kind of audit project, requires auditors to have strong technical knowledge and skills.
Security audit is an integral part of auditing. Since the security environment of a computer network involves not only national security but also the economic interests of the enterprise, we believe that the country must quickly establish a "trinity" security audit system combining the national, social and enterprise levels. Among these, national audit institutions should, on the basis of national security laws and in particular the various security requirements placed on the computer network itself, implement an information security audit system over enterprise wide area networks. In addition, social intermediary organizations should be developed to provide audit services for the security of computer network environments; accounting firms, law firms and other social institutions would take on the business of assessing the security of computer network systems. When the management authorities of an enterprise network system weigh potential losses, they need such intermediaries to carry out security inspection and evaluation. Furthermore, fiscal and financial audits are also inseparable from network security experts, who evaluate the security controls of the network and help certified public accountants (CPAs) make correct judgments about the authenticity of disclosed information and the reliability of the corresponding information processing systems.
According to Ira Winkler, President of Internet Security Advisors, security audits, vulnerability assessments and penetration testing are the three main methods of security diagnosis. The three methods differ, and each is suited to a particular objective. A security audit measures an information system's performance against a set of criteria. A vulnerability assessment involves a comprehensive study of the entire information system and a search for potential security vulnerabilities. Penetration testing is a covert operation in which security experts probe whether the system can withstand a large number of attacks similar to those a malicious hacker would use; in a penetration test, the simulated attack may include any social engineering attack that a real hacker might attempt. Each of these methods has its inherent strengths, and the combined use of two or more may be the most effective.
Function
The security audit trail function helps security personnel audit the reliability and security of the system: obvious attempts to interfere with the system's operation are promptly reported to the security console so that timely measures can be taken. Generally, a security and confidentiality detection and control center is established in the network system and is responsible for monitoring, controlling and auditing the security of the system. All security and confidentiality services, at every layer of the network, are related to the audit trail system.
Historical development
Audit is called "audit" in English. The effectiveness and implementation of an audit serve to determine the reliability of information, and an audit also provides an assessment of the system's internal controls. The goal of audit work is to assess, in a test environment, a person, organization, system, etc., and to express an evaluation of it. Because of the limitations of the actual situation, an audit can only provide reasonable assurance that statements are free of major errors, and audits are often carried out through statistical sampling. Audit can also be understood as follows: audit refers to the examination and verification of a target's accuracy and completeness, in order to detect and prevent false data and fraud and to check compliance with established standards, benchmarks and other auditing principles. Governments at all levels and organizations usually have a dedicated independent audit department, such as an audit committee or audit commission. Previously, the concept of audit was used mainly in the financial system. A financial audit is meant to ensure that financial statements are true and fair. Traditional audit mainly obtains information from the financial statements, financial system and financial records of a company or business. At the same time, with the development of science and technology and of information technology, the financial systems of most enterprises, institutions and organizations now run on information systems; information technology has become a means of conducting financial audits, and financial audit has in turn indirectly given rise to information system audit in general.