Information Security Audit
The terms assessment and audit are often used interchangeably, but are they really the same thing?
To differentiate these terms, ask yourself the following questions:
- Is the objective to determine compliance with an established security policy? or,
- Is the objective to determine compliance with a regulation (e.g. PCI, SOX, HIPAA, GLBA) or a standard (e.g. ISO, COBIT)?
If the answer to either question is "yes", the engagement is an audit, often referred to as a gap analysis.
Depending on how detailed the analysis is, an assessment of a security policy is often confused with an audit. However, a security assessment does not have to be all-encompassing: it can target a single aspect of the environment (e.g. the wireless network, a web application, the configuration of a firewall). An assessment is generally performed to obtain an objective evaluation of security posture and to reveal weaknesses, risks or vulnerabilities, whereas an audit measures against a fixed set of criteria.
Audit Elements
- Independent examination of a work product or a set of work products to assess compliance with specifications, standards, contractual agreements, or other set criteria (IEEE).
- Certification, or third-party assessment, is carried out by an independent organization against a particular standard (ISO).
The result of an audit is binary: "pass" or "fail", or equivalently "compliant" or "non-compliant".
Compliance audits examine whether an organization, facility or operation meets the applicable regulations, permits and limits, including the organization's own corporate policies.
Audit
- A formal, detailed process designed to determine whether a requirement is being met, by examining a representative sample rather than every item (e.g. a financial audit does not look at every transaction, but examines a sample of selected ones in great detail).
- An audit may be performed by an external third party, which provides the independence required for certification.