The intent of testing is to appraise the level of security and to identify vulnerabilities so that mitigation measures can be applied. Vulnerability assessments identify and report on security weaknesses and vulnerabilities in the target system. This analysis is an important element of any risk management activity. Vulnerability assessment components help to integrate all the steps in this analysis by automating the process of detecting, identifying, measuring, and understanding the vulnerabilities found in a target ICT system or infrastructure (Anderson & Rainie, 2010). To achieve this, the process involves both passive and active scanning, which is important in verifying that the vulnerabilities are both present and exploitable.
In addition, vulnerability assessment tools can be run against a wide range of network nodes, including network and networked devices such as printers, routers, and firewalls, as well as desktops, servers, and mobile devices, the last of which present a new set of security issues that must be handled (Price, 2003).
Penetration testing uses security tools and techniques that help identify and validate vulnerabilities. External penetration testing helps identify weaknesses in a company’s network that an attacker could exploit from the internet to attack the enterprise environment. Internal testing seeks to detect and exploit weaknesses to determine whether unauthorized access or other malicious activity can be carried out within the target network (Price, 2003). This indicates whether the system can withstand an attack originating from the point at which the test was conducted. By testing the security of the system in this way, we seek to answer one question: “Can an attacker exploit the identified weaknesses?”
This information is necessary to help the company’s security team gain experience in defending against cyber-crime (Anderson & Rainie, 2010). It provides objectivity regarding the existing vulnerabilities and the efficacy of the defensive and mitigating mechanisms already in place and of those intended to be implemented in the future.
Companies favor an integrated audit that covers financial controls as well as information systems. In this process, organizations have to ensure that they comply with the applicable audit standards and legislation. An audit standard such as Statement on Auditing Standards (SAS) No. 70 follows the requirements of the American Institute of Certified Public Accountants (AICPA) and ensures that the controls over financial records and processes are sound (University of Maryland University College, 2010).
Integrating financial controls and their audits is more practical for large organizations, since most of their data is stored electronically and information systems are used in their day-to-day business. In addition, legislation such as Sarbanes-Oxley requires companies to ensure compliance in both financial and IT systems audits (Nickell & Denyer, 2007). By complying with audit standards in an integrated audit, an organization is more likely to detect flaws in its financial controls as well as in its ICT systems.
An integrated audit also requires verification by an external auditor. This helps avoid repeating any initial errors in the input, processing, estimation, or adjustment of the audit report. External reviews are necessary to ensure that internal controls are effective and that transactions are recorded appropriately (University of Maryland University College, 2010).
In an information systems audit, the quality of general, application, development, and performance controls is audited. The design and effectiveness of these controls are analyzed, and weaknesses are identified in order to assess the risks according to the services the company provides (Nickell & Denyer, 2007). These controls affect an organization’s financial reporting, and any material weakness in the IT systems will be reflected in the financial reports.
As a result, many audit standards are being aligned with legislation such as Sarbanes-Oxley, which requires both financial and IT audits. Because the various regulations and control frameworks give organizations the freedom to choose which controls or audits to use, as long as they meet the legislative requirements, the government has to establish a requirement to conform to a common standard so that the auditing process is not industry specific.