Has your organization ever thought of complying with appropriate standards for the application in use? Or are there processes in place with checkpoints to test the controls implemented? If the answer to both questions is no, it is essential to have the internal team that manages the application follow certain steps that would help you understand the security, risk or threat levels posed to the available information by various factors. There is a possibility that support for this application is outsourced to a support cell; in that case they would be the best source for upholding this vigilance.
The prime objective of conducting IT audits and assessing the application in place is to ensure that data is secure and confidential and to have reasonable assurance that the scope for fraudulent transactions is minimal. An audit is never a guarantee, since it is based on sampling: auditing the whole population of data is nearly impossible and a highly expensive process. So it is very important that the audit scope is defined to measure the efficiency and effectiveness of the application and, in turn, the business controls, since inappropriate measures to manage IT risks lead to severe impacts on the business.
Major IT auditing organizations structure their practices and processes around the Control Objectives for Information and Related Technology (COBIT) framework and implement the controls in the processes that suit their needs. Below are a few processes I feel are important and common to the majority of applications, from small scale to large scale; to what extent the controls are applicable depends on the requirements and suitability to the organization or department. Again, the points mentioned are just the most commonly looked at and touched areas; there could be many more to speak about, but I will limit this blog to just adding a flavor of the auditing sector for applications.
Change Management
It is essential that a defined workflow is followed to handle and manage change requests for the application from the business as well as from users. Depending on the type of change request, the appropriate approvals should always be obtained and retained as proof. After the changes have been deployed, sign-off from the requestor should be obtained in order to close the request.
Security and Access control
A very important factor to be considered is the security of the application. A strong grip can be built by ensuring that the security structure and access control for the application are designed and planned well. For example, when vulnerability is checked during audits, it needs to be made sure that the application reflects the true scenarios in line with the business.
- Users who no longer exist in the organization or who do not work with the system need to be deleted from the application
- When creating, deleting or modifying users, the authenticity of the request needs to be validated before it is accepted as a request to be worked upon
- Based on a reasonable hierarchy and business need, a matrix of access to the application should be available and maintained
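The three access-control checks above are the kind an auditor can reduce to a reconciliation: compare the application's user export against the HR roster, compare each user's roles against the approved access matrix, and confirm that every user-administration request carries an approval. The script below is an added example written for this post, not code from the original article or from any product; the HR roster, user export, access matrix, request log and field names are all constructed sample data, and the department-based matrix and the "conflicting roles" pair (a segregation-of-duties rule supporting the fraud objective mentioned earlier) are assumptions about how an organization might define its matrix.

```python
"""Access-review reconciliation for an application user list.

Added example: all records below are constructed sample data and the
field names are assumptions, not an export format of any real system.
"""

# Constructed sample: active employees per HR, keyed by employee id.
HR_ROSTER = {
    "E100": {"name": "A. Shah", "dept": "Finance", "active": True},
    "E101": {"name": "B. Rao", "dept": "Finance", "active": True},
    "E102": {"name": "C. Iyer", "dept": "Sales", "active": False},  # left the organization
    "E103": {"name": "D. Mehta", "dept": "IT", "active": True},
}

# Constructed sample: accounts as exported from the application.
APP_USERS = [
    {"login": "ashah", "emp_id": "E100", "roles": {"AP_CLERK"}},
    {"login": "brao", "emp_id": "E101", "roles": {"AP_CLERK", "AP_APPROVER"}},  # can enter and approve
    {"login": "ciyer", "emp_id": "E102", "roles": {"SALES_VIEW"}},  # departed user still present
    {"login": "dmehta", "emp_id": "E103", "roles": {"SYS_ADMIN"}},
    {"login": "svc_report", "emp_id": None, "roles": {"REPORT_VIEW"}},  # no HR record at all
]

# Constructed sample: approved access matrix, department -> permitted roles (assumed structure).
ACCESS_MATRIX = {
    "Finance": {"AP_CLERK", "AP_APPROVER", "REPORT_VIEW"},
    "Sales": {"SALES_VIEW", "REPORT_VIEW"},
    "IT": {"SYS_ADMIN", "REPORT_VIEW"},
}

# Assumed segregation-of-duties rule: roles that must never be held by one user.
CONFLICTING_ROLE_PAIRS = [("AP_CLERK", "AP_APPROVER")]

# Constructed sample: log of user create/modify/delete requests.
CHANGE_REQUESTS = [
    {"id": "UR-1", "action": "create", "login": "ashah", "requested_by": "E101", "approved_by": "E103"},
    {"id": "UR-2", "action": "modify", "login": "brao", "requested_by": "E101", "approved_by": None},
    {"id": "UR-3", "action": "delete", "login": "ciyer", "requested_by": "E999", "approved_by": "E103"},
]


def review_users(hr_roster, app_users, access_matrix, conflicts):
    """Return (check, login, detail) findings for the user export."""
    findings = []
    for user in app_users:
        emp = hr_roster.get(user["emp_id"]) if user["emp_id"] else None
        if emp is None:
            # Account with no owner in HR: cannot be tied to a person or a business need.
            findings.append(("orphan_account", user["login"], "no matching employee in HR roster"))
            continue
        if not emp["active"]:
            # Leaver whose account was never removed.
            findings.append(("departed_user", user["login"], f"{emp['name']} is inactive in HR"))
        allowed = access_matrix.get(emp["dept"], set())
        for role in sorted(user["roles"] - allowed):
            findings.append(("role_outside_matrix", user["login"], f"{role} not permitted for {emp['dept']}"))
        for a, b in conflicts:
            if a in user["roles"] and b in user["roles"]:
                findings.append(("conflicting_roles", user["login"], f"{a} and {b} held together"))
    return findings


def review_requests(hr_roster, requests):
    """Return (check, request id, detail) findings for the request log."""
    findings = []
    for req in requests:
        if not req["approved_by"]:
            findings.append(("unapproved_request", req["id"], "no approval recorded"))
        elif req["approved_by"] == req["requested_by"]:
            findings.append(("self_approved_request", req["id"], "requestor approved own request"))
        requester = hr_roster.get(req["requested_by"])
        if requester is None or not requester["active"]:
            # Authenticity check: the request must come from a known, active employee.
            findings.append(("unverified_requestor", req["id"],
                             f"requestor {req['requested_by']} unknown or inactive"))
    return findings


if __name__ == "__main__":
    for check, subject, detail in review_users(HR_ROSTER, APP_USERS, ACCESS_MATRIX, CONFLICTING_ROLE_PAIRS):
        print(f"[{check}] {subject}: {detail}")
    for check, subject, detail in review_requests(HR_ROSTER, CHANGE_REQUESTS):
        print(f"[{check}] {subject}: {detail}")
```

On the sample data the review flags the departed user still holding an account, the service account with no HR owner, the user holding both halves of a payment, the modification request with no approval, and the deletion request raised by an unknown employee id. Each finding maps back to one of the three bullet points, which is what makes the output usable as audit evidence rather than a raw listing.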
Problem Management
Problems are part and parcel of any support activity and can be identified and realized through thorough assessment and analysis. To diminish problems, they need to be escalated to the right people who are capable of taking appropriate steps. So, in a gist, problems should be:
- Identified, recorded and classified
- Analyzed by checking trends and known problems
- Tracked as problem tickets until a final solution is arrived at
- Closed
Identify and Allocate Costing
As per business necessities, a frequency should be decided for checking the cost allocation towards the applications in use. The various costs that could be incurred for an application are sustainment cost, costs for changes and upgrades, network infrastructure maintenance to keep the system running (for example, if it is hosted by a third-party vendor), and so on. Allocating the required costs and conducting a check against the same is helpful in understanding the agreed-upon policy.
If an organization is prepared for an IT audit, then with the help of the control environment and the internal control framework it becomes easier to see whether expectations are realized. Also, the extent of variations is highlighted and becomes an eye opener towards the changes needed to progress from point A to point B. The policies that are outlined, the governance structure and the strategic direction for system access controls can be examined and rectified if need be. Implementing these practices assures the business of a plan towards betterment and of having an action plan in place for successful compliance.
About Author:
Dimpy Thurakhia is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at dimpy.t@spluspl.com