“ISACA’s audit programs can be used by auditors worldwide as a road map for specific assurance processes,” said Greg Grocholski, CISA, international president of ISACA and chief audit executive at The Dow Chemical Company. “They can be customized by IT auditors in any type of environment to help them conduct effective reviews that will help ensure trust and value in the enterprise’s information systems.”
The Cybercrime Audit/Assurance Program provides management with an independent assessment relating to the effectiveness of cybercrime prevention, detection and incident management processes, policies, procedures and governance activities. Reviews zero in on cybercrime management standards, guidelines and procedures, as well as the implementation and governance of those activities. The audit/assurance review will rely upon other operational audits of the incident management process, configuration management and security of networks and servers, security management and awareness, business continuity management, information security management, governance and management practices of both IT and the business units, and relationships with third parties.
Meanwhile, the Biometrics Audit/Assurance Program helps auditors provide management with an independent assessment of biometric systems and their alignment with enterprise policies and industry best practices. Reviews focus on the acquisition, architecture, rollout and security of biometric technologies, both the deployed and planned, including policies, standards and procedures, as well as resilience to major outages, intrusions or other failures.
The e-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program’s objectives include providing management with an independent assessment of the effectiveness of the architecture and security of the e-commerce and PKI environments and their alignment with the enterprise’s IT security policies and architecture and with industry best practices. It also evaluates IT preparedness in the event of an intrusion or major failure of the e-commerce or PKI environments, and identifies issues that may impact the security of the enterprise’s e-commerce stance.
Finally, the VPN Security Audit/Assurance Program helps auditors provide management with an independent assessment of VPN implementation. Reviews rely upon other operational audits of the incident management process, configuration management and security of networks and servers, security management and awareness, business continuity management, information security management, governance and management practices of IT and business units, and relationships with third parties.
The audit/assurance programs are based on the standards and guidance in ISACA’s IT Assurance Framework (ITAF) and are meant to align with the COBIT business framework for governance and management of IT.
ISACA also said that it is updating its IS Audit and Assurance Standards and is seeking comments on the exposure draft. The comment period remains open through 28 Dec., 2012.