Requirements for Development of an Assessment System for IT&C Security Audit
Author

Abstract
IT&C security audit processes are carried out to implement information security management. The audit processes are included in an audit program, decided by the management staff, in order to establish the organization's actual situation against the planned or expected one. The audit processes require evidence to highlight these issues. The evidence is gathered by the audit team, and some automation of the process is needed to increase the productivity and accuracy of the audit. The paper presents some of the requirements for the development of an assessment system, with considerations specific to IT&C security audit. The issues emphasized are grouped in the following sections: IT&C security audit processes, characteristics of the indicator development process, and implementation issues of an assessment system.

Key-Words: assessment system, security audit, information security management.

1. IT&C Security Audit Processes for Information Security Management

The audit is the process through which competent and independent persons collect and evaluate evidence in order to form an opinion on the degree of correspondence between the observed facts and some pre-defined criteria [1].

Distributed informatics systems are complex constructions. They are designed, implemented and maintained to solve different business tasks in companies. Given the human and financial resources consumed in developing a distributed informatics system, it is necessary to carry out activities that lead to the proposed objective. Also, the proposed objective must be reached on time, at the established quality level and within the budget limits [2].

Principles that underlie the audit process are [3]:
- Independence: auditors freely develop the audit program; the information deemed relevant is examined, and the content of the report is related to the scope of the examination;
- Use of audit evidence: the information that an auditor uses to underpin the conclusions and to draw up the audit report.

Principles that the auditors must follow are [3]:
- Ethical behavior: governed by independence, integrity, objectivity, professional competence, confidentiality, professional behavior and technical standards;
- Correct reporting: the audit report is written by persons with professional skills and extensive experience in the audited field; its content is based on audit evidence and includes recommendations for the audit client;
- Professional responsibility: auditors are obliged to respect the principles of the audit process and to assume the consequences if they do not.

An IT&C system differs from a manual one in the way the results are obtained, the level of security and control, and the risks associated with the processing. The potential impact of these risks is minimized through high standards of security and control [3]. In [4], some common instances of computer fraud and abuse are presented:

This is a post-conference paper. Parts of this paper have been published in the Proceedings of the 2nd International Conference on Security for Information Technology and Communications, SECITC 2009 (printed version).

Journal of Mobile, Embedded and Distributed Systems, vol. II, no. 2, 2010