The Simple Information Security Audit Process: SISAP
Authors
Abstract
The SISAP (Simple Information Security Audit Process) is a dynamic security audit methodology fully compliant with ISO 17799 and BS 7799.2, and conformant with ISO 14508 in terms of its functionality guidelines. The SISAP employs a simulation-based rule base generator that balances risks against business value generation capabilities using the Plan-Do-Check-Act cycle imposed by BS 7799.2. The SISAP employs a concept proof approach based on the 10 information security best-practice investigation sections, 36 information security objectives, and 127 information security requirements specified in ISO 17799. For collecting, analyzing, and fusing the audit evidence obtained at the various audit steps, the auditor may apply selected analytical models such as certainty factors, probabilities, fuzzy sets, and basic belief assignments. The SISAP adopts fully automated elicitation worksheets, as in SASA (Standard Analytic Security Audit), COBRA, and others.
Similar sources
Towards Continuous Information Security Audit
Requirements engineering calls for a continuous possibility to check whether the latest changes to significant requirements are met by the target systems. This review is important because the environment of the system, if impacted by changes, may lead to new exposures. This paper reports on knowledge gained during the attempt to move towards continuous security audit by extending one business proce...
Requirements for Development of an Assessment System for IT&C Security Audit
IT&C security audit processes are carried out to implement information security management. The audit processes are included in an audit program as a decision of the management staff to establish the organization's situation against the planned or expected one. The audit processes require evidence to highlight the above issues. The evidence is gathered by the audit team, and some automation process...
IT security auditing: A performance evaluation decision model
Keywords: Information technology management; Information technology audit; Information systems audit; Information security audit; Audit decision; Agency model. Compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations. Information security and systems audits for assessing the effectiveness of IT contr...
Effectiveness of the Auditor's Opinion Quality of Pygmalion Effect
The audit opinion is the final product of the audit process and a means of expressing the auditor's judgment about the quality and content of the client's financial statements. It plays a major role in creating confidence and convenience among users of financial statements, foremost among them shareholders and investors. Since the audit report involves information and the means ...
Compliance by design - Bridging the chasm between auditors and IT architects
System and process auditors assure, from an information processing perspective, the correctness and integrity of the data that is aggregated in a company's financial statements. To do so, they assess whether a company's business processes and information systems process financial data correctly. The audit process is a complex endeavor that in practice has to rely on simplifying assumptions. T...