
Finance - Accountancy 81

Information Systems Security Audit

Abstract: The article covers:

Defining an information system; benefits obtained by introducing new information technologies;
IT management;
Defining prerequisites, analysis, design, implementation of IS;
Information security management system; aspects regarding IS security policy;
Conceptual model of a security system;
Auditing information security systems and network infrastructure security.
Key words: 



1. Information Systems Development, throughout all management decisional levels


Audit, Security Policies

An information system 




No. 6 ~ 2007

level of informational activities automation.
Most benefits are obtained in a business
information technologies

Information systems audit represents a complex activity for assessing an information system in order to set forth a qualified opinion regarding the conformity between the system and the regulating standards, as well as over the information system's capacity of achieving the organization's strategic objectives, by efficiently using the informational resources and by ensuring the integrity of the processed and stored data.





the business; 
 is granted by ISACA CISA
 (Certified Information System Auditor).
the outcome and the objective;
  IT security
 
achieving the benefits.
The benefits achievement management


sors. 
IS Development
  
that must establish the necessary details for
British Standard BS 7799 Practical Code for Information Security Management.

The said Standard


 1.
2.
sites 3. controlling the access to the system;
4.
defining the prerequisites, analysis, nance;
design, creating the IS. 5.

6. conformity;
7. 
8.
9.
ment;
10. information resources classification and control.

In order for the ISO 17799 standard to 

sary of the BS 7799-2 standard. Its advantage
ers to be trained.
information security management system to be im


a) defining the information security tives

b)
sary resources;
c) tegrity or ensuring business continuity;
ment; 
d) security
e) controls selection;
f)
g) 
IT Governance Institute
of ISACA the best practices for the
COBIT Control Objectives for Information and related Technology. COBIT structures the
into four areas
ment in ensuring security
In order to achieve security objectives
a)
b) 
c)
d) monitoring and evaluation. ing levels
application security, first of all im

tives.
The security policy 
(Secure Sockets Layer) etc.;


system security 


The users are identified and authenticated
on a system level by a single security mecha resources;
 integrity
on the system;
network security
by means of the integrity it is ensured that in
Virtual Private Network) and gateways;
be modified;
physical security  availability it ensures that autho



organization security
 conformity
regulations and standards.
into consideration the training in the field 
security management system
ous advantages
of disaster. 
It is mandatory for the to



quently on the modality of configuring the
 safely accessing information (by em




rity measures can be also defined as the art of
ment in and commitment to information security;



The main security objectives regulations and local regulations;


 confidentiality  business continuity.

 audit and
evaluation tools

standard access.

Logic access audit implies:


evaluating controls regarding system

evaluating the control environment in


sults;

2. Information Systems Security Audit

Information systems security audit
and logic 
access audit
must be used (aiming to test the security)
 
phases
researching of the access;

 most times the .


establishing the data in custody;
establishing the security administrator;
valuable source for the auditor. Consequent
auditor is entitled to request an inter



for accessing documents;
 




The techniques used by the auditor in testing the security are different. Some of


terminal identification;
users identification and authentication;
(that test is limited or has no information re
resources control; 



 
tion controls;


Techniques investigation also involves

4. Security Measures in the Entity Client Relationship

Security of commercial transactions
The matter of security concerns the cli
3. Auditing Network Infrastructure Security

Controls regarding network infrastructure security audit involve verification by the
behalf are closely connected to disclosing




by the entity is that regarding the informa


Buyer-seller connection security


ternet. Ensuring trading transactions security
is not only a matter of security of the inter
Combining
or of
intrusion. These tests are of many 

tion environment. An internet connection

established by using the logic SSL module
(Secure Sockets Layer). SSL is integrated into 


 
SET (Secure Electronic Transaction). In this
material and financial conditions in order to


and it is only then that they are sent to the

identification number and message returning
for an information system to be totally secu







be identifiable.

Server securitizing

ling the requests addressed to such and se

it collaborates in order to return the service requested by the customers. Grounded on

In conclusion


firewall. A firewall configuration is made by
the security criteria established for filtering 
must not be neglected the fact that the securi

