- Introduction
- Basic Security Principles
- Data Management: Determining and Maintaining Ownership
- Data Governance Policies
- Roles and Responsibilities
- Data Ownership
- Data Custodians
- Data Documentation and Organization
- Data Warehousing
- Data Mining
- Knowledge Management
- Data Standards
- Data Lifecycle Control
- Data Audits
- Data Storage and Archiving
- Data Security, Protection, Sharing, and Dissemination
- Privacy Impact Assessment
- Information Handling Requirements
- Record Retention and Destruction
- Data Remanence and Decommissioning
- Classifying Information and Supporting Asset Classification
This chapter is from the book
This chapter is from the book
This chapter is from the book
Data Audits
After all the tasks discussed so far in this chapter have been performed, the organization’s security management practices need to be evaluated periodically. This is accomplished by means of an audit process. The audit process can be used to verify that each individual’s responsibility is clearly defined. Employees should know their accountability and their assigned duties. Most audits follow a code or set of documentation. For example, financial audits can be performed using the Committee of Sponsoring Organizations of the Treadway Commission (COSO). IT audits typically follow the Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technology (COBIT) framework. COBIT is designed around four domains:
Plan and organize- Acquire and implement
- Deliver and support
- Monitor and evaluate
Although the CISSP exam will not expect you to understand the inner workings of COBIT, you should understand that it is a framework that helps provide governance and assurance. COBIT was designed for performance management and IT management, and it is considered a system of best practices. COBIT was created by the ISACA and the IT Governance Institute (ITGI) in 1992.
Auditors can use COBIT, and this framework is also useful for IT users and managers designing controls and optimizing processes.
Audits make it possible to verify that the controls put in place are working, that the policies that were written are being followed, and that the training provided to employees actually works. To learn more about COBIT, see www.isaca.org/cobit/. Another set of documents that can be used to benchmark the infrastructure is the ISO 27000 family of standards; for details, see www.27000.org.