The information age went international in the 1980s, but a series of corresponding security weaknesses came with it. For example, electronic mail is now widely used in daily life and business, and a virus on one computer that is connected to many others in a honeycomb arrangement may spread to the others, since the extent of their interconnection is usually unknown (Shain, 1996). Therefore, information security is increasingly required to play a vital role in networks.
As Shain (1996) points out, security is a wide concept; it is a separate subject with its own theories, "which focus on the process of attack and on preventing, detecting and recovering from attacks". Certainly, these processes should be well organized in order to cope with complex system issues. A coherent approach should be taken, one that builds on established security standards, procedures and documentation. In fact, "the activities of the IT security function are varying in accordance with the criteria of size and sector" (Osborne, 1998). There are a number of core activities, including:
IT security policy creation and maintenance.
Standards, procedures and documentation.
Maintenance of capability.
Education and awareness.
Firstly, "The most widely recognized security standard is ISO 17799" (Information Security Policy World, 2001). ISO 17799 contains a comprehensive analysis of security problems, followed by a large number of control requirements, although some of them seem quite difficult to put into practice. ISO 17799 covers different topics in its ten major sections. Next, two of the more important topics will be emphasized: policy and system maintenance. The IT security policy, like other policies of organizations or governments, provides a guideline for action. The security policy will help companies to achieve success in three ways (Dorey, 1996).
Most importantly, a feasible security policy makes the corporation's security requirements clear. It is hard to imagine how messy security work would be without this indicator light. The policy also contributes to the allocation of responsibility, as well as to system control. Furthermore, it is also very important to maintain the security of system software and data, in order to guarantee unhindered operation.
There is another system issue, risk assessment, which often seems not to be given much consideration (Weber, 1999).
Everybody knows the necessity and importance of security assessment; nevertheless, we are often unclear about how to do it, when to do it, and who should take responsibility for it.
Finally, another area in which auditors are involved when auditing the IT security function is education and awareness. Osborne (1998) claims that, for one thing, if individual staff are well educated to practise an IT security 'culture', the possibility of security breaches and exposures will be decreased. For another, when staff have a higher level of understanding of IT security needs, more benefits will be gained for the firm as a whole; in particular, the productivity of the IT security function will be improved too.
IT auditing is the same as any other kind of audit that helps to assess the security of the IT infrastructure of an ...