
Study On The Issues Of Information System Security Audit

Posted on: 2008-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: R G Huang
GTID: 2189360242478601
Subject: Accounting
Abstract/Summary:
With the rapid development of information technology and information systems, more and more enterprises build their own information systems to improve their service and management and so gain competitive advantages. In particular, with the explosive growth of the Internet, information systems greatly influence enterprise management and our daily life. Meanwhile, information system security has attracted considerable attention due to the rise of IT-related risk and of intrusions on important information systems and information assets. There is a growing need for auditing services that certify whether the security capability of the information systems used by enterprises or clients satisfies the requirements of those enterprises or clients. However, in China there are still no professional standards for information system audit, and consequently no auditing guidelines or procedures for information system security auditing. The audit objectives and scope of information system security are still not defined. Today's security auditing is generally done by auditing all activities during the system life cycle, as well as assessing system functions and components. However, this method of information system security auditing is not only costly but also takes a long time to finish. To solve these problems, the thesis discusses the following issues: it defines the objectives and scope of information system security audit, applies the risk-based auditing method to information system security audit, and investigates the methods of risk recognition and assessment during the course of auditing. The research in the thesis therefore lays a foundation for launching information system security auditing.

The thesis is divided into six chapters. The first chapter introduces the composition, development and risk of information systems, as well as the policy of information system protection. The second chapter investigates the meaning of information system security, and then introduces the meaning, origin and growth of information system security audit. The third chapter examines the objectives and scope of information system security audit and some techniques for information system security auditing, which lay a foundation for information system security auditing. The fourth chapter introduces how to perform information system auditing with risk-based auditing, after investigating the definition and features of risk-based auditing. It also studies risk recognition and assessment for information systems, the making of an audit plan, and audit risk assessment for auditing information system security. The fifth chapter describes how to assess information system security capability, and then proposes how to describe the security capabilities of audited information systems in the audit report through the level of IT Governance Maturity as well as computer information system security. The sixth chapter discusses strategies for developing security audit of information systems by analyzing the current development of information system security audit in China.
Keywords/Search Tags: information system, security, risk-based audit