Auditing an organisation’s information systems is a vital part of operating a business at any decent scale, particularly from a security standpoint (Mohamed ElBorno, n.d.).
Information systems have many different facets and each organisation operates slightly differently. While traits that organisations share can be audited in the same way, more bespoke business units and organisational structures should be taken into account when designing a well-thought-out auditing system that fully guarantees the security of an organisation’s systems.
In my current organisation – one of the largest world banks – there are many continual auditing processes going on throughout the year. In fact, auditing is such an important part of most financial services companies that there are whole teams and departments of people that strictly perform auditing tasks as their sole job.
While there are large companies such as Ernst & Young, Deloitte & Touche, Arthur Andersen, KPMG and PriceWaterhouseCoopers that are dedicated to auditing other companies around the world, and do so across many different business units, when it comes to information systems there is a range of software tools available for any business to audit its own systems, such as:
- Splunk, Logstash, Loggly (Stackify, 2017): application and infrastructure logging
- NewRelic, AppDynamics, ServerDensity: code and server analysis
- Google Analytics, Adobe Analytics, Statvoo Analytics: website visitor and traffic analysis
- Kaspersky, McAfee, Symantec (Pamela S. Stevens, 2016): virus and threat protection
- AlertLogic, AWS WAF, Rapid7: web application firewalls
It is not always possible to monitor and audit every part of your information system through the same tool, but it is possible to do so with a combination of some of the best. Each specialises in its own area, and together they give you a lot of valuable real-time information about the inner workings of every single part of your infrastructure, the resources used along the way, and any potential errors or warnings found down the path.
There are a few main reasons to perform internal audits, such as making sure that your organisation remains in compliance with the regulatory bodies’ requirements, as well as performing continual cost-saving analysis. It is often only during audits that unnecessary software and licensing are removed to free up resources for the future (David Foxen, 2013).
There are some obvious things that you can do at the start of an audit. Usually 90 percent of users do not need administrator access to their computers, and removing it immediately prevents them from installing additional software which could hamper the auditing process further.
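One way to run the administrator-access check described above, shown as an added example that is not part of the original article. It assumes Windows hosts whose `net localgroup Administrators` output has already been collected per machine; the hostnames, accounts, approved list and exceptions are all hypothetical.

```python
# Constructed sample: `net localgroup Administrators` output gathered per host.
# Hostnames, domain and account names are made up for illustration.
HEADER = "Alias name     Administrators\n\nMembers\n\n" + "-" * 79 + "\n"
FOOTER = "The command completed successfully.\n"
SAMPLE = {
    "WS-001": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\jsmith\n" + FOOTER,
    "WS-002": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\build-svc\n" + FOOTER,
    "WS-003": HEADER + "Administrator\nCORP\\Domain Admins\n" + FOOTER,
    "WS-004": "System error 5 has occurred.\n\nAccess is denied.\n",
}

# Assumption: accounts approved as local administrators on every host (lower case).
APPROVED = {"administrator", "corp\\domain admins"}
# Assumption: documented per-host exceptions, e.g. a build service account.
EXCEPTIONS = {"WS-002": {"corp\\build-svc"}}


def parse_members(output):
    """Return member names listed after the dashed rule, or None if there is no list."""
    members, in_list = [], False
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("-----"):
            in_list = True
        elif in_list and line and not line.lower().startswith("the command completed"):
            members.append(line)
    return members if in_list else None


def audit(outputs, approved, exceptions):
    """Return (findings, unreadable): unapproved admins per host, hosts with no list."""
    findings, unreadable = {}, []
    for host, output in sorted(outputs.items()):
        members = parse_members(output)
        if members is None:
            unreadable.append(host)  # a failed query is not a clean host
            continue
        allowed = approved | exceptions.get(host, set())
        extra = [m for m in members if m.lower() not in allowed]
        if extra:
            findings[host] = extra
    return findings, unreadable


if __name__ == "__main__":
    findings, unreadable = audit(SAMPLE, APPROVED, EXCEPTIONS)
    for host, members in findings.items():
        print(f"{host}: remove or justify admin rights for {', '.join(members)}")
    for host in unreadable:
        print(f"{host}: no membership list returned, re-collect")
```

Hosts that return no membership list are reported separately so that a failed collection is never counted as a machine with no excess administrators.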
Mohamed ElBorno (n.d.) What is an audit? [Online] PriceWaterhouseCoopers, Available from: https://www.pwc.com/m1/en/services/assurance/what-is-an-audit.html (Accessed on 17 September 2017)
Stackify (2017) Best Log Management Tools: 51 Useful Tools for Log Management, Monitoring, Analytics, and More [Online] Stackify.com, Available from: https://stackify.com/best-log-management-tools/ (Accessed on 16 September 2017)
Pamela S. Stevens (2016) Best Antivirus Software for Business 2017 [Online] Tom’s IT Pro, Available from: http://www.tomsitpro.com/articles/enterprise-antivirus-solutions,2-705.html (Accessed on 16 September 2017)
David Foxen (2013) The importance of Internal Software Audits [Online] ITAssetManagement.net, Available from: https://www.itassetmanagement.net/2013/11/29/importance-internal-software-audits/ (Accessed on 16 September 2017)