Abstract
Cybercrime, data breaches, and fraud represent evils that significantly threaten businesses. Companies have, in the past, lost much to these crimes and, hence, must come up with plans to prevent such future occurrences. In this paper, the processes information technology security audits entail and how such audits enhance organizational IT security will be dealt with. According to research on the subject, IT security auditing constitutes a significant step in the safeguarding of corporate data against cybercrime, data breaches, and fraud. It must be performed from time to time in the form of a methodical analysis by an outside specialist on compliance, for identifying any chinks in the armor of the company's information technology system.
Introduction
ICT advancements have meant the availability of vast quantities of data, which also creates considerable risks to the data itself, computer systems, and critical infrastructures and operations it supports. Despite developments in information security, numerous information systems continue to display susceptibility to both external and internal breaches (Suduc, Bîzoi & Filip, 2010). Internal information security auditing enhances the likelihood of implementation of suitable security measures for averting such breaches and reducing their adverse impacts.
Security risks
Two classes of risks exist against which corporate information systems require protection: logical and physical. The latter, which concerns devices rather than the information system itself, encompasses natural calamities such as floods, earthquakes, and typhoons, as well as terror attacks, vandalism, fire, illegal tampering, power surges, and break-ins. Vlad and Lenghel (2017) put forward a collection of controls defending information systems from such physical threats.
The controls include different kinds of locks; insurance coverage for hardware and for the cost of recreating information; processes for daily backups of data and information systems; tested, state-of-the-art disaster recovery interventions; and rotation of backup media with off-site storage in a secure place. Logical risks denote illegal access and the purposeful or inadvertent modification or destruction of information or of the whole information system. Such threats may be reduced using logical security controls that limit user access to the system and avert unauthorized system access. All of the precautions above become ever more salient when one is dealing with central information systems.
Suduc and colleagues (2010) claim that modern-day corporations need to deal with the following major kinds of information technology risks: availability, security, compliance, and performance risks. Security risks involve accessing data without permission and include information leakage, fraud, endpoint security, and data privacy. This class also encompasses broad threats from external sources (e.g., viruses) and more focused attacks on particular users, data, or applications. A survey performed by Ernst and Young revealed security incidents costing organizations as much as 17-28 million dollars per case (Suduc et al., 2010). A second study, conducted over 13 years with the assistance of a total of 522 American IT security experts, revealed virus incidents as the most frequent risk (49 percent of respondent firms). The next most commonly occurring event was insider network abuse (44 percent), followed by mobile device (including laptop) theft (42 percent) (Suduc et al., 2010). Corporate security measures nevertheless tend to concentrate on external threats, even though insider abuse has a disturbingly high incidence (sometimes more than half of all risks) and originates in legitimate network use.
Audit for IS Security
Khan (2017) reports that despite significant developments in the field of information security, such as the object/subject access matrix model, multilevel security based on the star property and on information flow, access control lists, cryptographic protocols, and public-key cryptography, several information systems continue to be at risk of internal as well as external attacks. Configuring security is a time-consuming process that contributes nothing to useful output; hence, an overly permissive setup goes unnoticed until an audit is performed or the system is attacked. The above finding underscores the need for internal IT security auditing in all companies.
According to a Security Administrator and System Auditor with nearly two decades of experience, it is imperative to routinely monitor the following computer activity domains: user access control, audit trail, and system activity monitoring (Davis & Yen, 2019; Suduc et al., 2010). The abovementioned tasks correspond to the primary mechanisms for adopting security measures put forward by Suduc and coworkers (2010). These mechanisms include authenticating principals (establishing who said it, or which entities have access to the data, i.e., individuals, groups, programs, or devices), authorizing access ("Which entities are permitted to carry out what operations on a given object?"), and auditing decisions ("What occurred, and what was the reason for its occurrence?").
The goal of user access control security is the optimization of productive computing time, guaranteeing data confidentiality, mitigating fraud and error risks, and preventing unauthorized access. Further, permanent monitoring of system activity is vital, as malicious fraud and sabotaging will more likely take place in case of the low likelihood of detection. The following questions need to be posed concerning potential risk areas: (1) Can this event occur here? (2) In what form will it transpire? (3) Do security measures prove sufficient in threat prevention/detection? (4) How can the measures be improved upon? (Suduc et al., 2010). The application of sound system controls and security may, to a great extent, decrease risk event occurrence and adverse effects through improving chances of detection and prevention.
Maintenance of thorough logs of access time, credentials of the accessing individual, and whether a security breach was attempted constitutes a second essential security action. The above details prove highly informative to system auditors.
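The audit-trail review described above, as an added example that is not part of the original paper: it parses constructed access-log lines recording access time, the credential used, the resource, and whether the attempt was denied, then flags repeated denials (possible breach attempts) and successful access outside office hours. The log format, office hours, and threshold are assumptions.

```python
"""Audit-trail review over constructed access-log lines (example, not from the paper)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp user resource outcome"; one line is
# deliberately malformed to show that the review skips rather than aborts.
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice payroll.db ALLOW
2024-03-04T09:13:41 bob payroll.db DENY
2024-03-04T09:13:52 bob payroll.db DENY
2024-03-04T09:14:07 bob payroll.db DENY
2024-03-04T09:14:19 bob payroll.db DENY
malformed-entry-without-fields
2024-03-04T22:47:30 carol hr_records ALLOW
2024-03-04T10:02:11 alice hr_records ALLOW
"""


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, resource, outcome = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        entries.append({"when": when, "user": user,
                        "resource": resource, "outcome": outcome})
    return entries


def repeated_denials(entries, threshold=3):
    """(user, resource) pairs whose denied attempts reach the threshold."""
    counts = defaultdict(int)
    for e in entries:
        if e["outcome"] == "DENY":
            counts[(e["user"], e["resource"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


def off_hours_access(entries, start_hour=8, end_hour=18):
    """Successful accesses outside office hours [start_hour, end_hour)."""
    return sorted(
        (e["user"], e["resource"], e["when"].isoformat())
        for e in entries
        if e["outcome"] == "ALLOW" and not (start_hour <= e["when"].hour < end_hour)
    )


def review(text):
    """Run both checks and return the findings an auditor would examine."""
    entries = parse_log(text)
    return {"repeated_denials": repeated_denials(entries),
            "off_hours": off_hours_access(entries)}


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(finding, items)
```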
Audit frameworks
i. ISO 27001 Framework
ISO 27001, a kind of taxonomy of potential controls, outlines conditions for the establishment, adoption, monitoring, maintenance, operations, review, and improvement of a documented ISMS (Information Security Management System) for overall organizational risks. This standard aims at ensuring appropriate, reasonable security controls are chosen to safeguard data assets and create trust among interested entities. Accompanying it is the ISO 27002 standard (Almatari et al., 2018), setting down general rules and guidelines for the initiation, adoption, improvement, and maintenance of organizational information security management. Controls imply security measures, and their goals are termed as control objectives. ISO 27002 puts forward practice recommendations for control adoption. No official condition exists that the above two standards (i.e., ISO 27001 & ISO 27002) have to be applied together, but they commonly are applied together, with the former potentially being utilized for formal certifications against control aims.
ISO 27001 and ISO 27002 represent the best-known and most advanced standards in the series, with other associated standards being ISO 13335, ISO 17021, ISO 24760, BS7799-3, and BS25999.
ISO 27003 addresses the following control clauses: (1) security policy; (2) HR security; (3) information security organization; (4) asset management; (5) access control; (6) physical security; (7) compliance; (8) operations and communications management; (9) information systems procurement, maintenance, and development; (10) information security event management; and (11) business continuity.
A point worth mentioning is ISO 27001 accords auditors some amount of leeway for facilitating successful ISMS adoption based on particular organizational information security needs.
To ensure equally high certification standards across Europe, the European Commission for Enterprise and Industry established a continent-wide accreditation policy, guaranteeing consistency within accreditation circles as well as consumer protection. Thus, every European Member State must have a NAB (National Accreditation Body). No fixed regulation exists outside Europe; for instance, in America several accreditation bodies can be found, while Australasia has a Joint Accreditation System for New Zealand and Australia (Almatari et al., 2018; Manaseer & Alawneh, 2019). For nations lacking a fixed NAB, the International Accreditation Forum (IAF) has published a list of member ABs that accredit only qualified bodies, thereby guaranteeing buyer confidence. Certifications against accepted national ISO/IEC 27001 variants (such as the Japanese JIS Q 27001) by accredited CBs (Certification Bodies) are functionally equal to certification against the ISO/IEC 27001 standard itself.
Numerous global certification bodies may certify ISMSs as an adherent to ISO 27001; these bodies need, in turn, to themselves acquire accreditation from an International AB (for instance, Britain's UKAS). The leading experts performing ISMS audits are also required to acquire accreditation as Lead ISMS Auditor from the IRCA (International Register of Certificated Auditors) or any NAB-accredited CB.
Qualified CBs receive accreditation from ABs for diverse ISMS accreditation scopes; the ABs furthermore carry out routine audits of the CBs to guarantee adherence to accreditation standards (for instance, UKAS accreditation is confirmed annually via surveillance visits, a complete re-assessment is performed once every four years, and the first surveillance visit is scheduled for half a year after the grant of accreditation). Sanctions for violations are imposed immediately.
CBs with qualified personnel undertake regular re-assessments of certified ISMSs (usually once a year). CBs are also themselves required to undergo compliance audits by their respective ABs. The ISO 2700x family represents a cross-sector, horizontal information security standard family that can be relied on for diverse kinds of cases. A point to bear in mind is that ISO 27001 itself offers room for structured auditing of the company's adoption of information security measures, listing an indicative collection of likely controls within a given taxonomy (which implementers can extend when needed, depending on corporate security needs). The choice of controls and, more importantly, the chosen control intensity are wholly up to the company.
Top managers own the policy, with remaining control clauses being operational duties representing the link between control clauses (Diamantopoulou, Tsohou & Karyda, 2019).
ii. Sarbanes-Oxley (SOX)
The American SOX (Sarbanes Oxley Act), adopted in the year 2002 for safeguarding investors against fraudulent business accounting following the Enron, WorldCom, and Tyco scandals, has made stringent reforms mandatory for improving corporate financial disclosures and preventing accounting fraud. Every NY SEC (New York Security Exchange)-listed public company is bound to the SOX Act.
SOX's main provisions are as follows:
1. Section 302: which mandates management certification of organizational financial statement accuracy;
2. Section 404: which calls for auditors and managers to set up internal controls as well as reporting procedures for control adequacy. This section had considerable cost consequences for publicly traded firms, since establishing and maintaining internal controls is a costly affair.
Furthermore, SOX's section 404 explains security measure recommendations only generically, concentrating on the required result of the security measures. This strategy attempts to give firms flexibility in implementing suitable security measures while leaving room for auditor interpretation, a decision that resulted in exorbitant compliance expenses for companies, particularly in the initial years following the act's adoption. The security measures frequently form a subset of ISO 27002 and COBIT, though there are also customized security measures unique to this setting.
SOX adherence is monitored by the American Congress-instituted not-for-profit agency, PCAOB (Public Company Accounting Oversight Board), which in turn is supervised by the NY SEC.
The PCAOB plays a dual role:
1. It establishes a generic structure for registered auditing/accounting companies qualified to conduct SOX 404 auditing.
2. It undertakes risk-based, periodic audits of registered companies for appropriate practices.
The following entities are involved in the SOX conformity check process:
· A registered auditing/accounting agency audits a corporation and then publishes its opinion on the company's adherence to SOX (usually through an integrated audit). The agency's opinion is then disclosed to the SEC and the PCAOB.
· The PCAOB mainly audits the effectiveness and, secondarily, the efficiency of SOX adoption by checking both companies that must conform to SOX and those authorized to carry out SOX audits. The Board reports to particular state regulatory bodies and the SEC.
· The SEC oversees the PCAOB and is tasked with approving the PCAOB's budget, rules, and standards.
The enforcement of SOX section 404 has been divided into three components:
· Auditing/accounting organizations carry out SOX 404 auditing (commonly under integrated audits, or in other words, together with an audit of their financial statements).
· The PCAOB reviews registered audit/accounting companies to assess their conformity to rules, regulations, and professional auditing standards. It performs routine investigations of several hundred corporations and is entitled to impose severe sanctions on registered companies as well as individuals if violations of SOX are found. SOX calls for the PCAOB to adopt a risk-based strategy (annual reviews of audit firms that audit more than 100 enterprises, and reviews at least once every three years for smaller firms). In 2011, a total of ten registered corporations were audited each year.
· Finally, the PCAOB reports on the abovementioned audits to state regulatory officials and the SEC, making only certain parts of the reports publicly accessible.
ISO/IEC 18028-3, IT network security - Part 3: Securing communications between networks using security gateways, defines the term audit as an official investigation, analysis, or corroboration of facts against expectations, to check for adherence. An audit has also been described as an official assessment and authentication of whether a company is adhering to a given standard, for both record accuracy and the fulfillment of efficiency targets. Audits can be performed by both external and internal entities.
ISO's ISO 27000 standard family addresses information security issues (Diamantopoulou et al., 2019):
· ISO 27001: Introduced in October of 2005, the rationale for the creation of this standard was: provision of a model to establish, put into practice, monitor, assess, improve, and maintain an ISMS;
· ISO 27002 (ISO 17799 renamed): This standard, primarily an information security practice code, instituted guidelines and overall rules for the initiation, adoption, improvement, and maintenance of corporate information security management;
· ISO 27003: Yet to be enacted, this standard attempts at offering assistance when it comes to the implementation of ISMSs;
· ISO 27004: Issued in December of 2009, this standard offers guidance on developing and employing measures, as well as measuring/assessing the efficacy of an already adopted ISMS and relevant controls, as ISO 27001 delineates;
· ISO 27005: This standard offers guidelines for organizational ISRM (information security risk management), with particular emphasis on ISMS requirements as defined under the ISO 27001 standard;
· ISO 27006: Formally titled "Information technology – Security techniques. Requirements for bodies providing audit and certification of information security management systems", this standard is meant to be utilized together with various other standards, providing guidelines for accrediting companies that provide ISMS-related certification and registration. The standard's requirements supplement those laid down by ISO 17021, which specifies broader requirements.
Audit plan
Listed below are the chief aims of security audits (Davis & Yen, 2019; Suduc et al., 2010):
· Checking for the presence of security policies, processes, standards, and rules;
· Identification of shortcomings, and reviewing the efficacy of extant policies, processes, standards, and rules;
· Identification and understanding of extant risks and vulnerabilities;
· Offering improvement suggestions as well as required corrective action; and
· Review of extant security controls on administrative, functional, and management challenges, and guaranteeing conformity to the minimum standards of security.
To guarantee security policy adherence and ascertain the minimum control set needed to reduce risks to a satisfactorily low level, security audits ought to be carried out from time to time, since risks and vulnerabilities change over time and with changes to the environment. These audits may take the form of auditing of new enhancements/installations, routine auditing, unplanned spontaneous auditing, or audits performed outside office hours.
Auditing methods adopted in this regard may encompass automated audit instruments such as off-the-rack security auditing systems or auditor-developed instruments, or even manual review methods like auditing checklists and social engineering attack checklists.
Audit processes involve several steps. According to 3D Networks, auditing is a 7-step process (Suduc et al., 2010), the steps being as follows: (1) vulnerability scanning – scanning of the infrastructure; (2) security architecture auditing – auditing of the existing security infrastructure; (3) report auditing – auditing of reports such as logs and intrusion detection system reports; (4) workflow and internal control auditing – auditing of the existing workflow; (5) baseline auditing – auditing of the organizational security setup to ensure that it conforms to the company's security baseline; (6) risk/threat analysis – evaluation of the many threats and risks the organization's information systems encounter; and (7) policy auditing – an audit of the firm's security policy to make sure it is aligned with the firm's business aims.
During and after security auditing, a succession of reports can be produced, including reports identifying vulnerabilities in the company's information system, reports addressing the risks and threats the firm faces owing to existing vulnerabilities in infrastructure and faulty policy, and audit reports that present a security overview as well as the audit results.
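Step 5 of the process above, baseline auditing, as an added example that is not part of the original paper: an observed host configuration is checked against the company's security baseline and every deviation is reported, including settings the host did not report at all. The baseline format, the setting names, and both sample configurations are constructed for this example and are not taken from any standard.

```python
"""Baseline audit: observed configuration versus security baseline (example, not from the paper)."""
import operator

# Comparison operators a baseline item may use.
OPERATORS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

# Constructed baseline: setting -> (operator, expected value); this is the
# minimum control set the company has decided on for its hosts.
BASELINE = {
    "password_min_length": (">=", 12),
    "max_login_attempts": ("<=", 5),
    "audit_logging": ("==", "enabled"),
    "telnet_service": ("==", "disabled"),
    "session_timeout_min": ("<=", 15),
}

# Constructed observed configuration, as an auditor's collection tool might
# report it. session_timeout_min is deliberately absent.
OBSERVED = {
    "password_min_length": 8,
    "max_login_attempts": 10,
    "audit_logging": "enabled",
    "telnet_service": "enabled",
}


def baseline_audit(baseline, observed):
    """Return {setting: reason} for every baseline item the host does not satisfy."""
    findings = {}
    for setting, (op, expected) in baseline.items():
        if setting not in observed:
            # An unreported setting cannot be confirmed compliant, so it is a finding.
            findings[setting] = "not reported; compliance cannot be confirmed"
            continue
        actual = observed[setting]
        try:
            ok = OPERATORS[op](actual, expected)
        except TypeError:
            # e.g. a string where a number was expected: treat as non-compliant.
            ok = False
        if not ok:
            findings[setting] = f"expected {op} {expected!r}, found {actual!r}"
    return findings


def compliance_ratio(baseline, observed):
    """Share of baseline items satisfied, for the audit report's summary line."""
    return 1 - len(baseline_audit(baseline, observed)) / len(baseline)


if __name__ == "__main__":
    for setting, reason in baseline_audit(BASELINE, OBSERVED).items():
        print(f"DEVIATION {setting}: {reason}")
    print(f"compliance: {compliance_ratio(BASELINE, OBSERVED):.0%}")
```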
Suduc and colleagues (2010) offer a second view on the subject of security auditing, segregating the process into the following six steps: (1) planning – for the ascertainment and selection of sound, successful techniques to conduct a security audit and procure all desired data; (2) collection of audit information – in order to ascertain the kind and quantity of data to be procured, and how this data, as well as audit logs, are to be filtered, stored, accessed, and analyzed; (3) performance of audit tests – a broad examination of current security standards, policies, technical tests, or security configurations; (4) audit outcome reporting – presenting the existing security environment in the organization; (5) safeguarding of audit instruments and information – ensuring the safety of audit instruments and information for use in the future or the subsequent audit; (6) follow-up and improvements – undertaking corrective action where needed.
As information systems grow ever more sophisticated, security auditing is becoming increasingly challenging; however, security auditors have automated audit tools at their disposal to facilitate the process.
Conclusion
A variety of security methods may be adopted, and the choice of security processes depends on the likely risks. However, proper and successful protection of company assets requires assessing its security measures. Both external and internal security audits form an ideal means of ascertaining the firm's security efficacy. Numerous security auditing standards exist that outline the procedures to follow to guarantee adequate protection of a company's IT resources. Firms suffering huge losses on account of inadequate information system security should consider implementing security audits.
References
Almatari, O., Helal, I., Mazen, S., & El Hennawy, S. (2018). Cybersecurity tools for IS auditing. The 6th International Conference on Enterprise Systems, Limassol, Cyprus. https://doi.org/10.1109/ES.2018.00040
Davis, W. S., & Yen, D. C. (Eds.). (2019). The information system consultant's handbook: Systems analysis and design. CRC press.
Diamantopoulou, V., Tsohou, A., & Karyda, M. (2019). From ISO/IEC 27002: 2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance. In Computer Security (pp. 238-257). Springer, Cham.
Khan, M. (2017). Computer security in the human life. International Journal of Computer Science and Engineering (IJCSE), 6(1), 35-42.
Lenghel, R. D., & Vlad, M. P. (2017). Information systems auditing. Quaestus, (11), 178.
Manaseer, S., & Alawneh, A. (2019). On cybersecurity auditing awareness: Case of information and communication technology sector. International Journal of Computer Science and Information Security (IJCSIS), 17(7).
Suduc, A. M., Bîzoi, M., & Filip, F. G. (2010). Audit for information systems security. Informatica Economica, 14(1), 43.