One audit standard fits all?

  1. Challenges Policy Makers face to Counter Cybercrime
  2. Cybercrime vs Traditional Crime
  3. Risks, Threats and Vulnerabilities
  4. Security Policies
  5. Cost and Challenges with E-Government
  6. Cultural Values and Moral Legitimacy
  7. One audit standard fits all?
  8. Mobile Security
  9. Will the Mandiant Report Raise Public Awareness?
  10. Ethical vs Non-Ethical Hackers
  11. Motivation and Intent of Hackers
  12. Hacking as an Addiction
  13. Online Anonymity: Good or Bad?
  14. Identity Theft and Inexperienced Internet Users
  15. Regulation vs Innovation
  16. 3D Printing, Copyright and Legal Matters
  17. Software Piracy on an International Scale
  18. Workplace Monitoring and Blocking Software

Computer applications are constantly evolving, and web-based systems continue to grow in complexity.  It is essential that these systems are properly secured both at the server level and at the code or application level; Information Systems audit standards, particularly those focused on application and development measures, therefore provide some of the most valuable information at an organization's disposal.  System audits should be carried out before deployment of new and rebuilt systems, using a mix of outside consultants or security professionals as well as software solutions.

Software audits can be performed using software such as HP WebInspect, a security testing suite that provides comprehensive scanning for enterprise-level applications.  According to HP (2010), “HP WebInspect easily tackles today’s most complex Web application technologies—including JavaScript, Adobe® Flash, Ajax and SOAP, utilizing HP’s breakthrough testing innovations, for fast and accurate application security tests.”  Other similar tools can be used for application audits; they should be employed and continually revisited as software requirements change and applications become more complex.  Standards should be continually revised.  It is not enough for organizations to simply follow regulations.  In reality, “a program that is designed from the outset to exceed the current regulation, and be adaptable to changes to existing or entirely new regulation, represents a much smarter investment” (Bosworth et al. 2009).

There is a reason that United States legislation is sectoral in nature, with laws drawn along industry lines.  We see this in current regulations such as FISMA, which regulates federal government agencies, while the Gramm-Leach-Bliley Act regulates financial institutions.  Schwartz (2009) argues that if we were to go against this approach and try to implement a non-sectoral set of regulations, “such a law would be difficult to amend, and would, therefore, become outdated as technological changes undermine such a statute’s regulatory assumptions.”  If one set of regulations could ‘fit all’ industries, it would have to be very general and much less specific to the actual needs of the organizations affected.  Likewise, it is not realistic to assume that an all-encompassing, non-industry-specific set of audit standards could be designed to work comprehensively for every organization.

References:

  1. Bosworth, S., Kabay, M. E., & Whyne, E. (2009). Computer Security Handbook (Vol. 2). Hoboken, NJ: John Wiley & Sons, Inc.
  2. HP. (2010). HP WebInspect Datasheet. Retrieved from http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.UTf0Fhxwp-0
  3. Schwartz, P. M. (2009). Preemption and Privacy. 118 Yale L.J. 902, 906–22 pt. I. Retrieved from http://www.ntia.doc.gov/comments/100402174-0175-01/attachments/preemption_and_privacy.pdf

About the author

Ian Carnaghan

I am a software developer and online educator who likes to keep up with all the latest in technology. I also manage cloud infrastructure, continuous monitoring, DevOps processes, security, and continuous integration and deployment.
