
One audit standard fits all?


Computer applications are constantly evolving, and web-based systems continue to grow in complexity.  It is essential that these systems are properly secured both at the server level and at the code or application level; therefore Information Systems audit standards, particularly those focused on application and development controls, provide some of the most valuable information at an organization's disposal.  System audits should be carried out before deployment of new and rebuilt systems, using a mix of outside consultants or security professionals as well as software solutions.

Software audits can be performed using software such as HP WebInspect, a security testing suite that provides comprehensive scanning for enterprise-level applications.  According to HP (2010), “HP WebInspect easily tackles today’s most complex Web application technologies—including JavaScript, Adobe® Flash, Ajax and SOAP, utilizing HP’s breakthrough testing innovations, for fast and accurate application security tests.”  Other similar tools can be used for application audits; they should be employed and continually revisited as software requirements change and applications become more complex.  Standards should be continually revised.  It is not enough for organizations to simply follow regulations.  In reality, “a program that is designed from the outset to exceed the current regulation, and be adaptable to changes to existing or entirely new regulation, represents a much smarter investment” (Bosworth et al., 2009).

There is a reason that United States legislation is sectoral in nature, with laws drawn along industry lines.  We see this in current regulations such as FISMA, which regulates federal government agencies, while the Gramm-Leach-Bliley Act regulates financial institutions.  Schwartz (2009) argues that if we were to go against this approach and try to implement a non-sectoral set of regulations, “such a law would be difficult to amend, and would, therefore, become outdated as technological changes undermine such a statute’s regulatory assumptions.”  If one set of regulations could ‘fit all’ industries, it would have to be very general and much less specific to the actual needs of the organizations affected.  Likewise, it is not realistic to assume that an all-encompassing, non-industry-specific set of audit standards could be designed to work comprehensively for every organization.

References:

  1. Bosworth, S., Kabay, M. E., & Whyne, E. (2009). Computer Security Handbook (Vol. 2). Hoboken, NJ: John Wiley & Sons, Inc.
  2. HP. (2010). HP WebInspect Datasheet. Retrieved from http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.UTf0Fhxwp-0
  3. Schwartz, P. M. (2009). Preemption and Privacy. 118 Yale L.J. 902, 906–22 pt. I. Retrieved from http://www.ntia.doc.gov/comments/100402174-0175-01/attachments/preemption_and_privacy.pdf


About The Author

Ian Carnaghan

I am a software developer and online educator who likes to keep up with all the latest in technology. I also manage cloud infrastructure, continuous monitoring, DevOps processes, security, and continuous integration and deployment. In my spare time I teach undergraduate classes in web development.
