Computer applications are constantly evolving, and web-based systems continue to grow in complexity. It is essential that these systems are properly secured at the server level as well as at the code or application level. Information Systems audit standards, and more specifically those focused on application and development controls, therefore provide some of the most useful information at an organization's disposal. System audits should be carried out before deployment of new and rebuilt systems, using a mix of outside consultants or security professionals as well as software tools.
Software audits can be performed using software such as HP WebInspect, a security testing suite that provides comprehensive scanning for enterprise-level applications. According to HP (2010), "HP WebInspect easily tackles today's most complex Web application technologies—including JavaScript, Adobe® Flash, Ajax and SOAP, utilizing HP's breakthrough testing innovations, for fast and accurate application security tests." Other similar tools can be used for application audits; they should be employed and continually revisited as software requirements change and applications become more complex. Standards should likewise be continually revised. It is not enough for organizations to simply follow regulations. In reality, "a program that is designed from the outset to exceed the current regulation, and be adaptable to changes to existing or entirely new regulation, represents a much smarter investment" (Bosworth et al., 2009).
There is a reason that United States legislation is sectoral in nature, with laws drawn along industry lines. We see this in current regulations such as FISMA, which regulates federal government agencies, while the Gramm-Leach-Bliley Act regulates financial institutions. Schwartz (2009) argues that if we were to go against this approach and try to implement a non-sectoral set of regulations, "such a law would be difficult to amend, and would, therefore, become outdated as technological changes undermine such a statute's regulatory assumptions." If one set of regulations were to "fit all" industries, it would have to be very general and much less specific to the actual needs of the organizations affected. Likewise, it is not realistic to assume that an all-encompassing, non-industry-specific set of audit standards could be designed to work comprehensively for every organization.
References:
- Bosworth, S., Kabay, M. E., & Whyne, E. (2009). Computer Security Handbook (Vol. 2). Hoboken, NJ: John Wiley & Sons, Inc.
- HP. (2010). HP WebInspect Datasheet. Retrieved from http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.UTf0Fhxwp-0
- Schwartz, P. M. (2009). Preemption and Privacy. 118 Yale L.J. 902, 906–22 pt. I. Retrieved from http://www.ntia.doc.gov/comments/100402174-0175-01/attachments/preemption_and_privacy.pdf