IS Audit in Nepal!

Information Security IS Audit in Nepal

An Information System is a working system that captures, transmits, stores, retrieves, manipulates and displays information for the customers, clients, suppliers and employees of an organization. Information Technology is a computerized way of maintaining an Information System to make communications faster and to increase the productivity and efficiency of an organization. Information Security is a system that helps to preserve the confidentiality, authentication and integrity of an organization’s sensitive information when Information Technology is used as a gateway for collecting, storing and transmitting that information. Information Systems (abbreviated IS), Information Technology (abbreviated IT) and Information Security (abbreviated INFOSec or IS) are often confused with each other. Furthermore, Information Security IS audit in Nepal requires more awareness about the topic.


The demand for digital information is high around the globe and is widely implemented. An outage in Information Systems can cause a huge loss to any organization, and auditing is the only way to keep track of the risks that an organization’s information is exposed to. This creates a need to understand Information Systems (IS) Audit, Information Technology (IT) Audit and Information Security (IS) Audit in Nepal.


Information system

An information system is a system that collects, stores and processes data in order to provide knowledge, information and other forms of digital products. Organizations rely on these systems to provide services to customers, to carry out and manage daily organizational activities, to communicate information to customers and suppliers, and even to collect information back from them. Many top corporations like eBay, Amazon, Alibaba, Google, Facebook and Twitter are built around Information Systems. These corporations earn revenue by collecting, processing, generating and delivering valuable information to people around the globe. Activities like socializing, studying, shopping, banking and even entertainment depend on information systems today and are mostly internet-based.


An Information System makes a meaningful connection between business organizations and computer science. A misconception prevails about Information Security IS Audit in Nepal that all information systems are computer-based systems. This makes people unable to distinguish between IS (Information Systems) Audit and IT (Information Technology) Audit in Nepal. However, an Information System can be a piece of documented paper stored in a cabinet within an organization. In today’s world, Information Systems are highly dependent on technological systems, but the term in fact has a broader meaning and can include non-technological systems as well. So, Information Technology is a part of an Information System, extending its usability in making the operations and management of organizations effective. Telecommunications, hardware and software, databases, data warehouses, human resources and procedures are some of the components included in Information Systems.


Information Technology

Information Technology is digital and computerized technology designed for effective business communication, storage, transportation and manipulation of data, and electronic execution of business processes. Hardware and software systems ranging from firewalls, routers, switches, servers, personal computers, smartphones, tablets, cameras and sensors are included in Information Technology, and so is security.


Information Technology is a path to quickly deliver an Information System’s purpose of collecting, storing and processing data. It is also concerned with studying, designing, implementing, supporting and managing computerized Information Systems. Database and network management are included in Information Technology.


Information Technology is established under the Information Systems (IS) umbrella and deals with the technology involved within systems. These technologies are utilized by an organization to improve efficiency and advance its business goals. In other words, the deployment of Information Technology acts as a booster for running any business organization and for its growth.


Advancement in Information Technology has brought several components under it, such as Cybersecurity, Network Administration, Database Administration, Business Intelligence or Enterprise Resource Planning, Infrastructure Management, Computer Programming and Software Development, and Applications Deployment.

Information Security

Information Security is a process designed to protect confidential and sensitive data, whether in printed, electronic or any other form, from unauthorized and unauthenticated access. It is implemented to prevent the use, misuse, destruction, modification, disclosure or disruption of this sensitive information, and it ensures that the technology implemented is secure and protected from any kind of attacks and threats. Although Information Security and Information Technology are related and work together to strengthen the productivity and security of an organization, their jobs are as different as two sides of a coin.


Information Security ensures that the information flow achieved via Information Technology takes place in a secured environment. It works to achieve the following attributes:



The objective of achieving Confidentiality is to keep the sensitive data of an organization secured and unavailable to unauthorized persons.



The objective of achieving Authentication is to make the sensitive data of an organization available and accessible only to known and authorized persons.



Integrity ensures that the sensitive data of an organization cannot be altered by unrecognized and unauthorized persons, which increases the consistency, accuracy and trustworthiness of the information.



This objective is achieved through the maintenance of hardware. For example, immediate hardware repairs are needed so that information flows without any interruption. The information flow system can perform optimally when no physical or software conflicts are present in the system.



The objective of achieving Non-Repudiation is to assure the validity of information and information flow. This ensures the authenticity of the origin of data and its integrity.

In a wider sense, Information Security provides security to the Information Technology that an organization uses for the effective communication or flow of information on which its Information System relies. There is a huge difference between Information Security and Information Technology, yet they are two pages within the same book of Information Systems, which is referred to as IS most of the time.


  • Information Security IS and Information Technology IT can be distinguished through various aspects.
  • Information Technology ensures that the hardware, software and other network components implemented by an organization remain functional.
  • Information Security, on the other hand, functions to protect the information and assets of an organization.
  • The responsibility of Information Technology IT is maintaining hardware, software and new technology.
  • The responsibility for system processes and the risks posed by end-users falls on the shoulders of Information Security IS.


  • While Information Technology IT implements controls over hardware, software and other network components, Information Security deals with the identification and testing of controls to make sure they are working properly.
  • Information Technology IT needs to keep hardware, software and applications updated.
  • Information Security needs to keep updated with new and emerging attacks and threats.
  • Information Technology IT is measured in terms of the uptime and response time of the information flow system. Information Security recommends action plans and solutions for mitigating risks.
  • Information Technology follows a “Fix it First” approach and Information Security follows a “Secure it First” approach.


An organization needs to audit time and again to protect itself from interruptions or outages, which come with significant financial loss and loss of trust of clients or customers. While Information Security Audit falls under Information Technology IT Audit, it is necessary to understand the confusion the simple term IS Audit can bring forward. The term can refer either to Information Systems Audit or to Information Security Audit. It is essential to understand the requirements in order to determine which audit is suitable and required for an organization. Because information systems today are digitalized or heavily computerized, an Information System Audit and an Information Technology Audit are similar in certain cases in some organizations, but they do not have to be the same.


IS Audit is an important part of IT Audit. The scope of Information Technology covers Systems and Applications Audit, Information Processing Audit, Systems Development Audit, Management of IT and Enterprise Architecture Audit, and Client/Servers, Intranets and Extranets Audit. Moreover, IS Audit includes topics like the physical security of data centers, logical security for databases, components of servers and network infrastructures, Network Security, Applications Security and Cloud Security.


The evolving nature of these topics demands that IT Auditors and IS Auditors continuously expand their knowledge of these systems. Organizations also need to become aware of the differences between Information Systems, Information Technology and Information Security, and determine which audit best suits the organization.


In Nepal, Information Security IS Audit was first regulated by Nepal Rastra Bank’s IT policy and IT guidelines (2012). Since 2019, it has been mandatory in Nepal for certain categories of organization to perform an IS Audit. Due to the increase in the use of technology by organizations, there is a surge in performing Information Security IS Audit just for compliance with government rules in Nepal. However, this should not be the case. IS Audit helps find weaknesses and loopholes within an information flow system that uses different technologies to compete in the market. Attackers find these loopholes and try to exploit them in order to expose sensitive data. Protection of private and sensitive information is a must and a top priority for organizations. Thus, using technology means an organization is liable to protect and provide security to this sensitive information, and IS Audit is a MUST.