Security Management Techniques and Tools for IS Auditing

Osamah M. Al-Matari, Iman M. A. Helal, Sherif A. Mazen, Sherif Elhennawy
Published in: 2019 First International Conference of Intelligent Computing and Engineering (ICOICE), 2019-12-01
DOI: 10.1109/ICOICE48418.2019.9035147 (https://doi.org/10.1109/ICOICE48418.2019.9035147)

Abstract

Every organization needs to establish a strong information system (IS) and security management in order to improve its business processes with best practices. Information system processes must be reviewed and audited by IS auditors. IS auditors use a set of tools and techniques to perform the auditing process on organizations. In this paper, we evaluate a set of tools and techniques that perform the security management of organizations. We also classify security management into five domains: processes of auditing, governance and management, IS acquisitions and development, IS operations and support, and protection of information assets. Each domain has a set of auditing tasks. These tasks need inputs from various knowledge sources such as planning, risk assessment, evidence collection, laws and regulations, etc. Moreover, these tasks are performed through a number of tools and techniques in order to automate the security management process for IS auditors. The evaluation of tools and techniques targets security areas such as management, risk management, and internal auditing controls with auditing tasks. Our main contribution is to determine the processes, tasks, and suitable tools/techniques for each information system area from a cybersecurity perspective. Moreover, each organization can analyze its security gaps in order to find a suitable solution for bridging these gaps.