Managing an IT Infrastructure Audit

The above is every organization’s duty towards its stakeholders including the clients, employees, and suppliers. Currently, Information Technology (IT) has become an integral part of every business enterprise. However, it is also one that has helped to open doors to many possibilities and opportunities, especially for hackers. Therefore, it is essential to ensure that issues in our IT systems are identified, and addressed immediately. An organization is equivalent to a body and is, therefore, made up of parts. Goals and Objectives The main goal of this exercise will be to ensure the business risk is minimized. However, below are some specific goals which will help to explain the main goal: • Evaluate whether the recommendations from any previous IT internal audit have been fully implemented.

• Ensure compliance with the set rules, standards, and regulations. • Ensure the CIA triad or the confidentiality, integrity, and availability of the information systems is maintained. • Evaluate the information system’s as well as the infrastructure’s efficiency and effectiveness. These must be upheld at all times. This IT internal audit will be conducted in accordance with the guidelines and standards set forth by the Institute of Internal Auditors. It will also be carried out in accordance with the government auditing standards or GAGAS. Additionally, it also upholds the Standards for Professional Practice of Internal Auditing as well as the Professional Practices Framework. Ethics is indeed key in any auditing process, and this internal audit seeks to ensure all the necessary and applicable codes are upheld or sustained while conducting an auditing exercise.

This internal audit will include as many areas as possible including: • Information security. Entails an analysis of the systems’ vulnerability, assessment of the enterprise’s information security program, and finally, an assessment of the current threat and vulnerability management system or program in place. • Analysis of the business continuity programs that exist. This includes the disaster recovery and crisis management audits. • Evaluation of the vulnerabilities of private devices. The main issues here will include activities which help create or increase risk levels, the policies currently helping to manage the use of social media in the organization, and the employees’ social media activities against the rules and policies in place towards the same. • Data. Evaluation of the policies and measures in place to help ensure data is protected, the privacy of data is ensured, and access to the same is managed as per the set privileges.

After an internal audit has been conducted, it is always essential to ensure the recommendations are implemented immediately. Frequency The frequency of conducting is not necessarily an important issue. However, it is essential to consider several factors including the size of an organization before deciding on the appropriate risk management plan. The proposed plan for this internal audit is the Enterprise-wide risk management or ERM. IIA (2009) defines it as: A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. Activities expected in this plan include: • Establishing the organization’s risk appetite. • Identifying some of the potential risks the organization might be exposed to.

• Determine or establish the various ways to fill the skill gaps present in the organization. • Assess the software acquisition methods in place (third-party contracting and in-house development). This will help to establish the high-risk areas in the organization. • Evaluation of the data extraction methods. • Evaluation of the databases connected with the systems software and he various applications within the organization. • Session and user administration. • Public key infrastructure and the preferred encryption techniques. • Security of the virtual private networks. • Evaluation of the physical security of the infrastructure. • Assessment of the security software including the firewalls, IDS, and the antivirus being used. instead of having a physical one. Through virtualization, organizations have been able to increase their level of efficiency while reducing certain costs.

However, there could be loopholes that can be exploited and which can eventually cause a firm to lose millions of dollars. To avert such costs in the long-run, this internal audit will incorporate the following in its plan: • An assessment of the virtualization management architecture. This will be inclusive of the network and hardware supporting infrastructure. • Evaluation of the protection and detection mechanisms in place. g) BCP and DRP BCP or Business Continuity Plan is a strategic design whose purpose is to help a business sustain its processes during and after any disruption. DRP or Disaster Recovery Plan is one which applies solely after the occurrence of a major disruption which has rendered normal functionalities null and void. Both plans are crucial to an organization.

However, they need to paint a clear picture and provide guidance on what a business ought to do in case a disruption occurs. Helps to determine or establish the high-risk areas within the network system. • Assessment of network availability policies. • Analysis of the policies and practices regarding network security. • Analyze the changes in the network threats. • Evaluate the security of the internal and external network infrastructure. • Create smaller disaster recovery teams charged with handling the different activities to help spearhead the recovery process. • Provide the disaster recovery teams with the goals and objectives of the entire exercise. • Install a secondary site to be used to help restore or resume the business operations. • Record the events and actions of the all the teams during the recovery process.

• Provide a summary of the damage caused, the cost of resuming operations, and the activities undertaken to restore business operations. Below is a list of activities the recovery management team will follow to prevent any data loss, protect the organization’s critical systems, and to ensure the organization’s chief operations are still ongoing: • Identify and declare the disaster. • Activate or initiate the disaster recovery plan. • Communicate the disaster to the different departments, disaster recovery teams, and the stores all over the country. • Conduct full assessment of the damage and initiate procedures to prevent further damage. • Setup and activate the recovery facilities. Institute of Internal Auditors. IIA Position Paper: The Role of Internal Auditing In Enterprise-Wide Risk Management. IIA. Nastase, F.

Nastase, P.