IT Assurance Services:

Risk Assessment

Information technology is not usually considered an area of revenue generation, and as such it is often the department or function given the least attention, budget, and management support. This lack of involvement leads to insufficient or ineffective controls, even where those controls were designed to mitigate and lower risks, and can result in non-compliance with the laws or regulations governing your industry. Understanding those risks and lowering them is part of the Risk Management lifecycle, and Genesis can help you reach compliance.

Genesis has years of experience performing information security risk assessments, including the analysis of threats and vulnerabilities, to produce meaningful results that can be applied toward compliance with many laws and regulations.
Information Technology Audit

Beyond effective risk management, there must also be an effective auditing program in place to validate that risks stay at the levels accepted by management. Genesis can provide either internal or external IT audit services. The primary objectives of an information technology audit will vary, but the overall goal is to assure that risks to the confidentiality, integrity, and availability of information are reduced to acceptable levels. Depending on the type of audit requested, the following objectives would be considered.
Internal Audit Engagement - May include either control monitoring or control auditing, but to maintain independence requirements it will not include both responsibilities. Clients requesting internal audit support may also require assistance with risk assessments, participation in IT Steering Committees, or even development projects. Internal audits are usually a year-round activity. The control monitoring and control auditing functions provide separate objectives to consider:
• Control Monitoring - If the institution has completed a risk assessment and identified the controls that mitigate its risks, the institution may engage Genesis to perform the analysis and monitoring of those controls to ensure that risk remains at acceptable levels. The objective is to provide the technical expertise to understand, consolidate, and monitor in a timely manner the controls identified in the risk assessment, so that their effectiveness is assured. Additional objectives would be to assist with the annual risk assessment, provide audit guidance, and act as a liaison to the external auditors.
• Control Auditing - If a risk assessment has been performed and control monitoring responsibilities have already been assigned to internal employees, then the internal audit objective should focus on testing the effectiveness of the controls being monitored, to assure that risk remains at acceptable levels. The objective is to provide the expertise to test and validate the effectiveness of control tests that may be highly technical. Additionally, it may be necessary to perform in-depth audits or reviews of critical areas or systems to determine whether additional monitoring controls can be incorporated into the existing control and audit framework.
External Audit Engagement - Usually a once-a-year audit that includes a full review and audit of all information technology related processes and systems. It also includes sample testing of both the monitored and the audited controls identified in risk assessments. The objectives of this audit are to determine that control monitoring and control auditing are both effective, and to determine whether all risks have been identified by reviewing the operation of processes, systems, and personnel and comparing them against institution policies, best practices, and known security vulnerabilities.