another / different viewpoint on "what Audit" / "what Audit"

text from: John J. Kinyon - Motorola on 10 September 1997
------------------------------------------------------------

An audit provides independent verification that appropriate security practices are being followed. This ensures that security risks (confidentiality, integrity, availability, accountability) are controlled to an appropriate (cost-effective) level; that the "standard of due care" is met (so as not to be found negligent when compared to industry practices); and verifies compliance with regulatory and contractual requirements. Company officers and certain other employees can be held personally criminally liable should there be a security breach.

It's just the time-tested audit function, applied to information systems. Some of the audit can be automated, but part of it is an examination of practices and procedures. What is measured depends on the specific situation and its inherent risk profile.

Topics include:

- Information classification and labelling
- Management of systems, applications, and data
- Risk assessment methodology
- Process to detect and correct problems
- Account and privilege management
- Efficacy of controls
- User and administrator education
- Physical security
- Environmental controls
- Information backup and disaster recovery tests
- Software licensing
- Compliance with company standards and practices
- Log creation, review, and record retention

------------------------------------------------------------------------