Describe the role of IS auditor with respect to
i) Physical access controls
ii) Environmental controls
i) Role of IS Auditor in Physical Access Controls: Auditing Physical Access requires the auditor to review the physical access risk and controls to form an opinion on the effectiveness of the physical access controls. This involves the following:
Risk Assessment: The auditor must satisfy himself that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards and exposures therefrom.
Controls Assessment: Based on the risk profile, the auditor evaluates whether the physical access controls are in place and adequate to protect the IS assets against the risks.
Planning for review of physical access controls: It requires examination of relevant documentation such as the security policy and procedures, premises plans, building plans, inventory list and cabling diagrams.
Testing of Controls: The auditor should review physical access controls to satisfy himself of their effectiveness. This involves:
Tour of organizational facilities including outsourced and offsite facilities.
Physical inventory of computing equipment and supporting infrastructure.
Interviewing personnel can also provide information on the awareness and knowledge of procedures.
Observation of safeguards and physical
This would also include inspection of:
i. Core computing facilities.
ii. Computer storage rooms.
iii. Communication closets.
iv. Backup and offsite facilities.
v. Printer rooms.
vi. Disposal yards and bins.
vii. Inventory of supplies and consumables.
Review of physical access procedures including user registration and authorization, authorization for special access, logging, review, supervision etc. Employee termination procedures should provide for withdrawal of rights, such as retrieval of physical devices like smart cards and access tokens, deactivation of access rights, and appropriate communication of this to relevant constituents in the organization.
Examination of physical access logs and reports. This includes examination of incident reporting logs and problem resolution reports.
ii) Role of IS Auditor in Environmental Controls:
The attack on the World Trade Centre in 2001 created a worldwide alert, bringing focus on business continuity planning and environmental controls. Audit of environmental controls should form a critical part of every IS audit plan. The IS auditor should satisfy himself not only of the effectiveness of the various technical controls but also that the overall controls safeguard the business against environmental risks. Some of the critical audit considerations that an IS auditor should take into account while conducting his audit are given below:
Audit Planning and Assessment: As part of risk assessment:
♦ The risk profile should include the different kinds of environmental risks that the organization is exposed to. These should comprise both natural and man-made threats. The profile should be periodically reviewed to ensure it is updated with newer risks that may arise.
♦ The controls assessment must ascertain that controls safeguard the organization against all acceptable risks, including probable ones, and are in place.
♦ The security policy of the organization should be reviewed to assess policies and procedures that safeguard the organization against environmental risks.
♦ Building plans and wiring plans need to be reviewed to determine the appropriateness of location of IPF, review of surroundings, power and cable wiring etc.
♦ The IS Auditor should interview relevant personnel to satisfy himself about employees' awareness of environmental threats and controls, and about the role of the interviewee in environmental control procedures such as prohibited activities in IPF, incident handling, and evacuation procedures, to determine if adequate incident reporting procedures exist.
Administrative procedures such as preventive maintenance plans and their implementation, incident reporting and handling procedures, inspection and testing plan and procedures need to be reviewed.