Describe the role of system auditor in ensuring the following:
i) Arrangement of high availability setup for a major enterprise e-commerce system.
ii) Setup of mechanism to ensure system security and transaction security of an online payment system.
Role of IS Auditor in Physical Access Controls: Auditing physical access requires the auditor to review the physical access risks and controls in order to form an opinion on the effectiveness of the physical access controls. This involves the following:
Risk Assessment: The auditor must satisfy himself that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards and the exposures arising therefrom.
Controls Assessment: Based on the risk profile, the auditor evaluates whether the physical access controls are in place and adequate to protect the IS assets against the risks.
Planning for review of physical access controls: It requires examination of relevant documentation such as the security policy and procedures, premises plans, building plans, inventory list and cabling diagrams.
Testing of Controls: The auditor should review the physical access controls in order to be satisfied of their effectiveness. This involves:
Tour of organizational facilities, including outsourced and offsite facilities.
Physical inventory of computing equipment and supporting infrastructure.
Interviews with personnel, which can also provide information on their awareness and knowledge of procedures.
Observation of safeguards and physical access procedures. This also includes inspection of:
i) Core computing facilities.
ii) Computer storage rooms.
iii) Communication closets.
iv) Backup and off-site facilities.
v) Printer rooms.
vi) Disposal yards and bins.
vii) Inventory of supplies and consumables.
Review of physical access procedures, including user registration and authorization, authorization for special access, logging, review, supervision, etc. Employee termination procedures should provide for withdrawal of rights, such as retrieval of physical devices (smart cards, access tokens), deactivation of access rights, and their appropriate communication to the relevant constituents in the organization.
Examination of physical access logs and reports. This includes examination of incident reporting logs and problem resolution reports.
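As an added example (not part of the original answer), the termination-rights review and the access-log examination above can be mechanised as two audit tests over constructed sample data; the register columns, the badge-log format and the zone names are assumptions:

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample inputs (not from the page): an HR termination register
# and a badge-reader log, one event per line: <timestamp> <employee_id> <zone> <result>.
TERMINATIONS_CSV = """employee_id,termination_date,badge_returned,access_deactivated
E101,2024-03-15,yes,yes
E102,2024-03-20,no,yes
E103,2024-03-22,yes,no
"""
ACCESS_LOG = """2024-03-14T09:02:11 E101 SERVER_ROOM GRANTED
2024-03-16T18:40:05 E101 SERVER_ROOM GRANTED
2024-03-21T08:15:30 E102 COMMS_CLOSET DENIED
2024-03-25T07:55:00 E103 BACKUP_VAULT GRANTED
2024-03-25T08:10:00 E200 PRINTER_ROOM GRANTED
"""

def load_terminations(text):
    """Parse the termination register into {employee_id: record}."""
    terms = {}
    for row in csv.DictReader(StringIO(text)):
        row["termination_date"] = datetime.fromisoformat(row["termination_date"]).date()
        terms[row["employee_id"]] = row
    return terms

def audit_terminations(terminations_csv, access_log):
    """Return (employee_id, finding) tuples for the auditor's working papers.

    Test 1: each terminated employee's token was retrieved and rights deactivated.
    Test 2: no badge event dated after termination was GRANTED. A DENIED event
    after termination is not a finding; it is evidence the deactivation worked.
    """
    terms = load_terminations(terminations_csv)
    findings = []
    for emp_id, rec in terms.items():
        if rec["badge_returned"].lower() != "yes":
            findings.append((emp_id, "physical token not retrieved"))
        if rec["access_deactivated"].lower() != "yes":
            findings.append((emp_id, "access rights not deactivated"))
    for line in access_log.strip().splitlines():
        ts, emp_id, zone, result = line.split()
        rec = terms.get(emp_id)
        if rec is None:  # current employee: outside the scope of this test
            continue
        event_date = datetime.fromisoformat(ts).date()
        if event_date > rec["termination_date"] and result == "GRANTED":
            findings.append((emp_id, f"GRANTED to {zone} on {event_date} after termination"))
    return findings
```

On the sample data this yields four findings: E102's badge was never retrieved, E103's rights were never deactivated, and both E101 and E103 were granted entry after their termination dates, while E102's denied attempt is left unflagged.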