IT audit
What is an IT audit?
A widely accepted management principle holds that an activity cannot be administered and managed if it cannot be measured. The IT audit provides that measure for the computer system of a company.
The IT audit is an in-depth analysis of a company's computer system. It is an important tool for the management of the company, one which assesses the efficiency and effectiveness with which IT resources (hardware and software) are used.
IT technologies are in continuous development: both the security systems and the means of attack are analysed and refined daily. Auditing the computer system is the way a company confirms that it remains protected through the implementation of current best practices in the field.
The IT audit must be performed by a specialised, independent company, and under no circumstances by a company which has provided implementation services for the computer system in question.
The IT audit is a sort of "insurance" that things are on the right path, that any inconsistencies found will be analysed and eliminated, and that the company's computer system conforms to the security, quality and legal standards applicable to the company's line of business.
In general terms, the IT audit is the means by which the management of the company makes sure that the security technologies and practices in use perform as intended and comply with the established specifications and requirements.
The purpose of the IT audit
Auditing the structure of the computer system within a company requires, overall, a high level of analysis; in particular, the integration of applications, the systems and the infrastructure are analysed, together with the way in which each affects the computer system of your company as a whole. The purposes of the audit are:
· Identification and elimination of the weak spots of the computer system;
· Minimising the risks to which the company is exposed;
· Making employees aware of the potential risks that the current computer system implies in project development, and of the critical points where intervention is necessary in order to eliminate these risks;
· Secure use of up-to-date technology through the set-up of security policies that fit your company's specific conditions.
The IT audit process helps companies reduce their costs by identifying more efficient ways to protect their hardware and software, and it allows better management of the application and use of process security technologies.
As a result of the audit, a set of recommendations regarding the changes to be made to the structure of the current computer system is made available.
The audit methodology
The audit report is based on interviews with the IT personnel in order to assess and check the current policies and documents, on an analysis of the risks posed by the workstations, the servers and the network as a whole, and on an assessment of the network services and configuration files. The assessment sets out the potential errors and/or security weaknesses present in the computer system.
STEP 1:
1. Meetings, interviews and direct observation of the personnel at the headquarters of the company;
2. Collection, centralisation and review of the current documentation, and verification of the licences for the installed software applications. Analysis of all IT policies on which the operation of the whole system is based (policies regarding the terms of use of the IT infrastructure, use of the Internet and e-mail, backup policy, passwords, access to resources, etc.);
3. Analysis of the flow of documents in electronic format within the company, as well as outside the network with external partners (clients and suppliers);
STEP 2:
4. Analysis of IT requirements within the company;
5. Assessment of the human factor within the IT department. Classification of the IT personnel based on qualifications and professional abilities;
6. Performance assessment within the IT department, based on measuring the time within which the responsible person responds to and resolves issues;
STEP 3:
7. Assessment and verification of the hardware infrastructure (workstations);
8. Assessment and verification of the software infrastructure (installed applications, licences);
9. Assessment and verification of the servers with respect to hardware, software and traffic;
STEP 4:
10. Analysis of the IT system with respect to its security;
11. Analysis of connectivity within and between locations, as well as with the outside (locations, Internet connections, VPN channels, remote access);
12. Analysis of the network topology at each location;
STEP 5:
13. Assessment of the IT personnel by know-how (knowledge of the processes), and identification of members of the IT personnel who would benefit from training;
14. Verification of the IT applications widely used within the company;
STEP 6:
15. Verification of the backup/restore procedure;
16. Analysis of the disaster recovery plan;
STEP 7:
17. Analysis of purchased services;
18. Analysis of the IT technologies used in the activity of the company;
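Step 15 deserves a worked illustration, because a backup job that reports "success" is not evidence that data can be recovered. The following Python script is an added example, not part of this page or of the auditor's own toolkit: it restores the archive into a scratch directory and compares every restored file's SHA-256 against a manifest recorded when the backup was made, which is the check an auditor actually wants to see performed. The file tree, archive names and manifest format are assumptions constructed for the example.

```python
"""Backup/restore verification drill (added example, not part of the
audit page). A backup job that reports "success" is not evidence that data
can be recovered: the check is to restore the archive somewhere else and
compare every restored file against the digests recorded when the backup
was made. The file tree, archive and manifest below are all constructed
inline so the drill runs offline."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Record the manifest first, then archive; keep the manifest off-box."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: Dict[str, str],
                       dest: Path) -> List[str]:
    """Restore into a scratch directory; return findings (empty means OK)."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # filter="data" (Python 3.12+, backported to maintenance releases)
        # rejects absolute paths, "../" escapes and device nodes hidden in
        # a tampered archive; older interpreters do not accept the argument.
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)
    restored = build_manifest(dest)
    findings = []
    for rel, digest in manifest.items():
        if rel not in restored:
            findings.append(f"missing: {rel}")
        elif restored[rel] != digest:
            findings.append(f"corrupt: {rel}")
    findings += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return findings


def run_drill() -> Tuple[List[str], List[str]]:
    """Constructed scenario: one good backup, one that silently went wrong."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.sql").write_bytes(b"INSERT INTO accounts VALUES (1, 100);\n")
        (src / "config.ini").write_text("[server]\nport = 8443\n")

        manifest = make_backup(src, work / "good.tar.gz")
        good = restore_and_verify(work / "good.tar.gz", manifest, work / "restore_good")

        # Simulate a backup taken after data changed and a file disappeared:
        # the job still "succeeds", but the restore no longer matches the record.
        (src / "db" / "ledger.sql").write_bytes(b"INSERT INTO accounts VALUES (1, 999);\n")
        (src / "config.ini").unlink()
        with tarfile.open(work / "bad.tar.gz", "w:gz") as tar:
            tar.add(src, arcname=".")
        bad = restore_and_verify(work / "bad.tar.gz", manifest, work / "restore_bad")
    return good, bad


if __name__ == "__main__":
    good, bad = run_drill()
    print("good backup:", good or "all files restored and verified")
    print("bad backup: ", bad)
```

To run this against a real backup, point `make_backup` at the data set and store the returned manifest somewhere other than the backup medium itself; any finding returned by `restore_and_verify` is a failed drill and belongs in the audit report as a weakness of the backup/restore procedure.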
Audit Report
The Audit Report consists of two sections:
- the results of the assessment of the IT system in its current state;
- our recommendations following the analysis performed during the assessment stage.
Finally, the audit report takes the form of a set of documents that set out an objective assessment of the IT system, which allows the implementation of all the measures necessary to correct and eliminate the errors found.
Post-audit implementation steps
The most important result of this audit is the list of discovered vulnerabilities. Simply being aware of the specific vulnerabilities your company faces is a positive step towards the preparation of a comprehensive programme for eliminating these weaknesses, and thus towards avoiding disruption of daily activity.
1. The set up of priorities
Following the audit report you will receive a high volume of information of varying importance. A level of risk is assigned to each type of finding. The most critical points will, of course, concern the most critical systems, public access to the network, or aspects involving the transfer of critical data.
2. Role allocation
It is very important to decide who will manage each task. Make sure that the necessary resources, such as budget and/or time, are allocated to each employee so that each project can be carried out.
3. Report request
After roles have been allocated to each individual involved in correcting the weak points found by the audit, you want to make sure that the project is completed as promised and within the agreed deadline. Require a regular status report that records any delays or issues that arise.
4. Assessments on our own
Once you have started correcting security holes or reconfiguring equipment, you can begin testing the corrections that have been made. Before scheduling and requesting a second audit, you must make sure that the weak points detected during the first audit have been corrected.
This kind of approach helps you develop a continuous improvement plan within the company. If status reports are presented to management and a permanent dialogue is maintained about the status of the projects, you demonstrate that you are on top of every issue, and you will be able to justify continued support for the audit and correction processes.
5. Scheduling the next IT audit
Few companies come back for a second audit, even when the first one did not go well. Nevertheless, companies should have periodic assessments. The scope and frequency depend on "who you are and what you do". Ideally, we recommend that a company audit its computer system every 6 months.
Since business systems are in continuous growth, development and change, the IT audit process can be seen as a regular check-up of your systems. Once you have fixed one problem, another is likely to appear, but as long as you run regular assessments and audits, you can continuously improve your systems.
That is why we consider that the analysis of the computer system must be a continuous process.