
1. What is the Intergovernmental Information Security Audit Forum?
2. My audit organization does not perform information security audits. How can we get started?
3. What audit tools and guidelines exist for information security auditors to use?
4. I am looking for sample audit programs to audit IS. Can you suggest a resource?
5. What is the process to join the Members Only section?
6. How can I submit information to share on this Web site?
1. What is the Intergovernmental Information Security Audit Forum?

This forum is a federal/state/local partnership to address the growing gap between emerging needs and existing competencies relating to information system security and controls within the government audit community.
2. My audit organization does not perform information security audits. How can we get started?

The Management Planning Guide for Information Systems Security Auditing was published as a joint initiative between NASACT and the GAO in December 2001. The guide is intended to help audit organizations respond to the expanding use of IT. Directed primarily at executives and senior managers, it covers the steps involved in establishing or enhancing an information security auditing capability: planning, developing a strategy, implementing the capability, and assessing results. The guide can be found on this Web site under "Publications."
3. What audit tools and guidelines exist for information security auditors to use?

Recent surveys have documented that many state, local, and federal audit organizations have implemented the U.S. General Accounting Office Federal Information System Controls Audit Manual (FISCAM), a methodology for performing information security audits. Also used is the Control Objectives for Information and related Technologies (COBIT), a methodology published by the Information Systems Audit and Control Association.

A discussion titled "Identify and Select Automated Tools for use in identifying security vulnerabilities" is included in The Management Planning Guide for Information Systems Security Auditing, which can be found on this Web site under "Publications." The discussion includes key considerations in selecting security software.

In addition, Appendix A - Inventory of Tools and Software, in the white paper Joint Information Security (IS) Audit Initiative: Survey of IS Auditing in Certain Organizations, identifies over 30 such tools. This document is available in the Members Only section of the NASACT Web site.
4. I am looking for sample audit programs to audit IS. Can you suggest a resource?

Sample IS audit programs are submitted by federal, state, and local government auditors into the Shared Knowledge Database, an idea conceived and made possible by the Forum. To use the Shared Knowledge Database, select the "Search/Update the Database" link located at the top of this page. You will be taken to the Members Only login screen, where you can enter your user ID and password and begin searching the Shared Knowledge Database. If you do not have a Members Only user ID and password, please see FAQ #6 for instructions on how you may obtain one. If you have sample IS audit programs to share, the Forum encourages you to submit a few to the Shared Knowledge Database as well!
5. What is the process to join the Members Only section?

Access to the Members Only section is provided to the principal state auditor, comptroller and treasurer, and members of their staffs in the 50 states. Click here to fill out the form to join today!
6. How can I submit information to share on this Web site?

Any Forum-related document, presentation or report deemed sensitive by the federal, state, and local government audit community should be submitted to the Shared Knowledge Database. All materials suitable for posting to the pages accessible to the public (including suggestions for links) should be emailed to the Webmaster.