Development of a Security Audit Framework for an Organization

Abstract

Now-a-days in the modern organizations, Information and Communication Technologies are used to support the organizations’ activities. To manage the quality of the organization processes, audit processes are implemented. Auditing Information Systems Security is difficult and becomes crucial to ensure the daily operational activities of organizations as well as to promote competition and to create new business opportunities. With a large number of parameters in the global standards, managing a conceptual security framework to manage and audit Information System Security especially for small to medium companies in Bangladesh is really cumbersome and a daunting process to follow. The purpose of this work is to propose a security audit framework for small to medium level organizations based on the ISO/IEC_JCT1 standards, to assist organizations to better manage their In-formation Systems Security. To evaluate the proposed framework, some questionnaires were prepared and testing results of the effectiveness of IT Governance and Security controls mechanism based on the framework were shown to prove the efficacy of the approach. The framework should help an organization to minimize vulnerabilities, ensure smooth and transparent governance and protect information assets.