Security Management Audit
Information security of a company or organisation is never limited to a purely technical approach. In fact, many would rightfully argue that technical countermeasures are only a minor, albeit vital, part of the whole information security infrastructure, which also involves management, personnel, financial and legal elements and safeguards.
A proper, complete security audit must take information security management elements into account and expose their weaknesses and gaps just as it does with software design and configuration flaws. In fact, an experienced auditor should easily pinpoint the cases where technical issues are rooted in management problems or involve legal issues. A specific area that closely binds the technical, management and legal aspects of information security is reviewing and assessing security policies, procedures, guidelines and other related documentation, such as confidentiality agreements, disaster recovery plans and the data handling sections of employment contracts. All these documents must strictly adhere to the ongoing information security demands of your company or organisation, which are determined by the character of its business operations, the types of data handled, legal, compliance and regulatory requirements and other factors. They must fully cover appropriate information classification schemes, access levels and controls, separate the roles of all involved personnel, state acceptable user behaviour rules and disciplinary measures for violations, outline security baselines while assigning responsibility for maintaining them, and so on. The absence, incompleteness or inaccuracy of such documents creates gaps in corporate information security management and controls. As time passes, these gaps tend to spawn technical flaws and cause legal issues.
Another highly important element of maintaining a decent level of information security is personnel training, awareness and control. The popular saying that "in securing data and systems, the human factor is the weakest link" has been borne out countless times. All employees without exception must be trained to recognise and counter social engineering attacks. Technical IT personnel have to be sufficiently skilled, at the very least, in preventing and deflecting commonplace hacking attempts. At the same time, company management must take an active part in controlling information security risks by enforcing security policy statements, allocating relevant roles, responsibilities and budgets, taking disciplinary and even legal measures against proven offenders, and so on. Directly or indirectly, these and other aspects of information security management are assessed during security audits, especially internal ones.
Finally, if a company or organisation needs formal certifications that cover various aspects of information security (these may range from the obvious security-dedicated ISO27001:2005 and PCI DSS to the Basel II Accord, Sarbanes-Oxley and FSA requirements), our auditors will always treat these compliance demands with the utmost attention. We will put a much higher emphasis on the areas specifically examined in the certification process and target the problems known to stand in the way of getting accredited, to ensure that these are fully eliminated in due time. If upholding the certification requires regular information security audits on an annual, biannual or quarterly basis, we will provide them in strict accordance with all certification-imposed demands.
- Professional in-depth assessment of non-technical information security countermeasures, processes and controls
- Identifying and closing dangerous gaps in information security management systems and organisation
- Analysing and correcting your security policies, procedures, standards, guidelines, manuals and other relevant documentation
- Providing proper hands-on information security training for your key personnel that will cover specific areas critical for your current security state
- Helping you to avoid any information-security-related litigation
- Assisting with obtaining and supporting information security accreditations and standards compliance