A Framework for development of an information security auditing capability
Abstract
The aim of this study was to determine how Kenyan organizations have embraced
Information System (IS) security audit and to develop a framework which the
organizations can use to develop or enhance their IS security audit capability.
The study determined the structure of the IS security audit department, skills of IS security
audit personnel, IS security auditing tools, IS security standards, associated costs and how the
organizations evaluate or monitor their IS security audit capability, if any.
The study involved development of a framework which will help organizations define the
mission and objectives of the IS security audit capability and activities that support these
objectives, determine the audit environment, address legal and reporting issues, identify
security risks, assess skills, determine how to fill skill gaps, identify and select audit tools,
assess associated costs and devise criteria for selecting systems for audit.
This study relied largely on the primary data collected through field survey using
questionnaires and interviews. The sampling frame in this survey was organizations in the
city of Nairobi.
The IS security audit problems identified in this study are:
lack of an IS security audit function in many organizations, lack of IS security audit skills, lack
of IS security audit tools, lack of monitoring and evaluation of IS security audit capability
and lack of a strategic plan for an IS security audit capability.
Based on these findings, this study recommends that organizations use the framework
developed in this study to guide them during the development or enhancement of their IS
security audit capability.
Publisher
School of Computing and Informatics
Subject
Security Auditing
Description
MSc