An IS audit is not entirely similar to a financial statement audit. An IS audit tends to focus on determining risks that are relevant to information assets, and in assessing controls in order to reduce or mitigate these risks. An IT audit may take the form of a “general control review” or a “specific control review”. Regarding the protection of information assets, one purpose of an IS audit is to review and evaluate an organization’s information system’s availability, confidentiality, and integrity by answering the following questions:

• Will the organization’s computerized systems be available for the business at all times when required? – Availability
• Will the information in the systems be disclosed only to authorize users? – Confidentiality
• Will the information provided by the system always be accurate, reliable, and timely? – Integrity.

Vulnerability Assessment:

Vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

Steps to vulnerability assessment:

• CatLog assets and resources in a system
• Assign quantifiable value and importance to the resources
• Identify the security vulnerabilities or potential threats to each resource
• Mitigate or eliminate the most serious vulnerabilities for the most valuable resources

Penetration Test

Penetration testing (also called “pen testing”) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Why Penetration Test?

• A penetration test helps organizations to understand their current security posture by identifying gaps in security. This enables organizations to develop an action plan to minimize the threat of attack or misuse.
• A well-documented penetration test result helps managers in creating a strong business case to justify a needed increase in the security budget or make the security message heard at the executive level.
• Security is not a single point solution, but a process that requires due diligence. Security measures need to be examined on a regular basis to discover new threats. A penetration test and an unbiased security analysis enable organizations to focus internal security resources where they are needed most. In addition, the independent security audits are rapidly becoming a requirement for obtaining cyber-security insurance.
• Meeting regulatory (Bangladesh Bank Self-Assessment of Anti-Fraud Internal Controls, Serial No 35) and legislative requirements are a must for conducting businesses today. Penetration testing tools help organizations meet these regulatory compliances.
• One of the core objectives of an e-business initiative is to enable close working with strategic partners, suppliers, customers and others upon whom the e-business depends. To accomplish this goal, organizations sometimes allow partners, suppliers, B2B exchanges, customers and other trusted connections into their networks. A well-executed penetration test and security audits help organizations find the weakest links in this complex structure and ensure that all connected entities have a standard baseline for security.
• Once security practices and infrastructure is in place, a penetration test provides critical validation feedback between business initiatives and a security framework that allows for successful implementation at minimal risk.

Vulnerability Assessment Vs Penetration Test

Vulnerability assessment is a process for assessing the infrastructure security controls by identifying the threats that pose serious exposure to the organization’s assets. This technical infrastructure evaluation not only points at the risks in the existing defences, but also recommends and prioritizes the remediation strategies. Each asset on the network is rigorously tested against multiple attack vectors to identify unattended threats and quantify the reactive measures. Depending on the type of assessment being carried out, a unique set of testing processes, tools, and techniques are followed to detect and identify vulnerabilities in the information assets in an automated fashion.

On the other hand, penetration testing goes beyond the level of identifying vulnerabilities and step into the process of exploitation, privilege escalation, and maintaining access to the target system (measuring the impact of these flaws on the given system). Another major difference between these two terms is that the penetration testing is considerably more intrusive and aggressively applies all the technical methods to exploit the live production environment.