Computing and Information Systems - Theses

  • Item
    An exploratory study of information security auditing
    Kudallur Ramanathan, Ritu lakshmi (2016)
    Management of information security in organizations is a form of risk management in which threats to information assets are managed by implementing various controls. An important task in this cycle of information security risk management is audit, whose function is to provide assurance to organizations that their security controls are indeed working as intended. Numerous frameworks and guidelines are available for auditing information security; however, there is scant empirical evidence on the process actually followed in practice. This research explores how security audits are conducted in practice. To do so, a qualitative study was conducted in which 11 auditors were interviewed. The findings indicate a gap between what is expected of audit and what actually happens in practice. On exploring the accounting roots of audit, we postulate that this gap is due to differences in the conceptualization of risk between the accounting and information security disciplines.