Information security audit – an understanding

A healthcare organization's most valuable information naturally lives in its IT systems, so the organization must keep a complete tab on the security of those systems. The method by which this is done is called an information security audit.

Patient records and the organization's finances are just two of the many crucially important kinds of data that a healthcare organization's IT systems hold. A vulnerability in these systems backfires on the business: security lapses that lead to leaks of important data not only undermine the healthcare organization's reputation, they can also invite class action lawsuits.

The information security audit is gaining importance in business circles to the extent that many financial institutions, investors and even customers insist on one before entering into financial dealings with a healthcare organization.

How is an information security audit carried out?

An information security audit is carried out through a well laid out, thorough process. It consists of the following steps:

Planning and preparation with the auditor: All the details relating to the information security audit should be discussed with the auditor. Most organizations use external, independent auditors for this work. Since the audit covers all aspects of information security, the healthcare organization should make clear to the auditor every relevant aspect of its IT environment, such as the organization's IT policy and the details of the operating systems and software applications in use.

Having clear audit objectives: This is a major step that decides what exactly the organization wants audited in order to mitigate risk. Clear objectives help the auditor determine whether proper controls and security measures are in place.

Carrying out the audit review: The auditor usually does this by physically visiting the data center and forming a complete picture of the way it processes information and carries out its set procedures.

Review: This takes place after the audit itself has been carried out. During this review, the client and the auditor discuss the entire exercise of the information security audit and its findings.

What should be audited?
An information security audit has to look at all the areas that matter to the IT security of the healthcare organization. It should look specifically at the following:

  • Network vulnerabilities, since it is through networks that data is transmitted
  • Structural security
  • Specific tools used in network security, such as anti-virus software, logical security and access controls, firewalls and proxy servers, and auditing systems such as log management
  • Encryption and IT
  • Controls


Author: compliance4all

