IT Audit
The increasing frequency of attacks on the information systems of organizations and institutions, along with legal obligations, has led to the need to assess the adequacy of measures related to information system security.
An overview of the current state of the information system is the first and most important step in establishing a secure working environment. It is the basis for measures that prevent both short-term and long-term consequences of an incident: direct losses caused by system downtime, and the loss of client trust and reputation that follows.
Standards such as ISO/IEC 27001 define the requirements for an information security management system (ISMS), and the effectiveness of that system is assessed through an IT audit. The audit process covers document analysis, verification of processes, risk analysis, execution of the audit, and analysis of the results. The final step is the IT audit report, which contains the auditor's opinions and recommendations and is presented to the organization.
Goals of IT Audits:
- Systematization and improvement of business procedures, including the handling of business information within the system.
- Risk identification to define controls for IT-supported processes.
- Accelerated information gathering.
- Centralized control over systems, removing bottlenecks in the flow of data.
- Compliance with regulatory requirements.
- Reduction of IT-related costs.
- Ensuring data confidentiality, integrity, and availability.
- ERP system evaluation before and after implementation.
- Alignment of IT assessment with IT strategy.
- Implementation of IT governance standards.
IT audits provide a sound framework both for defensive measures and for value creation through proactive, growth-oriented initiatives. Organizations should treat risk management as a strategic factor in achieving business results rather than as a reactive exercise.
Legal Framework:
The key regulations are the Law on Information Security and the Law on Personal Data Protection. The Law on Information Security designates RATEL (Regulatory Agency for Electronic Communications and Postal Services) as the national center for the prevention of security risks in ICT systems; further details are available from CERT RS.
The Law on Information Security also prescribes mandatory security measures for ICT systems, defines the responsibilities of those who manage ICT systems, and assigns the authorities responsible for implementing protective measures.
Financial Sector:
Banks, insurance companies, and other financial institutions pay particular attention to IT audits because of the requirements set by the National Bank of Serbia (NBS) and other supervisory bodies. The NBS prescribes standards for the management of ICT systems in its decision on minimum standards for the management of information systems of financial institutions, which is published on the NBS website.
Effective risk management in ICT systems is critical to preventing material losses, reputational damage, and business interruptions, and is therefore an integral part of successful organizational management.