Abstract
Information systems (IS) need permanent attention. Auditors must have effective tools to estimate their level of security and make recommendations to management, in line with the coherence and optimisation of the resources allocated to maintaining confidentiality, integrity and availability. Most of the time, risks have various and complex origins. A methodology is needed to analyse the coherence of the factors applied to security and to suggest appropriate countermeasures as part of a security policy that reflects the objectives of the organization. There is a high demand for improved methodologies supported by software.

A methodology for IS risk analysis and optimisation per level, named MARION, is presented. It has been developed in France since 1984 by APSAD, an association grouping together French insurance companies, and CLUSIF, an association in the area of computer security. MARION works in different contexts: mainframe mono-sites, networks and distributed systems, industrial computing, small and medium-sized companies or systems, and microcomputing. It involves technical tables, updated and delivered by APSAD every year.

The audit part of the methodology has been implemented in MacMARION, an object-oriented software package running on a Macintosh platform under the MacOS operating system and programmed in the C++ language, which makes adaptation and reuse very easy. Input represents a personal assessment provided as answers to questions. Output is quantitative and graphical, in the form of tables, roses and differential diagrams, which suggest coherence and relative seriousness, with the effort to accomplish, regarding factors, categories of risks and losses. MacMARION offers an opportunity for self-assessment and better productivity for auditors, who can spend more time on investigating details and on higher tasks: detailed investigation of higher or hidden risks.
Publisher
Association for Computing Machinery (ACM)