Information Security and IS Audit Articles
from the Henderson Group

Guidelines for Writing Audit Reports

sponsored by the Henderson Group
Computer Security Consulting and Training

Every organization has its own format for audit reports. Your reports will be more effective, however, if you keep these guidelines in mind and follow them unless there is some overriding reason not to:

  • Relate your findings to business risk. Don't say "The PROTECTALL option is not on. It should be." Say rather: "PROTECTALL is not on. This allows non-standard dsnames to be used, which can result in datasets not being protected when they should be. This also makes it more difficult to manage DASD space and enforce naming standards."
  • Review your recommendations in draft form with the person you will be suggesting carry them out. Always ask that person if he or she knows of any additional steps which should be taken (and give that person credit for the suggestion).
  • Use the active voice (not the passive), and be specific. Instead of "Controls should be strengthened.", say "The security administrator should define all disk and tape datasets to the security software. Senior management should create a task force to develop a policy which specifically assigns responsibility for approving access rules for each application's data. Those department heads identified in the policy should indicate in writing to the security administrator who should be allowed to read, and who to write, each application's data."
  • Provide specific detail in your recommendations to allow anyone to determine clearly whether the recommendation has been carried out. Rather than "Datasets should be better protected.", recommend that "The security administrator should define every production dataset to the security software by year-end."
These suggestions come from www.stuhenderson.com. Please send comments, and suggestions for additional guidelines, to stu@stuhenderson.com.


========================================================

About the Author

Stuart Henderson is an experienced consultant and trainer who specializes in effective information technology audits and information security. He has helped hundreds of organizations make better use of security software such as RACF, ACF2, and TopSecret. He has also helped these organizations address the technical and organizational issues surrounding cross-platform security. As President of the Henderson Group, he directs a variety of activities in support of the information security and IT audit communities, including seminars, consulting services, articles, and speeches. He is an experienced system programmer who has earned the Certified Internal Auditor, Certified Management Accountant, and Certified Data Processor designations. His seminars on computer security and audit of MVS, DB2, RACF, VTAM, Windows NT, Windows 2000, and other subjects are taught nationwide. He teaches Certified Information Systems Auditor review courses for the National Capital Area Chapter of the ISACA.

He speaks to groups such as the Vanguard conference, the DPMA, the ISSA, and the ISACA. Some of his topics have been: "What System Programmers Know that DSOs and EDP Auditors Should (or How I Would Break into Your System and What You Should be Doing to Stop Me)", "What Non-Data Processing Executives Should Know and Do About Computer Security", "Combining VAX/VMS Security with IBM Mainframe Security", and "Tools for Maintaining Single Point of Control for Security". He is founder of the New York RACF Users Group and Editor of its newsletter. He also edits the free email newsletter "Mainframe Audit News". His website is http://www.stuhenderson.com. He can be reached at (301) 229-7187 or stu@stuhenderson.com.
