What is the difference between an “information security” audit and an “application/operational area” audit?
procedures. These are done on a routine basis and normally are full in scope. In other words the security audit would include a full review of access rules, access violations, etc. The key words are routine and full scope. An application/operation audit on the other hand is a periodic examination to ensure compliance to company standards for application development (system life cycle methodology), change/migration management, security (as it relates to the application specifically), end user balance and control processes, and compliance to internal policies and external regulations and laws. The same is true for an operational audit. The difference is that the audit focuses on processes and not systems. What was the hardest aspect of it? The most difficult issue is the evaluation of how system access and system and application privileges are properly segregated to impose an effective system of control. For example, there should be a way to restrict a system’s administrator from perform
