International Journal of Computer Science and Information Security (IJCSIS),

Vol. 13, No. 11, November 2015

Information System Audit;

A study for security and challenges in Nepal.

Abhijit Gupta Subarna Shakya

School of Computer Science and IT Department of Electronics and Computer Engineering,
Singhania University Institute of Engineering, Tribhuvan University,
Rajasthan, India Kathmandu, Nepal

Abstract—Life can be made better and easier with the

growing information and communication technology. Efficient II. OBJECTIVES
Software and Hardware together play a vital role giving relevant The main objective of this research is to study Security and
information which helps improving ways we do business, learn,
Challenges of Information System Audit and its importance.
communicate, entertain and work. This exposes to an
environment with significant risks which are vulnerable to inside The researcher shall conclude its current status in Nepal.
or outside attacks. System audit, thus, becomes important and is
III. LITERATURE REVIEW
a key process to assure security, reliability and our dependency
on such systems. The information system audit for security can Information System Audit helps in auditing risks and thus
increase the chances of adopting sufficient preventive and improves the organization security system by evaluating
security measures for prevention or lowering of consequences. system processes of organization and controls against a
This paper is prepared upon exploration and studies on baseline. Audits are planned and designed to give an
information system security and challenges in Nepal. Data is independent evaluation and assessment. Audits may also
collected by online survey and the analysis of data helps to provide a gap analysis or operating effectiveness of the internal
explore its current status of security and challenges for controls [1].
Information System Audit in Nepal.

Keywords— Information System; IS Audit; System Audit;

A. Security Risks and Challenges
Security; Challenges; Risks; Risk is a potential of losing something which can be
categorized in two groups, that is, physical risks and logical
I. INTRODUCTION risks. Physical Risks are more closely related to physical
equipments which could be damaged by natural disaster such
Information and Communication Technology (ICT) has
as earthquakes, floods, fire, bombings, theft, vandalism etc.
participated its’ best in the development and growth of any
Champlain has distinguished a list of controls that can help in
industry or organization, however, it has also created
significant and unprecedented risks. Information Security (IS) the protection of IS against above physical menaces or threats
can be referred to any processes, activities, or set of tasks that such as:
safeguards the integrity, confidentiality, and accessibility of • different types of security locks,
information [12]. • procedures to perform timely backups of the IS and
data,
Internet is global and in the internet, almost all are
• insurance coverage for hardware crash or loss,
interconnected and able to reach data at different geographical
locations. This has been boon to mankind to be able to live in • costs to restore or recreate or regenerate data,
an era where information in no matter of time can be obtained • offsite backup and storage,
but at the same time it also opens up the risks of sabotage, • rotation of backup devices/ media to secured location,
fraud, malicious or mischievous acts which could lead to • tested disaster and recovery management programs
several problems such as privacy issue, financial loss etc. (Business Continuity Program -BCP) [3].
These risks have to be controlled and minimized. There are Logical Risks are such risks that do not occur physically
several ways of applying security techniques. The application but occur logically. They can be unauthorized access or breach
of security techniques solely depends on the nature of risks. It to the system such as by accident or intention for IS and data
becomes priority to identify the potential risks before destruction or alteration. Mitigation of such threats are done
techniques are selected to provide the security for the data or by logical security controls such as by writing policy for user
the system or organizations. Audit is inspection or assessment access to the IS and preventing unauthorized access of system.
of the process or outcome against defined standards or As per Symantec, Organizations should address following
guidelines. Information System Audit (IS-A) is the assessment four main types of ICT risks and they are
of Information System against the standards or guidelines.

1 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 13, No. 11, November 2015

• security risks, which includes several external logical • ISO27007 is a standard for auditing ISMS against ISO
threats such as virus, targeted attacks on applications or 27001. It suggests principle of Auditing, Audit
users or information etc. Activities and Competence and Evaluation of Auditors.
• availability risks, • ISO27008, approved in April 2008, is a standard for
• performance risks, which includes failing to perform as Information and Security Management Auditing with
designed and respect to security controls unlike ISO27007 which
• compliance risks of failing regulatory compliance focuses on ISMS latter rather than specific controls.
regulatory that could expose to legal penalties, financial [10]
forfeiture [4]. C. Audit Security Framework
The security risks are major with the unauthorized
Security audit’s underlying structure or framework
information access such as data privacy/ leakage, fraudulent
consists of several policies, well defined standards,
and forgery, and end-point security.
streamlined procedures which can be used as mandatorily
Obstacles and Challenges in cyber security of Nepal are
required components for any security system at an
debilitating disruption of operation of the information system,
organizational level [7].
spam mails, online frauds, sniffing of passwords etc [5].
B. Audit Standards
“International Organization for Standardization”, ISO has
several standards and among all of them ISO 27000 is on
information security [2][10]:
• ISO27001 is a standard published on October 2005
with an objective of providing “a model for
establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving an Information
Security Management System”.
• ISO27002 is a standard formerly known as ISO17799 is
a code of exercising information security. This standard
established guidelines and general principles for
initiating, implementing, maintaining, and improving
information security management within an
organization.
• ISO27003 standard aims to provide help and guidance
in implementing an Information Security Management
System (ISMS).
• ISO27004 is a standard first published in December
2009 with an objective to provide guidance on the
development and use of measures, standards and Fig. 1. Adopted: Security audit framework [7]
measurement for the evaluation and assessment of the
effectiveness of an implemented information security D. Audit Plan
management system and controls, as mentioned in A security audit has certain goals which must be achieved
ISO27001. in right way. Some of such goals are:
• ISO27005 provides instructions and standards for • To check existing security policy, guidelines, standards,
Information Security Risk Management (ISRM) for and procedures;
such organizations that support the requirements of an
• To identify and examine effectiveness and laggings of
ISMS defined by ISO27001.
existing policy, guidelines or standards.
• ISO27006 is a standard that provides guidelines for the
• To examine existing standards, policy, procedures and
accreditation of organizations offering ISMS
guidelines.
certification. Its formal title is "Information technology
- Security techniques. Requirements for bodies • To identify and understand the possible existing risk
providing audit and certification of information security and vulnerabilities.
management systems". It is a standard intended to be • To review existing security controls on operational,
used in conjunction with a number of others standards administrative and managerial issues and ensure
and offers instructions and guidelines for the compliance to minimum security standards.
accreditation of organizations which offer certification • To provide recommendations for existing system.
and registration with respect to an Information Security • To provide corrective actions that could be used for the
Management System. improvements of IS and its effective implementations.
[8]

2 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 13, No. 11, November 2015

IV. RESEARCH METHODOLOGY hurt someone and for personal benefit being aware of negative
Quantitative Research Methodology has been used in this outcomes and consequences.
research. The research theory of this paper has been to
construct knowledge and meaning from Researchers
experience, that is, Constructivism, which has direct
application to education. The research theory indicates
technological Constructivism. [13]
Primary data was collected by means of online survey
where professionals from different areas of ICT were chosen,
as shown in Fig. 2, which helped to study current situation in
Nepal. Secondary data was collected from several comparative
studies of different research papers/ journals which helped to
gather information on international level.
V. RESULTS AND DISCUSSION Fig. 4. Motivation for Information System misuse
A survey was conducted to support this research and
different charts are presented for further clarifications. There Fig. 5. shows attacks from 2007 to 2014 has been growing
were 108 respondents to qualify in Fig. 2. relatively with prominent probability of attacks in any
components of security audit mentioned in Fig. 1.

Fig. 2. Respondends and their area

Fig. 5. Attack Analysis
Fig. 3. shows the result of survey done to check how many
of sample audiences follow security guidelines for any Fig. 6. depicts experience on the different types of attacks
information system development or implementation. The or vulnerabilities experienced by user from 2007-2014 by ICT
result showed that only 54.6% followed it, 36.1% only users from different fields as in Fig-1. The maximum attacks
followed it in some cases and 9.3% did not follow it at all. or vulnerabilities experienced by 87% are through computer
viruses and then 42% of the troubles are because of website or
system hack. User has least experience with DDOS as it is
more of system level attack and usually is fixed once the
system administrator knows about it.

Fig. 3. Follow of Security Guidelines for IS development or implementation

Fig. 4. shows what leads users for Information System

misuse. Majority of people were found to be misuing IS for
personal gain without intention to hurt someone with 34%,
28% were found to be doing it as an intellectual challenge, Fig. 6. Experince on type of Attacks
26% was found to be doing it out of curiousity and 9% and
4% of users were found to be doing it with a bad intention to

3 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 13, No. 11, November 2015

Fig. 7 depicts IS Audit Awareness in Nepal by 83.58% scholars in my university such as Mr. Rajendra Man Banepali,
which looks promising as IS Audit practicing would not be Mr. Shreedhar Marasini and Mr. Mahesh Maharjan for their
very difficult job to begin [11]. valuable input and assistance on my research.
Furthermore, I would like to thank all those respondents
who participated in my online survey and helped me in the
data collection. Last but not least, I would like to thank you all
who has gone through my paper and I would appreciate if you
can give me your feedback on this.
REFERENCES
[1] C. S. Wright, “A Taxonomy of Information Systems Audits,
Assessments and Reviews”, SANS Institute, 2007 Pp 4.
[2] A. M. Suduc, M. BÎZOI, F. G. Filip, “Audit for Information
System Security,” Informatica Economică, vol.14 No. 1 2010.
[3] J. J. Champlain, “Auditing Information Systems”, 2nd ed.,
Hoboken, New Jersey: John Wiley & Sons, 2015.
[4] A. M. Suduc and F. G. Filip, “Riscuri ale utilizarii inadecvate a
sistemelor informatice (Risks of Information Systems Misuse),”
Studii si cercetari economice, No. 72, 2008.
Fig. 7. IS Audit Awareness in Nepal [11] [5] L.K. Shrestha, Nepal Telecom, Cyber Security in context of
Nepal, n.d.
[6] Networks, 3. (n.d.), “Security Audit”. Retrieved 2015 October,
VI. CONCLUSION from Scribd, Available at: http://www.scribd.com/doc/
12734608/Security-Network-Audit-Steps
This research was conducted to explore security and
[7] Onwubiko (2009), A Security Audit Framework for Security
challenges in Nepal in IS Audit. The study adds empirical Management in the Enterprise, C.: Proceeding of the
knowledge of security and auditing and helps to figure out International Conference on Global Security, Safety and
current situation of IS and its Audit in Nepal. It suggests ways Sustainability (ICGS3) , 1-2, Sept. 2009, London, UK
to execute security auditing indicative for readiness. [8] OGCIO, Security Risk Assessment and Audit Guidelines, 2006,
The data interpretation helps to conclude that a special Retrieved January 2010, from Office of the Government Chief
Information Officer, Available at: http://www.ogcio.gov.hk/eng/
attention and care is required to keep the system free from prodev/download/g51_pub.pdf
viruses, as more problems in IS Security is seen because of [9] Networks, 3. (n.d.), Security Audit. Retrieved 2015 September,
Viruses. Furthermore, there are various types of security from Scribd, Available at: http://www.scribd.com/
techniques or patches that must be applied based on the doc/12734608/Security-Network-Audit-Steps
appearance or expectation of security threats or risks. [10] ISO, “The ISO 27000 Directory”, Retrieved 2015, from
There are several Audit standards guided by ISO which http://www.27000.org/
can be followed for optimum safeguard of IS or resources. [11] A. Gupta, S. Shakya, “Information System Audit: An Overview
Study of E-Government of Nepal”, International Conference on
Information System Audit programs are mandatorily Green Computing and Internet of Things, India, 2015,
recommended to make IS function effectively and efficiently. unpublished.
[12] NIST (National Institute of Technical Standards). (1995) An
ACKNOWLEDGEMENT introduction to computer security: the NIST handbook, Special
Publication 800-12.
I would like to express my sincere gratitude towards my
[13] A. Bhattacherjee, "Social Science Research: Principles,
family for their kind help and support. I would like to thank Methods, and Practices", USF Open Access Textbooks
my Supervisor Prof. Dr. Subarna Shakya for his kind support Collection, Book 3, Pp 6, 2012.
and help on this research. I would like to thank other research

4 https://sites.google.com/site/ijcsis/
ISSN 1947-5500