A case study on the security audit methodologies in the context of information system's life cycle

Current information security management and audit methods are not effective enough to meet the increased corporate needs on information security. This paper attempts to compare, analyze, and apply to case study, some security audit and evaluation methods of Korea and other countries. In Korea, there is the Information Systems Security/Control Audit Guideline of NCA and the Information Security Management Systems Certification Guideline of KISA for information security audit. The SSE-CCM, BS 7799, NIST SP 800-26, and the ISG of ISACA are some of the better known criteria in other countries. The Information Systems Security/Control Audit Guideline of NCA, SSE-CCM and the ISG of ISACA are the process evaluation methods and the Information Security Management Systems Certification Guideline of KISA, BS 7799 and NIST SP 800-26 are the control evaluation methods. Based on application of the two major methods to a Korean case company, we conclude that process evaluation method needs to be more detailed and control evaluation method needs a modification of the levels of evaluation.