Abstract
Information and communication technologies (ICT) and various computing resources, such as network devices, end devices, cloud services and storage and, last but not least, application software, are an integral part of every organization. All these key information assets play an important role in organizations. IT assets serve to fulfil business goals and achieve the company's profit. For these reasons, great emphasis and priority have been placed on information and cyber security in recent years. At a time when IT extends into every domain, it is important for organizations to acquire and maintain a strong information and cyber security profile. Critical IT assets must be protected, and organizations see this as a complex problem. To achieve this goal, organizations are forced to use multiple tools that focus on different aspects of security, including security processes such as a security audit. Tools that cover the field of information and cyber security can be divided into several categories, such as risk management tools, inventory tools, network scanning tools, and information gathering tools. The audit of information systems is becoming more and more demanding, mainly due to the development of technologies and the emergence of new technological threats and associated risks. Therefore, auditors need wide theoretical knowledge and practical skills, and for the purpose of auditing they are forced to use various available tools that cover various sub-processes. All this increases the complexity of the process and the demands placed on auditors. Risk management can be defined as pre-set and coordinated activities, the aim of which is to control the level of risk affecting the organization. A cyber security audit verifies and assesses the compliance of the security measures taken with the requirements, whether according to the law, standards, or special regulations.
This paper presents our expanding research and further describes possible areas of automation of the risk management and audit process, which will make it easier for auditors to perform IT audits more often. We mainly focus on a comparative analysis of available software tools that cover one of the main sub-processes of risk management, namely information gathering and network scanning. The analysis outputs point to available tools that are suitable for automation and that provide the required information as inputs to the mentioned sub-processes. The paper presents which of the investigated tools are the most effective from the point of view of speed, the amount of information obtained, and the amount of knowledge needed to operate the tool.