According to the Russian standards in the field of information security management (IS), which are authentic international standards, such as [1, 2], the organization must regularly conduct an internal audit of the information security management system. An audit is an independent review and evaluation of an organization's activities by analyzing and evaluating processes, projects, reports, and products. Audit, as an activity, is not static, unchanging, it evolves. From the point of view of leading international audit companies, in particular [3, 4], the current stage of audit evolution is the transition from reactivity (identifying shortcomings after the fact) to proactivity (predicting the results of actions or events before their completion). The validity of the statement for the Russian Internal Audit is confirmed by the results of the IX National Scientific and Practical Conference [5]. The movement towards proactivity in the audit determines the relevance of the following tasks: 1) processing up to 100 % of the information generated by the activity that is the focus of the audit; 2) processing information in a close-to-online mode; 3) the availability of powerful tools for data analysis and modeling on their basis the further development of the investigated events, as well as the appropriate skills of working with it from the auditors. When conducting audits, the auditors have a dilemma – on the one hand, they are obliged to provide the owners/shareholders/management of the organization with data as close as possible to the reliable state of the information security management processes, information about the identified shortcomings and recommendations for their elimination, on the other hand: the audit time is strictly limited; unloading the initial data from the organization's information systems takes considerable time; the data obtained from various information systems and other sources have different, not always standard formats; the tools used have disadvantages, since the most frequently used spreadsheets (MSExcel, LOCalc), due to internal limitations, are no longer able to provide the required functionality. The above-mentioned factors, as well as other factors, such as unwillingness to cooperate, hidden opposition of the personnel of the audited organization, evaluation of the work of auditors only by quantitative indicators (the number of observations or the time spent on one observation), lead to the fact that the checks are carried out superficially. At the same time, shortcomings in the information security management processes can be detected, but it becomes difficult to explain their nature and give effective recommendations to the business auditor. As a result, the goal of independent audits defined in GOST ISO/IEC 27002-2012 – “ensuring confidence in the continued efficiency, adequacy and effectiveness of the organization's approach to information security management” [2] – cannot be achieved. One of the options for eliminating some of the above-mentioned shortcomings is the use of programs developed by the auditors themselves and designed for operational data processing, the so-called “small automation”, during audits. This approach, although it is a low-level link in the chain of automation of audit procedures and, nevertheless, is within the framework of the audit development paradigm in the direction of robotization of procedures and the use of artificial intelligence, which is discussed, for example, in the works [3, 6, 7], and also confirmed by the results of conferences of the Institute of Internal Auditors [8].
Read full abstract