
Algorithms of Internal Information Security Audit in the Company

Student: Mochalin Anatoliy

Supervisor: Vladimir Elin

Faculty: Graduate School of Business

Educational Programme: Information Security Management (Master)

Year of Graduation: 2021

Relevance of the research topic. In the context of widespread digitalization, ensuring information security is one of the most important tasks. To be confident that an appropriate level of information protection is maintained, the compliance of the information security system with the tasks assigned to it must be monitored continuously. The main control measure is an audit, but organizations that implement information protection often have no clear idea of how to conduct an information security audit; as a result, their information security audit algorithms do not provide a correct and complete assessment of compliance, and the organizations expose themselves to the risk that various information security threats will be realized. It is therefore very important to form a correct algorithm for conducting an information security audit, based on the standards, recommendations and theoretical basis on this issue.

The purpose of the study is to form an information security audit algorithm for LLC "Diasoft". As a result of the research, an algorithm of information security audit in LLC "Diasoft" is formulated. To achieve this goal, the following tasks were set: to analyze the theoretical basis of information security audit; to analyze the current information security audit algorithms in LLC "Diasoft" and their results; to formulate a new information security audit algorithm for LLC "Diasoft"; and to conduct an audit of the information security system in LLC "Diasoft".

In the process of solving these tasks, the following main conclusions were made:

1. An information security audit is a set of measures that make it possible to check the current level of information security against a formed system of criteria.

2. Many different audit methodologies exist, both in the form of regulations and standards and in the form of non-binding recommendations from various specialists. In general, these methods divide the audit into several stages: forming the initiative for conducting an audit; collecting a detailed information base for the audit; analyzing the audit information base; forming a list of measures to improve the information security system; and preparing and delivering the audit report to the customer.

3. The analysis of the information security audit algorithms performed in LLC "Diasoft" identified the following shortcomings: the probability of threat realization through vulnerabilities is not evaluated; the criticality of threat realization is not evaluated; the overall level of threats to the resource is not determined; and alternative options for organizing the information security system are not offered.

4. The information security audit of LLC "Diasoft" is proposed to be carried out in 4 stages of the main process, in addition to the preliminary and final stages (planning the audit and preparing the audit report): at the initial stage, preliminary data is collected, with the categorization of information assets and their classification; at the next stage, the information assets are classified and the level of their security is assessed, with identification of threats and vulnerabilities; at the third stage, the threat level is assessed for all vulnerabilities, the resource risk in monetary terms is determined, and the proposed set of recommendations is then justified.

5. Based on the information security audit performed at Diasoft LLC, it can be concluded that the transition to an alternative information security system will strengthen data protection and reduce the risk of information security threats in monetary terms.

Keywords: audit, information security, information security audit, information security audit algorithms.
