ABSTRACT

External auditors such as financial statement auditors might assess security over a system to understand the extent of security controls implemented and whether these controls are adequate to allow them to rely on the data processed by the systems. Potential partners for a merger might assess the security of an organization’s systems to determine the effectiveness of security measures and to gain a better understanding of the systems’ condition and value. Internal risk assessments should be completed by the information security officer or an internal audit department on an annual basis and more often if the frequency of hardware and software changes so necessitates. The security life-cycle model contains all of the elements of security for a particular component of security of an information technology as seen in Exhibit 21-2. A risk assessment is an active process that is used to evaluate the security of an IT environment.