National Security Auditing Criteria, KATAKRI: Leading Auditor Training and Auditing Process

摘要

The National Security Auditing Criteria, KATAKRI, were published in 2009, revised in 2011, and version III is currently under revision. The root of KATAKRI is to preserve the confidentiality of any confidential and classified information held by the organisation concerned. One of KATAKRI's aims is to combine the actions of authorities when verifying the security level of a company or other corporation by carrying out security auditing. From the enterprise operators' point of view, the focus of security auditing is to eliminate unfair competition and maintain an equal opportunity field for operators. Another of KATAKRI's aims is to improve national security when Finnish Defence Forces or other security authorities apply subcontracting. KATAKRI is also intended to help companies and corporations when they are developing their own security level. The purpose of this case study is to find out: what is expected from the security auditing process and from the leading auditor; what kind of competence the auditor should have; and how the security auditing training and qualification should be developed to correspond with the needs of the security field. The empirical research was conducted in the form of interviews, questionnaires and observations made as a student during the first KATAKRI leading auditor course executed 2/2/2012-12/12/2012. The combined results showed that deep knowledge of the security field and competence to manage overall security is required from security auditors. Furthermore, it was concluded that qualifications for security auditors should be created in accordance with ISO Standard 19011:2011, which provides a very strong competence model. In light of the above, it is recommended that the academic level, content and requirements of future audit and security auditing training should be clearly defined, and the quality of the training should be standardised and certified. The results also indicate that KATAKRI version II still has defects due to its inconsistency. One task of auditing processes should be collecting information about KATAKRI's shortcomings, and they should be systematically analysed. Future leading auditor courses would be suitable scenes to analyse shortcomings and to propose improvements to KATAKRI. KATAKRI should be revised every second or third year.