
ITAUDIT (edited by Steve Mar)

The Five C's of IT Policy

Reviewing the effectiveness of information security policies is a key part of IT audit plans.

BY ISHWAR CHANDRA

Ensuring data integrity and confidentiality in an environment of fast access to confidential information is a real challenge for management. Security breaches can result in monetary losses and threaten an organization's reputation and survival. In fact, 85 percent of respondents to Ernst & Young's 2008 Global Information Security Survey say a security incident would significantly impact their organization's brand or reputation. Moreover, organizations may face legal sanctions. The U.S. Federal Rules of Civil Procedure and the UK Civil Procedure Rules mandate careful handling of electronically stored information, while some state and local laws require organizations to disclose any security breach that results in the theft of personal data.

It is little wonder, then, that information security management is the IT initiative with the greatest impact on organizations, according to the American Institute of Certified Public Accountants' IT Initiative Survey. Organizations need a robust information security system that ensures data integrity and confidentiality, protects information assets, and encourages efficient and effective use of information systems. An information security policy, approved by the highest level of management, is an initial step toward demonstrating the organization's commitment to security and increasing awareness of security needs. This document provides a reference framework for information security, comprising guidance on risk assessment, control implementation, and the authority and responsibilities for compliance.

As part of the IT audit program, senior management expects internal auditors to provide assurance that suitable information security mechanisms are in place to comply with laws and regulations, meet industry standards, prevent breaches, and prompt management to take corrective action. A key audit objective is evaluating the effectiveness of the information security policy and recommending improvements based on five characteristics: comprehensive, current, communicated, compliant, and convertible.

COMPREHENSIVE

The information security policy should cover all information system elements, including data, programs, computers, networks, facilities, people, and processes. The security value of each element, and the need to protect it in terms of the three security parameters (confidentiality, integrity, and availability), varies from one organization to another. Some organizations rate the confidentiality of information as their highest priority, while for others the priority is the availability of information and systems. A systematic risk assessment is essential for formulating information security policies and should address these basic questions:

• What are the key elements of information systems (e.g., applications, servers, and networks)?

• What are their ratings in terms of security needs (e.g., critical, vital, sensitive, and noncritical)?

• What are the vulnerabilities associated with these information systems?

• What are the possible external and internal threats to each element of information systems?

• What are the potential risks from these threats to the business?

• What controls address these risks?

• What are the residual risks, after reduction, avoidance, and transfer, to be accepted by the organization?

DECEMBER 2008 INTERNAL AUDITOR

While reviewing management's assessment of information security risk, internal auditors should check that management has considered relevant laws and regulatory requirements. While drafting the security policy document, it is essential that all related departments (risk management, IT, auditing and compliance, legal, and human resources) provide input and spell out their roles and responsibilities for enforcing the policy, to make it effective.

Auditors should determine the development methodology and coverage of the policy by scrutinizing policy documentation, questioning management, and drawing on their own knowledge of the business. They should especially examine whether all mission-critical information systems, in-house and outsourced, have been identified and covered in the policy. Auditors should check whether the relevant laws, regulations, and security standards have been used as references. For instance, the Payment Card Industry Data Security Standard could be used as a reference framework for evaluating the organization's electronic payment systems.

A second element auditors should examine is whether policy formulation is based on a systematic risk assessment. They should analyze the vulnerabilities and threats and the resulting monetary and nonmonetary losses, including their impact on business continuity. Auditors should check whether the assessment of IT system vulnerabilities has been performed by technically competent people.

The third element to examine is whether all related departments were involved in the policy formulation. Where some were not, auditors should determine whether the organization has assessed the impact on its risk profile of the departments that were not involved in making the policy.

CURRENT

The information security policy should be updated regularly and promptly. Generally, organizations must update their security policy for three reasons:

• Change in the organization's risk profile due to changes in business functions or processes and in IT and communication systems, such as computers, networks, and applications.

• Amendments to legal and regulatory requirements.

• Developments such as new encryption and data security technologies.

Periodic management review is key to keeping the policy current. Policy updates should reflect the changes as documented and approved by the appropriate level of management. Auditors should review documentation and question management to ascertain whether all relevant technological developments and legal/regulatory requirements are studied regularly by appropriate personnel and whether the resulting need to modify the policy is assessed promptly. Moreover, auditors should determine whether the organization follows adequate change management procedures, assesses the impact changes have on the risk profile of the organization's IT systems, and amends the policy in a timely manner to reflect such changes.

COMMUNICATED

To be enforceable, the information security policy must be communicated effectively to all employees, partners, vendors, and customers. What is communicated should convey the policy's actual objectives and intent. For example, management's intent to protect sensitive data using a system for maintaining hardware and registering media movement must be communicated well, or staff may perceive the policy to be merely a measure to control physical losses of hardware and media. Communication gaps could not only lead to noncompliance, but also may have an adverse impact on constituents' perceptions of the policy.

Auditors should determine the various ways management has adopted to communicate the policy throughout the organization. They can assess the effectiveness of communication by interviewing a sample of employees and soliciting feedback through questionnaires.

COMPLIANT

Compliance with the information security policy should not be left to choice or chance. Instead, it should be compulsory for everyone at all levels of the organization, and the policy should state the consequences of noncompliance clearly.

Auditors should determine, from available documentation and management inquiries, whether there is a suitable mechanism outlining the authority and responsibility for ensuring policy compliance. There also should be a well-defined manual or automated procedure in place to handle all security breaches, analyze the reasons why they occurred, and check whether such incidents have recurred. Moreover, the policy should incorporate adequate measures to promote voluntary compliance, such as including compliance in employee job descriptions.

CONVERTIBLE

The information security policy communicates, in broad terms, senior management's philosophy and direction on protecting data and information systems. Compliance depends on converting the relevant preventive, detective, and corrective controls designed for each security element into actionable instructions, such as:

• Framing rules regarding usage of corporate e-mail and Internet systems.

• Framing rules regarding workplace use of portable devices. All such devices should be recorded in the organization's hardware/software register along with the user's name.

• Having employees sign off that they understand the IT security policy and their responsibility for compliance.

Auditors should determine whether the policy encompasses a manual of guidelines, procedures, rules, and examples, and not merely a broad statement of management's objectives. Per their audit objectives, they should check whether the relevant controls are in auditable form with a complete audit trail.

POLICY AUDITS YIELD BENEFITS

Reviewing the effectiveness of the organization's information security policy is not merely a compliance issue for organizations; it provides strategic value. An ineffective policy may provide a false sense of security. Conversely, an effective policy can yield tangible and intangible pay-offs, such as effective control monitoring, timely detection of breaches, and reduced losses and legal sanctions. Such gains can enhance stakeholders' confidence in the organization.

ISHWAR CHANDRA, FCA, CISA, is a chartered accountant practicing auditing in Agra, India.

To comment on this article, e-mail the author at ishwar.chor}[email protected].

Send story ideas about current IT issues and best practices for "ITAudit" to: Steve Mar, [email protected].
