8.5.2  Audit Process
A generic audit process consists of:
• Audit trigger event; something that kicks off an audit task
  – Calendar-driven (e.g., quarterly, annually, coincides with fiscal year)
  – Event-driven (e.g., security incident)
• Audit notification
• Determining responsibilities
• Audit performance
• Analysis of discovery data
• Reporting results
• Organizational review and internal feedback
The following sections elaborate on the audit process.
8.5.2.1  Audit Trigger Events
An audit policy includes statements regarding potential audit trigger events, for example:
• Calendar-driven
  – An audit specifically related to system vulnerabilities shall be performed on each segment of the Company X network, at least annually.
  – Company X reserves the right to audit all or any part of the Company X network as often as deemed necessary.
• Following security breach or incident investigation
• Following significant IT or IA infrastructure modifications
• Following any indication that the information security or business threat environment has changed or is about to change significantly
8.5.2.2  Audit Notification
The audit policy provides parameters for notification of audit and may include statements such as the following:
• Under normal operations, department/team X notifies the CTO and affected business unit prior to the initiation of any audit.
• Prior to the initiation of any audit under this policy, the prospective auditors shall notify the Company X CTO and the affected business unit CIO(s).
• A formal approval by the CSO shall direct the scheduling of corporatewide audits for vulnerabilities.