Formal approval is required under normal operating circumstances; no formal approval for an audit is necessary under the following conditions:
Following a security breach or incident investigation
Following significant IT or IA infrastructure configuration changes (e.g., hardware upgrades, application changes or upgrades)
Immediately following any indication that the information security or business threat environment has changed or is about to change significantly
The focus above is vulnerability management-centric. Similar audit notifica-
tions are appropriate for HIPAA, Sarbanes-Oxley, or other compliance manage-
ment processes that require audits. A more efficient approach is to abstract all the
above into a general audit policy and call out specifics only when necessary.
8.5.2.3  Audit Responsibilities and Performance
IA² identifies audit responsibilities, including the use of both internal and external auditors. Internal audits are both a means to an end (a preliminary task prior to a formal external audit) and an end in themselves. An internal audit performed as a preliminary activity to an external audit gives internal operations the insight and the opportunity to correct any obvious noncompliance issues before the external auditors arrive. The internal audit process also prepares personnel to deal with external audits more effectively.
The audit policy should state that all personnel, subcontractors, consultants,
business partners, vendors, and personnel affiliated with third parties who have
access to organizational and client data shall ensure compliance with the audit
policy. The audit policy specifies the primary group responsible for conducting network security audits, who implements the audit policy, who coordinates audits, and who approves audit and assessment tools.
8.5.2.4  Reporting Results
The IA² Process identifies who owns audit results and how those results are secured and maintained. The storage and disclosure of audit data must be fully compliant with the privacy laws, regulations, and policies applicable in the jurisdiction where the data resides.
8.5.2.5  Organizational Feedback
The purpose of the assessment or audit is to verify that the existing X (whatever the subject of the assessment is) functions as intended, or to identify gaps and a gap closure plan. The final step is to feed the insights gained from the assessment or audit back into the organizational structure, policy, standards, procedures, operations, relationships, etc.