vironment. Nowadays enterprises rely on third parties to provide information technology services. It is the responsibility of the IS auditor to regularly review supplier relationships in order to ensure the provision of secure and appropriate services.
Information Security Incident - Incident management is critical to the management of security. An enterprise that has a system for recording and resolving incidents will be able to keep a robust record of them. Many enterprises today use electronic systems to manage incidents. The IS auditor is required to review the incident management systems to assess their effectiveness in the enterprise.
Business Continuity Management - An enterprise should put in place a business continuity management plan which will ensure that the business continues operations in the event of a disaster. Business continuity involves the whole enterprise and includes recovery of IT systems, which is normally covered under disaster recovery. The IS auditor, using appropriate tools, is required to review the implementation and management of the enterprise business continuity plan.
Compliance - The enterprise should ensure compliance with the IT policy and procedures it has developed and implemented. Compliance also covers the regulations and laws of the country. Most countries have enacted laws concerning personal privacy, the keeping of electronic records, and the protection of information. It is the role of the IS auditor to ensure, through regular audits, that the enterprise is in compliance with policies, regulations, and laws.
Security Management Structure
In order to have an effective implementation of security in the enterprise, it is recommended that a suitable organisational structure is put in place to support the operations of information security. The IS auditor should review the security organisation in order to determine that it is suitable for implementing and maintaining a good security infrastructure.
The overall responsibility for ensuring security in the enterprise rests with the board of directors, who will issue directives through senior management. The structure of the security function will depend on the size of the enterprise and the level of security required in the enterprise. Very large enterprises such as multinational corporations usually have formal functions with several full-time employees. Medium to small enterprises might have one or two security specialists. In other small enterprises, the security function might use part-