The audit of senior management's security responsibilities should follow the same approach as outlined at board and security-committee level, although the level of detail will be greater, since the role of senior management is more operational than that of the board and security committee. The IS auditor should also review how regularly senior management receives security reports from the security committee and the security department. This would ordinarily be the same report, unless there are specific requirements to submit different reports to the security committee and to senior management.
The IS auditor should also take particular interest in the content of the security reports, to confirm that the security function provides senior management and the security committee with sufficient information to make decisions at that level. It is common to find that senior management receives too much or too little information. The frequency of reporting should also be a subject of the audit, as it indicates how often senior management receives reports.
It is also important to assess whether senior management provides feedback on the various reports it receives from the security function. The effectiveness of the security function will depend on how the information received by senior management is used to ensure the security of the enterprise.
In most large enterprises, the IS auditor will find a full-time security function or department that handles the everyday implementation, management, and monitoring of security in the enterprise. The department is responsible for generating most of the security reports and is also involved in the management of security across the enterprise. The function will also monitor all security activities and make the necessary recommendations to management.
Within the security department, various security specialists work on specific security tasks, such as implementation, operations, reviewing, monitoring, compliance, and reporting. In smaller enterprises, these responsibilities can be performed by a single security specialist or a part-time security coordinator. Enterprises often hire external security coordinators to perform functions similar to those of internal security specialists.
Auditors reviewing the work of a security function have to conduct detailed investigations, as the department generates a large amount of security data and is involved in managing various areas of security. What is important here is that the IS auditor should be able to collect all the evidence necessary to support the assertions made by security management. There are various security areas the IS auditor might review, and this can be done over a specific period, focusing on different areas at a time.
Information Security Awareness Program
Information security involves all users in the enterprise, and they should be made aware of their responsibilities with regard to security. Information security is more robust when it involves all stakeholders. It is often said that the weakest security point in an enterprise is