a) Has your enterprise implemented an information security policy?
If the client confirms that an information security policy exists, they should provide evidence in the form of a policy document approved by the board or senior management. Approval evidence could take the form of board minutes, an endorsement on the original copy, or a letter from senior management. The IS auditor should further enquire whether supporting security procedures have been developed and implemented; a policy that is approved but has no procedures behind it is unlikely to be applied consistently. Some enterprises maintain a separate security procedures document which is used by operational staff.
Implementing a security policy might in many cases require establishing a department to oversee the security function, headed by a manager or director with supporting security specialist staff. Smaller or medium-sized enterprises that cannot afford a full-time security department have the option of engaging external IS auditors, or of appointing one person to manage the security function on a full-time or part-time basis.
Where an information security policy has not been implemented, the IS auditor should recommend that one be implemented. In some enterprises, security is implemented in a piecemeal fashion without a formal policy position from management. In this case too, the IS auditor should recommend that a formal policy be implemented to ensure robust and effective protection of data and IT systems.
b) What standard has the enterprise used to develop the information security policy?
It is important that information security is based on best practice, and many information security standards have been developed by standards bodies and professional organisations. Typical examples of security standards and frameworks include ISO 27001, ISO 17799 (since renumbered as ISO/IEC 27002), BS 7799 (the British standard on which the ISO 27000 series was originally based), and COBIT for information security.
Usually the drafters of the policy document indicate which standard the enterprise used to develop and implement the policy. Enterprises have the option of selecting only the relevant areas of the standard to include; it is not necessary that all areas of the standard be covered, because security requirements are not the same in all enterprises. Where areas have been left out, the IS auditor should expect a documented reason for the omission (for example, a risk assessment showing the control is not applicable) rather than an unexplained gap.
Some enterprises may opt to use internally developed standards. The IS auditor should request such a standard, review it, and determine whether it meets best practice as recommended by international standards organisations.
It is unlikely that an enterprise would have an information security policy without having used any specific standard. Where this is the case, the IS auditor should recommend a review of the policy so that it is based on an appropriate standard or other accepted best practice document.