c) How does the enterprise ensure that all users are aware of the information security policy and procedures?
One of the requirements when implementing information security is to ensure that all users are aware of the information security policy and the security procedures used in the enterprise. Information security concerns everyone in the enterprise, not just IT staff or management.
A number of methods can be used to deliver information security awareness training. The traditional method is regular workshops delivered as PowerPoint presentations, lectures, or group discussions. Other methods include online web technologies, podcasts, video, regular alerts, and bulletins sent by email or by phone messages such as Short Message Service (SMS). Users can also complete awareness programs as online sessions which automatically email the results to the training coordinators.
Information collected from the client should provide evidence that users have attended the awareness programs conducted by the enterprise. Apart from collecting evidence that awareness programs exist, the IS auditor should also assess their effectiveness: users should be able to demonstrate that they understand the information security requirements after the training. This can be tested by interviewing users in selected departments.
From the explanation above, the IS auditor should be able to develop a number of follow-up questions which can be used to collect more detailed responses from the client.
d) Are there procedures which ensure that users are compelled to maintain confidentiality of company information?
The board and senior management should ensure that all employees sign a confidentiality agreement upon employment. This is an undertaking that company information will not be disclosed to unauthorised parties, whether inside or outside the enterprise. Such a requirement protects the enterprise and obliges employees not to disclose company information.
The IS auditor could request to perform a review confirming whether all new joiners signed the confidentiality agreement. Some enterprises require staff to renew the confidentiality agreement every year. The signed agreements are evidence that staff have accepted the requirement and are aware of it. In other enterprises, the confidentiality clause is in the employee manual, and it is taken that once a new employee accepts employment, he or she also agrees to the obligations set out in the employee manual.
If the enterprise does not have a confidentiality agreement procedure in place, it is the responsibility of the IS auditor to recommend that management implement such a procedure. In some countries, this requirement is a legal obligation, and all employees are