required to sign the agreement, especially in public organisations such as government institutions.
The IS auditor should be able to collect some copies of the signed confidentiality agreements, employee manual, and privacy policy in support of the positive response from the client.
e) How does the enterprise maintain personal privacy of customer data and information?
Maintaining privacy for customer data is a legal requirement in most countries. Most enterprises have implemented internal policies to ensure that personal privacy is maintained for customers and other information maintained for staff or suppliers.
Since it is a legal requirement in most countries, it is important that enterprises in such jurisdictions ensure that the board and senior management monitor implementation of the privacy policy and regularly review its operation.
The IS auditor is required to collect evidence on how the enterprise is maintaining personal privacy requirements. A starting point would be to collect the company privacy policy and associated procedures. The IS auditor might also request reports from staff responsible for implementation and monitoring of the policy. A review of these documents would give an indication of how the enterprise is implementing the personal privacy policy.
Where a personal privacy policy is not available, it is again the responsibility of the IS auditor to advise the board and senior management on the need to observe personal privacy, especially if it is a legal requirement.
f) What procedures do you have for granting access to IT systems on the enterprise IT infrastructure?
An enterprise should have access control procedures which require all users to be authorised before they can access IT systems. Access controls determine who can access the systems and what they can do on the system. Users are given different user rights depending on their job roles.
In order to access systems, users need to be authorised by their functional managers. This is a requirement in many enterprises and is a formal process in which new or existing users are required to sign access request forms, whether manual or online.
The IS auditor can collect the access request forms as evidence and review them in order to verify that the procedure is being followed. The IS auditor should also check for evidence that user rights are regularly reviewed by system owners or managers. The IS auditor might also check for the existence of dormant accounts and whether accounts for employees who have left the enterprise have been disabled or deleted.
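As an added illustration, not taken from this book, the checks just described can be carried out mechanically over a user-account export: every account should match an approved access request form, leavers' accounts should be disabled, and enabled accounts that have not been used recently (or ever) should be raised for review. The account list, approved requests and leaver list below are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (not from a real system): a user-account export
# from one application, the set of users with an approved access request
# form on file, and HR's list of employees who have left.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 3, 1)},
    {"user": "bob", "enabled": True, "last_login": date(2023, 9, 15)},
    {"user": "carol", "enabled": False, "last_login": date(2023, 11, 2)},
    {"user": "dave", "enabled": True, "last_login": None},
    {"user": "erin", "enabled": True, "last_login": date(2024, 2, 20)},
    {"user": "frank", "enabled": True, "last_login": date(2024, 3, 5)},
]
APPROVED_REQUESTS = {"alice", "bob", "carol", "dave", "erin"}
LEAVERS = {"carol", "erin"}
AS_OF = date(2024, 3, 10)


def review_accounts(accounts, approved, leavers, as_of, dormant_days=90):
    """Return (user, finding) pairs for accounts that fail the audit tests:
    no approved access request, leaver still enabled, dormant (no login
    within dormant_days), or enabled but never used."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in approved:
            findings.append((user, "no approved access request form on file"))
        if not acct["enabled"]:
            continue  # a disabled account is neither a dormant nor a leaver exposure
        if user in leavers:
            findings.append((user, "leaver's account still enabled"))
        last = acct["last_login"]
        if last is None:
            findings.append((user, "enabled but never logged in"))
        elif last < cutoff:
            idle = (as_of - last).days
            findings.append((user, f"dormant: no login for {idle} days"))
    return findings


def sample_findings():
    """Run the review over the constructed sample as of AS_OF."""
    return review_accounts(ACCOUNTS, APPROVED_REQUESTS, LEAVERS, AS_OF)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Each finding is a lead for the auditor to follow up with the system owner, not a conclusion in itself: a long-idle account may belong to a seasonal role, and the export's "last login" field must itself be trusted before the dormancy test means anything.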