The five C's of IT policy: reviewing the effectiveness of information security policies is a key part of IT audit plans
Abstract:
Ensuring data integrity and confidentiality in an environment of fast access to confidential information is a real challenge for management. Security breaches can result in monetary losses and threaten an organization's reputation and survival. In fact, 85 percent of respondents to Ernst & Young's 2008 Global Information Survey say a security incident would significantly impact their organization's brand or reputation. Moreover, organizations may face legal sanctions. The U.S. Federal Rules of Civil Procedure and the UK Civil Procedure Rules mandate careful handling of electronically stored information, while some state and local laws require organizations to disclose any security breach that results in the theft of personal data.
1. COMPREHENSIVE
There is little wonder, then, that information security management is the IT initiative that has the greatest impact on organizations, according to the American Institute of Certified Public Accountants' IT Initiative Survey. Organizations need a robust information security system that ensures data integrity and confidentiality, protects information assets, and encourages efficient and effective use of information systems. An information security policy, approved by the highest level of management, is an initial step toward demonstrating the organization's commitment to security and increasing awareness of security needs. This document provides a reference framework for information security comprising guidance on risk assessment, control implementation, and the authority and responsibilities for compliance.
As a part of the IT audit program, senior management expects internal auditors to provide assurance that suitable information security mechanisms are in place to comply with laws and regulations, meet industry standards, prevent breaches, and prompt management to take corrective actions. A key audit objective is evaluating the effectiveness of the information security policy and recommending improvements based on five characteristics: comprehensive, current, communicated, compliant, and convertible.
The information security policy should cover all information system elements, including data, programs, computers, networks, facilities, people, and processes. The security value of each element and the need to protect them based on security parameters--confidentiality, integrity, and availability--varies for different organizations. Some organizations rate the confidentiality of information as their highest priority, while for others the priority is the availability of information and systems. A systematic risk assessment is essential for formulating information security policies and should address these basic questions:
* What are the key elements of information systems (e.g., applications, servers, and networks)?
* What are their ratings in terms of security needs (e.g., critical, vital, sensitive, and noncritical)?
* What are the vulnerabilities associated with these information systems?
* What are the possible external and internal threats to each element of information systems?
* What are the potential risks from these threats on the business?
* What are the residual risks--after reduction, avoidance, and transfer--to be accepted by the organization?
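As an added illustration (not from the original article), the following Python sketch works those six questions through for a few constructed information system elements: each element is rated, paired with the vulnerabilities and internal or external threats that apply to it, scored for inherent risk, and then carried through reduction, avoidance, or transfer to a residual risk that the organization either accepts or must treat further. The element names, ratings, the 1-to-5 likelihood and impact scales, the treatment factors, and the acceptance threshold are all constructed assumptions, not values from the article.

```python
"""Worked risk assessment following the six questions listed above.
Added example, not from the original article: element names, ratings,
the 1..5 likelihood/impact scales, treatment factors and the acceptance
threshold are all constructed assumptions."""
from dataclasses import dataclass, field

# Constructed weighting of the security-need ratings named in the article
RATING_WEIGHT = {"critical": 4, "vital": 3, "sensitive": 2, "noncritical": 1}


@dataclass
class Threat:
    name: str
    vulnerability: str   # weakness the threat would exploit
    source: str          # "internal" or "external"
    likelihood: int      # 1 (rare) .. 5 (expected), constructed scale
    impact: int          # 1 (negligible) .. 5 (severe) business impact


@dataclass
class Treatment:
    kind: str            # "reduce", "avoid" or "transfer"
    factor: float = 0.0  # fraction of the risk score removed (reduce/transfer)


@dataclass
class Element:
    name: str
    rating: str          # critical / vital / sensitive / noncritical
    threats: list = field(default_factory=list)
    treatments: dict = field(default_factory=dict)  # threat name -> Treatment


def inherent_risk(element, threat):
    """Risk before any treatment: likelihood x impact, weighted by the
    element's security-need rating."""
    return threat.likelihood * threat.impact * RATING_WEIGHT[element.rating]


def residual_risk(element, threat):
    """Risk left after the chosen treatment. Avoidance removes the risk,
    reduction and transfer remove the stated fraction, and an untreated
    threat keeps its inherent score."""
    base = inherent_risk(element, threat)
    treatment = element.treatments.get(threat.name)
    if treatment is None:
        return float(base)
    if treatment.kind == "avoid":
        return 0.0
    if treatment.kind in ("reduce", "transfer"):
        if not 0.0 <= treatment.factor <= 1.0:
            raise ValueError(f"treatment factor out of range: {treatment.factor}")
        return round(base * (1.0 - treatment.factor), 1)
    raise ValueError(f"unknown treatment kind: {treatment.kind}")


def risk_register(elements, acceptance_threshold):
    """One row per element/threat pair, highest residual risk first, with a
    flag showing whether the residual risk is within what the organization
    has decided to accept."""
    rows = []
    for element in elements:
        for threat in element.threats:
            residual = residual_risk(element, threat)
            rows.append({
                "element": element.name,
                "threat": threat.name,
                "source": threat.source,
                "inherent": inherent_risk(element, threat),
                "residual": residual,
                "accepted": residual <= acceptance_threshold,
            })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def build_sample_register():
    """Constructed sample elements; not a real organization's data."""
    payments = Element("payment application", "critical",
        threats=[
            Threat("SQL injection", "unvalidated input", "external", 3, 5),
            Threat("privileged misuse", "shared admin account", "internal", 2, 4),
        ],
        treatments={
            "SQL injection": Treatment("reduce", 0.8),      # input validation, WAF
            "privileged misuse": Treatment("reduce", 0.5),  # named accounts, logging
        })
    hr_share = Element("HR file share", "vital",
        threats=[Threat("ransomware", "unpatched file server", "external", 3, 4)],
        treatments={"ransomware": Treatment("transfer", 0.6)})  # cyber insurance
    fax = Element("legacy fax server", "sensitive",
        threats=[Threat("data leakage", "unencrypted spool", "internal", 3, 3)],
        treatments={"data leakage": Treatment("avoid")})  # system decommissioned
    brochure = Element("public brochure site", "noncritical",
        threats=[Threat("defacement", "outdated CMS plugin", "external", 4, 2)])
    return [payments, hr_share, fax, brochure]


if __name__ == "__main__":
    for row in risk_register(build_sample_register(), acceptance_threshold=15):
        flag = "accepted" if row["accepted"] else "TREAT FURTHER"
        print(f"{row['element']:<24} {row['threat']:<18} "
              f"inherent={row['inherent']:>3} residual={row['residual']:>5} {flag}")
```

With these constructed inputs only the shared-admin-account threat on the payment application stays above the acceptance threshold after treatment, which is exactly the kind of row an auditor would expect to see explicitly accepted by management or scheduled for further treatment rather than left implicit.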
While reviewing management's assessment of information security risk, internal auditors should check that management has considered relevant laws and regulatory requirements. While drafting the security policy document, it is essential that all related departments--risk management, IT, auditing and compliance, legal, and human resources--provide input and have their responsibilities spelled out in the policy to make it effective.
Auditors should determine the development methodology and coverage of the policy by scrutinizing management's documentation and tapping their own knowledge of the business. They should especially examine whether all mission-critical information systems--in-house and outsourced--have been identified and covered in the policy. Auditors should check whether the relevant laws, regulations, and security standards have been used as references. For instance, the Payment Card Industry Data Security Standard could be used as a reference framework for evaluating the organization's electronic payment systems.
A second element auditors should examine is whether policy formulation is based on a systematic risk assessment. They should analyze the vulnerabilities and threats and the resulting monetary and nonmonetary losses, including their impact on business continuity. Auditors should check whether the assessment of IT system vulnerabilities has been performed by technically competent people.
The third element to examine is whether all related departments were involved in the policy formulation. If not, auditors should determine whether the organization has assessed the impact on its risk profile of the departments that were not involved in making the policy.
2. CURRENT
The information security policy should be updated regularly and promptly. Generally, organizations must update their security policy for three reasons:
* Change in the organization's risk profile due to change in business functions or processes and in IT and communication systems, such as computers, networks, and applications.
* Amendments to legal and regulatory requirements.
* Developments such as new encryption and data security technologies.
Periodic management review is key to keeping the policy current. Policy updates should reflect the changes as documented and approved by the appropriate level of management. Auditors should review documentation and question management to ascertain whether all relevant technological developments and legal/regulatory requirements are studied regularly by appropriate personnel and whether the resulting need to modify the policy is assessed promptly. Moreover, auditors should determine whether the organization follows adequate change management procedures, assesses the impact changes have on the organization's IT systems, and amends the policy in a timely manner to reflect such changes.
3. COMMUNICATED
To be enforceable, the information security policy must be communicated effectively to all employees, partners, vendors, and customers. Unless it is communicated well, staff may perceive the policy to be merely a measure to control physical losses of hardware and media. Communication gaps could not only lead to noncompliance, but also may have an adverse impact on constituents' perceptions of the policy.
Auditors should determine the various ways management has adopted to communicate the policy throughout the organization. They can assess the effectiveness of communication by interviewing sample employees and soliciting feedback through questionnaires.
4. COMPLIANT
Compliance with the information security policy should not be left to choice or chance. Instead, it should be compulsory for everyone at all levels of the organization, and the policy should state the consequences of noncompliance clearly.
Auditors should determine, from available documentation and management inquiries, whether there is a suitable mechanism outlining the authority and responsibility to ensure policy compliance. There also should be a well-defined manual or automated procedure in place to handle all security breaches, analyze the reasons why they occurred, and check whether such incidents have recurred. Moreover, the policy should incorporate adequate measures to promote voluntary compliance, such as including compliance in employee job descriptions.
5. CONVERTIBLE
The information security policy communicates, in broad terms, senior management's philosophy and directions about protecting data and information systems. Compliance depends on converting the relevant preventive, detective, and corrective controls designed for each security element into actionable instructions, such as:
* Framing rules regarding usage of corporate e-mails and Internet systems.
* Framing rules regarding workplace use of portable devices. All such devices should be recorded in the organization's hardware/software register along with the user's name.
* Having employees sign off that they understand the IT security policy and their responsibility for compliance.
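As an added example (not from the original article), the Python below takes the second and third instructions in that list and converts them into rules a machine can check, recording one audit-trail entry per check so that every pass or fail can be traced back to its evidence. The hardware/software register, the employee roster, the sign-off records, the observed-device list, and the rule identifiers PD-1 and SO-1 are all constructed for the illustration.

```python
"""Two of the policy directives above turned into checkable rules that leave
an audit trail. Added example, not from the original article: the register,
sign-off records, employee roster, device observations and the rule ids
PD-1 and SO-1 are constructed."""
from datetime import datetime, timezone

CURRENT_POLICY_VERSION = "2.1"

# Constructed hardware/software register: asset tag -> user it is recorded for
HARDWARE_REGISTER = {"LT-0042": "a.chen", "USB-0107": "m.okafor"}

# Constructed employee roster and sign-off records (user -> version acknowledged)
EMPLOYEES = ["a.chen", "m.okafor", "j.silva"]
POLICY_SIGNOFFS = {"a.chen": "2.1", "m.okafor": "1.4"}

# Constructed observations of portable devices in use (e.g. from endpoint logs)
OBSERVED_DEVICES = [
    {"asset_tag": "LT-0042", "user": "a.chen"},    # matches the register
    {"asset_tag": "USB-0107", "user": "j.silva"},  # registered to someone else
    {"asset_tag": "LT-0099", "user": "j.silva"},   # not in the register at all
]


def check_device_registered(observation):
    """Rule PD-1: a portable device in use must be in the register under the
    name of the person using it. Returns (passed, evidence)."""
    owner = HARDWARE_REGISTER.get(observation["asset_tag"])
    if owner is None:
        return False, "asset tag not in hardware/software register"
    if owner != observation["user"]:
        return False, f"registered to {owner}, observed in use by {observation['user']}"
    return True, f"registered to {owner}"


def check_policy_signoff(user):
    """Rule SO-1: every employee must have signed off on the current policy
    version. Returns (passed, evidence)."""
    version = POLICY_SIGNOFFS.get(user)
    if version is None:
        return False, "no sign-off on record"
    if version != CURRENT_POLICY_VERSION:
        return False, f"signed off on version {version}, current is {CURRENT_POLICY_VERSION}"
    return True, f"signed off on version {version}"


def run_checks(observations, employees, checked_at=None):
    """Evaluate both rules and return the audit trail: one record per check,
    pass or fail, so the auditor can trace every conclusion to its evidence."""
    stamp = (checked_at or datetime.now(timezone.utc)).isoformat()
    trail = []
    for obs in observations:
        passed, evidence = check_device_registered(obs)
        trail.append({"at": stamp, "rule": "PD-1", "subject": obs["asset_tag"],
                      "passed": passed, "evidence": evidence})
    for user in employees:
        passed, evidence = check_policy_signoff(user)
        trail.append({"at": stamp, "rule": "SO-1", "subject": user,
                      "passed": passed, "evidence": evidence})
    return trail


def exceptions(trail):
    """Failed checks only: the items management must act on."""
    return [record for record in trail if not record["passed"]]


if __name__ == "__main__":
    trail = run_checks(OBSERVED_DEVICES, EMPLOYEES)
    for record in trail:
        status = "PASS" if record["passed"] else "FAIL"
        print(f"{record['at']} {record['rule']} {record['subject']:<10} {status}  {record['evidence']}")
    print(f"{len(exceptions(trail))} exception(s) of {len(trail)} checks")
```

The point of keeping the passing checks in the trail, not just the failures, is the "complete audit trail" the article asks for: an auditor can see that every device and every employee was actually tested, not only the ones that happened to fail.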
Auditors should determine whether the policy encompasses a manual of guidelines, procedures, rules, and examples, and not merely a broad statement of management's objectives. Per their audit objectives, they should check whether the relevant controls are in auditable form with a complete audit trail.
6. POLICY AUDITS YIELD BENEFITS
Reviewing the effectiveness of the organization's information security policy is not merely a compliance issue for organizations--it provides strategic value. An ineffective policy may provide a false sense of security. Conversely, an effective policy can yield tangible and intangible pay-offs, such as effective control monitoring, timely detection of breaches, and reduced losses and legal sanctions. Such dance in the organization.