The five C's of IT policy: reviewing the effectiveness of information security policies is a key part of IT audit plans
Abstract:
Ensuring data integrity and confidentiality in an environment of fast access to confidential information is a real challenge for management. Security breaches can result in monetary losses and threaten an organization's reputation and survival. In fact, 85 percent of respondents to Ernst & Young's 2008 Global Information Survey say a security incident would significantly impact their organization's brand or reputation. Moreover, organizations may face legal sanctions. The U.S. Federal Rules of Civil Procedure and the UK Civil Procedure Rules mandate careful handling of electronically stored information, while some state and local laws require organizations to disclose any security breach that results in the theft of personal data.
1. COMPREHENSIVE
There is little wonder, then, that information security management is the IT initiative that has the greatest impact on organizations, according to the American Institute of Certified Public Accountants' IT Initiative Survey. Organizations need a robust information security system that ensures data integrity and confidentiality, protects information assets, and encourages efficient and effective use of information systems. An information security policy, approved by the highest level of management, is an initial step toward demonstrating the organization's commitment to security and increasing awareness of security needs. This document provides a reference framework for information security comprising guidance on risk assessment, control implementation, and the authority and responsibilities for compliance.
As a part of the IT audit program, senior management expects internal auditors to provide assurance that suitable information security mechanisms are in place to comply with laws and regulations, meet industry standards, prevent breaches, and prompt management to take corrective actions. A key audit objective is evaluating the effectiveness of the information security policy and recommending improvements based on five characteristics: comprehensive, current, communicated, compliant, and convertible.
The information security policy should cover all information system elements, including data, programs, computers, networks, facilities, people, and processes. The security value of each element and the need to protect them based on security parameters--confidentiality, integrity, and availability--varies for different organizations. Some organizations rate the confidentiality of information as their highest priority, while for others the priority is the availability of information and systems. A systematic risk assessment is essential for formulating information security policies and should address these basic questions:
* What are the key elements of information systems (e.g., applications, servers, and networks)?
* What are their ratings in terms of security needs (e.g., critical, vital, sensitive, and noncritical)?
* What are the vulnerabilities associated with these information systems?
* What are the possible external and internal threats to each element of information systems?
* What are the potential risks from these threats on the business?
* What are the residual risks--after reduction, avoidance, and transfer--to be accepted by the organization?
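As an added example that is not part of the article, the following Python sketch turns the six questions above into a small risk register: each element is rated by security need (critical, vital, sensitive, noncritical), its threats are scored and given a treatment (reduce, avoid, transfer, or accept), and the residual risk left for the organization to accept is reported, together with any element whose assessment is incomplete. The element names, scores, treatment effects, and the acceptance threshold are constructed assumptions, not values from the article.

```python
"""Risk-assessment register for the six questions above.

Added example, not from the article. Element names, scores, treatment effects
and the acceptance threshold are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Security-need ratings named in the article, weighted from most to least critical.
RATING_WEIGHT = {"critical": 4, "vital": 3, "sensitive": 2, "noncritical": 1}


@dataclass
class Threat:
    name: str
    likelihood: int             # constructed 1..5 scale (rare .. almost certain)
    impact: int                 # constructed 1..5 scale (negligible .. severe)
    treatment: str = "accept"   # reduce | avoid | transfer | accept
    effect: float = 0.0         # fraction of risk removed by reduce/transfer (0..1)


@dataclass
class Element:
    name: str
    kind: str                   # application, server, network, people, process, ...
    rating: str                 # critical | vital | sensitive | noncritical
    vulnerabilities: List[str] = field(default_factory=list)
    threats: List[Threat] = field(default_factory=list)


def inherent_risk(t: Threat) -> float:
    """Risk before any treatment: likelihood x impact."""
    return float(t.likelihood * t.impact)


def residual_risk(t: Threat) -> float:
    """Risk left after the chosen treatment is applied."""
    base = inherent_risk(t)
    if t.treatment == "avoid":          # threat eliminated, e.g. service decommissioned
        return 0.0
    if t.treatment in ("reduce", "transfer"):
        if not 0.0 <= t.effect <= 1.0:
            raise ValueError(f"effect out of range for {t.name!r}")
        return round(base * (1.0 - t.effect), 2)
    if t.treatment == "accept":
        return base
    raise ValueError(f"unknown treatment {t.treatment!r} for {t.name!r}")


def assess(elements: List[Element], accept_threshold: float) -> Dict[str, dict]:
    """Per-element summary; residual risks above the threshold need management sign-off."""
    report: Dict[str, dict] = {}
    for e in elements:
        if e.rating not in RATING_WEIGHT:
            raise ValueError(f"unknown rating {e.rating!r} for {e.name!r}")
        residuals = {t.name: residual_risk(t) for t in e.threats}
        residual_total = round(sum(residuals.values()), 2)
        report[e.name] = {
            "rating": e.rating,
            "inherent": sum(inherent_risk(t) for t in e.threats),
            "residual": residual_total,
            # weight by security need so a critical element ranks above a noncritical one
            "weighted_residual": round(residual_total * RATING_WEIGHT[e.rating], 2),
            "needs_acceptance": [n for n, r in residuals.items() if r > accept_threshold],
        }
    return report


def prioritise(report: Dict[str, dict]) -> List[str]:
    """Element names ordered by weighted residual risk, highest first."""
    return sorted(report, key=lambda n: report[n]["weighted_residual"], reverse=True)


def coverage_gaps(elements: List[Element]) -> List[str]:
    """Elements with no vulnerabilities or threats recorded: the assessment is incomplete."""
    return [e.name for e in elements if not e.vulnerabilities or not e.threats]


# Constructed sample register.
SAMPLE_ELEMENTS = [
    Element("payments-app", "application", "critical",
            ["unpatched web framework", "shared admin password"],
            [Threat("external attacker exploits web flaw", 4, 5, "reduce", 0.6),
             Threat("insider misuse of admin account", 2, 5, "accept")]),
    Element("backup-tapes", "media", "sensitive",
            ["tapes leave the site unencrypted"],
            [Threat("tape lost in transit", 3, 3, "transfer", 0.5)]),
    Element("legacy-ftp-server", "server", "noncritical",
            ["cleartext protocol"],
            [Threat("credential sniffing on the LAN", 3, 2, "avoid")]),
]

if __name__ == "__main__":
    rep = assess(SAMPLE_ELEMENTS, accept_threshold=6.0)
    for name in prioritise(rep):
        r = rep[name]
        print(f"{name:<20} {r['rating']:<11} inherent={r['inherent']:>5} "
              f"residual={r['residual']:>5} sign-off={r['needs_acceptance']}")
    print("coverage gaps:", coverage_gaps(SAMPLE_ELEMENTS))
```

The `needs_acceptance` list is the point an auditor would look for: every residual risk above the threshold should be traceable to an explicit management acceptance, and `coverage_gaps` surfaces elements that were listed but never actually assessed.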
While reviewing management's assessment of information security risk, internal auditors should check that management has considered relevant laws and regulatory requirements. While drafting the security policy document, it is essential that all related departments--risk management, IT, auditing and compliance, legal, and human resources--provide input to the policy to make it effective.
Auditors should determine the development methodology and coverage of the policy by questioning management and drawing on their own knowledge of the business. They should especially examine whether all mission-critical information systems--in-house and outsourced--have been identified and covered in the policy. Auditors should check whether the relevant laws, regulations, and security standards have been used as references. For instance, the Payment Card Industry Data Security Standard could be used as a reference framework for evaluating the organization's electronic payment systems.
A second element auditors should examine is whether policy formulation is based on a systematic risk assessment. They should analyze the vulnerabilities and threats and the resulting monetary and nonmonetary losses, including their impact on business continuity. Auditors should check whether the assessment of IT system vulnerabilities has been performed by technically competent people.
The third element to examine is whether all related departments were involved in the policy formulation. Alternatively, auditors should determine whether the organization has assessed the impact on its risk profile of departments that were not involved in making the policy.
2. CURRENT
The information security policy should be updated regularly and promptly. Generally, organizations must update their security policy for three reasons:
* Change in the organization's risk profile due to change in business functions or processes and in IT and communication systems, such as computers, networks, and applications.
* Amendments to legal and regulatory requirements.
* Developments such as new encryption and data security technologies.
Periodic management review is key to keeping the policy current. Policy updates should reflect the changes as documented and approved by the appropriate level of management. Auditors should review documentation and question management to ascertain whether all relevant technological developments and legal/regulatory requirements are studied regularly by appropriate personnel and whether the resulting need to modify the policy is assessed promptly. Moreover, auditors should determine whether the organization follows adequate change management procedures, assesses the impact changes have on the organization's IT system, and amends the policy in a timely manner to reflect such changes.
3. COMMUNICATED
For the policy to be enforceable, effective communication of the information security policy to all employees, partners, vendors, and customers is crucial. Unless it is communicated well, staff may perceive the policy to be merely a measure to control physical losses of hardware and media. Communication gaps could not only lead to noncompliance, but also may have an adverse impact on constituents' perceptions of the policy.
Auditors should determine the various ways management has adopted to communicate the policy throughout the organization. They can assess the effectiveness of communication by interviewing sample employees and soliciting feedback through questionnaires.
4. COMPLIANT
Compliance with the information security policy should not be left to choice or chance. Instead, it should be compulsory for everyone at all levels of the organization, and the policy should state the consequences of noncompliance clearly.
Auditors should determine, from available documentation and management inquiries, whether there is a suitable mechanism outlining the authority and responsibility to ensure policy compliance. There also should be a well-defined manual or automated procedure in place to handle all security breaches, analyze the reasons why they occurred, and check whether such incidents recurred. Moreover, the policy should incorporate adequate measures to promote voluntary compliance, such as including compliance in employee job descriptions.
5. CONVERTIBLE
The information security policy communicates, in broad terms, senior management's philosophy and directions about protecting data and information systems. Compliance depends on converting the relevant preventive, detective, and corrective controls designed for each security element into actionable instructions, such as:
* Framing rules regarding usage of corporate e-mails and Internet systems.
* Framing rules regarding workplace use of portable devices. All such devices should be recorded in the organization's hardware/software register along with the user's name.
* Having employees sign off that they understand the IT security policy and their responsibility for compliance.
Auditors should determine whether the policy encompasses a manual of guidelines, procedures, rules, and examples, and not merely a broad statement of management's objectives. Per their audit objectives, they should check whether the relevant controls are in auditable form with a complete audit trail.
6. POLICY AUDITS YIELD BENEFITS
Reviewing the effectiveness of the organization's information security policy is not merely a compliance issue for organizations--it provides strategic value. An ineffective policy may provide a false sense of security. Conversely, an effective policy can yield tangible and intangible pay-offs, such as effective control monitoring, timely detection of breaches, and reduced losses and legal sanctions. Such dance in the organization.