1.5 Information Asset Security and Control

Information security is an essential component of governance and management that affects all aspects of entity-level controls.

The information security management function is responsible for:

• governance

• policy

• enforcement

• monitoring

• innovation

It is necessary for the modern business to establish cost-effective information security processes while providing adequate information security assurance within the risk appetite and budget of the organization.

Control framework

A set of fundamental controls that helps support and protect an enterprise by preventing or minimizing financial or information loss and by adding or preserving value.

AUDITING THE INFORMATION SECURITY MANAGEMENT FRAMEWORK

Involves the audit of logical access, the use of investigation techniques and the use of techniques for testing security.

Comprises:

Reviewing Written Policies, Procedures and Standards

Policies and procedures provide the framework and guidelines for maintaining proper operation and control.

The IS auditor should review them to determine whether they define proper security and provide a means for assigning responsibility for maintaining a secure information systems environment, and should ensure that the documents remain current and meet organizational information security needs.

Formal Security Awareness and Training

Security is more effective if employees know what is expected of them, what their responsibilities are and what the repercussions for violations are.

Promoting security awareness is a preventive control. It can also be a detective measure, because it encourages people to identify and report possible security violations.

How? Through the new employee orientation process, plus ongoing awareness: articles in company newsletters, visible and consistent security enforcement and short reminders during staff meetings.

To determine the effectiveness of the program, the IS auditor should interview a sample of employees to determine their overall awareness.

Data Ownership

Data ownership refers to the classification of data elements and the allocation of responsibility for protecting data, i.e., for ensuring that they are kept confidential, complete and accurate.

The IS auditor can use this information to determine whether proper ownership has been assigned and whether the data owner is aware of the assignment.

The auditor should also review a sample of job descriptions to ensure that responsibilities and duties are consistent with the information security policy, and should review the classification of data and evaluate its appropriateness as it relates to the area under review.

Owner responsibilities include identifying and classifying data based on associated risk, authorizing access to data, reviewing access controls and determining protection mechanisms for the data they own.

Data Owners

Data owners are generally managers and directors responsible for using information for running and controlling the business.

Their security responsibilities include:

• authorizing access,

• regularly reviewing access rules for the data for which they are responsible, and

• ensuring that access rules are updated when personnel changes occur.

Data Custodians

Responsible for storing and safeguarding the data; include IS personnel, such as systems analysts and computer operators.

Security Administrator

Responsible for providing adequate physical and logical security for IS programs, data and equipment.

New IT Users

New IT users (employees or third parties) and, in general, all new users who are assigned PCs or other IT resources should sign a document stating the main IT security obligations that they are thereby engaged to know and observe:

• Read and agree to follow security policies.

• Keep logon IDs and passwords secret.

• Create quality passwords according to policy.

• Lock terminal screens when not in use.

• Report suspected violations of security.

• Maintain good physical security—keep doors locked, safeguard access keys, do not disclose access door lock combinations and question unfamiliar people.

• Conform to applicable laws and regulations.

• Use IT resources only for authorized business purposes.

Data Users

Include the internal and the external user communities.

Their levels of access should be authorized by the data owners and restricted and monitored by the security administrator.

Their security responsibilities are to be vigilant regarding the presence of unauthorized people in the work areas and to comply with general security guidelines and policies.

Documented Authorizations

Data access should be identified and authorized in writing.

The IS auditor can review a sample of these authorizations to determine whether the proper level of written authority was provided.

Where the facility practices data ownership, only the data owners provide written authority.

Terminated Employee Access

Termination can occur in the following circumstances:

• On the request of the employee (voluntary resignation from service)

• Scheduled (retirement or completion of contract)

• Involuntary (forced by management in special circumstances)

Similar procedures should be in place to terminate access for third parties upon terminating their activities with the organization.

The logical and physical access rights of terminated employees to the IT infrastructure should either be withdrawn completely or highly restricted as early as possible; it is management's prerogative to decide whether access is restricted or withdrawn.

This depends on:

• The specific circumstances associated with each case

• The sensitivity of the employee’s access to the IT infrastructure and resources

• The requirements of the organization’s information security policies, standards and procedures