1.5 Information Asset Security and Control (information security…
1.5 Information Asset Security and Control
Information security is an essential component of governance and management that affects all aspects of entity-level controls
information security management function
necessary for the modern business to establish cost-effective information security processes
while providing adequate information security assurance within the risk appetite and budget of the organization.
set of fundamental controls that helps support and protect an enterprise by preventing/minimizing financial or information loss and adding/preserving value.
AUDITING THE INFORMATION SECURITY
involves the audit of logical access the use of investigation techniques the use of techniques for testing security
Reviewing Written Policies, Procedures and Standards
Policies and procedures provide the framework and guidelines for maintaining proper operation and control
IS auditor should review them
to determine if they define proper security
and provide a means for assigning responsibility for maintaining a secure information systems environment
ensure that documents remain current and meet organizational information security needs.
Formal Security Awareness and Training
if employees know what is expected of them and their responsibilities and repercussions for violations
Promoting security awareness is a preventive control.
This can also be a detective measure, because it
encourages people to identify and report possible security violations.
How? new employee orientation process+ Ongoing awareness includes articles in company newsletters, visible and consistent security enforcement and short reminders during staff meetings
To determine the effectiveness of the program, the I
S auditor should interview a sample of employees to determine their overall awareness.
classification of data elements and the allocation of responsibility for protecting data for ensuring that they are kept confidential, complete and accurate.
Responsibilities include identifying and classifying data based on associated risk, authorizing access to data, review access controls, determine protection mechanism for data owned by them.
IS auditor can use this information to determine if proper
ownership has been assigned
whether the data owner is aware of the assignment
should also review a
sample of job descriptions
to ensure that
responsibilities and duties are consistent with the information security policy.
review the classification of data and evaluate their
appropriateness, as they relate to the area under review.
Data owners are generally managers and directors responsible for using information for running and controlling the business
security responsibilities include
regularly review access rules for the data for which they are responsible.
ensuring that access rules are updated when personnel changes occur, and
responsible for storing and safeguarding the data
include IS personnel, such as systems analysts and computer operators.
responsible for providing adequate physical and
logical security for IS programs, data and equipment.
New IT Users
New IT users (employees or third parties) and, in general, all new users who are assigned PCs or other IT resources should sign a document stating the main IT security obligations that they are thereby engaged to know and observe.
• Read and agree to follow security policies.
• Keep logon IDs and passwords secret.
• Create quality passwords according to policy.
• Lock terminal screens when not in use.
• Report suspected violations of security.
• Maintain good physical security—keep doors locked, safeguard access keys, do not disclose access door lock combinations and question unfamiliar people.
• Conform to applicable laws and regulations.
• Use IT resources only for authorized business purposes.
include internal and the external user communities
levels of access should be authorized by the data owners and restricted and monitored by the security administrator.
Their responsibilities regarding security are to be vigilant regarding the monitoring of unauthorized people in the work areas and comply with general security guidelines and policies.
Data access should be identified and authorized in writing
IS auditor can review a sample of these authorizations to determine if the proper level of written authority was provided.
facility practices data ownership, only
the data owners provide written authority.
Terminated Employee Access
can occur in the following circumstances:
• On the request of the employee (voluntary resignation from service)
• Scheduled (retirement or completion of contract)
it is management’s prerogative to decide whether access is restricted or withdrawn.
This depends on:
• The specific circumstances associated with each case
• The sensitivity of the employee’s access to the IT infrastructure and resources
• The requirements of the organization’s information security policies, standards and procedures
• Involuntary (forced by management in special circumstances)
logical and physical access rights of employees to the IT infrastructure should either be withdrawn completely or highly restricted as early as possible,
Similar procedures should be in place to terminate access for third parties upon terminating their activities with the organization.