Please enable JavaScript.

Coggle requires JavaScript to display documents.

1.1.5 (AUDITING THE INFORMATION SECURITY MANAGEMENT FRAMEWORK (involves,…

- - - - risk management,
      - risk assessment results,
      - control design and
      - incident management among other areas.
  - - - This policy review should also include reviewing the date of the last update to ensure that documents remain current and meet organizational information security needs.
  - - - This can also be a detective measure, because it encourages people to identify and report possible security violations
    - - To determine the effectiveness of the program, the IS auditor should INTERVIEW a sample of employees to determine their overall awareness.
  - - - the classification of data elements
        
        The auditor should review the classification of data and evaluate their appropriateness, as they relate to the area under review
      - and the allocation of responsibility for ensuring that they are kept confidential, complete and accurate.
        
        by assigning responsibility for protecting data to particular employees, accountability is established.
        
        The IS auditor
        
        use this information to determine if PROPER OWNERSHIP has been assigned and whether the data owner is aware of the assignment.
        
        should also review a sample of JOB DESCRIPTIONS to ensure that responsibilities and duties are CONSISTENT with the information security policy #
    - - identifying and classifying data based on associated risk,
      - authorizing access to data,
      - review access controls,
      - determine protection mechanism for data owned by them.
  - - - authorizing access
      - ensuring that access rules are updated when personnel changes occur,
      - and regularly review ACCESS RULES for the data for which they are responsible
  - - - systems analysts
      - and computer operators.
  - - - (The physical security may be handled by someone else, not always by the security administrator.)
  - - - These obligations are:
        
        • Read and agree to follow security policies.
        
        • Keep logon IDs and passwords secret.
        
        • Create quality passwords according to policy.
        
        • Lock terminal screens when not in use.
        
        • Maintain good physical security—keep doors locked, safeguard access keys, do not disclose access door lock combinations and question unfamiliar people.
        
        • Report suspected violations of security.
        
        • Conform to applicable laws and regulations.
        
        • Use IT resources only for authorized business purposes.
  - - - • On the request of the employee (voluntary resignation from service)
        
        voluntary or scheduled termination of employment, it is management’s prerogative to decide whether access is restricted or withdrawn.
        
        This depends on:
        
        • The specific circumstances associated with each case
        
        • The sensitivity of the employee’s access to the IT infrastructure and resources
        
        • The requirements of the organization’s information security policies, standards and procedures
      - • Scheduled (retirement or completion of contract)
      - • Involuntary (forced by management in special circumstances)
        
        the logical and physical access rights of employees to the IT infrastructure should either be withdrawn completely or highly restricted as early as possible, before the employee becomes aware of the termination or its likelihood.
        
        This ensures that terminated employees cannot continue to access potentially confidential or damaging information from the IT resources or perform any action that would result in damage of any kind to the IT infrastructure, applications and data
  - - - meet organizational objectives for separating duties,
      - prevent fraud or error,
      - and meet policy requirements for minimizing the risk of unauthorized access.
- - - - selection of controls requires the evaluation and implementation of the right control in the right way.
        
        Based on data collected through an analysis method (e.g., cost-benefit, return on investment [ROI] and risk assessment results), management will decide on the best available control, or group of controls, to mitigate a specific risk