
The Five Cs of IT Policy

Reviewing the effectiveness of information security policies is a key part of IT audit plans.
Ishwar Chandra, FCA, CISA

Ensuring data integrity and confidentiality in an environment of fast access to confidential information is a real challenge for management. Security breaches can result in monetary losses and threaten an organization's reputation and survival. In fact, 85 percent of respondents to Ernst & Young's 2008 Global Information Security Survey say a security incident would significantly impact their organization's brand or reputation. Moreover, organizations may face legal sanctions. The U.S. Federal Rules of Civil Procedure and the UK Civil Procedure Rules mandate careful handling of electronically stored information, while some state and local laws require organizations to disclose any security breach that results in the theft of personal data. There is little wonder, then, that information security management is the IT initiative that has the greatest impact on organizations, according to the American Institute of Certified Public Accountants' IT Initiative Survey.

Organizations need a robust information security system that ensures data integrity and confidentiality, protects information assets, and encourages efficient and effective use of information systems. An information security policy, approved by the highest level of management, is an initial step toward demonstrating the organization's commitment to security and increasing awareness of security needs. This document provides a reference framework for information security comprising guidance on risk assessment, control implementation, and the authority and responsibilities for compliance.

As a part of the IT audit program, senior management expects internal auditors to provide assurance that suitable information security mechanisms are in place to comply with laws and regulations, meet industry standards, prevent breaches, and prompt management to take corrective actions. A key audit objective is evaluating the effectiveness of the information security policy and recommending improvements based on five characteristics: comprehensive, current, communicated, compliant, and convertible.

COMPREHENSIVE
The information security policy should cover all information system elements, including data, programs, computers, networks, facilities, people, and processes. The security value of each element, and the need to protect it in terms of the security parameters of confidentiality, integrity, and availability, varies from one organization to another. Some organizations rate the confidentiality of information as their highest priority, while for others the priority is the availability of information and systems. A systematic risk assessment is essential for formulating information security policies and should address these basic questions:

- What are the key elements of information systems (e.g., applications, servers, and networks)?
- What are their ratings in terms of security needs (e.g., critical, vital, sensitive, and noncritical)?
- What are the vulnerabilities associated with these information systems?
- What are the possible external and internal threats to each element of information systems?
- What are the potential risks from these threats on the business?
- What controls address these risks?
- What are the residual risks, after reduction, avoidance, and transfer, to be accepted by the organization?

While reviewing management's assessment of information security risk, internal auditors should check that management has considered relevant laws and regulatory requirements. While drafting the security policy document, it is essential that all related departments (risk management, IT, auditing and compliance, legal, and human resources) provide input and spell out their roles and responsibilities for enforcing the policy to make it effective.

Auditors should determine the development methodology and coverage of the policy by scrutinizing policy documentation, questioning management, and tapping their own knowledge of the business. They should especially examine whether all mission-critical information systems, in-house and outsourced, have been identified and covered in the policy. Auditors should check whether the relevant laws, regulations, and security standards have been used as references. For instance, the Payment Card Industry Data Security Standard could be used as a reference framework for evaluating the organization's electronic payment systems. A second element auditors should examine is whether policy formulation is based on a systematic risk assessment. They should analyze the vulnerabilities and threats and the resulting monetary and nonmonetary losses, including their impact on business continuity. Auditors should check whether the assessment of IT system vulnerabilities has been performed by technically competent people. The third element to examine is whether all related departments were involved in the policy formulation. If not, auditors should determine whether the organization has assessed the impact on its risk profile of the departments that were not involved in making the policy.
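As an added illustration of the risk-assessment questions above (example code written for this page, not part of the original article or of any organization's tooling), the following Python script carries a small, constructed set of information-system elements through rating, threat and vulnerability pairing, inherent risk, control treatment, and residual risk, and then produces the two findings an auditor would raise: elements in the system inventory that have no risk entry at all, and residual risks above the organization's acceptance threshold. The rating scale, the 1 to 5 likelihood and impact scores, the residual scoring rules for each treatment, the threshold value, and all of the sample elements are assumptions chosen for the example.

```python
"""Worked risk register for reviewing a security policy's risk assessment.

Example code added to illustrate the risk-assessment questions in the text;
the elements, scores, treatments and threshold are constructed sample data,
not figures from the article or from any real organization.
"""
from dataclasses import dataclass

# Assumed rating scale for each element's security need (highest first).
RATINGS = ("critical", "vital", "sensitive", "noncritical")
TREATMENTS = ("reduce", "avoid", "transfer", "accept")

# Assumed risk appetite: a residual score at or below this can be accepted
# by line management; anything above needs explicit senior sign-off.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    element: str        # information-system element (application, server, network ...)
    rating: str         # security need of the element, one of RATINGS
    threat: str         # external or internal threat to the element
    vulnerability: str  # weakness the threat could exploit
    likelihood: int     # assumed 1 (rare) .. 5 (almost certain)
    impact: int         # assumed 1 (negligible) .. 5 (severe)
    treatment: str      # one of TREATMENTS
    control: str = ""   # control that addresses the risk
    reduction: int = 0  # for "reduce": likelihood levels the control removes

    def __post_init__(self) -> None:
        if self.rating not in RATINGS:
            raise ValueError(f"unknown rating {self.rating!r}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent(self) -> int:
        """Risk before any control: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk left after the chosen treatment (assumed scoring rules)."""
        if self.treatment == "avoid":
            return 0  # the exposed activity is stopped, so the risk disappears
        if self.treatment == "transfer":
            # loss is borne by an insurer or contractor; the event can still
            # happen, so keep the likelihood but treat the retained impact as 1
            return self.likelihood
        if self.treatment == "reduce":
            return max(1, self.likelihood - self.reduction) * self.impact
        return self.inherent()  # accept: nothing changes


def uncovered_elements(inventory, register):
    """Elements of the system inventory with no risk entry: a coverage gap."""
    assessed = {r.element for r in register}
    return sorted(e for e in inventory if e not in assessed)


def unaccepted_residuals(register, threshold=ACCEPTANCE_THRESHOLD):
    """Risks whose residual score exceeds the appetite and need sign-off."""
    return [r for r in register if r.residual() > threshold]


def audit_report(inventory, register):
    """One line per risk, then the two findings an auditor would raise."""
    lines = [f"{r.element:18} {r.rating:11} inherent={r.inherent():2d} "
             f"residual={r.residual():2d}  {r.treatment}: {r.control or '-'}"
             for r in register]
    for e in uncovered_elements(inventory, register):
        lines.append(f"GAP: '{e}' is in the inventory but has no risk assessment")
    for r in unaccepted_residuals(register):
        lines.append(f"SIGN-OFF NEEDED: '{r.element}' residual {r.residual()} "
                     f"exceeds threshold {ACCEPTANCE_THRESHOLD}")
    return "\n".join(lines)


# Constructed sample inventory and register (not real data).
INVENTORY = ["payment gateway", "HR database", "office LAN",
             "public web server", "backup tapes", "e-mail system"]

REGISTER = [
    Risk("payment gateway", "critical", "card-data theft by external attacker",
         "unpatched web application", likelihood=4, impact=5, treatment="reduce",
         control="patching cycle and web application firewall (PCI DSS)", reduction=2),
    Risk("HR database", "sensitive", "insider disclosure of personal data",
         "over-broad read access", likelihood=3, impact=4, treatment="reduce",
         control="role-based access with periodic access review", reduction=2),
    Risk("office LAN", "vital", "malware outbreak", "flat network",
         likelihood=3, impact=3, treatment="reduce",
         control="network segmentation", reduction=1),
    Risk("public web server", "noncritical", "defacement", "default configuration",
         likelihood=2, impact=2, treatment="accept"),
    Risk("backup tapes", "critical", "loss of tapes in transit",
         "handling by third-party courier", likelihood=2, impact=5,
         treatment="transfer", control="courier contract with liability and insurance"),
]

if __name__ == "__main__":
    print(audit_report(INVENTORY, REGISTER))
```

Run as a script, the report lists each risk with its inherent and residual score, then flags the e-mail system as an element that was never assessed and the payment gateway as a residual risk that exceeds the assumed threshold and therefore needs documented acceptance by senior management. The point for an auditor is that coverage and acceptance are both checkable from the register itself, independent of how the scores were chosen.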

CURRENT
The information security policy should be updated regularly and promptly. Generally, organizations must update their security policy for three reasons:

- Change in the organization's risk profile due to change in business functions or processes and in IT and communication systems, such as computers, networks, and applications.
- Amendments to legal and regulatory requirements.
- Developments such as new encryption and data security technologies.

Periodic management review is key to keeping the policy current. Policy updates should reflect the changes as documented and approved by the appropriate level of management. Auditors should review documentation and question management to ascertain whether all relevant technological developments and legal/regulatory requirements are studied regularly by appropriate personnel and whether the resulting need to modify the policy is assessed promptly. Moreover, auditors should determine whether the organization follows adequate change management procedures, assesses the impact changes have on the risk profile of the organization's IT system, and amends the policy in a timely manner to reflect such changes.

COMMUNICATED
To be enforceable, the information security policy must be communicated effectively to all employees, partners, vendors, and customers. The objectives as communicated should match management's actual intent. For example, management's intent to protect sensitive data using a system for maintaining hardware and registering media movement must be communicated well, or staff may perceive the policy as merely a measure to control physical losses of hardware and media. Communication gaps not only could lead to noncompliance but also may adversely affect constituents' perceptions of the policy. Auditors should determine the various ways management has adopted to communicate the policy throughout the organization. They can assess the effectiveness of communication by interviewing a sample of employees and soliciting feedback through questionnaires.

COMPLIANT
Compliance with the information security policy should not be left to choice or chance. Instead, it should be compulsory for everyone at all levels of the organization, and the policy should state the consequences of noncompliance clearly. Auditors should determine, from available documentation and management inquiries, whether there is a suitable mechanism outlining the authority and responsibility for ensuring policy compliance. There also should be a well-defined manual or automated procedure in place to handle all security breaches, analyze the reasons why they occurred, and check whether such incidents have recurred. Moreover, the policy should incorporate adequate measures to promote voluntary compliance, such as including compliance in employee job descriptions.

CONVERTIBLE
The information security policy communicates, in broad terms, senior management's philosophy and directions about protecting data and information systems. Compliance depends on converting the relevant preventive, detective, and corrective controls designed for each security element into actionable instructions, such as:

- Framing rules regarding usage of corporate e-mail and Internet systems.
- Framing rules regarding workplace use of portable devices. All such devices should be recorded in the organization's hardware/software register along with the user's name.
- Having employees sign off that they understand the IT security policy and their responsibility for compliance.

Auditors should determine whether the policy encompasses a manual of guidelines, procedures, rules, and examples, and not merely a broad statement of management's objectives. Per their audit objectives, they should check whether the relevant controls are in auditable form with a complete audit trail.

POLICY AUDITS YIELD BENEFITS

Reviewing the effectiveness of the organization's information security policy is not merely a compliance issue for organizations; it provides strategic value. An ineffective policy may provide a false sense of security. Conversely, an effective policy can yield tangible and intangible pay-offs, such as effective control monitoring, timely detection of breaches, and reduced losses and legal sanctions. Such gains can enhance stakeholders' confidence in the organization.

How Do I ... Write an Effective Audit Report?

A sound approach to audit reporting can help facilitate the writing process and ensure reports deliver information clearly and effectively. By following 10 simple rules, auditors can compose informative, concise audit reports.

1. State the critical issue first. Clients, senior executives, and audit committee members want a succinct description of the issue, its level of risk, and the recommended mitigating or corrective actions. Presenting background first is unhelpful to busy readers.

2. Illustrate the risk. Audit reports need to communicate the severity of risk in a way that clients can easily grasp. If the stated issue could lead to decreased revenues, for example, the report should quantify the potential loss in a dollar amount.

3. Focus on the findings, not the auditor. Auditors should avoid describing their findings with phrases such as, "During our review we noted that," or "it was noted that." Instead, the report should simply tell readers what the audit revealed.

4. Avoid jargon. Internal auditing, like all professions, has its own jargon. Report writers need to translate their technical language for nonauditors.

5. Don't rely on the thesaurus. Although word repetition may be inappropriate for many types of writing, it's perfectly acceptable practice for business documents.

6. Use concrete nouns. Some writers mistakenly think they can impress readers by starting their sentences with long, abstract nouns. Readers, however, are best served by more concrete sentences.

7. Don't overstuff sentences. Cramming too many ideas into one sentence can compromise document readability and confuse readers. Whenever possible, writers should break information into shorter, more digestible units.

8. Simplify ideas with lists. List constructions can help readers digest information, enabling them to process short items one at a time. Each item in a list should contain the same sentence pattern, or what grammarians call parallel structure.

9. Emphasize potential for improvement. Auditors can often achieve the best results by pointing out the potential for improvement, rather than highlighting the negative consequences of failing to take corrective action.

10. Avoid negative language. Using words with a pejorative tone can immediately raise reader defenses. Negative words have a tendency to antagonize and may dissuade rather than convince audit clients.
