IT Audit Program
Key Elements


The IT Audit Program key elements documented here come from an audit compliance, or auditor's, perspective. If you implement an IT Audit Program, you can expect fewer (perhaps zero) information security incidents, and fewer (perhaps zero) audit comments written during an external IT audit.

Background

An effective Information Security Program includes awareness, education, training, policies, procedures, controls, reviews, and especially separation of responsibilities. However, good Information Security Practices require more than correct practices to be effective: they must have real and continued management backing and involvement.

Management must be proactive regarding Information Security Practices. They must let their people know it is important through example. They must take pride in their program. They must help bring about attitudinal changes in their people through:

  • strongly administered security awareness programs
  • a clear understanding of the reasoning behind Information Security Practices
  • real concern about Information Security
  • dissatisfaction with anything less than great Information Security

Executive management must apprise newly appointed managers of the details of the company's information security practices, and must refresh existing management annually as well.

In addition, to be successful with Information Security Practices and pass an IT Audit Program, management must also organize their team with clearly defined roles and responsibilities, with no conflicts of interest. Separation of responsibilities must be an integral part of Information Security. Training must be provided as required.


Note: Proof must be produced during an IT Audit Program to substantiate one's practices. Archive audit documentation for a minimum of six months.

Further, management must also learn to manage "smarter". The multitude of information security practices required to address the major concerns and issues, and the associated workload to do so, mandates that management be imaginative in administering the responsibilities to put these practices initially in place, and keep them in place on an ongoing basis.

IT Audit Program Current Situation Assessment

  • IT Audit Programs consistently turn up fundamental Information Security violations.
  • Managers do not consistently promote or enforce good Information Security practices in their work groups.
  • Employees do not view software copyright violations as serious offenses.
  • Employees are not aware of the Information Security issues related to networks.
  • Viruses are an increasing threat to company computing systems.
  • Employees do not consistently back up their work and store it offsite to facilitate recovery in the event of a disaster.
  • Crisis and Contingency Management plans are not consistently in place across the entire company.
  • Employees do not view telecommunication fraud or misuse as serious offenses.
  • Distributed processing lacks the same level of controls that exist in mainframe environments.
  • Increased "hacking".
  • Increased theft of laptops.
  • Increase of widespread disasters such as earthquakes, floods, fires.
  • No consistency of Contingency Management plans across all platforms.
  • No consistent Information Security Awareness Program across the Company's Business Entities.


High Level Needs Determination

A robust Information Security Awareness Program will always support Corporate IT Policy and organizational goals and objectives:

  • Corporate IT Policy will state the need for Information Security Awareness, and if it doesn't, it should.
  • In general, most IT Audit Programs look at an Information Security Awareness Program as visible, surface proof that management is concerned, the business is controlled, information is adequately protected, and laws are not being violated.
  • The value can be articulated to leadership in terms of their objectives.
  • The results can anticipate and satisfy company and customer unspoken needs.

Organizational Needs Identification

Personal Computer User Issues:

  • Corporate policy
  • Individual responsibility
  • Software usage / licensing concerns
  • Unauthorized software
  • Back-ups
  • CD / USB / SD and other media security
  • Practice and risks of exchanging media between work and home
  • Virus protection
  • Business / non-business use
  • Housekeeping
  • Physical protection
  • Failing to logoff
  • Risks to system


Manager's Responsibility Issues:

  • Corporate policy
  • Protection and integrity of assets under their control
  • Promotion of Information Security
  • Review and resolve unauthorized access violations
  • Investigate and correct exposures
  • Notification of personnel transfers and terminations
  • Material disposal
  • Segregation of duties
  • Secure the environment
  • Provide customer support
  • Perform random reviews of employee activity
  • Control of corporate resources
  • Ensure compliance to corporate policy
  • Authorize access and review privileges
  • Compliance with security policy
  • Compliance with business continuity policy
  • Compliance with network access policy

Employee Responsibility Issues:

  • Corporate policy
  • Individual responsibility
  • Ethical responsibility
  • Compliance with corporate and local policies
  • Material disposal
  • Protection and integrity of assets under their control
  • Passwords; sharing; writing down
  • Secure environment
  • Business continuity
  • Physical security
  • Knowledge of customer information
  • Clean desk practice


Contingency Management Issues:

  • Corporate policy
  • Individual responsibility
  • Customer service level requirements
  • Prevention procedures
  • Backup, off-site storage, and recovery
  • Alternate processing strategy
  • Network recovery strategy
  • Documenting disaster recovery plans
  • Customer reaction plan
  • Disaster recovery plan testing
  • Continuous improvement process

Crisis Management Issues:

  • Corporate policy
  • Individual responsibility
  • Evacuation
  • Severe weather actions
  • Bomb threats
  • What to do; where to go; who to contact

Retention, Disposal, and Handling Issues:

  • Corporate policy
  • Individual responsibility
  • Identifying sensitive information
  • Classifying sensitive information - company
  • Classifying sensitive information - customer
  • Printing sensitive information
  • Faxing sensitive information
  • Voice transmissions
  • Distribution of sensitive information
  • Inquiries from outside of company
  • Retention and storage of sensitive information
  • Reproduction of sensitive information
  • Disposal of sensitive information


Telecommunication Issues:

  • Corporate policy
  • Individual responsibility
  • Disaster recovery
  • Modems
  • Encryption
  • Networks
  • PBX toll fraud
  • Cellular phones
  • Travel call cards
  • Awareness
  • Voice mail protection

LAN / WAN Issues:

  • Corporate policy
  • Individual responsibility
  • Virus protection
  • Backup and recovery
  • Theft prevention
  • Copyrights and licensing
  • Secure data
  • Password standards
  • Housekeeping practices
  • Policy and procedures
  • Client server risks
  • Dialup access controls
  • Modems


Risk Identification

The IT Audit Program identifies the potential risks to your business and your customers' businesses that exist if no formal Information Security Awareness Program is in place. Without such a program, employees may not know about, or be able to comply with, corporate policies, procedures, and sound business practices, potentially resulting in the following:

  • Poor audit compliance reports; in addition to loose security, this is usually a career limiting event
  • Loss of customer confidence in your business
  • Increased risk of loss of customer information
  • Risk to information integrity
  • Risk to information confidentiality
  • Risk to information availability
  • Increased vulnerability to theft
  • Increased vulnerability to unauthorized access
  • Increased risk to personal / physical safety
  • Unpreparedness for a disaster

Some areas of vulnerability or risk associated with Information Security are:

  • Ethical practices
  • Computer viruses
  • Personal safety
  • Software piracy
  • Handling of sensitive information
  • PC security practices
  • Building access
  • Telecommunications fraud
  • Leadership example / practices
  • Crisis management
  • Contingency management


Value Determination

An Information Security Awareness Program and an IT Audit Program enable your business to accomplish the following:

  • Improve the morale of employees by providing them with information they need to perform their jobs effectively.
  • Present Information Security issues to the company leadership on a consistent basis so that Information Security is identified as important and integral to the way you do business.
  • Help to ensure good audit reports by providing employees with knowledge on Information Security issues.
  • Strengthen the relationship with your customer by reinforcing good Information Security practices.
  • Make employees aware of their responsibilities.
  • Help to ensure the protection of information / assets.
  • Help to ensure timely recovery in the event of a disaster.

Legal and other Requirements

Federal

  • ANTITRUST LAWS - May not share competitively sensitive information with competitors about prices, future product plans, marketing strategies, etc.
  • FOREIGN CORRUPT PRACTICES ACT (FCPA) - Makes all managers and directors personally liable for the protection of company assets under their control, specifically information.
  • COPYRIGHT LAWS - Copying of copyrighted software must be in strict compliance with all appropriate licensing agreements.

State

Generally speaking, these laws make it illegal to attempt an unauthorized access or assist in an unauthorized access of a computer system.

Corporate Requirement

Employees must understand the requirements of the Corporate IT Policy.


Manager Requirements

  • corporate policy - company and customer
  • individual responsibility / liability
  • responsibility for the protection and integrity of assets under their control
  • responsibility to promote Information Security Awareness
  • obligation to see that unauthorized access violation reports are reviewed and resolved
  • obligation to investigate and correct known exposures
  • responsibility to ensure that information security personnel are expeditiously informed of all personnel transfers and terminations, so that system access privileges can be removed
  • responsibility to ensure that material is disposed of properly
  • responsibility to incorporate the segregation of duties concept where it makes good business sense
  • responsibility to ensure that the overall work environment is secure, that information is protected during all phases of testing, and that the test and production environments are kept separate
  • responsibility to perform periodic random reviews of employee activities and datasets, as a deterrent against non-business use of company resources
  • responsibility for compliance with all corporate policy, especially Information Security and Business Continuity

Employee Requirements

Employees need to know:

  • Sensitive information handling practices
  • Ethical responsibility
  • Individual responsibility
  • Evacuation plans
  • Severe weather actions
  • Off-site usage of computer resources
  • Proper PC backup procedures
  • Voice mail protection
  • Etc.

Customer Requirements

Employees must be aware of customer policies and requirements for handling of customer data.

Audit Requirements

Employees must be aware of and exercise proper information handling procedures.

Your company can address all of the issues surfaced during an IT Audit Program through a robust Information Security Awareness Program. These are all real business issues that any legitimate business would take action to address, and action begins with AWARENESS.

Quality Assurance Solutions
Robert Broughton