Evaluating IS Management Practices to Ensure Compliance with IS Policies, Standards, and Procedures


As stated earlier, reviewing the business strategy, the IT strategy, and the associated policies and procedures before conducting interviews and observations should give the auditor a clear view of the organization's objectives and mission and of any potential gaps in policy or procedures. As part of the interview and observation process, the auditor should observe personnel performing their duties, which helps identify the following:

  • Organizational functions: Ensure that the individual who is assigned and authorized to perform a particular function is the person actually doing the job. This allows the auditor to confirm that the organizational chart and job descriptions reflect the individuals who actually perform each function.

  • Process/procedures (actual vs. documented): Directly monitor processes and procedures as they take place, perform walk-throughs, and gather evidence of compliance or of any deviations from the documented procedure.

All procedures should incorporate controls over the business process. As part of the planning phase, the IS auditor should identify the control objectives associated with each business process and ensure that the procedure is followed and that its controls meet those objectives. IT control objectives help the IS auditor understand the desired result or purpose of implementing specific control procedures. The IS auditor should check that the procedures are understood and executed correctly, determine whether the control objectives are fulfilled, and determine whether a review process is in place for change control. When auditing this area of IT, the auditor should look for areas of concern that could indicate potential problems, including the following:

  • No review process in place for strategy, policies, or procedures

  • Deviations from existing policy or procedures

  • Reliance on key personnel for procedures instead of those documented

  • The lack of documented procedures or outdated procedures

  • Policies or procedures that are not in compliance with laws

  • Undefined processes relating to hardware/software acquisition and implementation

  • Undefined processes for managing projects (personnel, milestones, budget)

During the IT audit process, the auditor should ensure that a process exists for developing, communicating, and reviewing strategy, policies, and procedures. This review process can be part of a change-control process (CCP). Organizations implement a CCP to provide a formal review and change-management process for systems and their associated documentation. The change-control board (CCB), like the IT steering committee, is a formal body chartered by senior management. The CCB accepts requests for changes to systems and documentation, reviews them, and approves or denies the recommended changes. The CCB might also be charged, as part of its charter, with the periodic review of strategy, policies, and procedures.

Consider the following example of an ad-hoc procedure that is not aligned with the documented procedure.

Imagine that the IS auditor is reviewing the backup procedures for the organization's servers. The documented procedure states that backups are performed by the backup operator, who is responsible for configuring the backups, labeling the tapes, managing off-site storage, and reviewing the logs. The procedure further states that a backup job is scheduled to run every evening to back up the organization's servers. The backup software should be configured to connect to a server, back up its data, verify that the data was backed up correctly, log any anomalies, and move on to the next server. While monitoring the process, the auditor finds that the data is being backed up and logged, but the backup software then connects to the next server without performing the verification step.

When questioned, the backup operator is asked why the data written to tape is not verified before the result is logged. The backup operator states that the procedure was created when the company had only five servers, which could be backed up and verified in about eight hours. With the addition of 10 servers, the backup job can no longer back up and verify every server in the environment within the eight-hour backup window. The backup operator asked for additional equipment after the servers were installed but has not received it. The backup operator therefore changed the actual procedure to back up the servers without verification, so that all 15 servers could be backed up during the eight-hour window.
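The following Python script is an added illustration of the documented procedure (back up, verify, log anomalies, move to the next server) and of what the operator's ad-hoc change gives up. It is not code from the Exam Cram text; the server names, file contents, and the in-memory "tape" are constructed sample data, and the media fault that corrupts one tape after it is written is simulated so the two procedures can be compared offline.

```python
"""Backup-and-verify job (added illustration; not from the source text).

Each server's files are written to an in-memory tar archive that stands in
for a tape. The documented procedure reads the tape back and compares every
file's SHA-256 digest with the source before moving on; the ad-hoc procedure
skips that step. A constructed media fault corrupts one tape after writing,
so the run shows what verification catches and what skipping it hides.
"""
import hashlib
import io
import logging
import tarfile

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("backup")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def back_up(files: dict[str, bytes]) -> bytes:
    """Write the server's files to an in-memory tar archive (the 'tape')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify(tape: bytes, files: dict[str, bytes]) -> list[str]:
    """Read the tape back and compare each file's digest with the source.

    Returns a list of anomalies; an empty list means the tape is restorable.
    """
    anomalies: list[str] = []
    seen: set[str] = set()
    try:
        with tarfile.open(fileobj=io.BytesIO(tape), mode="r") as tar:
            for member in tar.getmembers():
                seen.add(member.name)
                if member.name not in files:
                    anomalies.append(f"unexpected file on tape: {member.name}")
                    continue
                data = tar.extractfile(member).read()
                if sha256(data) != sha256(files[member.name]):
                    anomalies.append(f"digest mismatch: {member.name}")
    except tarfile.TarError as exc:
        anomalies.append(f"tape unreadable: {exc}")
    for name in files:
        if name not in seen:
            anomalies.append(f"missing from tape: {name}")
    return anomalies


def run_job(servers: dict[str, dict[str, bytes]], verify_step: bool = True,
            tape_fault=None) -> dict[str, str]:
    """Documented procedure: back up, verify, log anomalies, next server.

    verify_step=False models the operator's ad-hoc change: the job still
    logs a completed backup for every server, but nothing proves the tape
    can be restored. tape_fault, if given, simulates a media error after
    the write.
    """
    results: dict[str, str] = {}
    for host, files in servers.items():
        tape = back_up(files)
        if tape_fault is not None:
            tape = tape_fault(host, tape)
        if verify_step:
            anomalies = verify(tape, files)
            for anomaly in anomalies:
                log.error("%s: %s", host, anomaly)
            status = "ok" if not anomalies else "FAILED"
        else:
            status = "unverified"   # looks like success in the log
        log.info("%s backup %s", host, status)
        results[host] = status
    return results


# Constructed sample servers (hypothetical names and contents).
SERVERS = {
    "fileserver01": {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "data/ledger.csv": b"2005-01-01,100.00\n",
    },
    "dbserver01": {"db/orders.dat": b"ORDER#1 widget 3\n"},
}


def flip_ledger_bytes(host: str, tape: bytes) -> bytes:
    """Constructed media fault: alter ledger.csv's data on fileserver01's tape.

    The replacement has the same length, so the tar headers stay intact and
    the damage is visible only by comparing file contents with the source.
    """
    if host != "fileserver01":
        return tape
    idx = tape.find(b"100.00")
    return tape[:idx] + b"999.99" + tape[idx + 6:]


if __name__ == "__main__":
    print(run_job(SERVERS, verify_step=True, tape_fault=flip_ledger_bytes))
    print(run_job(SERVERS, verify_step=False, tape_fault=flip_ledger_bytes))
```

With verification on, the run reports fileserver01 as FAILED with a digest mismatch on data/ledger.csv and dbserver01 as ok; with verification off, both servers are logged as completed and the corrupted ledger would only be discovered at restore time.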

This scenario identifies a few areas of concern:

  • The planning/acquisition process might not be working correctly, because the purchase of the new servers did not include capacity planning for backup software, hardware, and tapes.

  • There might not be a process for reviewing procedures to ensure that they are aligned with the strategy and actual processes in the environment.

  • Removing the verification procedure in the process could lead to the inability to recover from a disaster or data loss.

  • The backup operator might not have the proper level of training to perform the function, because the operator might not understand the risk of disabling verification.

In this case, the difference between the documented procedure and the actual ad-hoc procedure appears small on the surface, but it can have far-reaching effects. This type of scenario could be an indicator of risk in the environment.



Source: CISA Exam Cram 2 (2005), ISBN: B001EEFNHG, 146 pages

flylib.com © 2008-2017.