A.3 ABC Inc. InfoSec Audit Policy

Policy No. 2

Effective date Month / Day / Year

Implement by Month / Day / Year

1.0 Purpose

To provide the authority for members of ABC Inc.'s InfoSec team to conduct a security audit on any system at ABC Inc. Audits may be conducted to:

• Ensure integrity, confidentiality, and availability of information and resources

• Investigate possible security incidents

• Ensure conformance to ABC Inc. security policies

• Monitor user or system activity where appropriate

• Measure and report on risk

2.0 Scope

This policy covers the following:

• All computer and communication devices that are part of, or associated with, the ABC Inc. Network

• All information stored on ABC Inc. media (digital and hard copy information)

3.0 Policy

When requested , and for the purpose of performing an audit, any access needed will be provided to members of ABC Inc.'s InfoSec team. This access may include:

• User level and/or system level access to any computing or communications device

• Access to information (electronic, hardcopy, etc.) that may be produced, transmitted, or stored on ABC Inc. equipment or premises

• Access to work areas (labs, offices, cubicles, storage areas, etc.)

• Access to interactively monitor and log traffic on ABC Inc. networks

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________