Information Security Policy Audit - Zafar&Ulfat
Information Security Policy Audit
Zafar Pathan & Ulfat Rafik Akbani
100946341 & 100949835
MGMT-1216-02 - Security Auditing and Governance
Table of Contents
Introduction 2
Analysis 2
1. Policy Documentation and Management's Intent 2
2. Policy Alignment and Review 2
3. Policy Scope and Objectives 3
4. Framework for Controls and Risk Management 3
5. Employee Acknowledgment 3
6. Policy Content 3
7. Policy Ownership and Maintenance 4
8. Auditing Policies 4
9. Control and Compliance Indicators 4
Conclusion 5
References 5
Analysis
1. Policy Documentation and Management's Intent
Does the information security policy clearly articulate management's statement of intent?
The policy document starts with a clear statement of intent from management, emphasizing the
importance of information security and the commitment to protecting organizational
information assets. This statement is crucial as it sets the tone for the rest of the policy and
demonstrates management's support.
Is the policy documented in a way that is easily accessible and understandable to relevant
stakeholders?
The policy is well-documented, using clear language and structured sections. It is designed to
be accessible and understandable to all relevant stakeholders, ensuring that everyone from
employees to external auditors can comprehend its contents.
2. Policy Alignment and Review
The policy aligns closely with broader corporate policies, ensuring consistency across the
organization. This alignment is evident through references to corporate standards and
integration with other departmental policies.
What process is in place for the periodic review of the information security policy?
The policy outlines a clear process for periodic reviews, typically on an annual basis. This
process involves stakeholders from various departments to ensure comprehensive updates that
reflect current threats and regulatory requirements.
Does the policy review ensure that the information security policy does not hinder
business operations?
The review process considers the impact on business operations, striving to balance security
requirements with operational efficiency. This approach helps in maintaining a secure yet agile
business environment.
3. Policy Scope and Objectives
The policy includes a well-defined scope and objectives, focusing on the protection of
organizational information and related technologies. It specifies the types of information
covered and the intended outcomes of the policy.
How does the policy incorporate frameworks like ISO/IEC 27001 & 27002?
The policy incorporates internationally recognized frameworks such as ISO/IEC 27001 & 27002.
These frameworks provide a solid foundation for the policy, ensuring it meets global standards
for information security management.
Are the objectives of the policy aligned with the protection of organizational information
and related technologies?
Yes, the objectives are clearly aligned with the protection of organizational information and
technologies. The policy outlines specific goals aimed at mitigating risks and safeguarding data.
4. Framework for Controls and Risk Management
The policy establishes a comprehensive framework for defining controls and managing risks,
utilizing a risk assessment methodology to identify, evaluate, and mitigate potential threats.
Are there clear requirements related to regulatory, legal, and contractual obligations?
The policy includes clear requirements for compliance with regulatory, legal, and contractual
obligations. This ensures that the organization adheres to necessary standards and avoids legal
complications.
Are there defined consequences for violations of the information security policy?
Yes, the policy outlines specific consequences for violations, ensuring that all stakeholders are
aware of the repercussions of non-compliance.
5. Employee Acknowledgment
Is there a process in place for employees to sign off on the information security policy,
indicating that they understand and agree to abide by it?
The policy includes a process for employee acknowledgment, requiring signatures to confirm
understanding and agreement. This practice reinforces accountability and compliance.
6. Policy Content
Does the policy contain sensitive information that should not be disclosed publicly?
The policy is designed to avoid containing sensitive information that could compromise security
if disclosed. It focuses on guidelines and procedures without revealing specific vulnerabilities or
strategies.
7. Policy Ownership and Maintenance
A designated policy owner is responsible for maintaining and updating the policy. This role
typically falls to the Chief Information Security Officer (CISO) or a similar position.
Is the policy reviewed at least annually or more frequently as needed to address changes
in the environment?
The policy is reviewed at least annually, with provisions for more frequent reviews as needed to
address changes in the security landscape.
How does the review process look for ways to improve upon security?
The review process includes a thorough evaluation of current security measures and the
exploration of new technologies and methodologies to enhance security.
8. Auditing Policies
How is risk management used to define policies?
Risk management is a core component in defining policies, ensuring that all potential risks are
identified and addressed appropriately within the policy framework.
Are the information security policies appropriately approved, and is there a clear policy
approval process?
The policy includes a clear approval process involving relevant stakeholders and executives.
This ensures that policies are thoroughly vetted and authorized at the highest levels.
The implementation of the policies is effective, with clear guidelines and procedures in place.
Regular audits and reviews help ensure adherence and identify areas for improvement.
What training and awareness programs are in place to ensure understanding and
compliance with the policies?
Comprehensive training and awareness programs are integral to the policy, ensuring that all
employees are informed about security protocols and best practices.
How are policies reviewed and updated, and is there a process for this?
The review and update process is well-defined, involving regular assessments and input from
various departments to ensure policies remain current and effective.
9. Control and Compliance Indicators
The policy avoids undefined or loose guidelines, maintaining strict control over information
security measures. This helps in minimizing vulnerabilities and ensuring robust protection.
Conclusion
The information security policy provided is comprehensive and well-aligned with industry
standards such as ISO/IEC 27001 & 27002. It effectively addresses the protection of
organizational information and technologies, incorporates robust risk management
frameworks, and ensures compliance with regulatory, legal, and contractual obligations. The
policy includes clear processes for documentation, review, employee acknowledgment, and
policy maintenance. Overall, the policy demonstrates a high level of effectiveness in
safeguarding the organization's information assets.
References
• ISO 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements. https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
• Force, J. T. (2017, August 15). Security and privacy controls for information systems and organizations. https://csrc.nist.gov/pubs/sp/800/53/r5/ipd
• COBIT 2019 Framework: Introduction and Methodology. (2019). In ISACA (pp. 2–4) [Book]. https://community.mis.temple.edu/mis5203sec003spring2020/files/2019/01/COBIT-2019-Framework-Introduction-and-Methodology_res_eng_1118.pdf