Determine Audit Criteria
Before you carry out an Information Security Audit it is
important to determine the questions you will be asking.
If you are auditing against a standard then you can derive
questions from the standard. If you are auditing against
policy and procedures then you can derive questions from
those.
Senior Management Authorisation and Backing
If you are not a Senior Manager you should get backing and
authorisation from Senior Managers to carry out such an
audit.
Senior Managers should be seen to support what you are doing. This will
make things easier for you when you are performing the audit.
People may not have time to answer your questions and may
not like the intrusion. However, if they know that Management
are backing the audit, they are more likely to be helpful.
Management authorisation is also important for you, the person
carrying out the audit. If you uncover some sensitive security
issues, you could find yourself in trouble if you have not received
the necessary permission. It is not a good idea to carry out audits
of your own volition. In fact, many companies treat unauthorised
audits as a disciplinary offence.
Planning and Communication
Make sure that you plan the audit so that the necessary
people are available, that they know the purpose of the
audit, and that they know what you will want to see and do during the audit.
If possible, an agenda should be provided to those participating
in the audit, along with a list of what will need to be
reviewed.
What to Look For
An audit can be carried out in three stages. First, ask
questions about levels of compliance. Second, request
to see any supporting documentation and logs. Third, ask
to be shown what has been described, where this is possible.
How to Document
You need to document the dates of the audit, who you saw,
findings, and action points. You can produce your own work
papers and a formal report to be given to Management.
How to Get Changes Made
Once you have performed the audit, you may be asked to facilitate
any identified changes. To be effective, it is important
that you have Senior Management backing and that you explain
to the people making the changes why the changes are important to
them and to the Business. It may also be useful to hold regular
meetings to determine the status of the changes being made.