Information Technology Audit Policy and Plans

Executive Summary

Cybersecurity is becoming increasingly important for organizations in the modern world as technology advances. It entails the protection of systems connected to the internet including data, software, and hardware from cyber threats. Every organization should strive to enhance protection against unauthorized access to computerized systems and data centers. It is necessary to ensure an effective security posture to hinder malicious attacks targeted to extort, destroy, access, alter, and delete sensitive and user’s system data (Alshare et al., 2018). Moreover, cybersecurity attempts to hinder attacks that are likely to disrupt or disable the operations of devices or systems. Organizations need to ensure effective system security and trusted infrastructure through the adoption of robust IT security procedures and policies. Committee members and audit boards should show commitment to discovering and assessing potential threats by conducting internal audits.

Red Clay Renovations has shown determination in the adoption of emerging technology to improve its operations while offering beneficial services such as the Internet of Things and Smart Homes. Achieving the objects requires the organization to adopt and implement important auditing policies to enable the tracking of vulnerabilities (Chua et al., 2018). It focuses on the establishment of all the necessary measures to attain effective solutions to the issue of cyber threats. This can ensure that its operations run uninterrupted and its data remains secure.

Executive Summary for the Policy Briefing Package

The organization’s auditing document covers key areas such as the audit plan for IT security policy awareness and compliance, as well as, plan for IT security policies audit, and IT security policy compliance audit. The policy for IT security policy compliance audit attempts to explain the organization’s data access control and it entails a policy introduction covering five specific characteristics. The audit also covers the policy solution, policy content with definitions, compliance requirements, applicability, as well as point of contact (Aurigemma & Mattson, 2017). The security awareness audit plan and compliance consider best practices to be implemented to promote IT systems and improve the awareness of vulnerabilities and threats. The audit approach and NIST SP 800-53 objectives will be included in this part and will cover major data collection elements as well as the checklist question.

The plan for IT security policies audit document will require regular reviews to promote cybersecurity. The section will also entail a comprehensive discussion of potential risks or threats facing the organization, and IT security policies and procedures on security control. It will offer the company’s contact information for issues regarding procedures and policies (Trang & Brendel, 2019). Audit objectives will be provided to explain procedures, policies as well as security controls. This implies that the audit approach will entail the question list, data collection elements, and approach for data collection.

Policy for IT Security Policy Compliance Audits

Policy Introduction

Red Clay Renovation has an effective IT auditing policy to enhance compliance with the established policy measures. It supports auditing based on the company’s IT security policies in its policy systems. The development of various policies has enabled its workers to gain a better understanding of the need of promoting security measures and network resources (Chen et al., 2018). Employees have gained interest in the safeguarding of stored information and sensitive data both in the database and networks. This shows that the company’s security policies are important in the achievement of cybersecurity. The policy is necessary because the company gathers, processes as well as promote personal information for its customers.

The development of an effective policy is essential because the company is involved in sensitive activities such as credits card payments and credit checks on clients. It is focused on enhancing clients’ confidence and trust when transacting in the network (Trang & Brendel, 2019). Moreover, the company interacts with health practitioners and insurance companies including Medicare and Medicaid to enhance the health of its employees. Ensuring the appropriate insurers’ reimbursements implies that the company has to receive, process, store, as well as send health information from health providers to customers and vice versa.

The company has various operation offices and centers that are spread in three states namely Delaware, Baltimore, and Philadelphia. Every state has specific regulations regarding data breaches and information protection. The company is expected to comply with state laws including reporting regulations. For instance, the company is required to adhere to the Health Insurance Portability and Accountability Act (HIPAA) security rules covering the operating center and Protected Health Information (PHI) in its computer system. The IT security system uses the guidance framework obtained from the National Institute of Standards and Technology (NIST). The company must meet every requirement indicated in the NIST 800-53 regarding privacy and security control for the Federal Information Systems (Aurigemma & Mattson, 2017). According to the policy, every organization must be examined and assessed by conducting interviews. Red Clay Renovations encourage anyone with inquiries or anything that requires clarification to send an email or make a call.

Policy Issue

The company’s Chief Information Security Officer (CISO) is responsible for the maintenance and development of programs, strategies, and vision to enhance the protection of technologies and information assets (Chen et al., 2018). The officer has been directing staff during the identification of areas requiring improvement, implementation, and maintenance of programs to enhance information security. This ensures that the company complies with IT security laws as established in the FIP S 199/200 standards under Revision 4 and NIST SP 800-53. The establishment of effective technical and management controls, as well as operational controls have seen the company realize improved information security at the baseline. The NIST SP 800-53 revision 4 provides 18 security families that facilitate the development of policies and procedures to enhance security controls (Trang & Brendel, 2019). The AC-1 policy tends to influence the organization to establish and document access control policy. This implies that the company is determined to certify the required policies while ensuring that they are properly approved and vetted.

Policy Solution

The NIST 800-53A and federal information systems support the assessment of security and privacy controls of the organization. It facilitates the establishment of effective assessment plans and verification of the policy objectives. This ensures that the right rules and procedures are put in place to support the achievement of organizational security goals (Chen et al., 2018). It supports auditing of policies to ensure that they are in line with the federal laws including executive orders, directives, standards, guidance, and regulations.

Policy Applicability

All the users of the network computers in the Red Clay Renovations can apply the policy including the management and employees. The policy supports the available IT resources implying that it can help the organization achieve its security objectives (Chen et al., 2018). Moreover, it applied to every employee and the management team including the chief information officer, the director of IT services management, as well as the system controllers.

Policy Compliance

The company will apply every security family provided in the NIST 800-53A and the policy security control assessment guidance. It will support the identification of the security and privacy weaknesses and deficiencies stipulated in the organization’s security policies. The noted issues will be eliminated with the improved assessment and subsequent management of the available resources (Chen et al., 2018). The NIST 800-53A will assess the IT security policies annually and support the making of effective corrective measures.

Point of Contact

Anyone with a question concerning the policy is encouraged to contact the chief security officer for an explanation. The company encourages the public to ask for clarification whenever the need arises (Nasir et al., 2018). This helps improve communication and promotes the coordination of the security team and plays a role in the elimination of challenging issues. Contact details for the chief security officer are provided to make it easier for people to reach out in case they require any assistance.

Security Awareness Audit Plan

Audit Background

Poor protection of information technology is a major risk affecting the company since it can result in potential security incidences. The evaluation indicates that the company lacks appropriate engagement of workers to support the improvement of security measures. However, it conducts credit checks from time to time to understand its potential customers. Since the company is involved with credit card payment services, it is expected to enhance the protection of essential information including phone numbers and cardholders (Chen et al., 2018). Customer details stored in the computer systems must be safeguarded to ensure safe transactions. Working with other healthcare insurance providers indicates that employees are exposed to multiple risks when obtaining reimbursement.

The company employees are exposed to the risk of poor password security, inappropriate use of the network, failure to report suspicious activities, disclosure of sensitive data. Workers need to understand and adhere to the established policies and procedures that are necessary for securing the network system. Using the National Institute of Standards and Technology (NIST) helps guide the IT security programs (Chen et al., 2018). It ensures that the established audit program satisfies all the requirements of the NIST 800-53 in both the awareness and training on the security control family. It supports the implementation of the privacy and security controls provided for federal organizations and information systems. Moreover, the policy enhances the company security awareness and training necessary to ensure compliance to the PHI, HIPAA, and the PCI Data Security Standard (PCI DSS) security rules. Any question concerning the policy should be directed to the chief security officer.

Audit Objective

The company is determined to satisfy the requirements of information security as defined in the FIPS 199/200 standards and NIST SP 800-53 revision 4. The CISO is expected to implement and support the NIST SP 800-53 standard while paying attention to the 159 security controls. The company must make every effort to safeguard confidentiality, integrity, as well as ensure the security of the network resources and sensitive information. The training and awareness family also needs to offer guidance to the workers (Nasir et al., 2018). The implementation of the awareness and training security controls will consider four key areas namely, role-based security training, security training records, awareness training, and training procedures, policy, and awareness.

Audit Approach

The audit approach will be designed to determine the effectiveness and strength of the awareness program depending on the web survey. The establishment of an awareness survey will support the improvement of employee knowledge and help enhance their role in the promotion of security policies. This will offer guidance and support the development of better skills to respond to security questions and situations. The survey will apply an interview strategy and will remain anonymous. It will be supported by up to ten multiple-choice questions covering critical policies and personal responsibilities (Chen et al., 2018). These questions will aim to boost compliance by ensuring that everyone understands the established rules and the need of respecting them. Obtained results will be important in the determination of the effectiveness of the information training and awareness program stipulated from the NIST 800-53 AT 1 to 4 security controls. The considered information security questions are provided below and they will be included in the web survey.

1. Are you aware of the existing security policy updates in the company?
2. Where can one find information regarding the security policies and are they easy to understand?
3. Are there provisions for installing and downloading software in the workplace?
4. Are you aware of the common cyber threats and potential attacks that can occur in the company?
5. How often is the necessary information such as security awareness bulletins on newsletters provided to workers?
6. Are you aware of the information security policies provided in the employee’s handbook and have you read and signed them?
7. In case of a breach, do you believe that it could be easy to reach out to the security team for mitigation measures?
8. Can you remember a time when you shared a network password and what was your experience?
9. What would be your response in case your computer is hacked or infected by a virus?
10. Do you know how to check the presence of anti-virus in the system and regular updates?

IT Security Policies Audit Plan

Audit Background

An information security plan entails a set of policies, standards, and regulations defining sensitive information in the organization. It offers a strategic roadmap to support effective security management controls and practices, explain the response to the breach of information and analyze involved risk. It also covers the assignment and identification of responsibilities and roles for diverse aspects of information security (Nasir et al., 2018). The information security program has various fundamentals including security screening, organization-wide security policy, and identification of assets. The presented information security policies and plans from the security team and CISO can promote the confidentiality, availability, and integrity of the system. It can also support adherence to regulatory compliance requirements. The established information security procedures and policies are meant to address existing risks during day-to-day activities.

The company’s information security policy is focused on promoting protection while hindering the accessibility of data to unauthorized individuals. It achieved the security objective by establishing a general approach to information protection, complying with the regulatory and legal requirements, and documenting security measures (Nasir et al., 2018). It establishes measures to detect and reduce the negative impact of compromised information assets including misuse of mobile devices, networks, applications, computers, and networks.

Information security plays a role in the protection of the company’s reputation while enhancing mechanisms to respond to queries and complaints associated with security risks including malware, phishing, as well as ransomware. It limits the accessibility to information technology assets to hinder system intruders (Nasir et al., 2018). Ensuring compliance and the establishment of an effective information security policy is beneficial in the prevention of security incidents such as data breaches and leaks. Increasing digitalization in the company is an indication that every worker is creating data that needs protection. Intellectual property, personally identifiable information, and sensitive data are highly protected.

The information security policy is broad and covers key areas such as security training, lifecycle management, physical security, and IT security. The plan explains where and to who the policies apply to boost accountability. The objective is to increase the availability of IT systems to workers, data integrity, and confidentiality. Integrity promotes accuracy, completeness and ensures that data remains intact (Nasir et al., 2018). The company promotes compliance with every security control as shown in the table below.

Table 1: Procedures Security Controls and NIST 800-53 Policy

NIST SP 800-53 provides diverse security controls that can be adopted to manage risks and promote the protection of information systems and sensitive data. As noted in the table below, many security controls need to be considered including the insider threat program, rule of behavior, information system inventory, risk management strategy, as well as the system security plan (SSP) (Anderson et al., 2017). The application of security controls can enable the company to achieve efficiency in its operations.

Table 2: Plan Security Controls and NIST 800-53 Program

Access Control Policy and Procedures (AC-1)

It ensures that the IT network and system are accessible by authorized personnel and those without permission are not allowed. This helps maintain the appropriate documentation to offer the right information to workers and create the required awareness (Cuganesan et al., 2018). Everyone is encouraged to take part in the improvement of the company system security to facilitate the achievement of the IT objectives. Policy and procedures play a role in the elimination of risks and vulnerabilities through closing gaps that can be utilized by attackers.

System and Information Integrity Policy and Procedures (SI-1)

They are meant to address vulnerabilities in the security system including information mishandling, unauthorized access, hacking, or malicious codes. They play a role in the improvement of system integrity by encouraging the adoption of the best practices during the handling of information (Anderson et al., 2017). Adhering to these procedures and policies improves coordination of the security team and the establishment of effective measures to handle vulnerabilities and risks.

Personal Security Procedures and Policy (PS-1)

The policy focuses on the improvement of the safety of the IT system through screening to mitigate risks and eliminate vulnerabilities. It explains the employee transfer process and encourages the establishment of effective measures to deal with uncertainties (Cuganesan et al., 2018). They promote the protection of personal details stored in the system ensuring that they remain inaccessible to third parties who are unauthorized. Moreover, they ensure that the right process is followed during the acquisition and retrieving of data.

Security Planning Procedures and Policy (PL-1)

They enhance documentation and understanding of policies that define responsibilities and roles in the organization. They also cover all the involved including people the management, employees, and executives to support the adoption of desirable security measures. Following procedures ensure that the right channel is followed during the communication and planning process (Anderson et al., 2017). Procedures and policies are important during the decision-making process since they offer guidance and support the achievement of the set security objectives.

Environmental and Physical Protection Procedures and Policies (PE-1)

Red Clay Renovations depends on the physical environment to enhance its operations including computers and servers. These valuables assets require protection to boost information and data security in the IT and network systems (Cuganesan et al., 2018). It ensures that appropriate security measures are established to offer improved security to the database and improve preparedness to respond properly in case of an attack. These procedures and policies enable the management to understand their operating environment and make the right decision to mitigate risks.

Media Protection Procedures and Policy (MP-1)

These rules are designed to promote integrity standards in the media to enhance customer engagement. It eliminates inappropriate comments that can mislead people or affect the communication process (Cuganesan et al., 2018). It determines the roles and responsibilities of managers in data security and protection. Moreover, it explains necessary protections to media equipment and owners by ensuring that offensive or inappropriate information is not used during the communication process.

System Maintenance Procedures and Policies (MA-1)

These policies and procedures promote the security and support optimal functionality of the IT security network. They offer guidance on the scheduling of maintenance activities and updating of the system. This helps identify areas requiring improvement and make an effort to address arising issues (Anderson et al., 2017). Moreover, they make it more difficult for intruders to access secured information in the IT system. They also enable managers to plan properly for the expected or routine activities.

System and Communications Protection Policy and Procedures (SC-1)

Effective communication is an important aspect of the organization since it supports the smooth flow of information and effective utilization of the available resources. Protection of communications and system procedures and policies helps secure the available data to hinder intruders and ensure its safety. Since Red Clay Renovations operates in different states, it must ensure effective communication to pass information to remote workers and motivate them to support the organization’s security measures (Cuganesan et al., 2018). Moreover, the company needs to establish measures to handle challenges emerging from the misconfiguration of hardware and software, denial of services attacks as well as data transfer to enhance communication. A communication protection procedure and policy can promote efficiency and help implement a beneficial system.

Tamper Detection and Resistance (SA-18)

The dependence on technology exposes the company to the risk of IT system hacking and sabotage. This problem can be addressed by the adoption of a temper resistance and detection system to provide information in case of malfunctioning and offer corrective measures (Anderson et al., 2017). This can enable the management to make swift decisions to ensure that the system remains secure. Early detection can provide a better opportunity to handle uncertainties and ensure that necessary measures are taken.

Services and System Acquisition Procedures and Policy (SA-1)

The policy and procedures are established to support the management of the IT system’s servicing as well as the acquisition of better technology and equipment. They help handle challenges in the system and facilitate the development of an appropriate solution (Cuganesan et al., 2018). They also facilitate the maintenance and establishment of policies to support the acquisition of both hardware and services while ensuring the necessary documentation. This supports the satisfaction of the security measures and compliance with the audit requirements.

Risk Assessment Procedure and Policy (RA-1)

This supports the organization and enables period risk assessment to improve the safety of the IT systems and computers. It facilitates the development of the right countermeasures through improving the awareness of the existing vulnerabilities (Anderson et al., 2017). It promotes the security of the system by pointing out areas requiring corrective actions. This ensures that all the risks are identified and considered during the development of IT security decisions.

Incident Response Procedure and Policy (IR-1)

It offers detailed guidance for the handling of incidences to ensure an appropriate response. It ensures effective containment of incidences to prevent them from spreading to other areas. Limiting the spread of virus ensures that other systems or computers remain safe making it easier to handle the affected area (Schatz & Bashroush, 2017). It promotes timely and effective response to threats and attacks to influence faster recovery and the establishment of better security measures.

IT Security Policies Audit Plan: Audit Objectives

The Security Management Control Framework

ISO 27001/27002 and NIST SP 800 series are some of the standards that the company can use based on its current security standards.

Administrative Security

• It promotes appropriate documentation to secure data and needs to contain various documents.
• Risk assessment.
• Risk management.
• Workforce security training.
• Incidence response training.

Physical Security

• Biometric control access Fencing.
• Surveillance cameras.
• Use of access control cards.
• Smoke detectors. Locks.

IT Security

The security will depend on the 18 procedures and policies listed in NIST SP 800-53. These are SI-1, SC-1, SA-18, SA-1, RA-1, PS-1, PL-1, PE-1, MP-1, MA-1, IR-1, IA-1, CP-1, CM-1, CA-1, AU-1, AT-1, and AC-1.

Audit Approach

Major Elements in the Data Collection Strategy

Data to be Collected

• Standard documents in the company.
• Issued certificates enabling the company to maintain and operate its current IT system.
• Signed documents confirming that every worker has been trained on data protection.

Collection Method

• Mailed questionnaire.
• Online questionnaire.
• Testing.
• Face to face interview.
• Telephone interview.
• Examination.

Measuring Method

Employee satisfaction will be measured using a rating scale marked yes or no. Satisfied workers will be required to tick on the “yes” box while dissatisfied ones put their mark on the “no” box. The results will be determined by counting the number of yes answers against no to offer an indication of the satisfaction level (Alshare et al., 2018). This will help explain whether workers are supporting the IT security policies.

Survey Questions

The provided questions will require a yes or no answer without explanations:

• Is the company’s policy audit effective?
• Is effective data safety practiced in the company?
• Does the company value information security?
• Are the IT security policy and procedure reviewed and updated regularly?
• Does the company show determination in the protection of employee and customers’ information?
• Does the company offer training to its workers to improve their knowledge and awareness of IT security policies?

The information security team and CISO will evaluate the response provided in the checklist. The obtained information will help develop a policy program assessment report which would then be handed to the Chief information officer and IT governance board within 90 days upon its completion (Moody et al., 2018). This report will be beneficial since it would reveal possible weaknesses and strengths of the company’s policy program (Xu et al., 2017). It will also come with a recommendation to support the plan of action including the identification of priorities, vulnerabilities, and threats that compromise the system.

The Measurements Effectiveness and the Audit Approach

An effective audit approach provides the necessary information and plays a role in the achievement of effective measurement of the security control implementation. This implies that it is necessary to apply the right procedures in the audit approach to extend a positive outcome. An audit approach that is well organized and follows the right procedure is more likely to influence the achievement of required results (Schatz & Bashroush, 2017). It supports the achievement of the appropriate security controls and the adoption of effective policies.

References

Alshare, K., Lane, P. L., & Lane, M. R. (2018). Information security policy compliance: A higher education case study. Information and Computer Security, 26(1), 91–108.

Anderson, C., Baskerville, R. L., & Kaul, M. (2017). Information security control theory: Achieving a sustainable reconciliation between sharing and protecting the privacy of information. Journal of Management Information Systems, 34(4), 1082-1112.

Aurigemma, S., & Mattson, T. (2017). Deterrence and punishment experience impacts on ISP compliance attitudes. Information & Computer Security, 25(4), 421–436.

Chen, X., Chen, L., Wu, D., & Perspective, A. (2018). Factors that influence employees’ security policy compliance: An awareness-motivation-capability perspective. Journal of Computer Information Systems, 58(4), 312–324.

Chua, H. N., Wong, S. F., Low, Y. C., & Chang, Y. (2018). Impact of employees’ demographic characteristics on the awareness and compliance of information security policy in organizations. Telematics and Informatics, 35(6), 1770-1780.

Cuganesan, S., Steele, C., & Hart, A. (2018). How senior management and workplace norms influence information security attitudes and self-efficacy. Behaviour and Information Technology, 37(1), 50–65.

Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285–312.

Nasir, A., Arshah, R. A., & Hamid, M. R. A. (2018). The Formulation of Comprehensive Information Security Culture Dimensions for Information Security Policy Compliance Study. Advanced Science Letters, 24(10), 7690-7695.

Schatz, D., & Bashroush, R. (2017). Economic valuation for information security investment: A systematic literature review. Information Systems Frontiers, 19(5), 1205–1228.

Trang, S., & Brendel, B. (2019). A meta-analysis of deterrence theory in information security policy compliance research. Information Systems Frontiers, 21(6), 1265-1284.

Xu, F., Luo, X. R., Zhang, H., Liu, S., & Huang, W. W. (2017). Do strategy and timing in IT security investments matter? An empirical investigation of the alignment effect. Information Systems Frontiers, 1–15.