Policies
The truth about IT security policy
"IT security policy from an IT auditor's day-to-day perspective"
I've been working on writing IT security policies and procedures for the last four years. My main responsibility in that period has been consulting for companies that need to comply with some kind of security standard, such as Sarbanes-Oxley, ISO 27001 or even just guidelines from our government.
Security policies and procedures are my main deliverables. If you visit my clients' offices you will see many policies and procedures created by prestigious firms, my company among them. They take international standards such as COBIT or ITIL as the basis for keeping the company's confidential data secure.
Well-written policy using the 5 Ws of Journalism
The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the luxury to sit down with each reader and explain what each item means and how it impacts the user's daily assignments. Know the audience for whom the policies are being developed. Remember the reading and comprehension level of the average employee. When writing the policy, remember the "5 Ws of Journalism 101":
What: what is to be protected (the topic)
Who: who is responsible (responsibilities)
Where: where within the organization does the policy reach (scope)
How: how compliance will be monitored (compliance)
When: when does the policy take effect
Why: why the policy was developed
What is the first priority in IT audit?
If you're the first person responsible for performing information system audits in your company, what is your first priority? Repairing the IT processes in your company? Preparing risk control matrices, or just recruiting another experienced IS auditor to brainstorm with you?
In my experience, everything starts with planning. Yes, IT audit planning plays the significant role at this stage. Remember that auditing means a lot of interaction with many departments and functions across the company, so coordination is the first issue to note.
Have you ever been in this situation?
Effective information security programs are well-written policy statements
The cornerstones of effective information security programs are well-written policy statements. They are the wellspring of all other directives, standards, procedures, guidelines and supporting documents. As with any assessment process, it is important to ensure that policies establish the direction management wants to go with regard to security.
When reviewing policies, Thomas R. Peltier, in his book Managing a Network Vulnerability Assessment, says that it is necessary to remember that there are three general types of policies:
General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the organization. They also assign responsibilities for implementation of and compliance with the policy. Typical information security general or global policies include:
How to design audit log policy
Enabling audit logging is an issue, as we discussed before. Leave the decision about this feature to management, but whatever they decide we still need to write an audit log policy to ensure the logging activities are effective.
Here are some topics that should be made clear in an audit log policy:
1. Event logging
Which activities should be logged: all administrator activities, or only sensitive activities for certain users. Another approach is time-based logging, where the audit log is enabled only during working hours. The auditor should clearly state which events are to be logged.
2. Log recording and archiving
Whether logs are archived to write-once disk, to tape storage, or simply kept on hard disk must also be stated in the log policy, as must how long records of any security breach will be archived.
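The two topics above (which events get logged, and where and for how long the records are kept) can be written down as a small, checkable policy object rather than prose alone. The following Python is an added example, not code from the original post or from any product it mentions; the class and field names, the event format and the sample events are all constructed for illustration. It shows the consequence of a working-hours-only policy (a late-night action by a watched user is dropped) and a design choice to never let the hours window suppress a breach record.

```python
"""Toy audit-log policy evaluator.

Added example, not code from the original post. It models the two decisions
the post says an audit log policy must spell out:
  1. Event logging: which events are recorded (all administrator activity,
     sensitive actions, named "watched" users, optionally only in working hours).
  2. Recording and archiving: where each record goes and how long it is kept,
     with a longer retention for records of security breaches.
All class names, fields and sample events are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

ARCHIVE_TARGETS = {"worm", "tape", "disk"}  # write-once disk, tape, plain hard disk


@dataclass
class AuditLogPolicy:
    # --- 1. Event logging ---------------------------------------------------
    log_all_admin_activity: bool = True
    sensitive_actions: Set[str] = field(default_factory=lambda: {
        "user.create", "user.delete", "privilege.grant", "config.change"})
    watched_users: Set[str] = field(default_factory=set)   # log everything these users do
    working_hours: Optional[Tuple[int, int]] = None        # (start_hour, end_hour); None = 24x7
    # --- 2. Recording and archiving -----------------------------------------
    archive_target: str = "worm"
    retention_days_default: int = 90
    retention_days_security_breach: int = 365

    def __post_init__(self) -> None:
        if self.archive_target not in ARCHIVE_TARGETS:
            raise ValueError(f"unknown archive target {self.archive_target!r}")
        if self.working_hours and not (0 <= self.working_hours[0] < self.working_hours[1] <= 24):
            raise ValueError("working_hours must be (start, end) with 0 <= start < end <= 24")


@dataclass
class Event:
    timestamp: datetime
    actor: str
    role: str            # "admin" or "user"
    action: str
    security_breach: bool = False


def should_log(policy: AuditLogPolicy, event: Event) -> bool:
    """Decide whether the policy requires this event to be recorded."""
    # Design choice: a breach indicator is never suppressed by the hours window,
    # otherwise an hours-only policy is blind exactly when attackers prefer to act.
    if event.security_breach:
        return True
    if policy.working_hours is not None:
        start, end = policy.working_hours
        if not (start <= event.timestamp.hour < end):
            return False
    if event.role == "admin" and policy.log_all_admin_activity:
        return True
    if event.actor in policy.watched_users:
        return True
    return event.action in policy.sensitive_actions


def retain_until(policy: AuditLogPolicy, event: Event) -> datetime:
    """Retention deadline: breach records are kept longer than routine ones."""
    days = (policy.retention_days_security_breach if event.security_breach
            else policy.retention_days_default)
    return event.timestamp + timedelta(days=days)


def apply_policy(policy: AuditLogPolicy, events: List[Event]) -> List[Dict[str, str]]:
    """Turn raw events into archive records according to the policy."""
    records = []
    for ev in events:
        if not should_log(policy, ev):
            continue
        records.append({
            "actor": ev.actor,
            "action": ev.action,
            "archive_target": policy.archive_target,
            "retain_until": retain_until(policy, ev).isoformat(),
        })
    return records


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 4, 10, 15), "root_admin", "admin", "config.change"),
    Event(datetime(2024, 3, 4, 23, 40), "alice", "user", "file.read"),
    Event(datetime(2024, 3, 4, 11, 5), "bob", "user", "privilege.grant"),
    Event(datetime(2024, 3, 5, 2, 30), "mallory", "user", "login.failed", security_breach=True),
]

if __name__ == "__main__":
    # Working-hours-only policy that also watches every action of "alice".
    policy = AuditLogPolicy(working_hours=(8, 18), watched_users={"alice"})
    for rec in apply_policy(policy, SAMPLE_EVENTS):
        print(rec)
    # alice's 23:40 read is dropped by the hours window: the blind spot such a policy accepts.
```

Running the block with the working-hours policy yields three records (root_admin, bob, mallory); alice's off-hours file read is not recorded, which is exactly the trade-off an auditor should write down explicitly when choosing hour-based logging. Swapping `archive_target` for a value outside the three the policy allows raises an error at construction time, so a policy document cannot silently name a storage medium nobody provisioned.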
How to design social networking website policy
The latest update of LinkedIn.com, one of the most popular social networking sites for professionals, is proof that social networks have become very important in our lives. Their function has shifted: no longer only a communication medium, they have also become a place to find a new career, to develop a larger network and to do corporate research.
However, the massive usage of social networking websites also becomes another challenge for industry: creating good enterprise policy for this matter. Any other ideas on how to develop a social networking website policy?
Read also:
Social networking threats manageable with good enterprise policy.
LinkedIn's latest updates take a few hints from Facebook
Do you agree with this corporate blogging policy?
This policy provides guidance to ensure that the company's use of blogging and online dialogue appropriately considers responsible engagement in this new, rapidly growing space of relationship, learning and collaboration.
1. Know and follow the Company Code of Conduct.
2. Blogs are not corporate communications but individual interactions. Identify yourself, but be sure to protect your privacy.
3. Use a disclaimer when posting a blog that has something to do with work or subjects associated with Company.
4. Respect copyright, fair use and financial disclosure laws.
5. Don't provide confidential or other proprietary information.
6. Don't cite or reference clients, partners or suppliers without their approval.
7. Respect your audience and show proper consideration for others' privacy on topics that can be inflammatory such as politics and religion.
8. Find out who else is blogging on the topic and cite them.
