4.3. INFORMATION SYSTEMS SECURITY GUIDELINES

Information systems security guidelines are also established by senior management and are intended to help ensure the achievement of the IS security policy. Guidelines are similar in format to standards in that they provide detailed specifications for individual IS controls. Where they differ from standards is in their implementation. In some firms, management may direct staff to implement only those guidelines that they judge to be pertinent or useful. In others, they may be understood to be the equivalent of standards. Since guidelines are not necessarily required by management to be implemented, they can prove to be somewhat of an anomaly to auditors. For example, in a firm that has IS security guidelines but no standards, an auditor may use the guidelines as a benchmark against which the adequacy of controls of a particular information system can be assessed. When recommending improvements in those controls to line management in charge of the system, using the guidelines as the benchmark, the auditor may encounter resistance to change because line management does not consider the guidelines to be requirements. It is for this reason that the use of the term guidelines is inappropriate when referring to IS security controls. All firms should develop IS security standards that are clearly defined and enforceable.

It should not be surprising when one is unable to locate adequate IS security policies, standards, or guidelines within ...
