4.1. INFORMATION SYSTEMS SECURITY POLICIES

Information systems security policies are high-level overall statements describing the general goals of an organization with regard to the control and security of its information systems. Policies should specify who is responsible for their implementation. Policies are usually established by management and approved by the board of directors. Because most boards meet only monthly, changes to policies can often take several months to become official. If the change is significant, the board may request additional information or research before it will vote on the change. If the change is relatively minor, there may not be sufficient time on the board's agenda to address it. For these reasons, it is important that the IS security policy not be too specific. For example, the policy should require that the organization provide adequate physical and logical security controls over computer hardware, software, and data to protect them against unauthorized access and accidental or unintentional damage, destruction, or alteration. However, the policy should not specify detailed controls, such as the minimum number of characters required for passwords or the maximum number of unsuccessful sign-on attempts allowed before suspending a user ID. If it did, senior management would be constantly submitting policy change requests to the board. As we all know, often controls that were thought to be strong have been rendered inadequate ...
