- Monies are increasingly transferred electronically between and among organizational agencies, commercial enterprises, and individuals.
- Organizations are rapidly expanding their use of electronic com-
- National defense and intelligence communities increasingly rely on commercially available information technology.
- Public utilities and telecommunications increasingly rely on computer systems to manage everyday operations.
- More and more sensitive economic and commercial information is exchanged electronically.
- Computer systems are rapidly increasing in complexity and intercon-
- Easy-to-use hacker tools are readily available, and hacker activity is
- Paper supporting documents are being reduced or eliminated.
Each of these factors significantly increases the need for ensuring the privacy, security, and availability of state and local government systems.

Although as many as 80 percent of security breaches are probably never reported, the number of reported incidents is growing dramatically. For example, the number of incidents handled by Carnegie-Mellon University's CERT Coordination Center (CERT/CC) has multiplied more than 86 times since 1990, rising from 252 in 1990 to 21,756 in 2000. Furthermore, CERT® received 3,784 vulnerability reports and handled more than 137,529 incidents during 2002, according to their annual report [4]. Similarly, the Federal Bureau of Investigation (FBI) reports that its caseload of computer intrusion–related cases is more than doubling every year. The fifth annual survey conducted by the Computer Security Institute in cooperation with the FBI found that 70 percent of respondents (primarily large corporations and government agencies) had detected serious computer security breaches within the last 12 months, and that quantifiable financial losses had increased over past years.
7.8 Auditor’s Role in Developing Security Policies
According to Alan Oliphant, in his series of articles about computer auditing [5], policy and standards are of critical importance to an information systems security (ISS) auditor. Organizations should define their aims and objectives clearly in order to support their business strategies. This is often expressed in strategic plans and policy statements. When they lack a clear statement of direction, organizations can lose focus and become ineffective. They rapidly find themselves performing well below expectations. Organizations with clearly defined aims and objectives tend to be more successful.

Oliphant contends that because the IT facilities of any organization have become vital to the functioning of the organization, clear policy statements regarding all aspects of IT have become a necessity. The computer auditor should conduct auditing from precisely this point of view. Policies should be reviewed to ensure they are comprehensive and support control and security concepts. This provides an auditor with the necessary foundation essential for reviewing the computing standards implemented in the organization. Such standards are the means used to effect policy. Without standards to base an audit opinion against, any audit opinion can be construed as pure conjecture. Thus, management's duty lies in defining standards and implementing them in the form of policy.
As an auditor, your role is to assess the adequacy of organizational standards and look for compliance with such standards. Computer auditors should examine the policies of IT and the level of security and privacy required, including rights of access to specific types of information, ownership of information, and processes and policies referring to employment in sensitive areas. Once each of the organization's specific policies has been scrutinized, the standards of the organization should also be reviewed to determine whether or not they actually help to mitigate the organization's identified risks (identified from a risk analysis). The standard may implement all facets of a policy for an organization, but if the policy does not serve the purpose for which it was intended, all the standards in the world cannot help fix the problem. The point here is that policies should be focused on addressing specific risks. They should define the tasks that need to be done to prevent the risk from becoming a problem. Standards, on the other hand, are used to implement the "how-to" portion of the policy.
All work performed in an IT organization should be done in a controlled and standardized manner. This ensures the objectives of the organization are met. The computer auditor should be acquainted with the relevant IT standards prior to conducting the audit, in order to perform the work adequately. The work performed by an auditor should be able to withstand review by objective third parties.