7.8 Auditor’s Role in Developing Security Policies 209
Chapter 7
systems security (ISS) auditor. Organizations should define their aims and objectives clearly in order to support their business strategies. This is often expressed in strategic plans and policy statements. When they lack a clear statement of direction, organizations can lose focus and become ineffective, and they rapidly find themselves performing well below expectations. Organizations with clearly defined aims and objectives tend to be more successful.
Oliphant contends that because the IT facilities of any organization have become vital to the functioning of the organization, clear policy statements regarding all aspects of IT have become a necessity. The computer auditor should conduct auditing from precisely this point of view. Policies should be reviewed to ensure they are comprehensive and support control and security concepts. This gives an auditor the foundation needed for reviewing the computing standards implemented in the organization. Such standards are the means used to effect policy. Without standards against which to base an audit opinion, any audit opinion can be construed as pure conjecture. Thus, management’s duty lies in defining standards and implementing them in the form of policy.
As an auditor, your role is to assess the adequacy of organizational standards and look for compliance with such standards. Computer auditors should examine the policies of IT and the level of security and privacy required, including rights of access to specific types of information, ownership of information, and processes and policies referring to employment in sensitive areas. Once each of the organization’s specific policies has been scrutinized, the standards of the organization should also be reviewed to determine whether or not they actually help to mitigate the organization’s identified risks (identified from a risk analysis). A standard may implement every facet of a policy, but if the policy does not serve the purpose for which it was intended, all the standards in the world cannot fix the problem. The point here is that policies should be focused on addressing specific risks. They should define the tasks that need to be done to prevent the risk from becoming a problem. Standards, on the other hand, are used to implement the “how-to” portion of the policy.
All work performed in an IT organization should be done in a controlled and standardized manner. This ensures the objectives of the organization are met. The computer auditor should be acquainted with the relevant IT standards prior to conducting the audit, in order to perform the work adequately. The work performed by an auditor should be able to withstand review by objective third parties.