Critical Incident Management

Audit policies and procedures are needed to ensure that employees are meeting management objectives, legal and regulatory requirements, and addressing risks. Auditing is covered in the next chapter, so it is only going to be lightly addressed here. Management audits assure that resources are being properly utilized and monitored:

• Develop and implement policies addressing human resources management, data, and facilities.

• Ensure that projects are completed on schedule and within budget.

• Ensure that projects have been completed utilizing quality models such as the SDLC.

• Develop and maintain business priorities and long-term strategies.

• Assure that controls are in place for risk detection, prevention, and correction.

Systems Development and Programming Policies

These audits are more technical than management audits and require more knowledge and detail. Frequently, organizations do not have policies governing operations, so employees are left to their own devices, making decisions they are not qualified to make. Systems development involves activities ranging from purchasing commercial off-the-shelf software systems, to developing in-house systems, to purchasing turnkey systems. All systems development must be considered in the light of confidentiality, integrity, and availability.

Organizations must have written policies and auditing programs for:

• Systems design and development through quality models

• Systems selection and procurement criteria

• Systems application development

• Program testing

• Systems implementation

• Systems monitoring

• Systems disposal

• Systems change controls

• Systems documentation

• Systems quality assurance

Data Controls

Data control policies have the objectives of addressing confidentiality, integrity, and availability of data. These features are audited in the following areas:

• Input controls to any operation must be addressed by policies and procedures. Because input varies considerably, so will policies.

• Output controls address electronic and printed media.

• Database management controls must be established by policies with compliance assured by audit activities.

• Database information backup and storage policies.

Disaster Recovery and Business Continuity

Disaster recovery audit policies also address business continuity. Audit policies must require that auditors obtain evidence that these are in place and combined with regular unannounced testing. Audits of this nature address the existence of the following policies:

• Establishment of a Risk Management team

• Critical asset identification and prioritization

• Threat: impact analysis

• Existence of critical asset safeguards

• Disaster recovery plan

• Establishment of Disaster Recovery team

• Designated employees to address public and press inquiries

• Business continuity plan

• Plan testing

Workstation Audit Policies

These audits address the use of workstations and all company-owned equipment and facilities, including:

• Access restrictions to workstations

• Inventory of software and hardware reconciled with licensing and purchase documents

• Evidence of policy and individual compliance for the procurement and installation of software and hardware

• Evidence of individual compliance with policy regarding official use

• Evidence of individual compliance with policy regarding network and workstation security

• Policy and individual compliance with regular data backup

• Evidence of policy and individual compliance with workstation housekeeping