Once auditors have the policies in hand, they critique them and determine whether they cover all the organization's needs. There are two basic types of policies, Lindstrom said: those for end users, which focus on elements such as appropriate usage, and those aimed at administrators, which cover aspects such as patch management procedures. Other user-based policies might cover data and application ownership; appropriate use of equipment, e-mail, and the Internet; user account and password management and selection guidelines; security awareness training and testing; incident reporting; and virus handling. Administrator policies cover the management of standard and privileged user accounts, security configurations, exception handling, and incident reports and responses, among other things.

"Policies should be written to be applicable to all scenarios within the organization," Addison said. "It is surprising how many people write policies biased toward their own technology knowledge. For example, if the security policy writer has a background with mainframe computers, guess what slant the policies will have."

An examination of the policies in action. It's not enough to establish policy strategies, write them up, and educate the staff. To be effective, policies must also be implemented. "People generally have a sense for what types of policies are necessary, but they don't follow through into their environments," Lindstrom explained. To ease the implementation process, he advocates using automated solutions, such as PoliVec's Scanner, Builder, and Enforcer software. This software allows administrators to define, deploy, and evaluate IT security policies across the network.

A review of policy compliance data. The last step of an audit, according to experts, is a deep review of documentation that demonstrates how effective the policies are once they're operational. Tests and reports generated from automated systems can quickly reveal whether policies have been effectively integrated and updated as needed.

Wrapping up the audit. No matter how dedicated an enterprise has been in its security efforts, a policy audit typically reveals some flaw that requires corrective action, Addison said. "The board should also be made aware if there are serious problems, not necessarily viewing the full audit, but certainly the main thrust. They can then mandate the necessary remedial actions with sufficient authority to ensure that the actions themselves are taken."