Internal IT Audit Policy
Overview
An IT audit policy outlines the measures that are to be implemented to avoid risks affecting the IT infrastructure and, ultimately, the entire organization (AFROSAI-E, 2017). It is implemented primarily as a management control.
Scope
The IT audit policy covers all IT devices and infrastructure. In this case, the audit would cover all offices and stores, cloud environments, PCs, networks, remote access, employee-owned devices brought to work, credit card transactions, and servers. Operations, policies, and infrastructure would be evaluated to ensure that all risk factors are addressed or eliminated (UNDP, 2019).
Goals and Objectives
The objectives of this type of audit are to evaluate all IT resources to ensure that they work as expected to fulfill the organization’s goals (UNDP, 2019). For example, the organization in question operates a large number of stores in the United States. It would be important to check whether the IT infrastructure serves its customers and employees efficiently. The infrastructure would be evaluated for efficiency, security, availability, and cost. Customers should be able to use the organization’s IT infrastructure with ease and should spend less time making online purchases. When a technical issue arises, IT support should resolve it in the shortest time possible so that the infrastructure remains available to customers. When payments are made online or physically at the store, credit card data should be handled with adequate safeguards. For example, the electronic payment system should be properly encrypted so that card data cannot be sniffed, phished, or otherwise exposed. The IT infrastructure should also be cost-effective, so that its acquisition cost is not exorbitant relative to the service it delivers or its ability to meet user requirements. The organization should spend a reasonable amount on IT infrastructure purchases.
Compliance with Applicable Laws and Regulations
IT audits must check compliance to ensure that the organization does not get into trouble with the authorities (AFROSAI-E, 2017). This would involve two major compliance areas: licensing and data security. Licensing concerns mostly software copyrights. All operating systems on PCs and servers should have a valid license to avoid fines from software companies. For example, Windows Server is not open source; it requires licensing through client access licenses (CALs) based on the number of users. Using counterfeit Windows on PCs and/or servers would result in fines; the organization would have to pay the fine and then acquire the software licenses anyway. Therefore, it would be ideal to use genuine operating systems from the start. Another software copyright issue would arise if the organization used custom-made software in which a large part of the code was copied from another product. This, too, would lead to lawsuits and hefty fines. On data security, the audit policy would ensure that security measures are implemented and effective. For example, customers and employees would require usernames and passwords to access the organization’s IT infrastructure. All users should be educated on the importance of using strong passwords. Customers would be educated not to share their personal information, such as PINs, with anyone. Employees would be required to use customer data only to execute their work duties. A data security breach would require the organization to notify and compensate all affected customers. This would damage the organization’s reputation and, ultimately, its business returns.
Management Oversight and Responsibility
The management of an organization is responsible for IT infrastructure security (Colorado Department of Education, 2020). This includes designing cybersecurity and organizational policies that mitigate security incidents. For example, employees should use their work accounts only for their work duties. They should not collect customer data or share it with anyone outside of their job functions. They should also log out of their work accounts whenever they are not using them. Management should ensure that all employees are aware of and trained in cybersecurity. Customers should be reminded regularly of their role in cybersecurity when using the store’s systems. Management should ensure that all copyright issues are eliminated by acquiring genuine software licenses. Network security measures such as a VPN should be implemented for secure remote access. Computer hardware and software should be purchased only from authorized vendors.
Areas Covered in the IT Audits
The audits would cover security vulnerabilities, automated tools, and administrative safeguards (Colorado Department of Education, 2020). Administrative safeguards include cybersecurity policies and incident response. Automated tools, such as network scanning software, would be used to evaluate the security measures across the entire IT infrastructure to ensure that there are no loose ends. Identified security vulnerabilities would be eliminated through the measures recommended by NIST, for example by patching network devices and software with security updates.
Frequency of the Audits
IT audits could be conducted in two ways: periodically and ad hoc (UNDP, 2019). The two would be used depending on the security circumstances. For example, patch and antivirus updates are usually periodic. By contrast, ad hoc audits could be triggered by an update from NIST listing current vulnerabilities with proposed solution(s).
References
AFROSAI-E. (2017). IT Audit Manual (1st ed.). African Organisation of English-Speaking Supreme Audit Institutions. https://afrosai-e.org.za/wp-content/uploads/2019/07/IT-Audit-Manual-2017-1st-Edition.pdf
Colorado Department of Education. (2020). Information Systems Audit Policy. https://www.cde.state.co.us/dataprivacyandsecurity/informationsystemsauditpolicy
United Nations Development Programme (UNDP). (2019). IT Audit Manual. https://www.undp.org/content/dam/albania/docs/STAR/IT%20AUDIT%20MANUAL.pdf
Question
This assignment consists of four distinct elements: an internal IT audit policy, a management plan, a project plan, and a disaster recovery plan. You must submit all four sections as separate files. Name each file as indicated in the instructions below.
Make any assumptions needed for the completion of this assignment, and base your work on the following scenario:
You are an information security manager for a large national retailer and are directly responsible for the planning and oversight of IT audits. At the request of the board of directors, the CEO has tasked you with developing a plan for conducting regular audits of the IT infrastructure. The planning and management aspects of IT audit are critical to the overall success of the audit and, consequently, the overall success of the systems implemented in the organization.
You must develop a policy for conducting IT audits and develop a project plan for conducting two-week IT audits.
In addition to the typical networking and Internetworking infrastructure of a medium-sized organization, the organization has the following characteristics:
They have a main office and 268 stores in the United States.
They use a cloud computing environment for storage and applications.
Their IT infrastructure includes Cisco workgroup and core switches, Cisco routers, Cisco firewalls and intrusion prevention systems, and servers running Microsoft Windows Server 2012.
They have over 1,000 desktops and approximately 500 organization-owned laptops at the main headquarters.
They allow employees to bring their own devices into the organization; however, they are subject to search upon entry and exit from the building.
They enable remote access to corporate information assets for employees and limited access to extranet resources for contractors and other business partners.
They enable wireless access at the main office and the stores.
They process an average of 67.2 credit card transactions per hour, every day, at each location and via their corporate website.
Instructions
Section 1: Internal IT Audit Policy
Write a 3–4 page paper in which you:
Develop an internal IT audit policy, which includes at a minimum:
Overview.
Scope.
Goals and objectives.
Compliance with applicable laws and regulations.
Management oversight and responsibility.
Areas covered in the IT audits.