1: Auditing Security Management

Question 1

Auditing security management activities require attention to keys such as

Answer 1

• Policies, processes, procedures, and standards
• Records
• Security awareness training
• Data ownership and management
• Data custodians
• Security administrators
• New and existing employees

Question 2

Policies, processes, procedures, and standards

Answer 2

The auditor should request and examine information security policies to see what processes are required. This should be followed by requests to examine process and procedure documentation for key processes that are cited in security policies.

Question 3

Records

Answer 3

the auditor should examine business records to see whether processes are active.

Question 4

Security awareness training

Answer 4

The auditor should examine training materials, training procedures, and training records to determine the effectiveness of the organization’s security awareness training program.

Question 5

Data ownership and management

Answer 5

The IS auditor should inquire about the methodology used to determine ownership and management of business data. The key point with data ownership and management is accountability:

Question 6

Data custodians

Answer 6

the IS auditor should identify whether data custodians effectively carry out the wishes of the data owner, or act on their own as if they are the owner.

Question 7

Security administrators

Answer 7

The IS auditor should determine if IT staff are knowledgeable about these duties and qualified to carry them out.

Question 8

New and existing employees

Answer 8

The IS auditor should determine if any policies exist on this topic and whether security awareness training covers this theme.