IT Policies Flashcards
T/F: All policies need to be linked to entity’s strategy and objectives?
TRUE. Each policy needs an owner who is responsible for ensuring the policy is updated and evolves with change.
They should include a title, purpose, context, and statements of responsibilities.
IT Policies and COSO
- Policies are central to internal control
- Reflect management's intentions regarding actions
- Procedures are actions to implement policies
Why do we have IT Policies?
Help establish a shared organizational understanding of IT
Help in managing cyber risk
Valuable in decentralized or geographically distributed entities
What are the nine important IT policies?
1) Values and service culture: what is expected of IT functions and personnel in their interaction with clients and others.
2) Contractors, employees and sourcing: why, when, and how an entity selects human resources from employees vs. outside contractors.
3) Electronic communication: policy related to employee use of the internet, intranet, email, blogs, chat rooms and telephone.
4) Use and connection policy: the entity's position on the use of personal devices and applications in the workplace and their connection to the entity's systems.
5) Procurement: policy on procurement processes for obtaining IT services.
6) Quality: statement of IT performance standards.
7) Regulatory compliance: statement of regulatory compliance for IT systems, for example banking, investment systems, or data privacy.
8) Security: how the entity guards against physical or electronic threats to IT.
9) Service management and operational service problem solving: policies for ensuring the quality of live IT services.
COSO is concerned with monitoring of policies including:
- Monitoring by internal audit staff
- May be continuous or periodic
- Analysis of IT help calls and operational reports provide evidence of policy noncompliance, use, and understanding