IT Policies Flashcards

1
Q

T/F: All policies need to be linked to the entity’s strategy and objectives?

A

TRUE. Each policy needs an owner who is responsible for ensuring the policy is updated and evolves with change.

They should include a title, purpose, and context, and statements of responsibilities.

2
Q

IT Policies and COSO

A
  • Policies are central to internal control
  • Reflect management’s intentions regarding actions
  • Procedures are actions to implement policies
3
Q

Why do we have IT Policies?

A

Help establish a shared organizational understanding of IT

Help in managing cyber risk

Valuable in decentralized or geographically distributed entities

4
Q

What are the nine important IT policies?

A

1) Values and service culture: what is expected of IT functions with personnel and in interaction with clients and others.
2) Contractors, employees and sourcing: why, when, and how an entity selects human resources from employees vs. outside contractors.
3) Electronic communication: policy related to employee use of the internet, intranet, email, blogs, chat rooms and telephone.
4) Use and connection policy: the entity’s position on the use of personal devices and applications in the workplace and connection to the entity’s systems.
5) Procurement: policy on procurement processes for obtaining IT services.
6) Quality: statement of IT performance standards.
7) Regulatory compliance: statement of regulatory compliance for IT systems, for example banking, investment systems, or data privacy.
8) Security: how we are guarding against physical or electronic threats to IT.
9) Service management and operational service problem solving: policies for ensuring the quality of live IT services.

5
Q

COSO is concerned with monitoring of policies including:

A
  • Monitoring by internal audit staff
  • May be continuous or periodic
  • Analysis of IT help calls and operational reports provides evidence of policy noncompliance, use, and understanding