Audit Risks and Program Management

The organisation is vulnerable to the activities of untrained employees, contractors and third-party users. There is a risk of them producing incorrect and corrupted information or losing it completely. Untrained personnel can take wrong actions and make mistakes through ignorance. All personnel should be trained in the relevant policies and procedures, including security requirements and other business controls. They should also be trained to use all the IT products and packages required of their position, as well as in the relevant security procedures.

The organisation should consider when training should be repeated and updated. Training might be required at different levels as follows.

  • Basic security awareness: every employee, and where relevant, contractor and third-party user, should be given a foundational level of security awareness training. A course should convey to them the organisation’s security policy, objectives and framework within which they are expected to work. Essential procedures should be provided and described. The material supporting this training (including procedures and policies) should be made readily available to employees, and updates circulated whenever any changes are made, ideally to only those affected by the changes. Awareness should be refreshed as necessary and through ongoing action.
  • Technical security training: staff with special responsibilities for security (not only security-dedicated roles) should, in addition to basic training, be provided with relevant, specialist training. A training plan should be developed for each individual according to the specific knowledge and skill required for their role. The general development of security knowledge can benefit significantly from employees attending suitable conferences and carefully selected events, which are frequently free. All training and relevant event attendance should be recorded in the individual’s training record. Training should be available to employees, agency staff and third-party users as appropriate. Ensure that training suppliers use appropriately qualified staff, and that the syllabus is clear and consistent with the organisation’s requirements. Generic training will not be retained nearly so well as training that reflects the ethos and culture of an organisation.
  • Auditors should confirm that access control rights and rules are clearly defined in the access control policy, and that they are consistent with the classification and handling requirements for the information.
  • Suitable mechanisms for enforcement of this policy should be in place and implemented. An access right to an asset should be traceable to a risk assessment and authorised by the correct asset owner.
  • Any access to sensitive information, or to information processing facilities, should be based on the ‘need to know’ and ‘need to use’ principles, i.e. justified by business requirements and necessary for the task at hand. Role-based access should be implemented where possible.
  • Auditors should be prepared to question why certain roles, especially senior ones, have access to certain information if this access is not sufficiently justified.
  • Check also that access to sensitive information takes place in line with the classification given, and that the access permissions given have been checked to ensure that they are consistent with applicable legislation and regulations.
  • Also check that personnel with access to sensitive or confidential information have been properly trained, since unrestricted use of such information by untrained staff can have disastrous consequences.
  • The auditor should also check that the organisation has procedures in place to review the access control policy, taking account of employees leaving the organisation, job functions and requirements changing, etc.
  • These procedures should include that any access rights that are found to be no longer necessary are removed immediately. Records should exist to show that this is the case.
  • The unjustified allocation of access rights increases the organisation’s vulnerability to breaches of confidentiality, loss of data integrity and availability through misuse.
  • A user registration form should be prepared, upon which the information system, network, service or application(s) required is described, as well as the conditions of access.
  • This should be signed by the applicant to document their acceptance of the conditions, and by the system owner or custodian to document their authorisation for the applicant to be registered.
  • This form should have the user ID added to it and then be archived. It is equally important that user access to resources is promptly disabled when someone ceases to have a business reason to access the resources, for example termination of employment or internal job move.
  • Procedures should be put in place to ensure this. There should be notification procedures, and clearly defined responsibilities and actions if employees leave the organisation or change their employment.
  • Role-based access should be considered, as this can be easier to manage, and reduces the chances of ‘special cases’; or, if they do appear, it makes them more visible and therefore harder to authorise without adequate justification.
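The access control checks listed above (leavers still holding access, grants outside the role-based baseline, and grants lacking a signed authorisation record) can be run mechanically over an access register. The following is an added illustration, not from the original text; the HR roster, role entitlements and register rows are constructed sample data, and the column layout of the register is an assumption.

```python
"""Audit the access register against the HR roster and role-based entitlements.
Three checks from the audit list: leavers with live access, grants outside the
user's role ('special cases'), and grants with no complete authorisation record.
All data below is constructed for illustration."""

# Constructed HR roster: user ID -> (role, still employed?)
HR_ROSTER = {
    "u001": ("finance-analyst", True),
    "u002": ("hr-officer", True),
    "u003": ("finance-analyst", False),   # has left the organisation
}

# Constructed role-based entitlements: the 'need to use' baseline per role
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger-app", "reporting-db"},
    "hr-officer": {"hr-system"},
}

# Constructed access register rows (assumed layout):
# (user, resource, owner authorised?, applicant signed conditions?)
ACCESS_REGISTER = [
    ("u001", "ledger-app", True, True),
    ("u001", "hr-system", True, True),     # outside role: needs justification
    ("u002", "hr-system", False, True),    # no owner authorisation recorded
    ("u003", "reporting-db", True, True),  # leaver still holds access
]


def audit_access(roster, entitlements, register):
    """Return findings per check; each finding is a (user, resource) pair."""
    findings = {"leaver_active": [], "outside_role": [], "unauthorised": []}
    for user, resource, owner_ok, user_ok in register:
        if user not in roster:
            # Unknown to HR: treat as a leaver until proven otherwise
            findings["leaver_active"].append((user, resource))
            continue
        role, employed = roster[user]
        if not employed:
            findings["leaver_active"].append((user, resource))
        if resource not in entitlements.get(role, set()):
            findings["outside_role"].append((user, resource))
        if not (owner_ok and user_ok):
            findings["unauthorised"].append((user, resource))
    return findings


if __name__ == "__main__":
    for check, items in audit_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCESS_REGISTER).items():
        print(f"{check}: {items or 'none'}")
```

Each non-empty finding list is a record the auditor would expect to see either remediated or justified in writing by the asset owner.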