Companies face a wide array of governmental regulations and legal requirements. Public companies must have their financial statements and the information technology (IT) systems that store them audited on a regular basis in accordance with the Sarbanes-Oxley Act. The Payment Card Industry Data Security Standard requires that companies which process credit cards be audited to ensure their computer systems are configured securely. Companies hire third-party auditing firms to inspect their systems and verify compliance with these standards.
Auditors look for a few basic things upon arriving at a company. These include documented policies and processes and evidence that those policies and procedures are followed. The more detailed a company's policies are the easier it is for the auditor to do his work. Companies must establish a framework upon which to build their policies and processes. IT auditors are familiar with standards, such as Control Objectives for IT (COBIT) or ISO 27001. Each of these guide companies by providing checklists of how to secure sensitive data. Auditors use these checklists to ensure a thorough audit.
Sample Documentation, Policies and Procedures Checklist
- Determine whether a change management process exists and is formally documented.
- Determine if change management operations has a current list of system owners.
- Determine accountability for managing and coordinating changes.
- Determine the process for escalating and investigating unauthorized changes.
- Determine the change management flows within the organization.
Sample Change Initiation and Approval Checklist
- Verify a methodology is used for initiation and approval of changes.
- Determine if priorities are assigned to the change requests.
- Verify estimated time to completion and costs are communicated.
- Evaluate the process used to control and monitor changes.
Sample IT Security Checklist.
- Confirm that all unnecessary and insecure protocols are disabled.
- Verify that minimum password lengths are set to 7 characters.
- Verify that complex passwords are used.
- Ensure that the system is up to date with patches and service packs.
- Verify that password aging is set to 60 days or less.