An Introduction To
Information, Network and Internet Security


Things to watch

Many organisations are unaware of the legislation that they are covered by and that they have to comply with in this country. Most have heard of data protection and health and safety, and some of software piracy, and that is about it. The Auditor will ask various Auditees which legislation and regulations are relevant to them. It is often the case that senior management are also unaware of their responsibilities. There are a number of offences for which the individual can be personally prosecuted (rather than the organisation assuming vicarious liability), and this is often a real 'eye opener' for them when they find it out.

If this is the case for legislation and regulations in this country, it is of little surprise that even fewer understand the requirements of other countries where the organisation either has a presence or can have its data accessed.

Software piracy is a simple matter - just copying a file can constitute a breach. Many organisations feel that they are covered by site agreements, but in reality this is not the case for software that falls outside such agreements (e.g. products from other software manufacturers). Few organisations are able to produce, immediately and on request, proof that they are compliant with the relevant licences and copyright laws. The Auditor will be checking that this is the case and that the law is not being broken. Typically they will want to see the process that manages compliance, and if you have no process to perform this task the Auditor will be certain to draw their own conclusions.

The law also stipulates a number of retention periods for documents, and a document retention schedule should be available to the Auditor so that they can check compliance. In addition to legal requirements there are operational requirements to safeguard organisational records. This is closely related to the backup process for electronically held media. The Auditor will be looking for proof.

A number of countries (not just the UK or EEA) have legislation regarding personal data and its processing. There are a number of requirements and principles in the UK legislation that organisations (and individuals) must obey if they process personal data. The Seventh Principle relates to the protection of personal data and the requirement for information security. The Commissioner has indicated that compliance with ISO 27002 (or BS 7799 as it was) is an appropriate method of demonstrating appropriate security.

In these increasingly litigious times it is essential to collect and present evidence in the manner required by civil or criminal process. Very few organisations have professionals on the staff who know how to do this, and this can often lead to a case being lost or dismissed because of incorrect procedures, handling or processing of evidence. The Auditor will check for evidence of knowledge of these processes.

Having a set of security standards and procedures is often thought of as being enough, as it is assumed that the staff will comply with them. After all, everyone complies with the speed limit - don't they? The Auditor will check that there is proof that the standards and procedures for information security are actually enforced. Typically this will involve random checks as well as reviews of all recent audits (carried out by anyone). Some of the checks may require specialised software. If this is not available in the organisation, the Auditor may well wonder how you can be sure that these checks are carried out. These tools will also have to be adequately protected.

Have these been checked recently?

Be assured, the Auditor will check.

The Security Practitioner

An Introduction to Information Security