Things to Watch

It is essential to manage information security throughout the organisation, and management is a 'people' thing. Many organisations do not give enough visibility to the management of information security and assign the responsibility at too low a level in the organisation. Information security needs an independent reporting channel to top-level management. Too often the person responsible for security has to report to the very people that he should be reporting on. The Auditor will ensure that there is an appropriate process for managing information security and will typically look at minutes of meetings to determine that actions assigned have indeed been cleared and that the meetings are more than just a middle management talking shop - many are.

Many organisations have allowed (by accident or design) a number of facilities (hardware, software or network connections) to be added or connected to their IT infrastructure without any formal process of authorisation. If there has been no formal process to go through, it is a fair bet that no risk assessment of the connection has ever been undertaken. Where such connections are discovered, an Auditor will ensure that a risk assessment has been carried out. One of the ways to assign risk in this area is to have a strong set of security requirements in all external (as well as internal) party contracts; many of the contracts seen in practice have weak or no security requirements. The Auditor will evaluate the strength of the risk assignment in the contract and how compliance is managed and monitored. A similar process will be undertaken for all outsourcing contracts.

One of the common failings in managing third parties is the failure to manage the relationship properly, or the attempt to solve an internal problem by outsourcing it. Outsourcing a problem, as many organisations have found to their cost, is not a solution to poor internal management and control.
The Security Practitioner - An Introduction to Information Security