An Introduction To
Information, Network and Internet Security


Things to Watch

There are a number of areas that are frequently not well addressed in this Clause. The most important one is that the responsibility for the recruitment process for third parties (e.g. contractors and temporary staff) is usually not managed in the same way as permanent staff. Contractors are often recruited by Line Managers who have little idea of the required process for recruitment and screening. The Auditor will typically spend time determining how these staff are recruited, and if recruited by Line Managers, the Auditor will find out what advice and training they have received for recruiting staff.

The Auditor will determine what security responsibilities are in place in job descriptions and contracts for a random selection of permanent staff as well as contractors and other third parties. There are many contracts that do not ensure that the employer is adequately protected and many contracts for permanent staff that breach the Employee Rights Act.

User training to reinforce the security message is essential to ensure that all users of corporate information processing facilities are aware of their responsibilities. The Auditor will examine centrally held records to determine this as well as question a random sample of Auditees.

There are often cases where a member of staff has been found guilty of a disciplinary offence (e.g. downloading pornography, loading unauthorised software or email abuse) but has not been dealt with according to the published disciplinary procedures. This almost always sends the wrong message to staff who see someone 'getting away with it', and it does little to reinforce the security message.

The Auditor will probably have checked the asset register as part of asset management or as part of the ISMS process. What is almost certain to be audited in every case is the termination process for staff and third parties with access to organisational facilities. This will include determining who has left without returning corporate assets (laptops, portable phones, PDAs and credit cards are common issues) as well as who has left but still has an enabled user account on a corporate information processing system. If the person leaving had heightened access, it is likely that the Auditor will check that the passwords on administrative access facilities have been changed.
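The termination checks above can be run as a simple reconciliation before the Auditor arrives. The script below is an added example, not part of the original text or of any audit tool: it joins a constructed HR leavers extract against a constructed account list and asset register (the column names and CSV layout are assumptions) and reports leavers with still-enabled accounts, unreturned assets, and privileged leavers whose administrative credentials should have been rotated.

```python
"""Leaver reconciliation: enabled accounts, unreturned assets and
privileged leavers needing credential rotation.

Added example with constructed sample data; the CSV column names
(user_id, enabled, admin_role, assigned_to, returned) are assumptions,
not the format of any particular HR or directory system.
"""
import csv
import io
from datetime import date

# Constructed HR leavers extract (assumed layout).
HR_LEAVERS_CSV = """user_id,name,leave_date,employment_type
u101,A. Example,2024-03-01,permanent
u102,B. Example,2024-03-15,contractor
u103,C. Example,2024-02-20,permanent
u105,E. Example,2024-06-30,permanent
"""

# Constructed directory/account extract (assumed layout).
ACCOUNTS_CSV = """user_id,enabled,admin_role
u101,true,no
u102,false,no
u103,true,yes
u104,true,no
u105,true,no
"""

# Constructed asset register extract (assumed layout).
ASSETS_CSV = """asset_tag,asset_type,assigned_to,returned
LT-0001,laptop,u101,no
PH-0007,phone,u102,yes
CC-0003,credit card,u103,no
LT-0002,laptop,u104,no
"""


def _rows(text):
    """Parse a CSV extract held in memory into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _yes(value):
    return value.strip().lower() in ("true", "yes", "y", "1")


def reconcile_leavers(hr_csv, accounts_csv, assets_csv, as_of):
    """Return audit findings for everyone whose leave date is on or before as_of.

    enabled_accounts:   leavers whose account is still enabled
    rotate_admin_creds: leavers who held an administrative role (password
                        change expected regardless of account state)
    unreturned_assets:  (user_id, asset_tag) pairs not marked returned
    """
    leavers = {r["user_id"]: r for r in _rows(hr_csv)
               if date.fromisoformat(r["leave_date"]) <= as_of}
    accounts = {r["user_id"]: r for r in _rows(accounts_csv)}

    findings = {"enabled_accounts": [], "rotate_admin_creds": [], "unreturned_assets": []}
    for uid in leavers:
        acct = accounts.get(uid)
        if acct is None:
            continue  # no account on this system; nothing to disable
        if _yes(acct["enabled"]):
            findings["enabled_accounts"].append(uid)
        if _yes(acct["admin_role"]):
            findings["rotate_admin_creds"].append(uid)
    for asset in _rows(assets_csv):
        if asset["assigned_to"] in leavers and not _yes(asset["returned"]):
            findings["unreturned_assets"].append((asset["assigned_to"], asset["asset_tag"]))
    return findings


if __name__ == "__main__":
    result = reconcile_leavers(HR_LEAVERS_CSV, ACCOUNTS_CSV, ASSETS_CSV, date(2024, 3, 31))
    for category, items in result.items():
        print(f"{category}: {items}")
```

Future-dated leavers (u105 here) are excluded by the as_of cut-off so the report only lists people who have actually left; contractors and temporary staff are treated exactly like permanent staff, which is the point the Clause is usually weak on.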



The Security Practitioner

An Introduction to Information Security