AuditNet®

Exec Information Security Check List

by Ron Lepofsky

ERE Information Security Auditors

In 2008, compliance with security and privacy standards is a motivator for executives to invest in minimizing both their personal and corporate liability.

Indeed there are a plethora of standards including:

  • Sarbanes-Oxley in the USA and the comparable Bill 198 in Canada, for publicly listed corporations.

  • NERC CIP for electricity generation / transmission utilities, both in the USA and Canada.

  • Privacy standards such as HIPAA in the USA and many Canadian standards such as PHIPA, FIPPA, PIPEDA, and RCMP/CSE TRA for custodians of medical and personal information.

  • Industry standards such as ISO 27002, ISO 17799, NIST, ITIL, CISA (ISACA), CobiT.

Not surprisingly, these various standards all require the same basic, age-tested security fundamentals. An executive concerned about security and privacy may want to take action if any of the following 10 simple facilities are not in place:

1. There is a well-documented security / privacy process, including a business continuity plan or at least a disaster recovery plan.

2. A published, clear end-user policy is delivered to each employee, who acknowledges receipt in writing and who in turn receives regular training updates.

3. The end-user policy is uniformly enforced by the executive committee.

4. A third-party, impartial security / privacy audit has been conducted in the last year.

5. The recommendations of the audit have been implemented.

6. Access controls and authentication processes are kept current, including the very basics such as: user name and password, access control lists, and email account ownership.

7. Patch management is kept up to date for all servers.

8. Firewall rules are regularly purged of outdated and inaccurate content, and the correct order of rules is stringently maintained.

9. Event logs for critical assets (servers, applications, firewalls) are retained in an easily accessible / auditable format.

10. The security / IT operations / privacy team has adequate time and processes in place to monitor the security / privacy technology, and a reporting process for any suspicious or threatening events.
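Item 8 is the one facility on this list that an auditor can check mechanically. On a first-match firewall (iptables, most router ACLs), a rule placed after a broader rule that already matches everything it would match can never fire: if the two actions differ, the intended allow or deny is silently unreachable (a policy error); if they are the same, the later rule is dead weight that should be purged. The script below is an added example, not code from the article or from ERE Information Security Auditors; the rule format, the rule names and the sample rule set are constructed for illustration, and it assumes first-match semantics and IPv4 addresses. Export your real rule set into the same shape to run it against a production policy.

```python
"""Shadowed-rule check for a first-match firewall rule list.

Added example, not from the article or from ERE Information Security
Auditors. The Rule format and SAMPLE_RULES are constructed for illustration
and assume first-match evaluation (the first rule that matches a packet wins).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # CIDR, e.g. "10.0.0.0/8"; "0.0.0.0/0" means any
    dst: str         # CIDR
    proto: str       # "tcp", "udp" or "any"
    dports: tuple    # (low, high) inclusive destination port range


def _net(cidr):
    # strict=False tolerates host bits set in the prefix, as exported rule
    # dumps often contain (e.g. "192.0.2.10/24").
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    try:
        if not _net(inner.src).subnet_of(_net(outer.src)):
            return False
        if not _net(inner.dst).subnet_of(_net(outer.dst)):
            return False
    except TypeError:
        # Mixed IPv4/IPv6 networks cannot contain one another.
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    lo, hi = inner.dports
    olo, ohi = outer.dports
    return olo <= lo and hi <= ohi


def find_shadowed(rules):
    """Return (shadowed_name, shadowing_name, kind) triples.

    kind is "policy error" when the earlier rule takes a different action
    (the later rule's intent is unreachable) and "redundant" when the actions
    match (the later rule can be purged without changing behaviour).
    Only the first shadowing rule is reported for each shadowed rule.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "policy error"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed sample rule set, in evaluation order. Addresses are from the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24) and RFC 1918 space.
SAMPLE_RULES = [
    Rule("allow-web-any", "allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", (80, 443)),
    # Intended to block the guest network from the web server, but the
    # broader allow above already matched: never fires.
    Rule("deny-web-guest", "deny", "198.51.100.0/24", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("allow-ssh-admin", "allow", "10.0.0.0/8", "192.0.2.0/24", "tcp", (22, 22)),
    # Fully inside allow-ssh-admin with the same action: dead weight.
    Rule("allow-ssh-ops", "allow", "10.1.0.0/16", "192.0.2.20/32", "tcp", (22, 22)),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535)),
]


if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{kind}: rule '{shadowed}' is shadowed by earlier rule '{by}'")
```

A "policy error" finding is the one to escalate: the rule set reads as if the guest network were blocked, but the packets are accepted. A "redundant" finding is the purge candidate item 8 refers to. The check is deliberately conservative: it only reports a rule that is completely covered by a single earlier rule, so partial overlaps (which may be intentional) are left for a human to review.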

Although security and privacy standards and regulations target specific compliance groups and allocate liability, the basics of security remain the same: diligence and enforcement.

About the Author

Ron Lepofsky is the President and CEO of ERE Information Security Auditors, who are information security and security standards compliance auditors. ERE provides TRA / PIA services to privacy-compliant institutions with regard to medical / patient data, security audit services to large publicly traded corporations
