December 2008

The Five C’s of IT Policy

Reviewing the effectiveness of information security policies is a key part of IT audit plans.

Ishwar Chandra, FCA, CISA

Ensuring data integrity and confidentiality in an environment of fast access to confidential information is a real challenge for management. Security breaches can result in monetary losses and threaten an organization’s reputation and survival. In fact, 85 percent of respondents to Ernst & Young’s 2008 Global Information Security Survey say a security incident would significantly impact their organization’s brand or reputation. Moreover, organizations may face legal sanctions. The U.S. Federal Rules of Civil Procedure and the UK Civil Procedure Rules mandate careful handling of electronically stored information, while some state and local laws require organizations to disclose any security breach that results in the theft of personal data.

There is little wonder then that information security management is the IT initiative that has the greatest impact on organizations, according to the American Institute of Certified Public Accountants’ IT Initiative Survey. Organizations need a robust information security system that ensures data integrity and confidentiality, protects information assets, and encourages efficient and effective use of information systems. An information security policy, approved by the highest level of management, is an initial step toward demonstrating the organization’s commitment to security and increasing awareness of security needs. This document provides a reference framework for information security comprising guidance on risk assessment, control implementation, and the authority and responsibilities for compliance.

As a part of the IT audit program, senior management expects internal auditors to provide assurance that suitable information security mechanisms are in place to comply with laws and regulations, meet industry standards, prevent breaches, and prompt management to take corrective actions. A key audit objective is evaluating the effectiveness of the information security policy and recommending improvements based on five characteristics: comprehensive, current, communicated, compliant, and convertible.


Comprehensive

The information security policy should cover all information system elements, including data, programs, computers, networks, facilities, people, and processes. The security value of each element and the need to protect them based on security parameters — confidentiality, integrity, and availability — varies for different organizations. Some organizations rate the confidentiality of information as their highest priority, while for others the priority is the availability of information and systems. A systematic risk assessment is essential for formulating information security policies and should address these basic questions:

  • What are the key elements of information systems (e.g., applications, servers, and networks)?
  • What are their ratings in terms of security needs (e.g., critical, vital, sensitive, and noncritical)?
  • What are the vulnerabilities associated with these information systems?
  • What are the possible external and internal threats to each element of information systems?
  • What are the potential risks from these threats on the business?
  • What controls address these risks?
  • What are the residual risks — after reduction, avoidance, and transfer — to be accepted by the organization?

While reviewing management’s assessment of information security risk, internal auditors should check that management has considered relevant laws and regulatory requirements. While drafting the security policy document, it is essential that all related departments — risk management, IT, auditing and compliance, legal, and human resources — provide input and spell out their roles and responsibilities for enforcing the policy to make it effective.

Auditors should determine the development methodology and coverage of the policy by scrutinizing policy documentation, questioning management, and drawing on their own knowledge of the business. They should especially examine whether all mission-critical information systems — in-house and outsourced — have been identified and covered in the policy. Auditors should check whether the relevant laws, regulations, and security standards have been used as references. For instance, the Payment Card Industry Data Security Standard could be used as a reference framework for evaluating the organization’s electronic payment systems.

A second element auditors should examine is whether policy formulation is based on a systematic risk assessment. They should analyze the vulnerabilities and threats and the resulting monetary and nonmonetary losses, including their impact on business continuity. Auditors should check whether the assessment of IT system vulnerabilities has been performed by technically competent people.

The third element to examine is whether all related departments were involved in the policy formulation. Where some departments were not involved, auditors should determine whether the organization has assessed the impact of their exclusion on its risk profile.


Current

The information security policy should be updated regularly and promptly. Generally, organizations must update their security policy for three reasons:

  • Change in the organization’s risk profile due to change in business functions or processes and in IT and communication systems, such as computers, networks, and applications.
  • Amendments to legal and regulatory requirements.
  • Developments such as new encryption and data security technologies.

Periodic management review is key to keeping the policy current. Policy updates should reflect the changes as documented and approved by the appropriate level of management. Auditors should review documentation and question management to ascertain whether all relevant technological developments and legal/regulatory requirements are studied regularly by appropriate personnel and whether the resulting need to modify the policy is assessed promptly. Moreover, auditors should determine whether the organization follows adequate change management procedures, assesses the impact changes have on the risk profile of the organization’s IT system, and amends the policy in a timely manner to reflect such changes.


Communicated

To be enforceable, the information security policy must be communicated effectively to all employees, partners, vendors, and customers. The objectives as communicated should match management’s actual intent. For example, management’s intent to protect sensitive data using a system for maintaining hardware and registering media movement must be communicated well, or staff may perceive the policy to be merely a measure to control physical losses of hardware and media. Communication gaps not only can lead to noncompliance but also may adversely affect constituents’ perceptions of the policy.

Auditors should determine the various ways management has adopted to communicate the policy throughout the organization. They can assess the effectiveness of communication by interviewing sample employees and soliciting feedback through questionnaires.


Compliant

Compliance with the information security policy should not be left to choice or chance. Instead, compliance should be compulsory for everyone at all levels of the organization, and the policy should state the consequences of noncompliance clearly.

Auditors should determine, from available documentation and management inquiries, whether there is a suitable mechanism outlining the authority and responsibility to ensure policy compliance. There also should be a well-defined manual or automated procedure in place to handle all security breaches, analyze the reasons why they occurred, and check whether such incidents recur. Moreover, the policy should incorporate adequate measures to promote voluntary compliance, such as including compliance in employee job descriptions.


Convertible

The information security policy communicates, in broad terms, senior management’s philosophy and directions about protecting data and information systems. Compliance depends on converting the relevant preventive, detective, and corrective controls designed for each security element into actionable instructions, such as:

  • Framing rules regarding usage of corporate e-mail and Internet systems.
  • Framing rules regarding workplace use of portable devices. All such devices should be recorded in the organization’s hardware/software register along with the user’s name.
  • Having employees sign off that they understand the IT security policy and their responsibility for compliance.

Auditors should determine whether the policy encompasses a manual of guidelines, procedures, rules, and examples, and not merely a broad statement of management’s objectives. Per their audit objectives, they should check whether the relevant controls are in auditable form with a complete audit trail.


Reviewing the effectiveness of the organization’s information security policy is not merely a compliance issue for organizations — it provides strategic value. An ineffective policy may provide a false sense of security. Conversely, an effective policy can yield tangible and intangible pay-offs, such as effective control monitoring, timely detection of breaches, and reduced losses and legal sanctions. Such gains can enhance stakeholders’ confidence in the organization.

Ishwar Chandra, FCA, CISA, is a chartered accountant practicing auditing in Agra, India.
