We Care Auto Insurance Policy Library

Computer Systems Acceptable Use Audit Plan

Table of Contents

WeCare Auto Insurance Acceptable Use Policy Audit Plan
1. Purpose
2. Evaluation
  2.1. Policy Review
    Audit Procedure
  2.2. Awareness and Training
    Audit Procedure
  2.3. Preventive Controls
    Audit Procedure
  2.4. Detective Controls
    Audit Procedure
  2.5. Corrective Controls and Plan of Action
    Audit Procedure
3. Conclusion
4. Audit Resources and Schedule

WeCare Auto Insurance Acceptable Use Policy Audit Plan

1. Purpose

The purpose of this audit plan is to perform a thorough audit of the WeCare Auto Insurance (WAI) Acceptable Use Policy (AUP). The scope is to evaluate and measure the level of compliance of WAI systems, networks and employees with the AUP. This audit plan is also intended to address known risks and determine the policy's effectiveness in protecting WAI systems. The result of the audit will serve as a baseline for the continual improvement of the AUP in alignment with WAI business goals.

2. Evaluation

There are several key areas of the AUP that need to be periodically evaluated:

- Policy Review
- Awareness and Training
- Preventive Controls
- Detective Controls
- Corrective Controls

A full set of recommendations will be issued at the completion of the evaluation based on the findings of the audit.
These fact-based findings will spell out new risk exposure, gaps in compliance and other areas of the AUP that contradict or are otherwise misaligned with the most current business goals of WAI as defined by leadership. Each finding will be accompanied by a recommendation on whether to accept that risk, or on how best to implement the controls needed to mitigate or transfer it.

2.1. Policy Review

The AUP is clearly documented, formally reviewed and approved by senior management and the QA team. The purpose and scope should immediately convey why the policy exists. Similarly, each incident of noncompliance should be documented and archived so that a record of individual violations is maintained. The WAI AUP should include language outlining the procedure by which management documents incidents at discovery, as well as distinct language outlining how the security team documents its subsequent review of each incident.

Audit Procedure

1. Review the policy and ensure that it is clearly and adequately defined.
2. Review the approval process and the amendments made to the policy.
3. Inspect whether changes to the policy have been clearly approved and logged.

2.2. Awareness and Training

The most current version of the AUP will be posted on WAI's intranet and be accessible to all WAI employees. All WAI employees and affiliates should receive notifications requiring acceptance of the AUP and complete AUP training before the initial log-in to the WAI network from each device, and again upon the release of each subsequent version of the AUP for devices already accepted. Access to WAI networks will be contingent upon continual active acceptance of the AUP terms on each device used to access WAI information. Active acceptance can be further reinforced by a passive reminder of employee responsibilities on the credential screen at each subsequent log-in.
An electronic record of AUP noncompliance incident documentation should be made available to business unit managers to assist in personnel evaluation and unit-level risk management. A similar record of all AUP documentation should be made available to members of the information security team to better enable the discovery of patterns or triggers common to instances of noncompliance.

Audit Procedure

1. Inspect employee training records to validate the completeness of the training.
2. Interview employees to determine their awareness and understanding of the policy.
3. Inspect a sample of employees' records to validate completion of the AUP training.
4. Assess the alignment of the training with the AUP.
5. Observe the process for notifying managers of incomplete training and review the escalation matrix.

2.3. Preventive Controls

Controls are in place to prevent inappropriate use of WAI systems, resources and data.

Audit Procedure

1. Inspect web browser security settings to determine whether inappropriate websites are blocked, including gambling, gaming, chain-letter and sexually explicit sites.
2. Inspect workstation settings to determine:
   A. whether devices prohibited by the AUP are blocked, and observe the approvals for users who have been granted access;
   B. whether there is a control that prevents unauthorized, unofficial software and applications from being installed;
   C. whether group policies are in place that prevent users from changing specified security-related settings.
3. Inspect file system security settings to determine whether appropriate permissions are set for the users who have access.
4. Inspect whether company-issued devices that contain company data are password protected.

2.4. Detective Controls

Controls are in place to detect inappropriate use of WAI systems, resources and data.

Audit Procedure

1. Inspect monitoring procedures to determine whether inappropriate use is adequately investigated.
2. Inspect system usage logs to determine whether system usage and access are logged with sufficient information.
3. Interview the security manager and inspect samples of inappropriate social media usage, as well as samples of DLP alerts, to determine whether they are appropriately investigated.

2.5. Corrective Controls and Plan of Action

Controls are in place to outline the procedures to follow in the event an employee or contractor uses any portion of the information systems in an unauthorized manner. Any employee who is retained after violating the AUP should be required to complete retraining to further reduce the likelihood of future noncompliance.

Audit Procedure

1. Review the process for escalating inappropriate use to Corporate Security.
2. Review the severity levels defined for investigating security incidents caused by AUP violations.
3. Inspect samples of security tickets to obtain assurance that:
   a. Corporate Security investigates potential inappropriate use according to the defined SLAs;
   b. repeat violators are reported to HR for appropriate action.

3. Conclusion

WAI has created a detailed Acceptable Use Policy with the goal of protecting information systems and other corporate assets from misuse. While the AUP has jump-started an enterprise-wide cultural shift toward mindfulness of security and risk, there are some gaps in the policy which need to be addressed:

1. Have the security team document policy violations and retain them for up to two years in order to review and continuously improve the policy.
2. Increase awareness of the policy by maximizing accessibility through both active and passive exposure.
3. Add more definition to internal roles and responsibilities to ensure each level of the organization understands its specific role in preserving the security and availability of corporate information services.
4. Include security retraining for any employee or associate failing to adhere to the policy, to prevent and reduce future noncompliance and further increase awareness.
5. Designate a fixed periodic review of the policy with the appropriate stakeholders to ensure it is up to date and supports current corporate initiatives.

By implementing these recommendations, WAI will strengthen the risk and security focus across the organization. This renewed focus will help to limit risk exposure and the corresponding costs, and better align the AUP to deliver on critical business goals.

4. Audit Resources and Schedule

Role                      Name
Lead Auditor              Jimmy Jouthe
Auditors                  Brent Easley, Brock Donnelly
IT Manager, Operations    Zhe Wang
IT Manager, Security      Wayne Wilson
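As an added illustration of the evidence that audit procedure 2.4 step 2 (usage logs carry sufficient information) and 2.5 step 3b (repeat violators reported to HR) look for, the script below is example code written for this page; it is not a WAI tool and is not part of the audit plan. It assumes key=value log lines and a minimum field set (timestamp, user, source IP, resource, action, result) that the plan itself does not define; the log lines and the two-violation threshold are constructed for the example. A record that lacks one of those fields cannot be attributed, and the roll-up shows why: the deficient lines are excluded from the per-user count.

```python
"""Added example (not part of the WAI audit plan): a log-completeness check
for audit procedure 2.4 step 2 and a repeat-violator roll-up for 2.5 step 3b.

Assumptions (not stated in the plan): usage logs are key=value lines, and a
record is "sufficient" when it says who (user), when (UTC timestamp), where
from (src_ip), what (resource, action) and the outcome (result).
"""
from collections import Counter
from datetime import datetime

# Fields an auditor would expect in every usage record (assumption, see above).
REQUIRED_FIELDS = ("ts", "user", "src_ip", "resource", "action", "result")

# Constructed sample log lines; not real WAI data.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:01Z user=jdoe src_ip=10.1.4.22 resource=claims-db action=login result=success
ts=2024-03-04T09:15:44Z user=jdoe src_ip=10.1.4.22 resource=gambling.example action=web-request result=blocked
ts=2024-03-04T10:02:10Z user=asmith src_ip=10.1.7.9 resource=usb-storage action=mount result=blocked
ts=2024-03-04T10:05:00Z user=asmith resource=usb-storage action=mount result=blocked
ts=03/04/2024 user=jdoe src_ip=10.1.4.22 resource=gambling.example action=web-request result=blocked
user=bwhite src_ip=10.1.9.3 resource=payroll-share action=read result=denied
ts=2024-03-04T11:30:15Z user=jdoe src_ip=10.1.4.22 resource=casino.example action=web-request result=blocked
"""


def parse_line(line):
    """Split a key=value line into a dict; tokens without '=' are ignored."""
    record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def missing_fields(record):
    """Return the required fields absent from a record, in REQUIRED_FIELDS order."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def has_valid_timestamp(record):
    """True if ts parses as an ISO-8601 UTC timestamp (the assumed log format)."""
    try:
        datetime.strptime(record.get("ts", ""), "%Y-%m-%dT%H:%M:%SZ")
        return True
    except ValueError:
        return False


def audit_log(text):
    """Classify each line as sufficient or deficient and say why.

    Returns (sufficient_records, deficiencies); deficiencies is a list of
    (line_number, reasons) for the records an auditor should flag.
    """
    sufficient, deficiencies = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        record = parse_line(line)
        reasons = [f"missing {f}" for f in missing_fields(record)]
        if "ts" in record and not has_valid_timestamp(record):
            reasons.append("unparseable ts")
        if reasons:
            deficiencies.append((lineno, reasons))
        else:
            sufficient.append(record)
    return sufficient, deficiencies


def repeat_violators(records, threshold=2):
    """Users with at least `threshold` blocked or denied actions among sufficient records.

    This is the evidence behind 2.5 step 3b (repeat violators reported to HR);
    the threshold is an assumption for the example, not a value from the plan.
    """
    counts = Counter(r["user"] for r in records if r["result"] in ("blocked", "denied"))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    good, bad = audit_log(SAMPLE_LOG)
    print(f"{len(good)} sufficient records, {len(bad)} deficient")
    for lineno, reasons in bad:
        print(f"  line {lineno}: {', '.join(reasons)}")
    print("repeat violators:", repeat_violators(good))
```

Run against the constructed sample, lines 4, 5 and 6 are flagged (missing source IP, unparseable timestamp, missing timestamp) and only jdoe reaches the two-violation threshold; the blocked request on line 5 is not counted against jdoe because its timestamp cannot be established, which is exactly the kind of gap step 2.4.2 is meant to surface before step 2.5.3b relies on the log.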