WeCareAutoInsurance-Audit-Plan Team-5

We Care Auto Insurance
Policy Library
Computer Systems Acceptable Use
Audit Plan
We Care Auto Insurance Policy Library
Table of Contents
WeCare Auto Insurance Acceptable Use Policy
Audit Plan
1. Purpose
2. Evaluation
   2.1. Policy Review
        Audit Procedure
   2.2. Awareness and Training
        Audit Procedure
   2.3. Preventive Controls
        Audit Procedure
   2.4. Detective Controls
        Audit Procedure
   2.5. Corrective Controls and Plan of Action
        Audit Procedure
3. Conclusion
4. Audit Resources and Schedule
WeCare Auto Insurance Acceptable Use Policy
Audit Plan
1. Purpose
The purpose of this audit plan is to perform a thorough audit of the WeCare Auto Insurance
(WAI) Acceptable Use Policy (AUP). The scope is to evaluate and measure the level of
compliance of WAI systems, networks and employees with the AUP. This audit plan is
also intended to address known risks and determine the policy's effectiveness in protecting
WAI systems. The result of the audit will serve as a baseline for the continual improvement
of the AUP in alignment with WAI business goals.
2. Evaluation
There are several key areas of the AUP that need to be periodically evaluated:
- Policy Review
- Awareness and Training
- Preventive Controls
- Detective Controls
- Corrective Controls
A full set of recommendations will be issued at the completion of the evaluation based on
the findings of the audit. These fact-based findings will spell out new risk exposure, gaps in
compliance and other areas of the AUP that contradict or are otherwise misaligned with the
most current business goals of WAI as defined by leadership. Each finding will be
accompanied by a recommendation on whether to accept that risk or on how best to implement
the controls necessary to mitigate or transfer it.
2.1. Policy Review
The AUP should be clearly documented, formally reviewed and approved by senior
management and the QA team. The purpose and scope should immediately convey why the
policy exists. Similarly, each incident of noncompliance should be documented for the
record and to maintain a history of individual violations. The WAI AUP should
include language outlining the procedure by which management documents
incidents at discovery, as well as distinct language outlining how the security team
documents its subsequent review of each incident.
Audit Procedure
1. Review the policy and ensure that it is clearly and adequately defined
2. Review the approval process and amendments of the policy
3. Inspect whether changes to the policy have been clearly approved and logged
2.2. Awareness and Training
The most current version of the AUP will be posted on WAI's intranet and be
accessible to all WAI employees. All WAI employees and affiliates should receive
notifications requiring acceptance of the AUP and complete AUP training before the
initial log-in from each device to the WAI network, and again upon the release of each subsequent version
of the AUP for devices already accepted. Access to WAI networks will be contingent upon
continual active acceptance of the AUP terms on each device used to access WAI
information. Active acceptance can be further reinforced by a passive reminder of
employee responsibilities on the credential screen at each subsequent log-in.
An electronic record of AUP noncompliance incident documentation should be made
available to business unit managers to assist in personnel evaluation and unit-level risk
management. A similar record of all AUP documentation should be made available to
members of the information security team to better enable the discovery of patterns or
triggers common to instances of noncompliance.
Audit Procedure
1. Inspect employee training records to validate the completeness of the training
2. Interview employees to determine their awareness and understanding of the
policy
3. Inspect a sample of employee records to validate completion of the AUP training
4. Assess the alignment of the training content with the AUP
5. Observe the process for notifying managers of incomplete training and review the
escalation matrix
2.3. Preventive Controls
Controls are in place to prevent inappropriate use of WAI systems, resources and data.
Audit Procedure
1. Inspect web browser security settings to determine if inappropriate websites are
blocked, including gambling, game playing, chain letters, and sexually explicit content;
2. Inspect workstation settings to determine:
A. Whether devices prohibited by the AUP are blocked, and observe approvals
for those who have been granted access;
B. Whether there is a control to keep unauthorized, unofficial software and applications
from being installed;
C. Whether group policies are in place to prevent users from changing security-related
settings.
3. Inspect file system security settings to determine if appropriate permissions are
set up for users who have access;
4. Inspect whether company-issued devices that contain company data are password
protected.
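The following script is an added example and is not part of the WAI audit plan. It collects evidence for the four workstation checks above on a Windows 10/11 endpoint and records a PASS/FAIL per check so the auditor has a repeatable artifact rather than screenshots. Everything environment-specific is an assumption: that Chrome is the managed browser, AppLocker is the software-installation control, BitLocker is the disk-protection control, the approved local administrator set, the 15-minute screen-lock threshold, and the share path `\\fileserver\Claims`. Run it elevated as the audited user; a control that is absent is reported as NotPresent/FAIL instead of stopping the script.

```powershell
# Added example (not part of the WAI audit plan): evidence collection for the
# section 2.3 workstation checks. Assumptions are marked inline.
$findings = [System.Collections.Generic.List[object]]::new()

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Add-Finding {
    param([string]$Check, [string]$Expected, $Observed, [bool]$Pass)
    $findings.Add([pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Check    = $Check
        Expected = $Expected
        Observed = if ([string]::IsNullOrEmpty("$Observed")) { 'NotPresent' } else { "$Observed" }
        Result   = if ($Pass) { 'PASS' } else { 'FAIL' }
    })
}

# Check 1: browser blocking. Assumes Chrome; the URLBlocklist policy key holds
# one numbered string value per blocked pattern.
$blockKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\URLBlocklist'
$blocked = @()
if (Test-Path $blockKey) {
    $blocked = (Get-ItemProperty $blockKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}
Add-Finding 'Browser URL blocklist configured' 'one or more patterns' ($blocked -join ';') ([bool]$blocked)

# Check 2A: prohibited devices. Deny_All = 1 under RemovableStorageDevices is
# the "All Removable Storage classes: Deny all access" policy.
$rsDeny = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
Add-Finding 'Removable storage denied by policy' '1' $rsDeny ($rsDeny -eq 1)

# Check 2B: unauthorized software. Per-user MSI installs disabled, and the
# effective AppLocker EXE rule collection in Enabled (not AuditOnly) mode.
$disableUser = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'DisableUserInstalls'
Add-Finding 'Per-user MSI installs disabled' '1' $disableUser ($disableUser -eq 1)
$exeMode = $null
$policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
if ($policyXml) {
    [xml]$doc = $policyXml
    $exeMode = ($doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }).EnforcementMode
}
Add-Finding 'AppLocker EXE rules enforced' 'Enabled' $exeMode ($exeMode -eq 'Enabled')

# Check 2C: users cannot change security settings. The strongest single
# indicator is that the user is not a local administrator; the approved set
# below is an assumption.
$approvedAdmins = @('Administrator', 'WAI\Workstation Admins')
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name -replace "^$env:COMPUTERNAME\\", '' }
$extra = @($admins | Where-Object { $approvedAdmins -notcontains $_ })
Add-Finding 'Local Administrators limited to approved set' ($approvedAdmins -join ';') ($admins -join ';') ($extra.Count -eq 0)

# Check 3: file system permissions. Flags Allow ACEs that give broad groups
# write-level rights on a representative share (path is an assumption).
$share = '\\fileserver\Claims'
$acl = Get-Acl -Path $share -ErrorAction SilentlyContinue
$broad = @()
if ($acl) {
    $broad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users' -and
        $_.FileSystemRights -match 'FullControl|Modify|Write'
    } | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" })
}
Add-Finding "No broad write access on $share" 'none' ($broad -join ';') ([bool]$acl -and $broad.Count -eq 0)

# Check 4: device password protection. Screen lock required within 15 minutes
# (threshold is an assumption) and the system drive protected by BitLocker.
$saverSecure = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaverIsSecure'
$saverTimeout = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaveTimeOut'
Add-Finding 'Screen lock requires password within 15 min' 'ScreenSaverIsSecure=1, timeout<=900' "$saverSecure/$saverTimeout" `
    ($saverSecure -eq '1' -and $saverTimeout -and [int]$saverTimeout -le 900)
$bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Finding 'System drive protected by BitLocker' 'On' $bde.ProtectionStatus ("$($bde.ProtectionStatus)" -eq 'On')

$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "AUP-2.3-$env:COMPUTERNAME.csv"
```

The CSV per host is the audit working paper; a FAIL on checks 2A or 2B should be cross-checked against the exception approvals called for in item 2A before being written up, since an approved exception is a finding about the approval process rather than about the control.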
2.4. Detective Controls
Controls are in place to detect inappropriate use of WAI systems, resources and data.
Audit procedure
1. Inspect monitoring procedures to determine if inappropriate use is adequately
investigated;
2. Inspect system usage logs to determine if system access and usage are logged with
sufficient detail (who, what, when, and from where) to support an investigation;
3. Interview the security manager and inspect samples of inappropriate social media
usage as well as samples of DLP alerts to determine that they are appropriately
investigated.
2.5. Corrective Controls and Plan of Action
Controls are in place to outline the procedures to follow in the event an employee or
contractor uses any portion of the information systems in an unauthorized manner.
Mandatory retraining should be required for any employee who is retained after violating the AUP,
to further reduce the likelihood of future noncompliance.
Audit procedure
1. Review processes for escalating inappropriate use to Corporate Security;
2. Review the severity levels defined for investigating security incidents caused by AUP
violations;
3. Inspect samples of security tickets to obtain assurance that:
a. Corporate Security is investigating potential inappropriate usage according to
defined SLAs;
b. Repeat violators are reported to HR for appropriate action.
3. Conclusion
WAI has created a detailed Acceptable Use Policy with the goal of protecting information
systems and other corporate assets from misuse. While the AUP has jumpstarted an
enterprise-wide cultural shift to be mindful of security and risks, there are some gaps in the
policy which need to be addressed:
1. Have the security team document and store policy violations for up to two years in
order to review and continuously improve the policy.
2. Increase awareness of the policy by maximizing accessibility through both active and
passive exposure.
3. Add more definition to internal roles and responsibilities to ensure each level of the
organization understands their specific role in preserving the security and availability
of corporate information services.
4. Include security retraining for any employee or associate failing to adhere to the
policy to prevent and reduce future noncompliance issues and further increase
awareness.
5. Designate a fixed periodic review of the policy with the appropriate stakeholders to
ensure it is up-to-date and supports current corporate initiatives.
By implementing these recommendations, WAI will strengthen the risk and security focus
across the organization. This renewed focus will help to limit risk exposure and its corresponding
costs, and better align the AUP to deliver on critical business goals.
4. Audit Resources and Schedule
Lead Auditor: Jimmy Jouthe
Auditors: Brent Easley, Brock Donnelly
IT Manager, Operations: Zhe Wang
IT Manager, Security: Wayne Wilson