Consider your team has been selected by the Chief Information Officer (CIO) to perform an audit of the HR Department.
Create a 10 – to 12-slide presentation (not including the title and reference slides) that discusses the specific audit steps that should be performed to evaluate the following areas:
- Handling of ethical issues, including security related legal/regulatory compliance (non-privacy related), intellectual property and licensing
- Compliance with privacy related laws and regulations
- Adequacy of security policies and security awareness training
- Identification of security related risks/threats
Include a minimum of 2 audit steps for each of the above areas. The audit steps should follow the following format:
- Area: From the list above
Example:Security related risks/threats
- Potential Risk To Be Reviewed: Describe the risk – Example: Viruses and malware can negatively impact the confidentiality, integrity, and availability of organizational data.
- Evaluation of Tools and Methods: Describe the control objective and the specific controls you will evaluate to determine potential risk is mitigated. Please note that typically, there will be more than one control that should be reviewed for a potential risk.
Examples: Determine whether anti-virus software is in use.
Determine whether virus signatures are periodically updated.
Determine whether periodic virus scans are performed.
- Criteria/measures To Be Used: Describe the criteria/measures that you will use to evaluate the adequacy of each area/review step that you review (i.e., what criteria will you use to perform your evaluation/how will you determine that the risk has been mitigated to an acceptable level).
Examples: 100% of servers and PCs have virus software installed
100% of the virus software installed is set to automatically update, including virus signatures.
100% of the virus software installed is set to autoaticaaly perform a scan at least weekly