Administrative IT Controls Review and Testing
Policies are plans or courses of action intended to influence and determine decisions and actions relating to a specific critical component of an organization. They establish that the subject of the policy is a focal point for management, often assign specific responsibilities, and define consequences for failure to follow the policy. They should be integrated at all applicable levels of the organization and should be regularly reviewed and updated to ensure they remain relevant to the business process(es) they control. Policies may be used as the basis for legal action against violators, so they should contain the specific items needed to make them admissible in court. Furthermore, in the event of a security breach, these policies may be used to prove what steps the organization has taken to protect sensitive data and that the organization is in compliance with regulatory or legal requirements.
Work Area: Database Design & Creation, Administrative IT Controls Review and Testing
Focus: The Administrative IT Controls Review and Testing is a broad-spectrum review of the major areas of information systems security. The review compares the organization's current security posture against industry-specific regulatory guidelines or information systems "best practices."
Scope: At a minimum, we review the information systems general controls areas below by examining written policies, procedures and other documentation, interviewing employees and managers in the affected areas, conducting physical inspections, and examining the configuration of network devices, servers and workstations.
Antivirus Administration and Configuration
Physical Security
Data Backup and Recovery
Policies, Procedures and Documentation
Firewall Administration and Configuration
Router Administration and Configuration
Implementation of Recommendations from Previous Information Systems Reviews
Server Administration and Configuration
Network Monitoring and Intrusion Detection
Switch Administration and Configuration
Network Topology
Workstation Administration and Configuration
Patch Management
Results: The anticipated result of the review is a prioritized list of differences between regulatory or best practice requirements and the controls in place at the organization.