INFORMATION SECURITY AUDIT POLICY

Table of Contents
Document Control
Background
Purpose
Scope
Policy
Enforcement


Document Control

DOCUMENT NAME
Information Security Audit Policy

AUTHORISATION

Reviewed By
Name: Manish Jaiswal
Signature:

Authorised By
Name: Ganesh Raj
Signature:

DISTRIBUTION LIST: Audit Team.

VERSION HISTORY
VERSION | DATE | PREPARED BY | CHANGES & REASONS FOR CHANGE
1.0 | Sep 2002 | Rangarajan | Initial Formulation
1.1 | Oct 2003 | Sanjay Joglekar | Yearly Review and Change
1.2 | Sep 2004 | Manish Jaiswal | Changed the name of the reviewer. Yearly Review
1.3 | Oct 2005 | Manish Jaiswal | Yearly Review
1.4 | Mar 2006 | Manish Jaiswal | Change the name of the approver


Background
1. Information security is achieved through implementing a framework of safeguards that are technical, administrative or managerial. The effective and efficient functioning of all the safeguards is important to achieve security of information in the Company. By corollary, a vulnerability in one part of the organisation may lead to a significant risk in another part of the organisation. Hence, periodic assessments to ensure the effectiveness of security controls are an important part of the information security management system at P&O Ports.
Purpose
2. This policy defines the process of the periodic internal audits and independent assessment by outside specialist agencies for information security at P&O Ports.
Scope
3. This policy applies to all business critical information and information systems in P&O Ports.
Policy
Internal Audits
4. A yearly internal audit will be taken up as per the audit program issued by the Chief Information Security Officer (CISO).
5. The Management Information Security Forum (MISF) will identify suitable objectives for the internal audit as per the policies and in light of any reported incidents or risk perceptions. These would include the assessment of compliance to information security policies, procedures and standards in the identified areas.
6. The audit teams for the internal audits will be identified to ensure that the objectivity of the audits is maintained.
7. The audit teams will obtain objective evidence of their findings and submit their reports to the MISF.
8. The CISO will issue instructions on the closure actions for the audit findings along with the responsibilities and timelines.
9. The concerned personnel will submit a formal closure report within the stipulated time.
Independent Information Security Audits
10. A periodic information security assessment by a competent third party will be mandated by the MISF at least once in two years.
11. The mandated third party will report to the MISF for audit objectives and findings.
Enforcement
12. The audit reports and closure action reports of the internal audits and third party audits will be preserved for a period of three years.
