Dear The Management Committee of XYZ Company (“XYZ”):
The purpose of this letter is to set out the basis on which we are to act as Information System auditors of XYZ and the respective areas of responsibility of XYZ's Management Committee ("MC") and of ourselves.
Any organization that depends on technology in the conduct of its business needs evidence that such technology is efficiently and securely managed. A security policy is a set of vital mechanisms by which XYZ's security objectives can be defined and attained. These key information security objectives should consist of:

Confidentiality: to ensure that only the people who are authorized to have access to assigned areas are able to do so. It is about keeping valuable information only in the hands of those people who are intended to see it.

Integrity: to maintain the value of log information, which means that it is protected from unauthorized modification. Log information only has value if we know that it is correct. A major objective of security policies is thus to ensure that log information is not modified, destroyed or subverted in any way.

Availability: to ensure that all utilities and systems are available and operational when they are needed. A major objective of an access security policy must be to ensure that utilities information is always available to support critical business processing.

The purpose of this audit is to evaluate the access and security internal controls related to XYZ and to assess whether there are internal control weaknesses that could allow errors and irregularities to go undetected.
Based on an initial risk-based assessment plus a discussion with the client, the scope has been defined as the 3rd floor VIP rooms and all access points to those rooms. The QTTR audit team has categorized the audit area into three main sections for convenience. Those sections are defined as follows:
1. Outside:
a. Golf putting area
b. Helicopter and helipad
d. Stairs from rooftop
2. Building entrance:
a. 1st floor lobby
d. 3rd floor VIP lobby
3. VIP rooms:
a. Rooms inside the doors from patio/VIP rooms
The audit evaluated the 3rd floor security and access related policies and procedures by reviewing written documentation, reviewing XYZ authorized staff information and observing physical access points. Using Second Life (TFL Island), avatars were analyzed to ensure that system authorization and (physical) access privileges are being enforced on a timely basis. In addition, the keycard system was reviewed to ensure that personnel access levels were appropriate for the sample of employees selected. The audit was conducted in accordance with Generally Accepted Auditing Standards.
The objectives of our audit are to evaluate security and assess the strengths and weaknesses of XYZ's security and access controls XYZ-wide, addressing confidentiality, integrity, and availability. We will use professional judgment in determining the standards that apply to the work to be conducted. If this engagement will not satisfy the requirements of all audit report users, laws, and regulations, we will notify you as soon as this comes to our attention. The specific objectives are:
1. To determine if adequate administrative security controls, such as policies and procedures, are in place to deter unauthorized access, alteration, theft, or physical damage to utilities or properties.
2. To determine if adequate physical and logical security controls are in place to restrict access by unauthorized users to specified sections, and to determine whether essential security functions are being addressed effectively.
We will also evaluate the scope of the information security management organization. This audit is not designed to replace or focus on audits that provide assurance of specific configurations or operational processes. As part of our normal audit procedures, we may request...