Response needed:
Red Clay Renovations (RCR) is a technology-based company that
relies heavily on technology for business operations. Company
information systems hold data that is critical to business operations.
The Chief Information and Security Officer and the Information
Technology Governance Board have taken great strides in the last year to
enhance the security of the organization while incorporating new
technologies to meet corporate objectives. Policies have been created
that are designed to fill many weak points in the corporate security
structure. The policies were disseminated to all employees and a
signature was required for a validation of receipt and understanding.
There is a need to evaluate whether policies are understood and adhered to by
all employees. A company-wide audit system is necessary to measure
employee awareness of IT security policies. Audit results provide policy
makers and management guidance on the challenges of using information
technology policies (Abou-El-Sood, Kotb, & Allam, 2015).
Audits are designed to provide information to an
organization on the effectiveness of the system audited. Audits can be
conducted by internal teams or outside contractors. It is imperative the
auditors remain impartial in their assessment (Mcdonald, 2000).
Remaining impartial ensures the integrity and accuracy of results. Red
Clay Renovations should utilize their information technology services
and human resources departmental personnel to conduct the internal
audit. Auditors from these departments will be able to solicit honest
responses without having a direct stake in the results.
The employee awareness audit should cover all IT policies
that have been created or revised in the past twelve months. Such
policies include but are not limited to: bring your own device, data
breach response, management and use of social media, website governance,
acceptable use, and preventing and controlling shadow IT policies.
Audits and reviews should be conducted annually. Annual audits will
account for any changes of policies and include company advances in the
use of information technology.
Audits should be conducted onsite at the data gathering
location (Adams, 1999). Onsite audits help the target audience feel most
comfortable and provide honest responses. Audit teams should
schedule times with regional managers and executive staff to conduct
onsite audits. Audits should include a questionnaire designed around
employee responsibilities regarding IT policies. Questionnaires should
be followed up by a short one-on-one interview with an auditor. A
standardized list of interview questions should be developed for
one-on-one interviews. The questions should be designed to assess an employee’s
understanding of company policy objectives and personnel
responsibility.
Audit results should be delivered to the Chief of Staff and
the IT Governance Board. Results can then be disseminated to all
executives that are involved in the policy approval process. Results
should be used to provide a benchmark to measure policy effectiveness.
Audit results should be retained for five years or until no longer
included in the benchmark average.
References
Abou-El-Sood, H., Kotb, A., & Allam, A. (2015). Exploring Auditors’ Perceptions of the Usage
and Importance of Audit Information Technology. International Journal Of Auditing, (3), 252.
doi:10.1111/ijau.12039.
Adams, N. H. (1999). Never Audit Alone–The Case for Audit Teams. Quality
Assurance, 7(4), 195.
Mcdonald, I. G. (2000). Quality assurance and technology assessment: Pieces of a larger puzzle.
Journal Of Quality In Clinical Practice, 20(2/3), 87-94.