Appendix A
269
Client Response:
24. Are there any programs that promote security awareness? Are new
employees provided with any orientation to make them familiar with
security policies? Are there any security awareness campaigns?
Guidance:
Security policies are more likely to be followed if they are
properly communicated so employees are aware of them and understand
them. In companies where employees are not aware of company security
policies, awareness programs are critical in educating employees and creating
a culture where information security is an integral part of the business.
Client Response:
25. Does someone own the responsibility of updating security policies as the
business changes? If so, how are the changes communicated?
Guidance:
As business changes, so do the risks. Many of these changes
could warrant changes to the security policy. When discussing this question,
look for whether both business and IT representatives jointly make
and approve changes to the policy and whether the cost of implementing a
security policy is considered. Having both business and IT personnel involved
helps ensure that any changes to policies are feasible from both the
technology and the process perspectives. In addition, this collaboration
also helps ensure that new security measures are cost effective and aligned
with the business requirements.
Client Response:
26. Describe your security architecture.
• Firewall
• Intrusion detection/prevention
• Anti-virus
• Other security architecture — e.g., proxy servers, vulnerability management
Guidance:
The security architecture is a key component in determining
the security posture of a company. The items above are only a few examples
AU1706_book.fm Page 269 Wednesday, July 28, 2004 11:06 AM