Red Clay Renovation’s (RCR) use and development of Information Technology(IT) has allowed the company to become the internationally recognized and award winning company it is today according to King (2016). While the excessive use of IT by RCR can be credited with the company’s international success, it has also increased the company’s cybersecurity risks according to Winnipeg (2008). The risk faced by RCR and companies like it come in two forms according Winnipeg (2008). Externally, from hackers and other unauthorized sources, seeking to gain access to company’s vital resources for their own gain. Internally, from employees (uneducated or malicious) or weak processes (password policies) that make the company’s critical information vulnerable to compromise. To mitigate this risk RCR has to first identify areas of weakness for when it comes to cybersecurity. This can be formally done by conducting an “audit”. According to Hayes (2003) an audit is when an independent organization performs a formal written assessment of the crucial components of the organization. Hayes (2003) goes on to report that while most companies are accustomed to financial and physical security, they are not so familiar with Information Security audits. RCR IT Governance board, chaired by the Chief Operating Officer (COO), has to be well educated on what an Information Security Audit is and how it is conducted. This brief is designed to help educate the COO and the five directors (A&C, CR, HR, ITS, and M&M) that serve on the IT Governance board on the who, what, when, where and how of the auditing process. The audit that would best fit RCR would be one that assess the employee’s awareness of IT security policies.

Information Security Audits can be conducted internally by RCR IT governance board to keep senior management up to speed on the company’s cybersecurity posture. Proper procedures to conduct a formal Information Security audit should be on hand at all times. According to Beaver (2004), legislation, such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley is forcing companies to scrutinize their IT operations and making External Information Security audit very popular. According to Beaver (2004), RCR should look for the best auditors by considering the following: 1. Don’t dismiss not-technical background candidates, 2. Look for certifications, 3. Look for experience, 4. Look for strong communications skills and 5. Don’t assume a brand name is always better. Beaver (2004) reports that most stakeholders look for reports from external auditing companies before investing in companies like RCR.

According to Hayes (2003), to understand what is covered by an Information Security Audit, RCR IT governance board has to understand the difference between a “penetration test” and Information Security audit. Hayes (2003) goes on to report that a penetration test is a narrowly focused look at a company’s security as it pertains to critical resources. An Information Security Audit is a systematic, measurable technical assessment that will cover all of RCR security policy and practices. An Information Security Audit should seek to measure RCR security policy compliance and recommend solutions to deficiencies found according to Hayes (2003).

Information Security should be a continuous process according to Page (2003). Having a timely, thorough and continuous Information Auditing process is a critical piece of an organization success. Internal audits should be both formal and informal, sporadic and planned. While external audits should be formal and planned.

Information Security Audits should be scope driven according to Winnipeg (2008). This means some audits should encompass all of RCR Information Security processes company wide, while other should be pin-pointed to certain areas of the company. RCR should conduct a formal, externally conducted, enterprise-wide audit of all its IT Security Processes. RCR should follow up with internal, formal and informal audits to ensure the process is continuous.

Information Security Audits should be conducted in accordance with policy and procedures. The procedures to be followed depends on the type of audit being conducted according to Page (2003). Informal self-audits should be conducted according to RCR written policies and procedures. External audits should be done in accordance with the policies and procedures of the independent organization conducting it.

In conclusion, RCR needs to continuously assess its equipment and people to ensure they are and remain compliant with Information Security procedures. Information Security Audits are designed to identify weakness in equipment, procedures and processes that can be exploited by hackers or other unauthorized persons seeking to gain access to critical company resources.

Reference:

Beaver, K. (2004, Sep). Best practices for choosing an outside IT auditor. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/tip/Best-practices-for-choosing-an-outside-IT-auditor

Hayes, B. (2003, May 26). Conducting a Security Audit: An Introductory Overview. Retrieved from symantec.com: http://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview

King, V. J. (2016, March 30). CSIA 413 Case Study for Red Clay Renovations. Retrieved from UMUC.edu: https://learn.umuc.edu/d2l/le/content/170372/viewContent/7211604/View

Page, P. (2003, May 24). Security Auditing A Continuous Process. Retrieved from San.org: https://www.sans.org/reading-room/whitepapers/auditing/security-auditing-continuous-process-1150

Winnipeg. (2008, June). Assessment of Information Security Awareness. Retrieved from Winnipeg: http://www.winnipeg.ca/audit/pdfs/reports/ITSecurityAwareness.pdf