Audit Planning

Audit assurance and compliance (AAC) policies are a key component of the Information Security Program.

AAC Control Domains

AAC-01: Audit Planning - Auditing Policy

  • AAC-01.1: Do you develop and maintain an agreed upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?


*Policy: Modify Internal Audits, Management Oversight Policy and Procedure, add to P_0018_Information_Security_Audits
*SOP: None
*Audits: None
*Artifacts: Jira
*Systems: Salesforce
*Related Jira Ticket(s): OD-209
*Notes: Will contain overall guidelines for infosec audits

  • AAC-01.2: Does your audit program take into account effectiveness of implementation of security operations?


*Policy: Modify Internal Audits, add to P_0018_Information_Security_Audits
*SOP: None
*Audits: None
*Artifacts: None
*Systems: None
*Related Jira Ticket(s): OD-209
*Notes: Need to decide on KPIs for infosec operations (SSL rating, Pentest Tools results (vulnerability), Pentest results, etc.)

AAC-02: Independent Audits

  • AAC-02.1: Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?


*Policy: P_0018_Information_Security_Audits
*SOP: SOP_0005_Requests_For_External_Audit_Reports
*Audits: None
*Artifacts: Jira (Support Desk)
*Systems: None
*Related Jira Ticket(s): OD-209, OD-211
*Notes: Google states that they simply make it available to customers

  • AAC-02.2: Do you conduct network penetration tests of your cloud service infrastructure at least annually?


*Policy: P_0018_Information_Security_Audits, AU_0003_Annual_IT_Review
*SOP: SOP_0006_Network_Penetration_Testing
*Audits: None
*Artifacts: Pentest Report
*Systems: None
*Related Jira Ticket(s): OD-210, OD-212
*Notes:

  • AAC-02.3: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?


*Policy: P_0018_Information_Security_Audits, AU_0003_Annual_IT_Review, AU_0002_Engineering_Review
*SOP: SOP_0007_Application_Penetration_Testing
*Audits: None
*Artifacts: Pentest Report
*Systems: None
*Related Jira Ticket(s): OD-213, OD-210
*Notes: Need to partner with Chris on best avenues to test and record

  • AAC-02.4: Do you conduct internal audits at least annually?


*Policy: Modify Internal Audits, add to P_0018_Information_Security_Audits
*SOP: None
*Audits: None
*Artifacts: Jira
*Systems: Salesforce
*Related Jira Ticket(s): OD-209
*Notes:

  • AAC-02.5: Do you conduct independent audits at least annually?


*Policy: Modify Internal Audits, add to P_0018_Information_Security_Audits
*SOP: None
*Audits: None
*Artifacts: Jira
*Systems: Salesforce
*Related Jira Ticket(s): OD-209
*Notes: Will contain overall guidelines for infosec audits

  • AAC-02.6: Are the results of the penetration tests available to tenants at their request?


*Policy: P_0018_Information_Security_Audits
*SOP: SOP_0005_Requests_For_External_Audit_Reports
*Audits: None
*Artifacts: Jira (Support Desk)
*Systems: None
*Related Jira Ticket(s): OD-209, OD-211
*Notes: Google states that they simply make it available to customers

  • AAC-02.7: Are the results of internal and external audits available to tenants at their request?


*Policy: P_0018_Information_Security_Audits
*SOP: SOP_0005_Requests_For_External_Audit_Reports
*Audits: None
*Artifacts: Jira (Support Desk)
*Systems: None
*Related Jira Ticket(s): OD-209, OD-211
*Notes: Google states that they simply make it available to customers

AAC-03: Information System Regulatory Mapping

  • AAC-03.1: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?


*Policy: Modify Management Oversight Policy and Procedure, Corporate Compliance Policy and Procedure, add to P_0018_Information_Security_Audits
*SOP:
*Audits: AU_0001_Annual_Management_Review
*Artifacts: None
*Systems: None
*Related Jira Ticket(s): OD-209, OD-207
*Notes: Google states that they simply make it available to customers

Related Documents

  • None