Overview

An internal audit function has been created to keep a record of various artifacts that demonstrate that our information security policies and procedures are followed properly.

Purpose

To provide artifacts demonstrating that the various audits are being performed on an ongoing basis.

Procedure

The internal audit team is responsible for ensuring that the tasks specified in all information security policies and procedures are being performed as required. Verification of task completion requires that an artifact be generated. The generated artifact can take the form of either a deliverable (e.g. a penetration test report PDF) or a digital signature from the task owner.

Tasks fall into the following categories:

  1. Periodic (e.g. monthly, quarterly, annually)
  2. On demand (e.g. information security training for a new employee)

Artifact Storage

Artifacts are stored using online cloud storage vendors that meet the following criteria:

  1. Failsafe Backups - encrypted, redundant, resilient backup service
  2. Security Control - control over who has access to artifacts, and at what access level (e.g. protects audit information and audit tools from unauthorized access, modification, and deletion)
  3. Audit Logs - logs recording who posted an artifact and when it was posted (e.g. a timestamp)
  4. Certified Compliance - with all of the following: ISO 27001, FedRAMP, and applicable SSAE SOC reports

Audit Retention

Audit records shall be retained for a period of at least one year.

Audit Review

In the event that an audit contains findings that need to be remediated, the internal audit function shall notify IT management. IT management is responsible for determining how an issue is to be remediated, including any use of the Change Control Process.

Monthly Audits and Deliverables

The Monthly InfoSec Audit page details the monthly audits/deliverables.

Quarterly Audits and Deliverables

The Quarterly InfoSec Audit page details the quarterly audits/deliverables.

Annual Audits and Deliverables

The Annual InfoSec Audit page details the annual audits/deliverables.

On-Demand Deliverables

The On-Demand InfoSec Artifacts page details various deliverables that can be generated at any time.

Policy Audit

The Management Oversight Policy and Procedure requires an annual review of this policy.

Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.

Revision 1.0.1 - last updated December 31, 2019