Smaller scope audits are grouped together into a general quarterly infosec audit. The general quarterly infosec audit contains the following audits:

Quarterly Audit #1:

  1. Verify that the wireless network passcode has been changed (must be changed every 90 days)
  2. Verify that the unsuccessful login attempt policy is enforced in the OrgChart Now application
  3. Verify 'employee access checklists' are updated and on file as required
  4. Verify correctness of the employee roster - updated artifact on file
  5. Verify correctness of the 'information systems inventory' - updated artifact on file (See System Acquisition for details).

Quarterly Audit #2:

  1. Verify that publicly accessible systems do not contain non-public information
  2. Verify that security awareness trainings are completed and on file as required (Reference Information Security Training)
  3. Verify that background checks are completed and on file as required
  4. Verify confidentiality agreements are completed and on file as required

Larger scope audits are broken out into specific deliverables:

  1. Information Systems Review - Audit Report with Digital Signature that verifies the 'information systems inventory' is updated and that an Information Systems Risk Assessment (Reference System Acquisition) is complete for each system. This includes a 3-year re-review of existing systems when necessary.
  2. Approved Software Inventory - Audit Report with Digital Signature and read-only artifact of current approved software applications that can be installed (e.g. the 'approved software inventory' should be accurate and on file).
  3. Access Control Audit - Audit Report with Digital Signature as artifact (See Access Control Policy and Procedure for details). The current 'information systems inventory' is used as the basis for this audit.
  4. Quarterly Management Review - Audit Report with Digital Signature as artifact (See Management Review for details).
  5. Quarterly Spot Check of Employee Computers - Audit Report with Digital Signature as artifact, covering 3 randomly selected employees (See Access Control Policy and Procedure for details).