Sunday, June 22, 2014

RYSS–Information Security Policy 2009

 

Information Security Audit Policy

Revised: 06/30/2009

1. Purpose.

Information Security personnel utilize various methods to perform electronic scans of TCCC-RYSS's Networks and Firewalls, or of any system connected to the TCCC-RYSS Information Technology Network.

Information Security personnel are authorized to conduct audits to:

• Ensure integrity, confidentiality and availability of information and resources

• Investigate possible Security incidents

• Ensure compliance with TCCC-RYSS Information Technology Policies and Procedures documentation

• Monitor Authorized User or system activity where appropriate

2. Scope.

This policy covers all computer and communication devices owned or operated by TCCC-RYSS. This policy also covers any computer and communications devices that are connected to the TCCC-RYSS Information Technology Network but may not be owned or operated by TCCC-RYSS. Information Security personnel will not perform Denial of Service or other disruptive activities.

3. Policy.

Authorization to Audit

Only Information Security personnel or other specifically authorized parties may audit devices that are owned by TCCC-RYSS or are connected to the TCCC-RYSS Information Technology Network. Third-party organizations may only perform audits with the explicit written permission of the Information Technology Services department.

Access

Information Security personnel shall be granted access to the following in order to effectively perform audits:

• User level or system level access to any computing or communications device

• Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the TCCC-RYSS Information Technology Network

• Access to work areas (labs, offices, cubicles, storage areas, etc.)

• Access to interactively monitor and Log traffic on the TCCC-RYSS Information Technology Network

Remediation

Information Security personnel will report all results to the appropriate supervisory personnel and will follow up with the processes necessary to resolve any exceptions.

4. Enforcement.

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User, and as such is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.