Information security plans are the rubrics for how an organization handles the CIA triad (confidentiality, integrity, availability) with regard to its information assets, so they are fairly important. In researching best practices for information security plan audits, I came across two articles that offer some best practices for handling audit schedules. The first article, Security audit action list for CIOs by Ed Tittel, offers a number of best practices for security policy reviews, physical security audits, and penetration testing. The article suggests doing regular testing to identify security vulnerabilities, both physical and digital. It is the author's opinion that an audit be completed at least annually in all areas, as well as whenever any new technology, policy or system is introduced or changed. According to the article, event-driven audits are an opportune time to identify inefficiencies or problems in a process or information system.
The popular anti-malware company Symantec published its own discussion of the information security plan audit. In that post, the author explains the value of security plans, the importance of pre-audit homework (understanding the issues facing your network, data, assets, etc.), and communication (Hayes, 2003). I believe that auditors often forget that communicating with the affected departments throughout the process will help illuminate additional details, educate individuals about threats and how they can help prevent intrusions, and improve the efficiency of the process.
Hayes, B. (2003). Conducting a security audit: An introductory overview. Symantec. Retrieved from http://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview
Tittel, E. (2003). Security audit action list for CIOs. TechRepublic. Retrieved from http://www.techrepublic.com/article/security-audit-action-list-for-cios/5054775