IT Audit Policy and Plans
Company Background & Operating Environment
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating homes using “smart home” and “Internet of Things” technologies while maintaining period correct architectural characteristics. Please refer to the company profile for additional background information and information about the company’s operating environment.
Policy Issue & Plan of Action
The corporate board was recently briefed by the Chief Information Officer concerning the company’s IT Security Program and how this program contributes to the company’s risk management strategy. During the briefing, the CIO presented assessment reports and audit findings from IT security audits. These audits focused upon the technical infrastructure and the effectiveness and efficiency of the company’s implementation of security controls. During the discussion period, members of the corporate board asked about audits of policy compliance and assessments as to the degree that employees were (a) aware of IT security policies and (b) complying with these policies. The Chief Information Officer was tasked with providing the following items to the board before its next quarterly meeting:
(a) Issue Specific Policy requiring an annual compliance audit for IT security policies as documented in the company’s Policy System
(b) Audit Plan for assessing employee awareness of and compliance with IT security policies
a. Are employees aware of the IT security policies in the Employee Handbook?
b. Do employees know their responsibilities under those policies?
(c) Audit Plan for assessing the IT security policy system
a. Do required policies exist?
b. Have they been updated within the past year?
c. Are the policies being reviewed and approved by the appropriate oversight authorities (managers, IT governance board, etc.)?
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research this issue (auditing IT security policy compliance) and then prepare an “approval draft” for a compliance policy. You must also research and draft two separate audit plans (a) employee compliance and (b) policy system audit. The audit policy should not exceed two typed pages in length so you will need to be concise in your writing and only include the most important elements for the policy. Make sure that you include a requirement for an assessment report to be provided to company management and the corporate board of directors.
• For the employee compliance assessment, you must use an interview strategy which includes 10 or more multiple choice questions that can be used to construct a web-based survey of all employees. The questions should be split between (a) awareness of key policies and (b) awareness of personal responsibilities in regards to compliance.
• For the policy system audit, you should use a documentation assessment strategy which reviews the contents of the individual policies to determine when the policy was last updated, who “owns” the policy, who reviewed the policy, and who approved the policy for implementation.
Research:
1. Review the weekly readings including the example audit assessment report.
2. Review work completed previously in this course which provides background about the IT Policy System and specific policies for the case study company.
3. Find additional resources which discuss IT compliance audits and/or policy system audits.
Write:
1. Prepare briefing package with approval drafts of the three required documents. Place all three documents in a single MS Word (.doc or .docx) files.
2. Your briefing package must contain the following:
• Executive Summary
• “Approval Drafts” for
o Issue Specific Policy for IT Security Policy Compliance Audits
o Audit Plan for IT Security Policy Awareness & Compliance (Employee Survey)
o Audit Plan for IT Security Policies Audit (Documentation Review)
As you write your policy and audit plans, make sure that you address security issues using standard cybersecurity terminology (e.g. 5 Pillars of IA, 5 Pillars of Information Security). See the resources listed under Course Resources > Cybersecurity Concepts Review for definitions and terminology.
3. Use a professional format for your policy documents and briefing package. Your policy documents should be consistently formatted and easy to read.
4. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count.
5. Common phrases do not require citations. If there is doubt as to whether or not information requires attribution, provide a footnote with publication information or use APA format citations and references.
6. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
Red Clay Renovations Company Profile
Company Overview
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating homes using “smart home” and “Internet of Things”technologies while maintaining period correct architectural characteristics. The company’s primary line of business is Home Remodeling Services(NAICS 236118).Corporate Governance& Management Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock is not publicly traded on a stock exchange.)The company maintains a legal presence (“Corporate Headquarters”) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company has a five member Board of Directors (BoD). The Chief Executive Officer(CEO) and Chief Financial Officer (CFO)each own 25% of the corporation’s stock; both serve on the BoD. The CEO is the chair person for the BoD. The three additional members of the BoD are elected from the remaining stock holders and each serve for a three year term.The BoD provides oversight for the company’s operations as required by state and federal laws.Its primary purpose is to protect the interests of stockholders. Under state and federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit of the stockholders (seehttp://www.nolo.com/legal-encyclopedia/fiduciary-responsibility-corporations.html). The BoDhas adopted a centrally managed “Governance, Risk, and Compliance” (GRC) methodology to ensure that the corporation meets the expectations of stakeholders while complying with legal and regulatory requirements.
The company’s senior management includes the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Operating Officer (COO), Director of Architecture & Construction Services (A&C),Director of Customer Relations(CR),Director of Human Resources (HR), the Director of Information Technology Services (ITS), and the Director of Marketing and Media (M&M). The Director of ITS is dual-hatted as the company’s Chief Information Security Officer (CISO). These individuals constitute the Executive Board for the company and are responsible for implementing the business strategies, policies,and plans approved by the BoD. A separately constituted IT Governance Board is chaired by the Chief Operating Officer. The five directors (A&C, CR, HR, ITS, and M&M) serve as members of the IT Governance board. This board considers all matters related to the acquisition, management,and operation of the company’s information technology resources.The CEO, CFO, and COO have been with the company since it started in 1991. The Directors for A&C, CR, and HR have over 20 years each with the company. The Director for M&M has ten years of service. The Director of ITS / CISO has been with the company less than two years and is still trying to bring a semblance of order to the IT management program –especially in the area of IT security services. This is a difficult task due to the company’s failure to promptly hire a replacement for the previous director who retired two years ago
operations
The Operations Center is the company’s main campus and is located in suburban Baltimore, MD(Owings Mills). The Owings Mills facility houses the company’s data center as well as general offices for the company’s operations. These operations include: accounting & finance, customer relations, human resources, information technology services, marketing, and corporate management. There are approximately 100 employees at the Operations Center. Day to day management of the Owings Mills facility is provided by the company’s Chief Operating Officer (COO).The company’s Chief Executive Officer, corporate counsel, and support staff maintain a presence in the company’s Wilmington, DE offices but spend most of their time at the Owings Mills operations center.Field Offices are located in downtown Baltimore and suburban Philadelphia. Each office has a managing director, a team of 2-3 architects, a senior project manager, a business manager, and an office manager. Support personnel (receptionist, clerks,etc.) are contractors provided by a local staffing services firm. Each office operates and maintains its own IT infrastructure.The company’s architects, project managers, and other support personnel frequently work from renovation sites using cellular or WiFi connections to access the Internet. Many field office employees are also authorized to work from home or an alternate work location (“telework site”) one or more days perweek.
Acquisitions:
s Red Clay acquired “Reality Media Services,” a five person digital media & video production firm in 2015 (NAICS Codes 512110, 519130, and 541430). RMS creates a video history for each residential construction project undertaken by Red Clay Renovations. RMS also provides Web design and social media services for Red Clay Renovations to promote its services. RMS employees work primarily out of their own home offices using company provided equipment (computers, video / audio production equipment). Each employee also uses personally owned cell phones, laptops, digital cameras, and camcorders. While RMS is now wholly owned by Red Clay, it continues to operate as an independent entity. Red Clay senior management is working to change this, however, starting with bringing all IT and IT related resources under the company’s central management. As part of this change, Red Clay has set up a media production facility (“Media Studio”) in its headquarters location which includes office space for RMS personnel. The production facility and RMS operations are under the management control of the Director, Marketing & Media Services.
Legal and Regulatory Environment:
The firm is licensed to do business as a general contractor for residential buildings in three states (DE, MD, PA). The company’s architects maintain professional licensure in their state of residence. The company’s general counsel is licensed to practice law in Delaware and Maryland. The Chief Financial Officer is a Certified Public Accountant (CPA) and licensed to practice in all three states.The company collects, maintains, and stores personal information from and about customers over the normal course of doing business. This includes credit checks, building plans and drawings for homes, and information about a customer’s family members which needs to be taken into consideration during the design and construction phases of a project (e.g. medical issues / disabilities, hobbies, etc.).When renovations are required due to a medical condition or disability, the company works with health insurance companies, Medicare/Medicaid, and medical doctors to plan appropriate modifications to the home and to obtain reimbursement from insurers. This sometimes requires that the company receive, process, store, and transmit Protected Health Information (PHI) generated by medical practitioners or as provided by the customer. The company’s legal counsel has advised it to be prepared to show compliance with the HIPAA Security Rule for PHI for information stored on computer systems in its field offices and in the operations center.Red Clay began offering “Smart Home” renovation services in 2005 (NAICS Codes 541310 and 236118). These services are primarily offered out of the Baltimore and Philadelphia field offices. A large percentage of the company’s “smart home” remodeling work is financed by customers through the Federal Housing Administration’s 203K Rehab Mortgage Insurance program. Red Clay provides assistance in filling out the required paperwork with local FHA approved lenders but does not act process mortgages itself. Red Clay does, however, conduct credit checks on prospective customers and accepts credit card payments for services.
As a privately held stock corporation, Red Clay Renovations is exempt from many provisions of the Sarbanes-Oxley Act of 2002. But, in certain circumstances, i.e. a government investigation or bankruptcy filing, there are substantial criminal penalties for failure to protect business records from destruction or spoliation
Policy System:
The company’s Chief of Staff is responsible for the overall organization and management of the company’s collection of formal policies and procedures (“policy system”). The company’s policies provide guidance to employees and officers of the company (CEO, CFO, and the members of the Board of Directors)with respect to their responsibilities to the company. Policies may be both prescriptive (what “must” be done) and proscriptive (what “must not” be done).Responsibility for writing and maintaining individual policies is assigned to a designated manager or executive within the company. Each policy identifies the responsible individual by title, e.g. Director of Human Resource.
The major policy groupings are:•Human Resources •Financial Management •Information Technology •Employee Handbook •Manager Desk book Selected policies are published as an Employee Handbook and a Manager’s Desk book to communicate them to individual employees and managers and to ensure that these individuals are aware of the content of key policies which affect how they perform their duties.