ABSTRACT

Auditors are not in the business of catching people failing at their jobs; they are there to provide answers to unsolved problems and questions of security. The audit committee may be the same individuals in charge of auditing, or it may be an advisory committee formed to assist with the process of deciding on important security issues relevant to the auditing process. Having different sets of security standards for each department within an organization essentially creates an environment where the least secure method of doing business prevails. With regard to auditing security, the organization’s security policy is the set of rules with which employees must comply. The security policy is the document to which all security audits must be accountable. The security policy should include an overview of the organization’s security philosophy, a formal and complete risk analysis, and a list of all currently implemented security controls.