Chidinma Agwu
CISS 3362- Security Policy
Dr. Ahmad Al-Omari
Practice Assignment
Nonconformity
Written amendments to the cable routing tables
did not demonstrate any formal authorization.
Network change requests were not available to
support the amendments.
In the archives, completed loan application and
sanction forms were found to be badly damaged
due to the poor state of the roof.
A written instruction requires all employees to
inform the Security Manager if they see
equipment without the appropriate asset
inventory tag. Not all personnel interviewed were
aware of this requirement.
At the time of the audit, the process for reviewing
compliance with security policies and
standards/procedures had not been
implemented. The audit plan, yet to be started,
did identify that compliance checks will be carried
out to ensure compliance with legal requirements
is being achieved and maintained.
Procedures within the data center did not detail
the steps to be followed in the event of a major
systems failure; however, the operator on duty at
the time of the audit said that he had been
instructed to contact the duty manager.
Security conditions had not been addressed in the
following contracts with suppliers:
 TB - telecommunications provider
 SED - responsible for running IT
operations
The current testing standard version 1.1 does not
currently state that a Security Test Plan has to be
This study source was downloaded by 100000830769998 from CourseHero.com on 04-15-2022 09:39:19 GMT -05:00
https://www.coursehero.com/file/48446175/CISS-3362-Practicedocx/
Control
A.12.5.1- Change control procedures;
The implementation of changes shall be
controlled by the use of formal change control
procedures.
A.15.1.3- Protection of organizational records;
Important records shall be protected from loss,
destruction and falsification, in accordance with
statutory, regulatory, contractual, and business
requirements.
A.7.2.2- Information labeling and handling;
An appropriate set of procedures for information
labeling and handling shall be developed and
implemented in accordance with the classification
scheme adopted by the organization.
A.15.2.1- Compliance with security policies and
standards;
Managers shall ensure that all security procedures
within their area of responsibility are carried out
correctly to achieve compliance with security
policies and standards.
A.13.1.1- Reporting information security events;
Information security events shall be reported
through appropriate management channels as
quickly as possible.
A.8.1.1- Roles and responsibilities;
Security roles and responsibilities of employees,
contractors and third party users shall be defined
and documented in accordance with the
organization’s information security policy.
A.12.2.1- Input data validation;
Security roles and responsibilities of employees,
 compiled; therefore not ensuring that security is contractors and third party users shall be defined
build into the system. and documented in accordance with the
organization’s information security policy.
While speaking with the network administrator it A.10.10.4- Administrator and operator logs;
became apparent that the firewall routinely fell System administrator and system operator
over every Friday morning. These incidents were activities shall be logged.
not recorded in the Security Incident Log. When
questioned, the administrator said he knew about
the problem; therefore, there was no need to
record it in the log.
Procedures state that no software unless provided A.12.4.1- Control of operational software;
by corporate IT must be loaded onto the network There shall be procedures in place to control the
without the prior permission of the IT manager. installation of software on operational systems.
The marketing department was using a new data
analysis tool, which was sent to them direct from
the developers after their agreement to take part
in the testing of the new tool in return for a free
copy of the finished product.

Files containing confidential information on five

major clients could not be found within records.
The filing clerk stated that they had probably been
taken home by one of the staff and not yet been
returned. The clerk also said that they could not
take any further action and would wait until the
files were returned.

Security Procedure CIA12 requires that suitability
identity checks by undertaken for all employees.
No objective evidence to support this process was
observed in the case of the security guard, the
receptionist, and the systems administrator; the
latter being the brother of the wife of the
Managing Director.
A.11.5.2- User identification and authentication;
All users shall have a unique identifier (user ID) for
their personal use only, and a suitable
authentication technique shall be chosen to
substantiate the claimed identity of a user.

A common password was used throughout the A.11.3.1- Password use;

organization to gain access to Microsoft office Users shall be required to follow good security
software. This was used to save time in issuing practices in the selection and use of passwords.
and reissuing passwords to 500 users in the
network

This study source was downloaded by 100000830769998 from CourseHero.com on 04-15-2022 09:39:19 GMT -05:00

https://www.coursehero.com/file/48446175/CISS-3362-Practicedocx/
Powered by TCPDF (www.tcpdf.org)