What does data governance refer to in IT systems?
A staff auditor prepared audit procedures with the objective of obtaining an understanding of how Smith Company communicates information to improve security knowledge and awareness in its organization. The staff auditor's procedures, however, have not been submitted for review to the senior auditor. Using the staff auditor's draft of audit procedures included below, review each procedure to ensure that it meets the objective of the audit.

Client – Smith Company
Audit Program – Security Knowledge and Awareness
Audit Objective – Obtain an understanding of how the organization communicates information to improve security knowledge and awareness in its organization and to model appropriate security behaviors to personnel.

Audit Procedures:
#1 Review Training Materials
#2 Review Incident Reports
#3 Evaluate Follow-Up Mechanisms
#4 Questionnaire
Smith Company has contracted with your firm to conduct an Information Security Assessment. Smith has supplied a recent incident report and an overview of its information security policy. A staff auditor has prepared a security knowledge and awareness audit strategy. The staff auditor's strategy, however, has not been submitted for review to the senior auditor. Using the materials included in the exhibits, select from the option list provided the best answer for each question below.

Exhibits-1.docx

Questions:

What is the best order to perform the evaluation procedures identified below?
A. Test staff knowledge
B. Interview management and staff
C. Review training materials
D. Evaluate follow-up mechanisms
E. Review incident reports

Which step when performing evaluation procedures best associates with the following statement: "Provides insights into potential gaps in security knowledge and awareness."

What aspect of IT risk management is not addressed in the IT policies?

In the Information Assurance Incident Report, what insight was provided regarding potential gaps in security knowledge and awareness?