- Are there documented policies or practices, including any employee onboarding guidance?
- What is the level of formality of the security practices in place? Are these verbal conventions, written documents, or something in between?
- What is the understanding by the management and/or staff on common security practices?
- Are there presumptions being made by some staff which are not shared?
- How are any of these implemented / required / verified within existing organizational practice?
- Password expectations (password management, complexity, requirements)
- Entry/exit policies and account management
- Information classification that limits access (e.g. who has access to financial data? partner data?)
- Acceptable use policies (what can and cannot staff do with their work devices)
- Travel policies (VPN usage, etc.)
Specific aspects to explore are:
- Storage: Store documents and files received in secure and encrypted volumes or disks. Be aware of (and avoid using) any insecure temporary locations.
- Communication: Utilize secure communication channels to receive policies and discuss them.
If (through interviews or even the audit agreement process) you have received copies of policies, a thorough review of the written policies is required to assess whether they are being followed, enforced, or have changed since being formalized.
- List of existing agreements and policies and their gaps
- Resources to formalize/expand agreements to policies
- Providing initial support to help the organization decide on and agree to baseline guidance around critical digital security controls, such as an onboarding checklist, entry/exit policies, etc.
Identifying Informal Agreements: The activity aims to assess which kind of informal agreements regarding best practices and security directives are formulated, accessed…
Security Policy Review: The activity aims to understand the organization's internal security policy context, looking for existing policies, understanding how they…
Interviews: The auditor conducts interviews with various staff members to gather information on the organization's risks and capacity. Q&A sessions are…
A Day in the Life: The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software…
References and resources for Organizational Policy Review
- Policy Templates: Organizational Security Policies - Template (AccessNow; available in English and Spanish)
- Policy Templates: Frontline Policies (Open Briefing; available in English and Spanish). See also the associated Knowledge Base with directions on how to use the templates.
- Policy Templates and Process: SAFE AND DOCUMENTED FOR ACTIVISM (English, Spanish; focused on activist organizations)
- Policy Templates: Information Security Policy Templates (SANS)
- Meta-Framework: Cybersecurity Framework (NIST)