4.2. INFORMATION SYSTEMS SECURITY STANDARDS

Information systems security standards are minimum criteria, rules, and procedures established by senior management that must be implemented to help ensure the achievement of the IS security policy. They are implemented by staff (e.g., system security administrators and users) under the direction of management. Information systems security standards should specify the detailed requirements of each IS control. A few examples of detailed controls that should be specified in the standards would be an eight-character minimum password length, a 30-day password expiration period, and a requirement that passwords be composed of at least two alpha and two numeric characters. Standards should not be specific to any particular computer platform (i.e., make, model, or operating system). Instead, they should be general enough to apply to all existing and proposed information systems that possess some form of logical and/or physical security. Whenever management deems that the standards need to be changed, the changes can be communicated to staff and implemented without the need for the approval of the board of directors. This enables the organization to react more quickly to technological advances that may have weakened preexisting standards.

With regard to auditing, IS security standards provide a management-approved benchmark or baseline against which the adequacy of the controls applied to individual information systems can be assessed. Exhibit 4.2 ...
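The three example controls above (eight-character minimum, 30-day expiration, at least two alphabetic and two numeric characters) turned into code, as an added Python example that is not from the book: one function enforces the composition standard when a password is set, and one audits account records against the expiration standard in the way the baseline idea above describes. The thresholds are taken from the text; the audit date and the account records are constructed sample data.

```python
from datetime import date, timedelta

# Parameters taken from the example controls in the text above.
MIN_LENGTH = 8        # eight-character minimum
MIN_ALPHA = 2         # at least two alphabetic characters
MIN_DIGITS = 2        # at least two numeric characters
MAX_AGE_DAYS = 30     # 30-day expiration period


def check_password_composition(password: str) -> list[str]:
    """Check a candidate password against the composition standard.

    Returns a list of findings; an empty list means the password complies.
    Intended for enforcement at password-set time, not for auditing stored
    credentials (an auditor should never need plaintext passwords).
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} below minimum {MIN_LENGTH}")
    alpha = sum(1 for c in password if c.isalpha())
    digits = sum(1 for c in password if c.isdigit())
    if alpha < MIN_ALPHA:
        findings.append(f"only {alpha} alphabetic characters, need {MIN_ALPHA}")
    if digits < MIN_DIGITS:
        findings.append(f"only {digits} numeric characters, need {MIN_DIGITS}")
    return findings


def password_age_days(last_changed: date, today: date) -> int:
    """Days elapsed since the password was last changed."""
    return (today - last_changed).days


def audit_password_age(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Audit account records against the expiration standard.

    `accounts` is a list of dicts with keys 'user' and 'last_changed' (a date).
    Only the last-change date is needed, so the audit works from account
    metadata alone. Returns a mapping user -> findings for non-compliant
    users only; an empty dict means every account meets the baseline.
    """
    report = {}
    for acct in accounts:
        age = password_age_days(acct["last_changed"], today)
        findings = []
        if age > MAX_AGE_DAYS:
            findings.append(f"password age {age} days exceeds {MAX_AGE_DAYS}-day limit")
        if findings:
            report[acct["user"]] = findings
    return report


# Constructed sample data (not from the book): an audit date and three accounts.
AUDIT_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    {"user": "alice", "last_changed": AUDIT_DATE - timedelta(days=10)},  # compliant
    {"user": "bob", "last_changed": AUDIT_DATE - timedelta(days=45)},    # expired
    {"user": "carol", "last_changed": AUDIT_DATE - timedelta(days=30)},  # on the limit
]


def sample_audit() -> dict[str, list[str]]:
    """Run the expiration audit over the constructed sample accounts."""
    return audit_password_age(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for pw in ("ab12cdef", "abcdefgh", "short1a"):
        print(pw, "->", check_password_composition(pw) or "compliant")
    for user, findings in sample_audit().items():
        print(user, "->", "; ".join(findings))
```

Keeping the thresholds in named constants at the top is what makes the standard platform-neutral in the sense the text describes: when management revises a value, the constant changes and every system that enforces or audits against it follows, without any per-platform rewrite.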
