Banking, securities and other financial services - Information security guidelines

Banque, valeurs mobilières et autres services financiers — Lignes directrices pour la sécurité de l'information

General Information

Status
Withdrawn
Publication Date
13-Nov-1996
Withdrawal Date
13-Nov-1996
Current Stage
9599 - Withdrawal of International Standard
Start Date
08-Oct-1997
Completion Date
13-Dec-2025
Ref Project

Relations

Technical report
ISO/TR 13569:1996 - Banking, securities and other financial services -- Information security guidelines
English language
57 pages

Frequently Asked Questions

ISO/TR 13569:1996 is a technical report published by the International Organization for Standardization (ISO). Its full title is "Banking, securities and other financial services - Information security guidelines".

ISO/TR 13569:1996 is classified under the following ICS (International Classification for Standards) categories: 03.060 - Finances. Banking. Monetary systems. Insurance. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/TR 13569:1996 has the following relationship with other standards: it is linked to ISO/TR 13569:1997. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/TR 13569:1996 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


TECHNICAL REPORT ISO/TR 13569
First edition 1996-11-15
Banking, securities and other financial services - Information security guidelines
Banque, valeurs mobilières et autres services financiers - Lignes directrices pour la sécurité de l'information
Reference number ISO/TR 13569:1996(E)
Contents
1 INTRODUCTION ..... 1
2 REFERENCES ..... 1
3 EXECUTIVE SUMMARY ..... 1
4 HOW TO USE THIS TECHNICAL REPORT ..... 2
5 REQUIREMENTS ..... 3
6 INFORMATION SECURITY PROGRAMME COMPONENTS ..... 3
6.1 GENERAL DUTIES ..... 3
6.1.1 Directors
6.1.2 Chief Executive Officer
6.1.3 Managers
6.1.4 Employees, vendors, and contractors should:
6.1.5 Legal function
6.1.6 Information Security Officers
6.1.7 Information Systems Security Administration
6.2 RISK ACCEPTANCE ..... 6
6.3 INSURANCE ..... 6
6.4 AUDIT ..... 6
6.5 REGULATORY COMPLIANCE ..... 7
6.6 DISASTER RECOVERY PLANNING ..... 7
6.7 INFORMATION SECURITY AWARENESS ..... 7
6.8 EXTERNAL SERVICE PROVIDERS ..... 8
6.9 CRYPTOGRAPHIC OPERATIONS ..... 8
6.10 PRIVACY ..... 9
7 CONTROL OBJECTIVES AND SUGGESTED SOLUTIONS ..... 9
7.1 INFORMATION CLASSIFICATION ..... 10
7.2 LOGICAL ACCESS CONTROL ..... 10
7.2.1 Identification of users
7.2.2 Authentication of users
7.2.3 Limiting sign-on attempts
7.2.4 Unattended terminals
7.2.5 Operating system access control features ..... 12
7.2.6 Warning
7.3 AUDIT TRAILS ..... 12
7.4 CHANGE CONTROL ..... 13
7.4.1 Emergency problems
7.5 COMPUTERS ..... 13
7.5.1 Physical protection
7.5.2 Logical access control
7.5.3 Change
7.5.4 Equipment maintenance
7.5.5 Casual viewing
7.5.6 Emulation concerns ..... 14
7.5.7 Business continuity
7.5.8 Audit trails ..... 15
7.5.9 Disposal of equipment ..... 15
7.5.10 Distributed computing
7.6 NETWORKS ..... 15
7.6.1 Network integrity
7.6.2 Access control ..... 15
7.6.5 Change ..... 16
7.6.6 Connection with ot
7.6.7 Network mo ..... 16
7.6.10 Audit trails
7.7.10 Property rights
7.7.11 Viruses
7.7.13 Remote control
7.7.14 Software provided to customers
7.8.2 Management
7.8.3 Unauthorized use of
7.10.2 Repudiation
7.10.3 Misdirection of
7.11.1 Authorized users ..... 23
7.11.4 Disclosure ..... 24
7.11.6 Message retention
7.11.7 Message reception
7.12 PAPER DOCUMENTS ..... 24
7.12.1 Modification ..... 24
7.12.2 Viewing ..... 25
7.12.3 Storage facilities ..... 25
7.12.4 Destruction
7.12.5 Business continuity ..... 25
7.12.6 Preservation of evidence ..... 25
7.12.7 Labeling ..... 25
7.12.8 Forged documents
7.12.9 Output distribution schemes ..... 25
7.13 MICROFORM AND OTHER MEDIA STORAGE ..... 25
7.13.1 Disclosure
7.13.2 Destruction
7.13.3 Business continuity
7.13.4 Environmental ..... 26
7.14 FINANCIAL TRANSACTION CARDS ..... 26
7.14.1 Physical security ..... 26
7.14.2 Insider abuse ..... 26
7.14.3 Transportation of PINs ..... 26
7.14.4 Personnel ..... 26
7.14.5 Audit ..... 26
7.14.6 Enforcement
7.14.7 Counterfeit card prevention
7.15 AUTOMATED TELLER MACHINES ..... 27
7.15.1 User identification
7.15.2 Authenticity of information ..... 27
7.15.3 Disclosure of information ..... 27
7.15.4 Fraud prevention
7.15.5 Maintenance and service ..... 27
7.16 ELECTRONIC FUND TRANSFERS ..... 28
7.16.1 Unauthorized source ..... 28
7.16.2 Unauthorized changes ..... 28
7.16.3 Replay of messages
7.16.4 Record retention ..... 28
7.16.5 Legal basis for payments ..... 28
7.17 CHEQUES ..... 28
8 SOURCES OF FURTHER HELP ..... 28
8.1 FINANCIAL SERVICES INSTITUTIONS ..... 28
8.2 STANDARDS BODIES ..... 28
8.3 BUILDING, FIRE, AND ELECTRICAL CODES ..... 29
8.4 GOVERNMENT REGULATORS ..... 29
GLOSSARY OF TERMS ..... 30
ANNEX A SAMPLE DOCUMENTS ..... 34
A.1 Sample Board of Directors Resolution on Information Security ..... 34
A.2 Sample Information Security Policy (High Level) ..... 35
A.3 Sample Employee Awareness Form ..... 36
A.4 Sample Sign-On Warning Screens ..... 37
A.5 Sample Facsimile Warnings ..... 37
A.6 Sample Information Security Bulletin ..... 38
A.7 Sample Risk Acceptance Form ..... 39
ANNEX B BASIC PRINCIPLES FOR DATA PROTECTION ..... 41
ANNEX C NAMES AND ADDRESSES OF NATIONAL ORGANISATIONS ..... 43
INDEX ..... 56

© ISO 1996
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Organization for Standardization
Case postale 56, CH-1211 Genève 20, Switzerland
Printed in Switzerland
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The main task of technical committees is to prepare International Standards, but in exceptional circumstances a technical committee may propose the publication of a Technical Report of one of the following types:
- type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts;
- type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement on an International Standard;
- type 3, when a technical committee has collected data of a different kind from that which is normally published as an International Standard ("state of the art", for example).
Technical reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful.
ISO/TR 13569, which is a Technical Report of type 3, was prepared by Technical Committee ISO/TC 68, Banking, securities and other financial services, Subcommittee SC 2, Strategy, security and general operations.
TECHNICAL REPORT © ISO ISO/TR 13569:1996(E)
Banking, securities and other financial services - Information security guidelines

1 Introduction
Financial institutions increasingly rely on Information Technology (IT) for the efficient conduct of business. Management of risk is central to the financial service sector. Financial institutions manage risk through prudent business practice, careful contracting, insurance, and use of appropriate security mechanisms.

There is a need to manage information security within financial institutions in a comprehensive manner.

This Technical Report is not intended to provide a generic solution for all situations. Each case must be examined on its own merits and appropriate actions selected. This Technical Report is to provide guidance, not solutions.

The objectives of this Technical Report are:
- to present an information security programme structure,
- to present a selection guide to security controls that represent accepted prudent business practice,
- to be consistent with existing standards, as well as emerging work in objective and accreditable security criteria.

This Technical Report is intended for use by financial institutions of all sizes and types that wish to employ a prudent and commercially reasonable information security programme. It is also useful to providers of service to financial institutions. This Technical Report may also serve as a source document for educators and publishers serving the financial industry.

2 References
NOTE - Annex C contains references to national regulations, standards and codes. The list below includes only those documents referenced in the main body of this Technical Report.

International Standards:
ISO 8730:1990, Banking - Requirements for message authentication (wholesale).
ISO 8732:1988, Banking - Key management (wholesale).
ISO 9564-1:1991, Personal Identification Number management and security - Part 1: PIN protection principles and techniques.
ISO 9564-2:1991, Personal Identification Number management and security - Part 2: Approved algorithm(s) for PIN encipherment.
ISO 10126-1:1991, Banking - Procedures for message encipherment (wholesale) - Part 1: General principles.
ISO 10126-2:1991, Banking - Procedures for message encipherment (wholesale) - Part 2: DEA algorithm.
ISO 10202:1991-1996, Financial transaction cards - Security architecture of financial transaction systems using integrated circuit cards (all parts).

National Standards:
ANSI X9/TG-2, Understanding and Designing Checks (USA).

Regulations:
US Office of the Comptroller of the Currency, Banking Circular BC-226 Policy Statement.

Other documents:
Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing.
Code of Practice for Information Security Management.

3 Executive summary
Financial institutions and their senior management have always been accountable for the implementation of effective controls for protecting information assets. The confidentiality, integrity, authenticity, and availability of that information are paramount to the business. As such, it is imperative that these assets be available and protected from disclosure, modification, fabrication, replication, and destruction, whether accidental or intentional. It is imperative for a financial institution to protect the transfer of its assets which are encoded in the form of trusted information.

Business depends more and more on computerized information systems. It is becoming impossible to separate technology from the business of finance. There is increasing use of personal computers and networks, and a greater need than ever for these to work together. In many institutions, more work is done on personal computers and local area networks than on the large mainframes. Security controls for these local computers are not as well developed as controls over mainframes. The security needed for all information systems is growing dramatically. Image systems, digital voice/data systems, distributed processing systems, and other new technologies are being used increasingly by financial institutions. This makes information security even more important to the commercial success or even the survival of an institution.

Security controls are required to limit the vulnerability of information and information processing systems. The level of protective control must be cost effective, i.e., consistent with the degree of exposure and the impact of loss to the institution. Exposures include financial loss, competitive disadvantage, damaged reputation, improper disclosure, lawsuit, or regulator sanctions. Well thought out security standards, policies and guidelines are the foundation for good information security.

Work is ongoing within the US, Canada and the European Community to establish a Common Criteria for the evaluation of information technology products. These criteria coupled with financial sector pre-defined functionality classes will enable financial institutions to achieve uniform, trusted, security facilities. This guideline should be used as an input to that process.

With the continuing expansion of distributed information there is growing interest and pressure to provide reasonable assurance that financial institutions have adequate controls in place. This interest is demonstrated in laws and regulations. An excerpt from the US Office of the Comptroller of the Currency, Banking Circular BC-226 Policy Statement illustrates this concern.

"It is the responsibility of the Board of Directors to ensure that appropriate corporate policies, which identify management responsibilities and control practices for all areas of information processing activities, have been established. The existence of such a 'corporate information security policy,' the adequacy of its standards, and the management supervision of such activities will be evaluated by the examiners during the regular supervisory reviews of the institution."

This Technical Report includes a guideline for building a comprehensive information security programme.

4 How to use this Technical Report
This Technical Report was designed to serve many purposes. This clause provides a "road map" to the remainder of the Technical Report.

Clause 5: Requirements: This clause defines a starting point in building a security programme. It sets out minimum requirements for an adequate information security programme. It may also serve as a measure against which an institution can evaluate the state of its information security programme.

Clause 6: Information security programme components: This clause contains more specific information on how an Information Security Programme should operate. Specific responsibilities are suggested for various officers and functions of an institution. Lines of communication between functions that are considered helpful for sound security practice are identified. This clause can be used by senior officials to ensure that structural impediments to sound security practice are minimized. Information security personnel may also use this clause to evaluate the effectiveness of the information security programme.

Clause 7: Control Objectives and Suggested Solutions: This clause is the heart of this Technical Report. It discusses threats to information in terms specific enough to enable financial personnel to ascertain if a problem exists at their institution, without educating criminals. The first four subclauses address controls common to many delivery platforms: classification, logical access control, change control, and audit trails. Subsequent subclauses address security concerns for information processing equipment, human resources, and those specific to the delivery platform used. Electronic fund transfers and cheque processing subclauses finish this clause.

Clause 8: Sources of further help: This clause lists the types of organisations which may be of assistance to information security professionals. It is intended that this clause be used with Annex C.

Annex A: Sample Documents: This Annex is a collection of ready-to-use sample forms for a variety of information security related purposes.

Annex B: Privacy Principles: This Annex presents a sample set of Privacy Principles.

Annex C: Sources of Further Assistance: This annex lists the names and contact information for national organisations which can be of assistance to Information Security personnel.

5 Requirements
At the highest level, the acceptance of ethical values and control imperatives must be communicated and periodically reinforced with management and staff. Information is an asset that requires a system of control, just as do other assets more readily reducible to monetary terms. Prudent control over the information assets of the institution is good business practice.

The protection of information should be centred around the protection of key business processes. The notion of information and its attributes change within the context of a business process, and security requirements should be examined at each stage of that process.

Developing, maintaining, and monitoring of an information security programme requires participation by multiple disciplines in the organisation. Close coordination is required between the business manager and the information security staff. Disciplines such as audit, insurance, regulatory compliance, physical security, training, personnel, legal, and others should be used to support the information security programme. Information security is a team effort and an individual responsibility.

The basic requirement of this technical guideline is the establishment of an information security programme that:

a. includes an institution-wide information security policy and statement, containing:
   i. a statement that the institution considers information in any form to be an asset of the institution,
   ii. an identification of risks and the requirement for implementation of controls to provide assurance that information assets are protected. Clause 7 of this Technical Report discusses suitable controls,
   iii. a definition of information security position responsibilities for each manager, employee and contractor. Clause 6 of this Technical Report lists suggested responsibilities,
   iv. a commitment to security awareness and education.
b. establishes one or more officer(s) responsible for the information security programme,
c. provides for the designation of individuals responsible for the protection of information assets and the specification of appropriate levels of security,
d. includes an awareness or education programme to ensure that employees and contractors are aware of their information security responsibilities,
e. provides for the resolution and reporting of information security incidents,
f. establishes written plans for business resumption following disasters,
g. provides identification of, and procedures for addressing, exceptions or deviations from the information security policy or derivative documents,
h. encourages coordination with appropriate parties, such as audit, insurance, and regulatory compliance officers,
i. establishes responsibility to measure compliance with, and soundness of, the security programme,
j. provides for the review and update of the programme in light of new threats and technology. For example, the emergence of IT evaluation criteria should assist security professionals in the selection and implementation of standardized security controls,
k. provides for the production of audit records where necessary and the monitoring of audit trails.

6 Information security programme components
Subclause 6.1 addresses the information security responsibilities within the institution. Subclauses 6.2 and beyond address functions related to information security. The controls suggested in this Technical Report are those which enforce or support protection of information and information processing resources. While some of these controls may address other areas of bank governance, this Technical Report should not be viewed as a complete checklist of management controls.

6.1 General duties

6.1.1 Directors
Directors of financial institutions have a duty to the institution and its shareholders to oversee the management of the institution. Effective information security practices constitute prudent business practice, and demonstrate a concern for establishing the public trust. Directors should communicate the idea that information security is an important objective and support an information security programme.

6.1.2 Chief Executive Officer
The Chief Executive Officer, as the most senior officer of the institution, has ultimate responsibility for the operation of the institution. The CEO should authorize the establishment of, and provide support for, an information security programme consistent with recognized standards, oversee major risk assessment decisions, and participate in communicating the importance of information security.

6.1.3 Managers
Managers serve as supervisory and monitoring agents for the institution and the employees. This makes them key players in information security programmes. Each manager should:
- understand, support, and abide by the institution's information security policy, standards, and directives,
- ensure that employees, vendors, and contractors also understand, support and abide by information security policy, standards, and directives, for example, the Code of Practice for Information Security Management,
- implement information security controls consistent with the requirements of business and prudent business practice,
- create a positive atmosphere that encourages employees, vendors, and contractors to report information security concerns,
- report any information security concerns to the Information Security Officer immediately,
- participate in the information security communication and awareness programme,
- apply sound business and security principles in preparing exception requests,
- define realistic business "need-to-know" or "need-to-restrict" criteria to implement and maintain appropriate access control,
- identify and obtain resources necessary to implement these tasks,
- ensure that information security reviews are performed whenever required by internal policy, regulations, or information security concerns.

Examples of circumstances that should trigger such a review include:
- large loss from a security failure,
- preparation of an annual report to the Board of Directors and Audit Committee,
- acquisition of a financial institution,
- purchase or upgrade of computer systems or software,
- acquisition of new communications services,
- introduction of a new financial product,
- introduction of a new out-source processing vendor,
- discovery of a new threat.

Additionally, managers who are "owners" of information should:
- be responsible for the classification of information or information processing systems he controls,
- define the security requirements for his information or information processing systems,
- authorize access to information or information processing systems under his control,
- inform the Information System Security Officer of access rights and keep such access information up-to-date.

NOTE - All business information should have an identified "owner." A procedure for establishing ownership is required to ensure that all business information will receive appropriate protection.

6.1.4 Employees, vendors, and contractors should:
- understand, support, and abide by organisational and business unit information security policies, standards and directives,
- be aware of the security implications of their actions,
- promptly report any suspicious behavior or circumstance that may threaten the integrity of information assets or processing resources,
- keep each institution's information confidential. This especially applies to contractors and vendors with several institutions as customers. This includes internal confidentiality requirements, e.g. Chinese Walls.

NOTE - Security programme components should be incorporated into service agreements and employees' employment contracts.

6.1.5 Legal function
Institutions may wish to include the following responsibilities for the legal department or function:
- monitor changes in the law through legislation, regulation and court cases that may affect the information security programme of the institution,
- review contracts concerning employees, customers, service providers, contractors, and vendors to ensure that legal issues relating to information security are addressed adequately,
- render advice with respect to security incidents,
- develop and maintain procedures for handling follow-up to security incidents, such as preservation of evidence.

6.1.6 Information Security Officers
For the purpose of this Technical Report, we define an Information Security Officer as the senior official or group of officials charged with developing, implementing, and maintaining the programme for protecting the information assets of the institution.

The Information Security Officers should:
- manage the overall information security programme,
- have responsibility for developing Information Security Policies and Standards for use throughout the organisation. These policies and standards should be kept up-to-date, reflecting changes in technology, business direction, and potential threats, whether accidental or intentional,
- assist business units in the development of specific standards or guidelines that meet information security policies for specific products within the business unit. This includes working with business managers to ensure that an effective process for implementing and maintaining controls is in place,
- ensure that when exceptions to policy are required, the risk acceptance process is completed, and the exception is reviewed and reassessed periodically,
- remain current on threats against financial information assets. Attending information security meetings, reading trade publications, and participation in work groups are some ways of staying current with new developments,
- understand the current information processing technologies and the most current information protection methods and controls by receiving internal education, attending information security seminars and through on-the-job training,
- apply management and organisational skills, knowledge of the business, and where appropriate, professional society recognition, in the execution of their duties,
- encourage the participation of managers, auditors, insurance staff, legal staff, and other disciplines that can contribute to information protection programmes,
- review audit and examination reports dealing with information security issues, and ensure that they are understood by management. The officer should be involved in the formulation of management's response to the audit findings and follow up periodically to ensure that controls and procedures required are implemented within the stipulated time frames,
- confirm that the key threats to information assets have been defined and understood by management,
- assume responsibility or assist in the preparation and distribution of an appropriate warning of potentially serious and imminent threats to an organisation's information assets, e.g., computer virus outbreak. See clause A.6 for a sample warning,
- coordinate or assist in the investigation of threats or other attacks on information assets,
- assist in the recovery from attacks,
- assist in responding to customer security issues, including letters of assurance and questions on security. Although a letter of assurance is sent from the institution to the customer, it will often reflect the customer's desires rather than the institution's security policy.

6.1.7 Information Systems Security Administration
Each business unit and system manager must determine the need-to-know access privileges for users within their business sectors and communicate these documented privileges to the administrator. These access privileges should be reviewed periodically and changes should be made when appropriate.

Each information access control system should have one or more Information Systems Security Administrator(s) appointed to ensure that access control procedures are being monitored and enforced. Administrators should operate under dual control, especially for higher level privileges. These access control procedures are described in detail in 7.2.

The Information System Security Administration should:
- be responsible for maintaining accurate and complete access control privileges based on instructions from the information resource owner and in accordance with any applicable internal policies, directives, and standards,
- remain informed by the appropriate manager whenever employees terminate, transfer, take a leave of absence, or when job responsibilities change,
- monitor closely users with high-level privileges and remove privileges immediately when no longer required,
- monitor daily access activity to determine if any unusual activity has taken place, such as repeated invalid access attempts, that may threaten the integrity, confidentiality, or availability of the system. These unusual activities, whether intentional or accidental in origin, must be brought to the attention of the information resource owner for investigation and resolution,
- ensure that each system user be identified by a unique identification sequence (USERID) associated only with that user. The process should require that the user identity be authenticated prior to gaining access to the information resource by utilizing a properly chosen authentication method,
- make periodic reports on access activity to the appropriate information owner,
- ensure that audit trail information is collected, protected, and available.

The activities of the ISSA should be reviewed by an independent party on a routine basis.

6.2 Risk acceptance
Business Managers are expected to follow the institution's information security policy, standards and directives whenever possible. If the manager believes that circumstances of his particular situation prevent him from operating within that guidance, he should either:
- undertake a plan to come into compliance as soon as possible, or
- seek an exception based upon a risk assessment of the special circumstances involved.

The Information Security Officer should participate in the preparation of the compliance plan or exception request for presentation to appropriate levels of management for decision.

The Information Security Officer should consider changes to the information security programme whenever the exception procedure reveals situations not previously addressed.

While a complete treatment of risk management is far beyond the scope of this Technical Report, clause A.7 provides a sample risk acceptance form that identifies relevant factors in making risk acceptance decisions.

6.3 Insurance
In planning the information security programme, the Information Security Officer and business manager should consult with the insurance department and, if possible, the insurance carrier. Doing so can result in a more effective information security programme and better use of insurance premiums.

Insurance carriers may require that certain controls, called Conditions Prior to Liability or conditions precedent, be met before a claim is honored. Conditions Prior to Liability often deal with information security controls. Since these controls must be in place for insurance purposes, they should be incorporated into the institution's information security programme. Some controls may also be required to be warranted, i.e., shown to have been in place continuously since inception of the policy. Business Interruption coverage and Errors and Omissions coverage, in particular, should be integrated with information security planning.

6.4 Audit
The following quotation from the Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing defines the auditor's role as follows:

"Internal auditing is an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation. The objective of internal auditing is to assist members of the organisation in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the
...
