
Audit & Security Testing

1 Introduction

1.1 Purpose

The purpose of this document is to provide principles that will guide the audit and security testing of processes, services and technology used within the GSOC.

1.2 Scope

The GSOC Audit and Security Testing Policy applies to the following:

  • All processes within the GSOC.
  • Services provided by the GSOC.
  • All hardware and software used to support the GSOC services.

1.3 Audience

All KPMG staff, suppliers and business partners involved with the operations of the GSOC, and representatives from member firms that have opted into the GSOC service shall read and understand this policy document.

A Glossary of the terminology used can be found in the GSOC Information Security Policy [1].

Any exceptions to this policy shall be managed and maintained.

2 Policy Statements

2.1 Scoping

The scope of all audits and security testing activities shall be clearly defined and approved by the GSOC Manager before commencement.

All equipment and infrastructure included in the scope for security testing or audit shall be assessed to determine the impact of such activities on the operation of the GSOC.

All stakeholders that will be impacted by security testing and audit activities, as well as those that must be present, shall be identified in advance, and arrangements shall be made to ensure that they are aware and available when required.

2.2 Scheduling and Timeframes

The GSOC Manager shall identify in writing the allowable dates for any audits and security testing and make the necessary arrangements to facilitate such activities. The only exception is where audits / security testing must be conducted with no advance notice. The Global CISO must be notified in writing of any such audits / security tests.

2.3 Approvals

Any audit or security testing with potential impact on GSOC operations must be approved before the audit / test can proceed.

2.4 Audit / Security Testing Approach

An audit / security testing approach shall be defined prior to any audit / security testing.

2.5 Findings Notification

Audit findings shall be made available to the GSOC Manager and Global CISO.

2.6 Third Party Services

Approval shall be sought from the relevant third party before any audit or security testing is performed on third-party services or infrastructure that are used by the GSOC but lie outside of the GSOC.

3 References