Based on what is in your risk assessment, policies, and monitoring plans, create your audit checklist. An audit tells you if you did what you said you were going to do. This checklist should include at least 20 items that will be checked during a standard audit. Create a table with four columns. The title for each column should be as follows:
- Audit Item (under this header, list the 20 items that will be checked)
- Item Described
- Source
- Audit Criteria
For the Item Described column, include a sentence or two about the item being audited. The Source column should state where this control came from (such as a policy, a risk-assessment finding, or a monitored control). For the Audit Criteria column, state what the auditor should look for, including the acceptable ranges or thresholds that define a pass.
Determine whether any improvement is possible on the existing controls and processes, and provide a 10-step high-level assessment approach. As you create the assessment plan, keep in mind that an assessment looks for ways to continuously improve, whereas an audit only confirms that you did what you said you would do.
Provide 10 bullet points describing the approach the company would take to conduct a self-assessment.
The following are examples:
- Review what tools may be available that would provide the existing security controls more effectively.
- Review what tools could consolidate two or more existing tools.
- Review trends in incidents or user requests to identify where different processes are needed.
Submit all sections of your Enterprise Security Strategy Plan.