Computer Systems, Networks, Intellectual Property Protection: Audit Policy

Note: "Senior Management" needs to be more well-defined (for reporting purposes).

-------------------------------------------------------------------------
updated: 18Jan02 by: Bill Schell
-------------------------------------------------------------------------
draft-version 0.64 - dated: 15 June, 2000
written by: Bill Schell
==========================================================================

1.0) Introduction:

This document sets policy regarding "Computer Audits". It covers formal audits (conducted by a Corporate Audit group) as well as informal / self / internal audits of computer systems, network security, intellectual property held on computer systems and networks, and "physical" security.

1.1) Purpose:

The purpose of having a Computer Audit Policy is to provide consistency across operations in the application of standard audit criteria, with the aim of protecting the intellectual property over which we have control and preventing its theft, misuse and/or corruption.

1.2) Scope:

This policy applies to all operations worldwide, and to all personnel employed by or contracted to this organization.

2) Audit Policy Description:

2.1 Basic components of Audits:

Several basic subject areas will be covered in any Computer Audit of a business unit, whether "formal" or "informal". All business units shall comply in these audit areas at all times, whether or not an audit is scheduled:

** basic OS (Windows, Unix, etc.) security
** WAN router ACLs (sometimes implemented in an external firewall)
** Web access controls (proxy-gateway monitoring, maintenance, record-keeping / discipline)
** Backup & recovery tasks / documentation / off-site storage
** Disaster Recovery Planning (details at: http://security.mot.com/DR/)
** Physical security of computers, servers, network equipment, etc.
** Annual Network Architecture Review & record-keeping & follow-up & budget-cycle

Any or all of these sub-sections may be audited at any time; however, all sub-sections are expected to be in compliance at all times. General information on this set of sub-sections, with text explanations and scoring charts for self-audits / check-audits, may be obtained at:
http://nextoy.gsd.mot.com/VANC/AuditCC/AuditCC.html
and/or
http://www.spb.mot.com/~bill/VANC/AuditCC/AuditCC.html

2.2 Formal Audit Process (initiated, conducted & scored by the Corporate Audit Committee, a division of the Corporate Finance functional group):

All GSD centers and sites will follow the standard Motorola audit guidelines spelled out in this set of documents, but are not limited to them:

EISS: http://security.mot.com/EISS/
SIC:  http://finance.corp.mot.com/Corp_Finance/Corp_Audit/SIC/default.html
      specifically for computing, sub-section 8, whose web-site is:
      http://finance.corp.mot.com/Corp_Finance/Corp_Audit/SIC/L._8.0_Computer_Systems.html
SOP:  http://cfr.corp.mot.com/sops/SOP/

Any business unit MAY impose stricter guidelines than those set out by corporate policy or process. Corporate Audit will typically audit sites about once every 2 years.

2.3 Informal / internal / 'self' audits by senior GSD Computing staff & their assignees / designees:

2.4 Frequency of Computer Audits:

The minimum frequency of assessments within GSD will be once per year for self / internal audits, with a proctor from senior GSD Computer staff or their assignees / designees. The frequency of Corporate "formal" audits is at the discretion of the Corporate Audit Committee.

2.5 New Centres:

New computer & network staff will be trained on the audit requirements, the documentation templates, and the logic / reasoning / business justifications behind them, by a senior existing Global Networks staff member, within 3 months of hiring. Similar training will be provided to new centre MDs within 3 months of hiring.

2.5.1 Newly acquired centres will have an informal assessment within 3 months of being acquired or adopted; the newly-acquired centre's staff will receive their training at the same time.

2.5.2 Newly created "satellite" centres (second and additional centres in any country) will be considered a separate entity for the purposes of audit (because Corporate Finance will also consider them a separate entity). The responsibility for training & compliance will be solely borne by the first / major centre in that country. However, that centre can request support from senior GSD Computer staff, who must comply within 3 months of the request.

2.5.3 New centres & newly-acquired centres are required to have at least two proctored or assisted (by senior GSD Computer staff) audits within the first 24 months of operation, and thereafter are expected to be able to execute "self-audits", which should prepare them for internal or external audits. Any site (old or new) may request "check" or "dry-run" audits (see item 2.7 below) at any time, and should (if scheduling is not onerous) receive that check-audit within 3 months of the request.

2.6 Results of audits:

Any centre that does not receive a 'pass' score on all audit-points checked during an audit (note that not all sub-sections may be checked) must submit a 'correction plan' within 30 days to both senior management & the auditors. Progress on the correction plan (open & completed items) must be reported to senior management & the auditors every thirty days until all outstanding items are completed.

2.7 "Dry-run" or "check" audits:

These are required to be done, in conjunction with new-centre site staff and/or staff from other centres (senior GSD Computer staff and their assignees or designees), whenever requested, providing scheduling is not onerous, within 3 months of the request.

2.8 spare

2.9 spare

---------------------------------------------------------------------
updated: 18Jan02 by: Bill Schell (now version 1.2)
version 0.8 (draft for comment) by: Bill Schell; as of 1 June 2000
----------------------------------------------------------------------