The purpose of this sample audit work program is to determine whether the right security policies exist. For those policies that do exist, the objective is to determine whether they cover the necessary issues and are disseminated to the right people.

Project work steps covered in this document include: pre-engagement preparation, internet access and security, data confidentiality, email, voicemail, personal computer controls, local area network (LAN), electronic data, social engineering, and miscellaneous procedures. This document can be used as a general guide to understand and review processes when performing an assessment of security policies.