Status: Live
If audits are outsourced, the organization will review the contracts to confirm that they require any information pertaining to the institution to be kept confidential. [UCF ID 01194]
Supporting and supported controls
This control directly supports:
- Review of external auditor outsourcing contracts and engagement letters [UCF Control ID 01189]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Audit, August 2003, Pg 22, Exam Tier I Obj 11.2; NYSE Listed Company Manual, § 202.01; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.250(e); The Standard of Good Practice for Information Security, SM3.1.3(c), CB5.2.4(b), CI5.3.4(b), NW4.3.4(b), UE2.3.6(f); EU 8th Directive (European SOX), Art 23
Banking and Finance Guidance
The external auditor contract should include a statement that any information about the organization must be kept confidential. [Pg 22, Exam Tier I Obj 11.2, FFIEC IT Examination Handbook – Audit, August 2003]
NASD NYSE Guidance
The organization should periodically review how it maintains confidential information. [§ 202.01, NYSE Listed Company Manual]
US Federal Security Guidance
All information received during an audit or inspection will remain confidential, including the identities of those involved in the inspection or audit and those who provided information. [§ 27.250(e), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]
General Guidance
Information classifications should be reviewed regularly and whenever changes are made to information, the application, the network, or the end user environment. [SM3.1.3(c), CB5.2.4(b), CI5.3.4(b), NW4.3.4(b), UE2.3.6(f), The Standard of Good Practice for Information Security]
EU Guidance
All information and documents that the auditor or audit firm has access to must be protected by confidentiality and professional secrecy rules. [Art 23, EU 8th Directive (European SOX)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
