6.108 Auditing and Compliance

Policy #:	Title:	Effective Date:
6.108	Auditing and Compliance	07/13/04

PURPOSE
_______________________________________________________________

The purpose of this policy is to establish the requirement for all information technology resources in the County to be audited on a periodic basis to ensure compliance with the information technology use and security policies.

REFERENCE
_______________________________________________________________

July 10, 2004, Board Order 10 - Board of Supervisors Policy – Information Technology and Security Policy.

POLICY
_______________________________________________________________

The Los Angeles County Auditor-Controller shall conduct or coordinate an audit of every department’s compliance to County I/T use and security policies, standards and guidelines. Audits shall be conducted for each department as scheduled by the Office of the Auditor- Controller.

Each County department shall be responsible for assisting the County Auditor-Controller in conducting a security policy audit of information technology resources.

Compliance

County departments that have been audited must develop a written response that includes a plan to remediate any deficiencies found during the audit. Review and remediation of the audit findings is the responsibility of each department.

Policy Exceptions

Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Information Office (CIO)

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004

Sunset Date: July 13, 2008

Review Date: August 25, 2008

Sunset Date: July 13, 2012

Review Date: July 19, 2012

Sunset Date: January 13, 2013

Review Date: February 28, 2013

Sunset Date: July 13, 2013

Issue Date: July 13, 2004	Sunset Date: July 13, 2008
Review Date: August 25, 2008	Sunset Date: July 13, 2012
Review Date: July 19, 2012	Sunset Date: January 13, 2013
Review Date: February 28, 2013	Sunset Date: July 13, 2013