Engagement Memo—Protecting Information Systems and Data from Insider Threats
We are initiating an audit of Amtrak’s (the company) information security practices for protecting its systems and data internally from unauthorized disclosure, modification, or compromise. Any employee or contractor who maliciously or unintentionally uses their authorized access to systems and data to do harm is an insider threat to the company. Accordingly, our objective will be to assess the effectiveness of company controls to protect its information systems and data from insider threats. We may expand our scope or modify our objective during the audit.
During the audit, we plan to interview company officials; assess related policies, documents, and procedures; and review relevant company data. We may also assess controls for selected company systems.