There seem to be a few posts doing a bit of reflection:
Internet Storm Center: “An occasional Look in the Rear View Mirror”, discusses that every so often look into what you can do to see if anything can be retired.
At year end we look over the year and look into next year for new goals etc.
So what will happen in 3Q/4Q? Will we develop new and better procedures, guidelines and other items to improve our organizations?
With a couple of weeks left in the quarter it would be great to review and reassess any plans you had and redo if necessary.
Dark Reading: “Why Compromised Identities Are IT’s Fault”
Yes it is IT’s fault because IT has to do a better job policing itself where it matters. But since it is hard to police “yourself” an outside entity should do it.
Dark reading claims:
“Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity access management (IAM) typically comes under the control of the CIO, where more access is better than less to enable business processes at customer speed, even more so for mobility and cloud projects. IAM is not managed by the CISO, even though identity-based risks are at the core of security issues that keep CISOs up at night. This first front can be summarized as the CIO and CISO divide.”
So somewhere along the lines security lost a small battle (or a big one). In an Audit program (or framework) the outside entity is independent and ultimately reports to accountable people (the board or exec team).
It does not have to be a fight… errr discussion between CISO and CIO and whether it is productivity or security that should ‘win’.
- Plan the audit
- Risk assessment of the plan
- Audit IT functions under Supervision (test the network, servers, software function and more)
- Document audit function
- Create reportsout of the tests – signifying the ineffective controls, control deficiencies, and what these problems would cause for the business
- Evidence of the test results and conclusions must be presented.
- May have to use other experts to find specific issues(like a DBA (Data Base Admin) for example)
- Note Irregularity or illegal acts and reduce risks to an acceptable level
One of the tenets of an Auditor is being ethical in creating the audit tests. The reason for this is if one does not have expertise in a section of IT that needs audit work, then an expert in that field must be brought in. For example if the company has an agile programming project and the auditor does not understand agile programming techniques, it means the auditor must get an agile programming expert to review the project.
So the ethics of the auditor is very important, as knowing when to ask for help is good, as well as having the good sense of when to stop. Knowing to do the right thing is important.
contact us to review your situation.