Teaming with your IT auditor for better security

Presentation transcript:

Teaming with your IT auditor for better security Patrick Dunnigan, IT audit principal, Auditor General of Alberta Moderator: Illena Armstrong, editor-in-chief, SC Magazine

About the presenter: Patrick Dunnigan The materials and ideas presented verbally and in the following slides are my own. I am not here to represent the views of my employer. This presentation is based on my experience helping auditees use audits to introduce reasonable and effective IT controls and increase security.

Auditors prevent and cure security ills. Avoiding an audit is like skipping checkups to avoid getting sick. Some auditees see an audit as the illness, not the cure.

Audit outcomes = business outcomes
The goals of an audit are similar to business goals: creating an effective and efficient organization and driving business through:
more effective and efficient security for your organization
more effective and efficient controls to ensure your security is operating effectively
better risk management
effective change management

Audits harness the power of teamwork. Work together to achieve desired results. Working against each other is counterproductive.

The IT auditor’s role on the team Help strengthen commitment to IT that meets an organization's business objectives in a secure environment. Identify threats to the IT environment. Recommend ways to use IT resources efficiently and effectively. Know and follow professional practices. Offer an independent and objective perspective.

Audit purpose and focus
Types of audits:
Regulatory: confirm compliance
Value for money: measure results
Fraud or criminal: prevent theft, secure data
IT auditors focus on:
criteria suited to the type of audit
security of people, processes and technology

Why independence matters
An independent IT auditor offers your organization:
an opportunity to look objectively at IT security controls and practices
a fresh perspective from a different point of view
a chance to make sure the fox is not guarding the hen house

Why independence matters
Objectivity: third-party point of view
Perspective: focus and expertise
Credibility: focus on business risk

Using the audit to strategic advantage
Auditors can help:
improve processes
change culture
deflect resistance
make future audits easier by improving practices today

Case study: findings lead to better security
"We recommend that management assess their risks and use an IT control framework to develop and implement well-designed and effective controls to mitigate identified risks."
- Agreed!
Got resources ($$) to conduct a risk assessment.
Ranked risks in conjunction with business and data owners.
Identified the costs to mitigate risks.
Used COBIT to identify good security controls.
Business and data owners decided which risks to mitigate and fund.
Moved responsibility from IT to business owners.
Got needed resources to implement and manage new technology (e.g. SEIM) when other budgets were being cut.

Be prepared

Getting the security outcomes you need
An audit finds and makes recommendations about people, processes and technology. New technology ≠ better security! You need all three pillars to keep secure.

Better security – People
People are the most important part of the three-legged stool of security. Audits often identify the need for more or better qualified resources, e.g., recommend certifications such as CISSP, CISM or Security+. They can identify the need for "security" people and not just someone who can spell Nessus.

Better security – Processes
The IT auditor can assess security processes. This could include assessing:
security incident response management
internal / security control documentation
security procedures / process documentation
security processes for design adequacy and effectiveness

Better security – Documented processes
If it ain't documented, it ain't done (well).
Audit recommendations usually identify a need for more documentation. Documentation lets you:
demonstrate implementation and effectiveness
benchmark yourself against others
demonstrate you are getting better / maturing

Better security – Documented processes
What if your "security guy" wins 649? Documented and well-designed processes can provide for smooth succession.
Documented and effective processes help an organization to:
repeat key controls or performance indicators
be more efficient
mature the processes and controls
ensure that controls are not bypassed

More security – Technology The IT auditor can independently assess your security devices / technology. Do you have enough of the right technology? Too much or the wrong security?

Better security – Technology
Recommend that you get more or different technology. Audit recommendations often form the basis for a business case.
Technology can support your audit:
help desk with automated ticketing / workflow
SIM / SEM
vulnerability assessment

Top 10 ways to add an auditor to your team
10. Get to know your auditor. Talk to him / her / them. Take them out for coffee or lunch!
9. Ask what they think are the high risk or important areas for typical audits. What are their audit plans?
8. Tell them what your security pain points are! Don't make them guess.
7. Bring them in early: when you start a project, are considering new technology, are outsourcing work or services.
6. Make them a part of your team. Ask for input and advice – but don't impair independence!

Top 10 ways to add an auditor to your team
5. Ensure that you get to review findings and recommendations. Provide feedback and comments.
4. Make them accountable. Ensure they are capable and follow ground rules, scope and reporting. Challenge them!
3. Prepare your response. Agree, then put a plan in place with required resources, timelines and responsibilities. Put the onus on senior management to make it happen!
2. Thank your auditors for helping you make the organization more secure.
1. Follow up. Ask them to audit your remediation efforts to ensure they mitigate findings.

Add an auditor to your IT team
IT auditors want the same thing you should – an effective, efficient and secure IT environment. Bring the IT auditor in early and tell them what areas you want to focus on. Use the auditor to get what you want. Listen and provide feedback. Follow up on recommendations. Make sure the auditor is on your team.
Questions?