1 / 23

Teaming with your IT auditor for better security

Teaming with your IT auditor for better security. Patrick Dunnigan, IT audit principal, Auditor General of Alberta Moderator: Illena Armstrong, editor-in-chief, SC Magazine. About the presenter: Patrick Dunnigan.

lonna
Download Presentation

Teaming with your IT auditor for better security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Teaming with your IT auditor for better security Patrick Dunnigan, IT audit principal, Auditor General of Alberta Moderator: Illena Armstrong, editor-in-chief, SC Magazine

  2. About the presenter: Patrick Dunnigan The materials and ideas presented verbally and in the following slides are my own. I am not here to represent the views of my employer. This presentation is based on my experience helping auditees use audits to introduce reasonable and effective IT controls and increase security.

  3. Auditors prevent and cure security ills. Avoiding an audit is like skipping checkups to avoid getting sick. Some auditees see an audit as the illness, not the cure. Auditee

  4. Audit outcomes = business outcomes The goals of an audit are similar to business goals; creating an effective and efficient organization and driving business through: • more effective and efficient security for your organization • more effective and efficient controls to ensure your security is operating effectively • better risk management • effective change management

  5. Audits harness the power of teamwork • Work together to achieve desired results. • Working against each other is counter productive.

  6. The IT auditor’s role on the team • Help strengthen commitment to IT that meets an organization's business objectives in a secure environment. • Identify threats to the IT environment. • Recommend ways to use IT resources efficiently and effectively. • Know and follow professional practices. • Offer an independent and objective perspective.

  7. Audit purpose and focus • Types of audits • Regulatory: confirm compliance • Value for money: measure results • Fraud or criminal: prevent theft, secure data • IT auditors focus on: • criteria suited to the type of audit • security of people, processes and technology

  8. Why independence matters An independent IT auditor offers your organization: • an opportunity to look objectively at IT security controls and practices • a fresh perspective from a different point of view • a chance to make sure the fox is not guarding the hen house

  9. Why independence matters • Objectivity: third-party point of view • Perspective: focus and expertise • Credibility: focus on business risk

  10. Using the audit to strategic advantage Auditors can help: • improve processes • change culture • deflect resistance • make future audits easier by improving practices today

  11. Case study: findings lead to better security • We recommend that management assess their risks and use an IT control framework to develop and implement well-designed and effective controls to mitigate identified risks. - Agreed! • Got resources ($$) to conduct a risk assessment. • Ranked risks in conjunction with business and data owners. • Identified the costs to mitigate risks. • Used COBIT to identify good security controls. • Business and data owners decided which risks to mitigate and fund. • Moved responsibility from IT to business owners. • Got needed resources to implement and manage new technology e.g. SEIM when other budgets were being cut.

  12. Be prepared

  13. Be prepared

  14. Getting the security outcomes you need • An audit finds and makes recommendations about people, processes and technology. • New technology ≠ better security! • Need all three pillars to keep secure

  15. Better security – People • People are the most important part of the three legged stool of security. • Audits often identify the need for more or better qualified resources, e.g., recommend certifications CISSP, CISM or Security+. • Can identify the need for “security” people and not just someone who can spell Nessus.

  16. Better security – Processes • The IT auditor can assess security processes. • This could include assessing: • security incident response management • internal / security control documentation • security procedures / process documentation • security processes for design adequacy and effectiveness

  17. Better security – Documented processes • If it ain’t documented it ain’t done (well) • Audit recommendations usually identify a need for more documentation. • Documentation lets you: • demonstrate implementation and effectiveness • benchmark yourself against others • demonstrate you are getting better / maturing

  18. Better security – Documented processes • What if your “security guy” wins 649? • Documented and well-designed processes can provide for smooth succession. • Documented and effective processes help an organization to: • repeat key controls or performance indicators • be more efficient • mature the processes and controls • ensure that controls are not bypassed

  19. More security – Technology • The IT auditor can independently assess your security devices / technology. Do you have enough of the right technology? Too much or the wrong security?

  20. Better security – Technology • Recommend that you get more or different technology. • Audit recommendations often form the basis for a business case. • Technology can support your audit. • help desk with automated ticketing / workflow • SIM / SEM • vulnerability assessment

  21. Top 10 ways to add an auditor to your team 10. Get to know your auditor. Talk to him / her / them. Take them out for coffee or lunch! 9. Ask what they think are the high risk or important areas for typical audits. What are their audit plans? 8. Tell them what your security pain points are! Don’t make them guess. 7. Bring them in early: when you start a project, are considering new technology, are outsourcing work or services. 6. Make them a part of your team. Ask for input and advice – but don’t impair independence!

  22. Top 10 ways to add an auditor to your team 5. Ensure that you get to review findings and recommendations. Provide feedback and comments. 4. Make them accountable. Ensure they are capable and follow ground rules, scope and reporting. Challenge them! 3. Prepare your response. Agree, then put a plan in place with required resources, timelines and responsibilities. Put onus on senior management to make it happen! 2. Thank your auditors for helping you make the organization more secure. 1. Follow up. Ask them to audit your remediation efforts to ensure they mitigate findings.

  23. Add an auditor to your IT team • IT auditors want the same thing you should – an effective, efficient and secure IT environment. • Bring the IT auditor in early and tell them what areas you want to focus on. • Use the auditor to get what you want. • Listen and provide feedback. • Follow up on recommendations. • Make sure the auditor is on your team. • Questions?

More Related