“Are Your Security or Operational Business Policies Correct?” Practitioner Discussant Comments Malik Datardina CPA, CA, CISA
Disclaimer!!! • Risk management applied: • “The following views are my own and are not of my employer, Deloitte.”
Conceptually I Data • Lots of promise: • Bring CAATs (computer-assisted audit techniques) and audit analytics into security • Makes it possible to automate access control testing
The Good • Mathematics in the abstract can be difficult to grasp • But the paper made it digestible • Use of simple models • Examples relevant to auditors, e.g. “a teller may deposit a customer’s money into the customer’s account” • Brought together the necessary concepts, e.g. RBAC (role-based access control), REA (resources, events, agents),
Audience • Understood this was primarily for an academic audience, right? • Who is the audience? • Consider multiple audiences • Don’t limit it to audit; beneficial to operations, network, information security, etc.
Why is this necessary? • Solution looking for a problem? • What is the current ‘state of the art’? • Any pitfalls with respect to manual testing? • What are the risks? • How does this procedure address them?
Some feedback • Why is this necessary? Solution looking for a problem? • Need to illustrate that the benefit of this outweighs its cost • External audit: can this save time and audit costs? • Internal audit: explain how this will help from a compliance perspective – how does it address: • PCI DSS • ISO 27001/2 • SOC 2 (Trust Services criteria / cloud)
How does this work practically? • Need to explain how this works in practice: what are the practical steps you need to take to do this? • How do you get the access rules in an electronic format? • Can this be obtained from SAP, Oracle, etc.? • What exactly does the auditor have to do to create the list of “right rules” against which the security rules obtained from the device are audited?
Insights from other areas? • Software testing: what can be learned from static analysis (i.e. automated analysis of software without executing it)? • Intrusion detection systems: is there potential for false positives? Is there a tuning problem? • Data quality: are there data quality issues when you get an access controls “data dump” from the machine?
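The three practical questions above (how to get the rules out of the system, how to express the auditor’s “right rules”, and what to do about false positives and dirty data dumps) can be made concrete in a few lines of code. The following is an added example written for these comments; it is not code from the paper under discussion or from the discussant. The role names, the expected-policy table, the separation-of-duties pairs and the CSV “dump” are all constructed for illustration and do not come from SAP, Oracle or any real system. It checks an exported user/role/permission table against an auditor-defined RBAC policy and reports excess permissions, unknown roles, separation-of-duties conflicts and data-quality defects, and it flags “permissions the policy allows but nobody holds” separately because those are the findings most likely to be false positives needing tuning.

```python
"""Automated access-control test: compare an exported permission dump with an
auditor-defined policy.  Added example; every role, rule and dump row below is
constructed for illustration, not taken from any real system."""
import csv
import io
from collections import defaultdict

# Constructed "right rules": which role may perform which (operation, resource).
EXPECTED_POLICY = {
    "teller": {("deposit", "customer_account"), ("withdraw", "customer_account")},
    "supervisor": {("approve", "large_withdrawal"), ("view", "customer_account")},
    "auditor": {("view", "customer_account"), ("view", "audit_log")},
}

# Constructed separation-of-duties constraints: no single user may hold both roles.
SOD_CONFLICTS = [("teller", "supervisor")]

# Constructed export in the shape a role-assignment dump might take
# (user, role, operation, resource).  It deliberately contains a duplicate row
# and a truncated row so the data-quality handling is exercised.
ACCESS_DUMP = """user,role,operation,resource
alice,teller,deposit,customer_account
alice,teller,withdraw,customer_account
alice,teller,delete,audit_log
bob,supervisor,approve,large_withdrawal
bob,teller,deposit,customer_account
carol,auditor,view,customer_account
carol,auditor,view,customer_account
dave,contractor,view,customer_account
erin,supervisor
"""


def parse_dump(text):
    """Return (rows, quality_issues).  Malformed and duplicate rows are reported
    rather than silently dropped, so the auditor sees the data problems too."""
    rows, issues, seen = [], [], set()
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    for lineno, fields in enumerate(reader, start=2):
        if not fields:
            continue
        if len(fields) != len(header):
            issues.append(f"line {lineno}: expected {len(header)} fields, got {len(fields)}")
            continue
        row = dict(zip(header, (f.strip() for f in fields)))
        key = tuple(row[h] for h in header)
        if key in seen:
            issues.append(f"line {lineno}: duplicate row {key}")
            continue
        seen.add(key)
        rows.append(row)
    return rows, issues


def audit(rows, policy=EXPECTED_POLICY, sod=SOD_CONFLICTS):
    """Compare the dump with the policy; returns a dict of finding lists."""
    findings = {"unknown_role": [], "excess_permission": [],
                "unexercised_permission": [], "sod_violation": []}
    granted = defaultdict(set)       # role -> (operation, resource) pairs seen in dump
    roles_by_user = defaultdict(set)
    for r in rows:
        roles_by_user[r["user"]].add(r["role"])
        if r["role"] not in policy:
            findings["unknown_role"].append((r["user"], r["role"]))
            continue
        perm = (r["operation"], r["resource"])
        granted[r["role"]].add(perm)
        if perm not in policy[r["role"]]:
            findings["excess_permission"].append((r["user"], r["role"], perm))
    # Permissions the policy allows but nobody holds.  Usually not a control
    # failure; reported separately because it is the classic false positive.
    for role, perms in policy.items():
        for perm in sorted(perms - granted[role]):
            findings["unexercised_permission"].append((role, perm))
    for user, roles in sorted(roles_by_user.items()):
        for a, b in sod:
            if a in roles and b in roles:
                findings["sod_violation"].append((user, a, b))
    return findings


if __name__ == "__main__":
    rows, issues = parse_dump(ACCESS_DUMP)
    for issue in issues:
        print("DATA QUALITY:", issue)
    for kind, items in audit(rows).items():
        for item in items:
            print(kind.upper(), item)
```

On the constructed dump this reports alice’s extra `delete` on the audit log, dave’s `contractor` role that the policy never defined, bob holding both teller and supervisor, the duplicate carol row and erin’s truncated row; the supervisor’s unused `view` and the auditor’s unused `audit_log` view are listed under unexercised permissions so they can be tuned out rather than raised as exceptions.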