October 23, 2009

I’m out of town!

When I joined LinkedIn, it was because it was BUSINESS-like and so un-Facebook. As much as I like LinkedIn, it is becoming too much like Twitter and Facebook. Or perhaps it is more accurate to say that LinkedIn features are being used in the same casual manner.


October 15, 2009

Bad Interviews Qs

I’m still thinking about the IT auditor interviews I did recently. Not only did I get frustrated with the interviewees, I struggled with my co-interviewers. I not only thought some of their questions were poor, but they branded me a “tough interviewer.”


October 9, 2009

Interviewing IT Auditors

A few weeks ago, I did several phone interviews and concluded that no abundance of skilled IT auditors are looking for jobs these days.

First, isn’t the purpose of the interview to determine what a person’s experience is, and whether that experience is a good match for the position? At least 3 of the interviewees provided negative information about themselves unexpectedly:


August 21, 2009

Sampling Hazards

A couple of us were arguing about the differences between random, haphazard, and judgmental sampling. One person said that picking samples here and there manually was random sampling. I argued the method described was actually haphazard sampling. Another said that haphazard sampling was not appropriate and that “audit judgment” was valued, not haphazard sampling.


August 10, 2009

Need More Data Analytics in Audit

Part 1 of an article at AuditNet notes that audit teams need to increase their use of technology, specifically data analytics, to continue adding value to their companies. The author contends that data analytics can provide more assurance at a lower cost than the traditional cyclical approach to auditing (while I noticed the author, John Verver, is a VP of ACL Services and has a vested interest in this, I agree with him).


August 3, 2009

It’s not Business, it’s Personal

I wonder sometimes how many controls fail due to personal issues instead of design and performance issues. In other words, do controls fail more because of communication, turf, and personal issues or is it that the control is poorly designed or not performed?


July 31, 2009

When Mgmt Ignores Security

Too many security folks push security for its own sake–they insist things should be locked down, blocked, and forbidden.

Good security, as well as risk management, is a matter of degree. You need to secure just enough to get by. In other words, don’t spend time, effort, and money implementing security that you don’t need and/or management has not approved.


July 30, 2009

Security Awareness Perfect 7

Audry Agle, a former CISO, offers 7 practical ideas for increasing security awareness below. I’ve summarized some of the points and added comments of my own in italics:

1. Appeal to personal lives - Helping people deal with security issues at home tells them you care about THEM, not just company systems and data.


July 23, 2009

Truck Blocks Parking Ramp Exit

A Security Scout adventure…

A friend of mine noticed a truck blocking the exit of the parking ramp where he works, which is a big, international company. Since he was just arriving for the morning, it didn’t seem to matter, but a red light started to blink slowly in the back of his brain.
