Evaluating Risk in the Dark

When you evaluate the risk of a vulnerability, do you do it in the dark?

Or do you take into account other factors that might affect the risk?

What if one of the factors is an existing audit issue that has not been remediated?

While evaluating the risk posed by the lack of a periodic user access review, I took into account that the organization also had issues with adjusting or terminating user access when employees or contractors transferred jobs or left the company.

The audit manager challenged me, “You have to evaluate the periodic review issue on its own [in other words, in the dark]. If you include the transfer/terminate issue, you effectively raise the risk of the review issue.”


Why should they be separated? The purpose of the periodic review is to support the upstream control (transfer and terminate). Since transfers and terminations are problematic, doesn’t that raise the importance of a periodic review? If so, doesn’t that increase the risk of NOT doing a periodic review?

Yes, the manager said, but if you include that risk, the periodic risk is ranked higher than it should be.

No, I said, it raises the risk to where it should be. If the review is done, it will at least catch the problems caused by the poor transfer/terminate control. If the transfer/terminate process is fixed, the risk of not having a periodic review is reduced, but the review is still needed to catch errors and collusion.

Especially if the review occurs only once a year.
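To make the argument concrete, here is an added example (not code from the post or its author) of the kind of reconciliation a periodic user access review performs: it compares a hypothetical HR roster against an application's account list and reports exactly the conditions a weak transfer/terminate process leaves behind. The department-to-entitlement policy, the 90-day staleness threshold and all records are constructed sample data.

```python
"""Periodic user access review reconciliation (added example, not from the post).

Compares a constructed HR roster (employment status and department) with a
constructed application account list and reports what a periodic review would
catch when the upstream transfer/terminate control has failed: accounts left
enabled after termination, entitlements carried over from a previous
department, orphaned accounts with no HR record, and enabled accounts nobody
has used in a while.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    department: str
    status: str                  # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    entitlements: FrozenSet[str]  # e.g. {"finance:ap-approve"}
    last_login: Optional[date]


# Hypothetical policy: each department may hold only entitlements with its prefix.
DEPARTMENT_ENTITLEMENT_PREFIX = {
    "finance": "finance:",
    "engineering": "eng:",
    "hr": "hr:",
}


def review_access(hr: List[HrRecord], accounts: List[Account],
                  as_of: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return a sorted list of (user_id, finding) pairs for the reviewer to act on."""
    hr_by_id = {rec.user_id: rec for rec in hr}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # No HR owner at all: the account should not exist.
            findings.append((acct.user_id, "orphaned-account"))
            continue
        if rec.status == "terminated":
            # Terminate control failed if the account is still enabled.
            if acct.enabled:
                findings.append((acct.user_id, "terminated-still-enabled"))
            continue
        # Transfer control failed if entitlements belong to another department.
        allowed = DEPARTMENT_ENTITLEMENT_PREFIX.get(rec.department, "")
        for ent in sorted(acct.entitlements):
            if not ent.startswith(allowed):
                findings.append((acct.user_id, f"entitlement-outside-department:{ent}"))
        # Enabled but unused accounts are a sign the owner no longer needs them.
        if acct.enabled and (acct.last_login is None
                             or (as_of - acct.last_login).days > stale_days):
            findings.append((acct.user_id, "stale-enabled-account"))
    return sorted(findings)


def sample_review() -> List[Tuple[str, str]]:
    """Run the review over constructed sample data as of 2024-06-01."""
    hr = [
        HrRecord("alice", "finance", "active"),
        HrRecord("bob", "finance", "terminated", date(2024, 1, 15)),  # left, never disabled
        HrRecord("carol", "engineering", "active"),                  # transferred from finance
        HrRecord("erin", "hr", "active"),
    ]
    accounts = [
        Account("alice", True, frozenset({"finance:ap-approve"}), date(2024, 5, 20)),
        Account("bob", True, frozenset({"finance:ap-approve"}), date(2024, 1, 10)),
        Account("carol", True, frozenset({"finance:ap-approve", "eng:deploy"}), date(2024, 5, 25)),
        Account("dave", True, frozenset({"eng:deploy"}), date(2024, 5, 1)),  # no HR record
        Account("erin", True, frozenset({"hr:view"}), None),                 # never logged in
    ]
    return review_access(hr, accounts, as_of=date(2024, 6, 1))


if __name__ == "__main__":
    for user_id, finding in sample_review():
        print(f"{user_id}: {finding}")
```

Every finding the sample run produces is a failure of the upstream transfer/terminate control that only surfaces because the review compares the two sources; the weaker that upstream control is, the more such findings a single annual review will be carrying, which is the point made above.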

What do you think?


Filed under Audit

2 responses to “Evaluating Risk in the Dark”

  1. charles opara

    Do you have postings related to CISSP?

    Charles Oparah


    • Hi Charles,
      I haven’t written about the CISSP like I have the CISA, mainly because more of my readers are interested in the CISA (that’s what brings them to my site more than CISSP).

      I find the CISSP more valuable than the CISA, even as an auditor.

      I do mention the CISSP here and there, sometimes in depth, sometimes in passing. This link will list those posts: https://itauditsecurity.wordpress.com/?s=cissp. In that list, these posts are probably the most CISSP-related: “Security Certs for Commoners? Nope” & “Top 10 Pay-Boosting Tech Certifications”.

      Perhaps I should write about the CISSP more. Anything in particular you’re interested in? Let me know and I’ll give you my opinion.

