Hi, welcome to my blog!
Blog Focus
This blog focuses on technology, information security, and IT audit, but certainly not in that order. Miscellaneous tangents will appear occasionally.
My goals for this blog:
- Tackle audit, security, and data analysis issues, often from a slightly different angle.
- Provide how-to articles on various topics, including data analytics.
- Provide perspective on other articles, trends, and some projects in which I’ve been involved.
- Help you understand and do technology, infosec, data analysis, and audit better.
- Make you laugh out loud.
Me
I’m known as Mack. I’ve worked in IT for years, from the help desk to break/fix to system and network administrator. I’ve built a data center, led disaster recovery teams, and pulled IT SOX onto some ugly feet.
I’ve managed the security team of an international company and led the response of several major security incidents.
Probably the most interesting position I’ve had is a moderator of a online security forum where hats of all colors hung out. You can learn a lot from 12 year-olds as well the grey hairs, some of the best in the business.
It was also interesting when that security forum was hacked (if anyone tells you they’re invincible, laugh quietly to yourself, and wait until you see them in the news).
Lately, I’ve been doing IT auditing and data analytics, which has given me a different view of risk and security. My next destination is secret, and I’m enjoying the breeze. I’m having fun and enjoying all that I still have to learn.
Favorite Topics of Mine
ACL
ACL is Audit Command Language, the data analytics software from www.acl.com. Auditors and others use it to join and analyze data. Explore all ACL posts here.
A buddy of mine, skyyler, helps with the ACL heavy lifting on this blog.
I’ve soured a bit on ACL over the years, but still use it and write about it occasionally.
Case Files
These posts describe events that happened under my watch in one of the many positions I’ve held. The names and some details have been changed for obvious reasons, but the stories are true.
Security Scope
Security Scope articles describe basic security principles; I like to refer to it as the “ah-ha” series. These posts also serve as reminders to those of us who know better, but need occasional nudges.
Many of these posts answer questions I am often asked by co-workers, relatives, and friends that don’t understand information security and why it’s important. This series is my personal security awareness campaign.
Security Scout
This series describes security adventures I have as I’m rambling around the landscape.
Quote of the Weak
Occasionally I can’t resist poking some fun at people who say strange things, or say things without realizing how terribly wrong or misinformed they are, or how what they say is so true in a totally different context.
Most Popular Posts
These posts are the more popular ones, month-to-month:
How to Pass Certification Exams
Also check out my interviewing IT auditors series.
Comments Policy
I love reader comments. Let me know what you like, what you hate, and what you’d like to read more about.
For my Comment Policy, see Copyright.
P.S.
If you find a typo, broken link, or a brain leak, please let me know. And leave me a comment once in a while, and let me know what you’re thinking…
Also, some of the details, conversations, and circumstances revealed in this blog are sometimes veiled or enhanced to protect me and the guilty, but scare the innocent…
DISclaimer
All information and humor provided on the ITauditSecurity blog and Onedrive (formerly Skydrive) website is presented as is, without any warranty or guarantee. Anybody using any advice, scripts, jokes, or whatnot on these pages is encouraged to validate the effectiveness and reliability on their own, away from their business network. Also, make sure you seek legal advice, obtain tax advice, and check with your doctor and your mother.
Finally, do not run backwards with scissors.
ITauditSecurity 
This topic has been viewed hundreds of times, and no one has a comment on it?
You like the blog focus? Want more ACL articles? You don’t believe my Security Scout stories?
I’ve only made one person (timethief) laugh?
Remember the reader’s motto:
I came
I saw
I commented.
LikeLike
Hello Mate,
I have just found this blog and absolutely love it. Your way of putting your experiences together is very simple and thus makes it easy to relate. I have already commented on some of your posts and plan to be a regular poster. Keep them coming!
LikeLike
coffeeking,
Thanks for all your input so far; it has been great. Nothing encourages a blogger more than comments, even critical ones. So if you have any of those now or in the future, here’s your golden invitation. Iron sharpens iron. Few things are worse than an environment where everyone agrees with you or when you appear to be the only SME.
Just curious, now did you find the blog? Please tell others you know who might also be interested.
LikeLike
I found your blog through Grayson’s blog, will let other know about it as well.
LikeLike
I frequently comment on your blog posts and notice that you respond to pretty much all of them but I never receive and automated response mail to know when you have responded. Is there is way to fix this, this can lead to some timely discussions!
LikeLike
OK…I just noticed you have a link down there to notify me of follow-up comments…tells you how much I pay attention to these things.
LikeLike
coffeeking,
I try to always reply to every comment with individual attention. I appreciate all comments, positive and otherwise (except for spammers, of course.). I’ve always found you learn more from negative comments, experiences, and people; in addition, you’re head never swells due to a reprimand or complaint :)
As for the notification of reply comments, glad you found the checkbox below the comment box. Bringing it up only highlights it for others, so no problem.
LikeLike
I’ve been fixing a lot of brain leaks and dead links on this blog that no one has told me about. If you can’t say anything nice in a COMMENT, at least you can tell me when I’ve been a knucklehead. I found 2 dead links on this page alone.
So you’re telling me that all the auditors and security pros (critical people by nature) that read this blog don’t have any complaints? Don’t find dead links, typos, and nerve damage? Are you really that dead after a long day’s work (or during lunch)?
LikeLike
just seen this, followed, followed on twitter. Thanks for the good work of sharing. Follow me @bsemakula
LikeLike
Bashir,
Thanks for commenting and following. I look forward to your future comments on specific posts.
LikeLike
Nice blog here! Also your website loads up fast!
LikeLike
Reached your website looking for some notes on CISA. Liked it.
LikeLike
Found your blog when I looked up for IT auditor interviews. Just started looking for a job in IT auditing field and reading your blogs helped me understand what am I going to be up for!
Thoroughly enjoyed the humor btw!!
Keep blogging :)
LikeLike
madzutopia.
Thanks for the kind words. If you find any other IT audit blogs out there that you like, pls let me know. I have not found very many.
I don’t go into the basic mechanics (or art) of auditing in my blog, but you can find a lot of helpful material at IIA or ISACA. For links, see https://itauditsecurity.wordpress.com/2012/09/23/it-audit-for-dummies/
LikeLike
I found your blog recently. I am wondering if you could offer some advice. I have worked on and off in IT for the past 15 or so years (most in desktop support). I never specialized but became somewhat of a generalist. In 2011, I graduated with a BS in Accounting Information Systems but took a career detour instead of finding a job in audit. Of course, I did not do my research on entering the IT Audit field and am now finding that entry-level jobs are a “game” for the young and a path that runs though a major accounting firm, like the Big Four. So, at 40-something, I am now trying to figure out a path within IT that will “re-converge” with IT Audit at a Senior level in a couple more years. I am currently studying for the Security+ certification, to provide a foundation to grow on in security. Your thoughts? Advice? Thanks!
LikeLike
Hi Rob,
In my opinion, Big 4 firms are just a saw mill. They work you to death and pay you little. One tried to recruit me, but I didn’t want to go that route. And I’ve never met an auditor who enjoyed the Big 4. So I’d stay away from them unless that’s your only resort. The good thing about the Big 4 is that after working there 2 years, you’ll be ready for anything. If you survive.
I’d rather steer you to trying to join the audit team of a company instead, or maybe a compliance team. It sounds like you have some IT background, as well as accounting (typically, IT audit deals with technology, not accounting and finance, but having that kind of background is a plus). The best IT auditors I know understand audit, IT, and accounting, but they are rare. Personally, I don’t do accounting.
Or perhaps take the route I did through IT. I went from help desk to server team to network team to security to audit (not all in the same company). The fact that you’re an IT generalist is good. Many IT auditors I’ve worked with and hired as contractors never worked in IT, and it shows.
Whatever job you’re in or go to, tell them about your interest in security/compliance/audit, and ask to work on projects with those components as much as possible (many people hate those projects, so that will help you). That could lead to taking a job in one of those areas. Also, introduce yourself to the audit, compliance, and security teams where you’re at and tell them about your aspirations. They might have some leads for you and should be able to tell you what you need to do to get a job in their area.
After you get your Security+, I’d strongly suggest that you get the CISA certification, as that is the IT audit certification, and studying for it will teach you a lot about audit (see my posts about CISA and certification). Ultimately, it’s more important to understand auditing than it is to understand IT technology. You CAN do IT audit with little technology background as long as you’re solid in audit (although I don’t recommend it) for this reason: the IT guys that you audit can teach you the technology & IT operations, but not how to audit (maintain objectivity and independence, identify the risks, decide what to test, pick a sample, write a workpaper, etc.).
Said another way, if you don’t know audit, you will fail, regardless of how much technology or IT operations you understand (or don’t). I know this because I work with “half-auditors” all the time. They get the audit done and survive, but IT hates them because of all the time they require due to their lack of understanding. And I struggle with them because the next year when I perform the same audit, I find lots of stuff they missed.
Hope this helps. Let’s keep talking. I wish you the best.
LikeLike
Thank you for your response. It was a great help. I was going to take the CISA in December but have deferred it to June to give me more time. I have also been networking with individuals at ISACA for guidance. I’ll keep in touch and let you know how things progress.
LikeLike
Rob,
You’re welcome. Check out my free CISA Study Guide. Yes, let us know how things go.
LikeLike
Hey Mack,
Great site, and thanks for linking to my ACL Bootcamp series! Do you have time for a quick chat on the phone? I’m always looking for good contacts that use and understand our products.
LikeLike
Shane,
I’m flattered, but Skyyler is the man, and he’s always said that he’d rather stay very independent and praise and gripe from afar for various reasons.
As for the bootcamp series, anyone that hasn’t checked them out is wasting too much time doing something else!
LikeLike
Hi Mack,
My friends, 2 in particular, have been forcing me to CISA cert. And along my research i came across your blog. Thanks a ton MACK, got loads of info and courage to go ahead with the cert. Ive been in IT as Mainframes tester for 4 years now and have been planning to shift for almost 2 years now but was in no hurry to make another mistake. So CISA cert and job role for now looks very positive. Please let me know off your suggestions or if you differ on my thought.
Anticipating your reply
Cheers
Sunil
LikeLike
Sunil,
Go for it, especially since you were already thinking about it. If you find you don’t like it or want to go in that direction, you haven’t wasted your time as you learned some things and were able to make a good decision.
If you like it, it will only help you. Good luck. Mack
LikeLike
Great Blog. A lot of useful information and insight. I am an IT professional (Previously Desktop Support, Networking, and SAN Engineer) and about to start a GRC IT Audit position. Thanks for all the effort and time you have put into this site. It is very helpful…
LikeLike
Leather,
Glad you find it helpful! I appreciate you taking the time to say so. Makes my day.
Your background is great for audit, and I’m sure you’ll do great. Just remember to stop doing your old job and looking at issues from that perspective only.
And don’t be surprised at how little IT other IT auditors understand. Stop back after you’ve worked at audit a while and let me know whether the other IT auditors in your group (hopefully you’re not the only one) are very technical. I’d be interested.
Thanks again, and have fun.
LikeLike
Hi!
I am a recuriter and am currently looking to build my network in the IT Audit space – you are obviously the expert and I would love to set up a time to chat with you. Do you have a particular day this week that works best for you?
Thanks!
Lindsay
LikeLike
Hi Lindsay,
Thanks for stopping by, but I don’t do interviews or chats. And I seldom promote companies.
I suggest that you work with ISACA or ISC2 to build your network.
Mack
LikeLike
this isn’t LinkedIn!
LikeLike
You tell ’em, Stephen! Ha Ha.
LikeLike
Mack,
I ran across your blog searching for IT Auditor Requirements. I have my CISSP and am employed as an Information Security Office for the Department of Veteran Affairs; however no formal Auditing Education. What is your recommendation on what Certs/Steps to pursue to become an IT Auditor. Is the CISSP Cert good enough?
LikeLike
Tom,
Few IT auditors have the CISSP, and that’s a great cert to have. But you need to study for the CISA to learn auditing. See my CISA link at the upper right corner under Quick Links.
While understanding security really helps in auditing and will give you an advantage over most IT auditors, it’s more important to know how to audit….Once you learn that, you’ll be ahead of others.
LikeLike
Hi Tom, i have both certifications and i would suggest the CISA as the basis for IT auditing. CISSP great to have but CISA is the necessity
LikeLike
Totally agree!
LikeLike
Great blog – it came up as i have been troubleshooting some RECOFFSET commands i’ve been trying to get working…i had been troubleshooting my scripts for quite some time now and i got the familiar eureka moment while making the dinner this evening…hence i decided to get stuck into ACL for another couple of hours. A scenario you are probably very familiar with.
I have only started using ACL recently and would consider myself intermediate skills but blogs like this make things a lot easier. Especially when it comes to things like RECOFFSETS and print file imports!
Keep up the good work and i’ll be checking in on a regular basis for your tips from now on!
Cheers,
Stephen
LikeLike
Stephen,
Thanks for stopping by. Haven’t used RECOFFSET a ton, which is surprising. It is very useful. I haven’t written about it yet, sorry.
In the past, I got some print file imports to work pretty well, and you can script those too, once you perfect the import. Haven’t done any later, thought. I think they have a good video on it in the ACL Boot Camp series, so check that out.
Your comment on getting “stuck in ACL” made me chuckle (did you see the post, “You Might be an ACL Freak if…”).
You don’t know how many times I’ve missed my ride home from work due to being stuck as you described. In fact, it almost happened again today.
Also, did you see the ‘Teach Yourself ACL’ post? It has links to a couple websites for ACL user groups that you might be able to find some help at. The best one is Texas ACL User Group.
Regards, Mack
Thanks for your encouragement.
LikeLike
Hi Mack,
Great blog, I enjoyed going through. I stumbled upon it while looking for material to self-study ACL. Good job!!!
Just to share and if you will like to advise me. I have most of IT certifications CISA, CISSP, CISM, SAP and also CA (India), CIA and my quest is not yet over; I am going for ACDA also. Do you suggest something more to help in career given the recessionary trends globally, thank you in advance.
Ganesh
LikeLike
Hi Ganesh,
Glad you enjoy the blog. Thanks for taking the time to tell me. Those words never get old, and are greatly appreciated.
From a certification standpoint, you seem to be all set in your career. Don’t stop learning or being curious.
Regardless of economic trends, problem-solvers who can get along with others and explain complicated things in simple terms are always in demand.
The people I’ve known in my life who either had many certs and/or a ton of experience and were highly regarded were also humble people who constantly used their abilities to not only do good work, but to graciously help others.
[Helping others is one reason that I’ve kept the blog going as long as I have (it’s hard work!) and try to answer everyone who comments or asks a question. Besides it’s fun.]
Based on your question, I sense your certs haven’t gone to your head and puffed it up. You seem like you’re already on the right track.
I think success is more defined by who you ARE (character) more than what you KNOW, and by who you help as you pass by.
Wish you the best. Mack
LikeLike
Boss, I just browsed your site and it’s really worth it. Youhave taken lot of efforts. I am myself is a CISA trainer from India and in IT field from the era of unit record machine. Wonderful. Keep it up!
LikeLike
Hello Mack;
I didn’t see a private way to contact you so i decided to use the comment section, i have a degree in elect/elect and desired a career in the energy sector, got all my HSE’s and NEBOSH certs ready before graduating.
However due to the ongoing energy crisis, there’s no employment in that sector anymore
I recently got a job at a bank as an IT support staff without any bg in IT, now i am considering IT fulltime and I hope to write the CISA exam this year, thats how i found your blog. So i’ll be coming here everyday. Sorry for the epistle, i just need guidance
Thanks
LikeLike
HM,
Sorry, but I’m not clear on what guidance you are looking for. If you’ll submit a few questions, I’ll give you my thoughts on them.
I have written quite a few articles on CISA and general IT, so check out the posts under the CISA and technology categories. Also see my certification category for tips on passing exams.
LikeLike
Dear Mack
I’m a college student entering in to my last year. I just learned about IT audit and wanted some advice on finding training and work. I will have a degree in accounting and economics.
LikeLike
Lost,
My suggestion is to read all my posts with CISA in the title. There’s a quick link at the right side of every page. I have provided lots of advice to those new to the field in the comments to those articles. Wish you the best. M
LikeLike
Hi Mack. Kindly guide how to try and learn ACL when we can’t get the trial or demo version of ACL. I heard we get it for IDEA…. I contacted ACL and they replied today that they do not….. Thanks. Rakesh CA, CISA Sydney
LikeLike
Hi,
You are correct. ACL has not provided trial versions for some years. You can get an older version by reading my Teach Yourself ACL post and following the instructions under the ‘Don’t have ACL Software?’ heading.
Basically, you have to buy a book that includes a free version. That’s the only way.
IDEA does offer free versions, so try one of those or buy a book with an older version. A current version will cost you about $500-1200 per copy, depending on the discount your company can get.
Sorry I can’t be more helpful.
LikeLike
Hello Mack. I have read some of your articles and really enjoyed them. This seems like a very valuable resource for someone trying to break into the IT Audit industry like myself. So, this may be a silly question, but can you tell me how I would start at your very first post and be able to read through all of your posts in the order that they were written? Thanks and keep up the good work.
LikeLike
dmac,
Glad you like the blog. I wrote it for readers like yourself! :)
You can start with the very first post in 2009, which is here: https://itauditsecurity.wordpress.com/2009/03/13/15-must-see-sights-in-google-earth/. You can then click the link in the upper right, above the current post, to go to the next post that folllowed.
Keep in mind that I have written most of the posts on this blog, but not all; my buddy skyyler writes some of them. Also, the order of posts don’t always follow one another; we write about what’s on our mind at the moment.
I’d suggest you start with this post, which lists many other posts like it, just for new IT auditors: https://itauditsecurity.wordpress.com/2016/12/19/new-it-auditors-should-start-here/.
Then I would suggest you locate the Categories dropdown box on the right side of every blog page–You can then choose posts regarding a certain category and read all of them.
I’d start with the CISA category since that relates to IT auditors.
Finally, I’d suggest you sign up to receive an email when a post is published. See the Subscribe by Email link at the top right of each page.
No questions are silly, so ask away.
LikeLike
Mack, have you heard of Arbutus Software? I just stumbled across a post from last year about ACL’s change in focus. Arbutus uses the same command language and UI as ACL, but remains focussed on Analytics.
LikeLike
Grant,
Yes I have, thanks. I’m looking into it along with several other tools. I can’t say I was real impressed with their sales rep.
They need to better differentiate their product from ACL. Can Arbutus handle larger files? How much larger? Is it faster? Does it use a database or does it also use text files to store everything?
You can’t find those answers on the website and the sales rep wasn’t very helpful either.
LikeLike
Mack, from your reply it is obvious that I failed to mention that I am -with- Arbutus. It seemed obvious to me as I wrote the post, but on re-reading it I can see how this was not at all obvious. My bad, and I’m very sorry if I misrepresented myself.
I’m also sorry about the sales experience you had from Arbutus. Off-line I might be able to connect you with someone who better suits your needs. As for the web site, everyone has a different perspective on what they want from a web site, and it is very hard to meet everyone’s needs (some technical, some administrative, some comparing to ACL and others to SAS, for example).
To give you just a bit of my background, I was one of the co-founders of ACL, and the technical architect of their products until my departure in 2003. I left to form Arbutus at that time, with the sole intent being to push the state of the art in analytics technology.
Even though your questions were rhetorical, I’d like to take this opportunity to answer them:
– Arbutus Analyzer has been described as ACL++. It operates pretty much like ACL, and is backward compatible with virtually all ACL scripts. Where it differs is in its wide range of Analytics-oriented enhancements. There are far too many to mention here, but if I had some sense of your needs I might be able to suggest some. In the past, the web site offered a direct ACL comparison (kind of like what you seem to want), but with ACL’s changed name and focus they are less of a reference point these days.
– Analyzer will handle files of any size, even billions of records.
– Analyzer is across the board faster than ACL. In some cases only a few percentage points (say totaling a fixed-length file), but in other cases tens or even hundreds of times faster. It depends a bit on the specific action. On my desktop machine I typically expect 4-6 million records per second for a single command. Speed is one of our top priorities.
– Arbutus does not use a database, as no database could possibly keep up with our processing speeds. That said, it (of course) -reads- databases, and can also do so directly, without converting to a flat-file first. Similarly, delimited files are read directly, without conversion first. Most other processing involves reading files, in a manner very similar to ACL.
It’s not clear to me that this is the kind of conversation you want to engage in. But if so, I’m happy to continue conversing like this, through your blog, or you can reach out to me off-line. If you email sales@ArbutusSoftware.com and mention my name, it will surely get forwarded to me.
Mack, good luck in your search for a product, and if you give Arbutus another chance I am certain you won’t be disappointed.
Grant Brodie
Arbutus Software
LikeLike
Grant, I knew where you were from. I just wasn’t going to push it, but at the same time give you the choice to respond. I’ll respond more later.
LikeLike
Mack, thank you for sharing your experience with us. I certainly have found it to be informative and helpful. I have been in this racket for two years, came from an industrial systems background, transition included getting certified as a CISA and CRISC. I’m still learning every day and I am of a continuous learning mindset. I have noticed that so far all I do is cyber security audits, sometimes we get into procurement when it’s applicable but for the most part it’s been cyber security, is there any other type of information systems audits?
LikeLike
Mishal,
Glad we’ve helped. I love the term ‘racket’ to describe auditing. So funny and correct.
Kudos to your for getting certified. I have lots of posts on certification and the CISA specifically. I wish more auditors had a ‘continuous learning mindset’. Not sure how you can swing this racket without that, but many do.
So when you say cyber security audits, I think of audits like network design, firewall/router/network device review, pen tests, and the like. These tend to focus on configuration and admin access.
Also, to me an infosys audit is pretty much any audit that focuses on technology or requires technical knowledge and experience to perform–not something an operations or financial auditor could do very well beyond the basics.
So given those definitions, I can think of many infosys audits. First of all, I would consider a SOX audit of an IT process or system an infosys audit. This type of audit would review how the system (e.g., general ledger) processes transactions, which would end up on in your financial reports. So you’d look at who has access to what, separation of duties, how transactions get reviewed and approved, system backups, change management of the system, patching of the application and servers involved, security configuration of the application and database, etc. The main purpose of a Sarbanes Oxley (SOX) audit is whether the financials that are reported can be relied upon–in other words, only the right people have access to the system and data (and can’t be easily hacked or maliciously changed), and that it processes and reports the financials correctly–the system is controlled and reliable.
Now not all of that is technical, but if you don’t have a technical background, you could miss some of the problems that might exist. You can also do application or database audit like that of systems that aren’t SOX related.
I once did an audit of the cashier system in the lunchroom used to set prices and record all the food purchases as well as inventory. I figured out how to lower the price charged of a cup of coffee by 25 cents (true story).
Another audit is whether the process for selecting and executing technology projects for the business addresses business needs, is done efficiently and cost effectively, and that the appropriate planning, testing, and implementing of the process is performed. Again, that isn’t real technical, but a tech background really helps.
Then there’s a review of the overall backup and recovery plan, the change management process, and any other major process that IT uses. I’ve done audits of how the domain name system (DNS) works, reviewed Active Directory configuration, and how the extract, transform, and load (ETL) process in the company moves data around between systems and applies business rules.
You could also an audit on data governance and, at a high level, all the repositories the company uses for applications and analytics, as well as the systems and tools used to manage them. I recommend doing a high-level audit first to identify the overall problematic themes, and then is subsequent audits, dive in deeper into the most risky areas. This is a good way to grow audit skills; you learn as you go.
For one of my favorite audits, search for the phrase ‘Server Audit for the Dauntless’ on my blog. Another was the server virtualization audit, which looked at the application that is used and the process for creating and removing those servers, along with who has access, etc.
The possibilities are virtually endless (pun intended). Hope that helps.
So does your company not do other types of audits or are you just stuck doing those types of audits?
Late Edit: One way to do other audits: find a risk that hasn’t been covered yet, and volunteer to do the audit. I guarantee you will learn a lot, and you just might impress your mgmt. Repeat this process over and over until you are given these types of audits regularly.
LikeLike