This is Part 2 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part I.
I picked one of the fields and said, “Please show me how you profiled the Status field, for example.”
The auditor proudly projected his Excel spreadsheet on the conference room screen. He said, “I filtered the Status field to display only records containing ‘Complete’, noted the number of filtered records in the lower left corner, and recorded the value and the number of records in the document.”
Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.
I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.
This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep.
When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for Github repositories, review inventories, schedule meetings, and analyze IT asset data.
I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.
Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).
It Began a Few Years Back
It all started a couple years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.
If you are in IT, audit, or security (or any other job requiring data analysis), you should NOT be cleaning data manually.
Let me share a recent experience with you….
A young IT auditor texted me at work and asked for some Active Directory user account data that I capture automatically every week, using some scheduled ACL scripts.
If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here.
It’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?
Cloud security if often cloudy because it’s not on premise where you can control it easier.
That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….
About a decade ago, I personally witnessed the handover of the simplest, cheapest, and most effective disaster recover plan ever.
Let me first give you a little background….
I worked for a great IT director, who moved to another company, much bigger, and brought me with him.
In the new company, he again was responsible for all IT, and he brought me along to manage security and disaster recovery.
If I named this company, at least 25% of you would recognize it, even those of you around the world–true story, too.
Most of the team deployed to the 2 departments and started emptying wastebaskets in the ‘wastebasket audit‘ exercise, collecting all the trash in large carts on wheels.
Two others were posted as look-outs in the main hallways outside the target department.
I carried my black bag of tools and approached THE door.
I pulled out my favorite flat-head screwdriver. Originally, I was going to remove the closing arm at the top of the door and then pry the hinge pins out of the hinges.
This is the fifth and final post in a series. See the previous post, Behind Locked Doors: Part 4. Start with Behind Locked Doors: Part 1.