How to Describe What an IT Auditor Does?

If you’re an IT auditor, how do you describe your job to those who don’t understand technology or auditing? Even more interesting, how do others describe your activities?

Here’s what I say, but I’m not satisfied with it:

I review computer systems and networks to determine whether they are secure and that access to those systems is limited to the appropriate people.

I review the policies and procedures that describe how those systems are used and determine whether those documents make sense, are up-to-date, and are followed.

Can U Do This Job?

While reading a job description for an IT security analyst recently, I noticed that the details were somewhat vague. The position required so many years of the usual security experience, plus experience with routers, firewalls, and IPS, but it didn’t mention which ones.

Then I saw this statement, which explained the vagueness:

When Mgmt Ignores Security

Too many security folks push security for its own sake–they insist things should be locked down, blocked, and forbidden.

Good security, as well as risk management, is a matter of degree. You need to secure just enough to get by. In other words, don’t spend time, effort, and money implementing security that you don’t need and/or management has not approved.

