Some Periodic Reviews Provide Little Assurance

I’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.

My previous post focused mostly on server access. In this post, I want to look at normal user access.

For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.

Assume the control you are testing states that user access is reviewed annually.

Continue reading →

Audit Automation is NOT all Automation

Some Chief Audit Executives (CAEs) and audit managers tend to think that audit automation is a set-it-and-forget-it process. NOT.

In this post, I want to expand on a problem I mentioned in an earlier post , 10 Signs Mgmt Doesn’t Really Support Analytics.

Audit management too often thinks that once a process or an audit is automated, ALL auditor/staff hours previously spent performing that process can be reassigned elsewhere.

That is not the case at all.

Continue reading →

How to Review Your ACL Log

Whether you script your projects or use menu commands, you need to review your ACL log carefully.

Good analysts review their results and the log as they work in ACL, after they think they are done, and have others review their log before the ACL project is relied upon.

(You can’t imagine the dumb mistakes my team and I found that saved us a lot of embarrassment later.)

Continue reading →

FREE CISA Exam Practice Questions

If you’re looking for FREE practice questions for the CISA exam, I found a good resource.

The site provides over 900 questions for you to test yourself.

Continue reading →

Don’t Use GRC app to do Workpapers!

I consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.

That wasn’t the only move that was questionable…

Continue reading →

Review of ACL Excel Add-in, Now FREE! (NOT)

In case you missed it, ACL released the next version of their Acerno product, renamed it ACL Excel Add-in, and made it FREE!  2021 UPDATE – it doesn’t look like it’s free any more; requires ACL subscription.

UPDATE – I’m guessing that since this product never caught on, they only give it away to subscribers – go figure.

So I thought I’d update my review.

For my original review of Acerno, see A Review of ACL Acerno. It still seems that I’m the only one who ever took the time to review the product (versus marketing blurbs, which are all over the ‘net), which appears to be a statement regarding its popularity.

Despite the poor popularity, since they updated it AND made it free, I decided to dive in for another look.

Note: This add-in is not just for auditors! Any one who regularly reviews data should consider using this simple, EASY-to-use software.

Please take the new & improved poll at the bottom of this post (also free).

Continue reading →

Periodic Access Review Problems

One of my current clients is trying really hard to do periodic access reviews.

They know that mistakes are made in granting access, that users get access and eventually don’t need it anymore, but don’t tell anyone, and that some users leave the company without their manager’s knowledge (I never have understood how that happens, but it does; it has happened in every Fortune 500 company in which I’ve worked).

Continue reading →

FREE Infosec & Web Pentesting Education

Security Monkey posted that PentesterLab has some great resources that provide training on pentesting, like:

• Basics of Web
• Basics of HTTP
• Detection of common web vulnerabilities:
• Basics of fingerprinting
• and more! (like Linux Host Review)

Continue reading →

LinkedIn Hack: Don’t Just Change Password, Reconfigure

We all know that LinkedIn was hacked and lost at least 6.5 million hashed passwords, or at least that’s how many were was posted. Besides changing passwords, is anyone thinking about their LinkedIn lock-down/security settings? What about other social media? See further below instructions for locking down LinkedIn, Facebook, Twitter, and Google+.

Continue reading →

A Review of ACL Acerno

I haven’t been able to find any reviews of ACL Acerno, so I decided I better get to it.

What is Acerno?

According to ACL’s website, ACL Acerno is a Microsoft Excel Add-in that allows you to efficiently and easily investigate the results generated by ACL software or other sources and share your findings. For a quick overview, watch this video or check out the quick reference sheet (pdf)—-This info must have been removed when the software was updated.

Acerno is $250 per user.

Even if you don’t read the rest of this, if you’re an auditor, please take the poll at the end of this post.

Continue reading →

Risk: Look Both Ways

On my walk to work, I cross a lot of 1-way streets. I always look both ways. Sometimes, when a friend or colleague is walking with me, I get teased me about this. I always reply with this question: Have you ever driven down a 1-way street the wrong way? For some reason, I never get a reply and another subject surfaces.

When I crossed one of those streets the other day, I realized that some people look at audit/security/risk the same way. They only look one way because of the people or rules or controls or norms that govern the activity. They fail to think outside of the cubicle and look the other way–the path seldom traveled.

Continue reading →

2010 Mid-Year Review: Most Popular Posts

Top 5 Posts

Here’s the top 5 posts between January and June, 2010. If you missed one of these posts, you might want to check it out.

Teach Yourself ACL

This post about Audit Command Language (ACL) software gets twice as many hits as any other post. If you want to know why this bothers me, see the January 2010 review.

PWC Resignation Letter

The popularity of this one really surprised me. But then again, it’s funny, sad, and really hits home if you’re an auditor (or a recovering one).

Top 10 Pay-Boosting Tech Certifications

In addition to the list published by Dice, I added some comments, and describe how the CISSP has affected my salary.

Continue reading →

Quote of the Weak (Pass the control)

A colleague of mine is doing some testing for an audit director that changes her mind frequently on how to deal with audit findings. Occasionally, she is all about nailing control owners who do not have all their ducks groomed and in a row. At other times, she pushes Audit to work as hard as possible to pass all controls.

Continue reading →