If you want to increase the effectiveness of your audits and find risks that haven’t been identified before, you need to shatter your silos so you can identify more risk.
Too often, audits are performed on one process, one category, or one system: Earning Commissions, Windows Servers, or Wire Transfer. Each one of those is a separate silo (one for oats, one for corn, one for rice).
Filed under Audit, Data Analytics, fraud, How to..., Technology
Tagged as Audit, boundary, combine, commissions, dauntless, fraud, general ledger, multiple, new, risk, Silos, windows server
At a company I worked at recently, I ran across a Sharepoint site and wondered whether I could download data that I wasn’t supposed to see.
Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.
So I decided to check (before doing things like this, you better know How to Stay Out of Jail).
Filed under Audit, Excel, How to..., Security, Security Scout, Technology
Tagged as access, account, anonymous, authentication, database, download, excel, failure, intranet, lotus notes, permission, rights, risk, search, Security, sharepoint, stay out of jail
If your department doesn’t track metrics on your analytics, you are probably not doing analytics or you are making little progress in analytics.
In either case, it's obvious that analytics isn't very important to your management.
Which is one of the points I made in my post, 10 Signs Mgmt Doesn’t Really Support Analytics.
So far, I have encountered very few audit departments that track meaningful metrics about their analytics.
Counting the number of projects that include analytics isn’t enough.
Filed under Audit, Data Analytics, How to..., Written by Skyyler
Tagged as acl, analytics, Audit, automation, color, continuous, dollars, excel, finding, frequency, hours, IDEA, issue, metrics, monitoring, Power BI, project type, risk, saved, software, source file, success
Before you choose a career as an IT auditor, consider my top 10 reasons why being an IT auditor is so hard.
Filed under Audit, Employment, Technology, Top 10
Tagged as bad news, behind locked doors, blame, demotion, difficult, experts, fired, hard, independence, internal attacker, internal audit, it audit, jail, messenger, mistake, prison, public, risk, walked out
One of my current clients is trying really hard to do periodic access reviews.
They know that mistakes are made in granting access, that users get access and eventually don’t need it anymore, but don’t tell anyone, and that some users leave the company without their manager’s knowledge (I never have understood how that happens, but it does; it has happened in every Fortune 500 company in which I’ve worked).
Filed under Audit, Security, Technology
Tagged as accept, access, AD, admin, annual, group, local, mitigation, periodic, permission, review, risk, Security, server, theatre, user, Windows, Yoda
When you evaluate the risk of a vulnerability, do you do it in the dark?
Or do you take into account other factors that might affect the risk?
What if one of the factors is an existing audit issue that has not been remediated?
If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?
Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.
Filed under Audit, Certification, Security, Technology
Tagged as Audit, auditor, basics, certification, cia, cisa, cism, CISSP, cost, cpe, dummies, exam, financial, gold standard, guide, iia, internal, isaca, isc2, IT, learn, master, mcse, path, pay, perception, risk, salary, Security, study, survey, trifecta, tutorial
If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year cycle.
For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?
Filed under Audit, How to..., Security, Technology
Tagged as access, admin, Audit, backup, change, citrix, configuration, disaster, ESX, expertise, guest, host, hyper-v, policy, recovery, risk, Security, server, snapshot, Unix, user, virtual, VMWare, Windows, Xen
Here are a couple of tips for making your IT audits a bit easier in the new year.
First, for those systems that don’t record the creation or deletion date of user accounts (or folders, permissions, or whatever), get a list of all accounts from IT in January. Then when you do the audit later in the year, get a new list and compare it with the January list. The new and deleted accounts will jump out at you.
Filed under Audit
Tagged as account, Audit, centralize, future, January, list, new year, paper, risk, search, tips, to do, work
Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again. Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.
Auditors that do the following are “hated”…
Filed under Audit
Tagged as auditee, auditor, emotion, facts, Gan Subramaniam, hate, isaca, management, objectivity, Q & A, report, risk, status report
Here's my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers)):
We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.
Filed under Quote of the Weak, Security
Tagged as ethicalhacker, etsy, harden, machines, monitor, Quote of the Weak, risk, Security, server, servers, sprawl, traffic, virtual, VM, VMWare, vulnerability
The Institute of Internal Auditors (IIA) has back-to-basics articles for new auditors (and like Dummies books, the topics can be a reference for the rest of us). Even security pros might want to read a few of these to better understand their auditors, or how those auditors should be doing their jobs.
The topics are as follows (no special order):
Filed under Audit, How to...
Tagged as Audit, business, control, external, follow-up, iia, internal, interview, kickoff, meeting, procurement, recommendation, report, risk, sampling, success, surprise, workpaper
As an auditor, I’ve been accused many times of looking for trouble. I have to admit that it’s true, because that’s my job. But too often, trouble comes looking for me. Sure it makes my job easier, but it also makes me scratch my head.
When I was in IT operations, before I got into security and audit, I was always thorough and followed common sense and company policy. However, any projects that I was doing that might draw the eyes of either of those departments, I double-checked prior to delivery. Most bosses don’t like surprises, and I was always a details guy. Besides, why poke the bear?
Filed under Audit, Case Files
Tagged as admin rights, bite, intern, laptop, least privilege, out-of-date, patch, payroll, risk, server, trouble, voicemail
Greg Shipley,* CTO of Neohapsis, wrote an article in Information Week magazine about cloud computing risks, making the following points:
1) One company discovered it was using Amazon’s cloud services when employees tried to expense the bills. It’s 10 o’clock; do you know where your clouds are?
Filed under Audit, Security
Tagged as amazon, cloud computing, cloud security alliance, control, google, greg shipley, information week, neohapsis, risk, sas 70, SLA, transparency
You might remember the commercial that said, “This isn’t your father’s Oldsmobile,” meaning this car is nothing like the one your father drives. It’s faster, more luxurious, more YOU.
Have you noticed that the opposite is true regarding the hype over social networking and the risk it brings to your business and a computer near you? In other words, to quote an old king, “There is nothing new under the sun.”
Filed under Security
Tagged as awareness, buzz, Facebook, google, king, linkedin, media, networking, nothing new under the sun, oldsmobile, risk, Security, social, threat, Twitter
IT has come up with all kinds of ways to protect assets without applying patches. Yes, patching takes time if done correctly. However, the solutions have issues that need to be kept in mind.
Bruce Schneier has 5 questions for assessing security and the trade-offs that are made during the assessment process.
- What assets are you trying to protect?
- What are the risks to these assets?
- How well does the security solution mitigate those risks?
- What other risks does the security solution cause?
- What trade-offs does the security solution require?
Filed under Audit, Security
Tagged as assets, Audit, Bruce Schneier, internal control, migate, productivity, protect, questions, risk, sarbanes-oxley, Security, trade-off, user
Lenny Zeltser suggests 5 steps that mid-market organizations can take down the security path:
- Identify key data flows
- Understand user interactions
- Examine the network perimeter
- Assess the servers and workstations
- Look at the applications
Filed under Security
Tagged as application, Audit, baby steps, check the box, checklist, classify, configuration, crash, customer information, data flow, database, famous recipe, hack, home computer, insider, internet facing, lenny zeltser, mitigation, outsider, patch, perimeter, plan, risk, Security, server, sox, Technology, time card, USB drive, users, vendor, workstation