Tag Archives: risk

No Metrics, Little Analytics

analytic metrics, numbersIf your department doesn’t track metrics on your analytics, you are probably not doing analytics or you are making little progress in analytics.

In either case, its obvious that analytics isn’t very important to your management.

Which is one of the points I made in my post, 10 Signs Mgmt Doesn’t Really Support Analytics.

So far, I have encountered very few audit departments that track meaningful metrics about their analytics.

Counting the number of projects that include analytics isn’t enough.

Continue reading

1 Comment

Filed under Audit, Data Analytics, How to..., Written by Skyyler

Top 10 Reasons Why Being an IT Auditor is So Hard

tenBefore you choose a career as an IT auditor, consider my top 10 reasons why being an IT auditor is so hard.

Continue reading

3 Comments

Filed under Audit, Employment, Technology, Top 10

Periodic Access Review Problems

One of my current clients is trying really hard to do periodic access reviews.

They know that mistakes are made in granting access, that users get access and eventually don’t need it anymore, but don’t tell anyone, and that some users leave the company without their manager’s knowledge (I never have understood how that happens, but it does; it has happened in every Fortune 500 company in which I’ve worked).

Continue reading

8 Comments

Filed under Audit, Security, Technology

Evaluating Risk in the Dark

risk in the dark2When you evaluate the risk of a vulnerability, do you do it in the dark?

Or do you take into account other factors that might affect the risk?

What if one of the factors is an existing audit issue that has not been remediated?

Continue reading

2 Comments

Filed under Audit

CISA vs. CIA Certification

cisa study guide, tipsIf you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.

Continue reading

172 Comments

Filed under Audit, Certification, Security, Technology

How Virtualization Changes Audits

If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year cycle.

For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?

Continue reading

2 Comments

Filed under Audit, How to..., Security, Technology

More on Hating Auditors

Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again.  Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.

Auditors that do the following are “hated”…

Continue reading

4 Comments

Filed under Audit

Securing Virtual Servers

Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers):

We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.

Continue reading

Leave a comment

Filed under Quote of the Weak, Security

IIA Basics for Auditors

The  Institute of Internal Auditors (IIA) has back-to-basics articles for new auditors (and like Dummies books, the topics can be a reference for the rest of us). Even security pros might want to read a few of these to better understand their auditors, or how those auditors should be doing their jobs.

The topics are as follows (no special order):

Continue reading

4 Comments

Filed under Audit, How to...

Case File: Trouble Bites Auditor

As an auditor, I’ve been accused many times of looking for trouble. I have to admit that it’s true, because that’s my job. But too often, trouble comes looking for me. Sure it makes my job easier, but it also makes me scratch my head.

When I was in IT operations, before I got into security and audit, I was always thorough and followed common sense and company policy. However, any projects that I was doing that might draw the eyes of either of those departments, I double-checked prior to delivery. Most bosses don’t like surprises, and I was always a details guy. Besides, why poke the bear?

Continue reading

Leave a comment

Filed under Audit, Case Files

Shipley on Cloud Computing Risks

Greg Shipley,* CTO of Neohapsis, wrote an article in Information Week magazine about cloud computing risks, making the following points:

1) One company discovered it was using Amazon’s cloud services when employees tried to expense the bills. It’s 10 o’clock; do you know where your clouds are?

Continue reading

1 Comment

Filed under Audit, Security

Not Your Father’s Social Network Risks?

You might remember the commercial that said, “This isn’t your father’s Oldsmobile,” meaning this car is nothing like the one your father drives. It’s faster, more luxurious, more YOU.

Have you noticed that the opposite is true regarding the hype over social networking and the risk it brings to your business and a computer near you? In other words, to quote an old king, “There is nothing new under the sun.”

Continue reading

Leave a comment

Filed under Security

Patch Band-aidment

IT has come up with all kinds of ways to protect assets without applying patches. Yes, patching takes time if done correctly. However, the solutions have issues that need to be kept in mind.

Continue reading

Leave a comment

Filed under Security

Schneier’s Security Trade-offs

Bruce Schneier has 5 questions for assessing security and the trade-offs that are made during the assessment process.

  1. What assets are you trying to protect?
  2. What are the risks to these assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What trade-offs does the security solution require?

Continue reading

Leave a comment

Filed under Audit, Security

5 Security Steps for Non-Big Businesses

Lenny Zeltser suggest 5 steps that mid-market organizations can take down the security path:

  1. Identify key data flows
  2. Understand user interactions
  3. Examine the network perimeter
  4. Assess the servers and workstations
  5. Look at the applications

Continue reading

Leave a comment

Filed under Security