At a company I worked at recently, I ran across a Sharepoint site and wondered whether I could download data that I wasn’t supposed to see.
Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.
So I decided to check (before doing things like this, you better know How to Stay Out of Jail).
Filed under Audit, Excel, How to..., Security, Security Scout, Technology
If your department doesn’t track metrics on your analytics, you are probably not doing analytics or you are making little progress in analytics.
In either case, its obvious that analytics isn’t very important to your management.
Which is one of the points I made in my post, 10 Signs Mgmt Doesn’t Really Support Analytics.
So far, I have encountered very few audit departments that track meaningful metrics about their analytics.
Counting the number of projects that include analytics isn’t enough.
Filed under Audit, Data Analytics, How to..., Written by Skyyler
Before you choose a career as an IT auditor, consider my top 10 reasons why being an IT auditor is so hard.
Filed under Audit, Employment, Technology, Top 10
When you evaluate the risk of a vulnerability, do you do it in the dark?
Or do you take into account other factors that might affect the risk?
What if one of the factors is an existing audit issue that has not been remediated?
Filed under Audit
If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?
Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.
Filed under Audit, Certification, Security, Technology
If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year cycle.
For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?
Filed under Audit, How to..., Security, Technology
Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again. Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.
Auditors that do the following are “hated”…
Filed under Audit
Here’s my take on the issues that I found with the following quote from SC Magazine (for more info, see Quote of the Weak (Securing Virtual Servers):
We don’t treat the virtualization servers any different than the physical servers when it comes to security. We treat them the same. Security is security.
Filed under Quote of the Weak, Security
The Institute of Internal Auditors (IIA) has back-to-basics articles for new auditors (and like Dummies books, the topics can be a reference for the rest of us). Even security pros might want to read a few of these to better understand their auditors, or how those auditors should be doing their jobs.
The topics are as follows (no special order):
As an auditor, I’ve been accused many times of looking for trouble. I have to admit that it’s true, because that’s my job. But too often, trouble comes looking for me. Sure it makes my job easier, but it also makes me scratch my head.
When I was in IT operations, before I got into security and audit, I was always thorough and followed common sense and company policy. However, any projects that I was doing that might draw the eyes of either of those departments, I double-checked prior to delivery. Most bosses don’t like surprises, and I was always a details guy. Besides, why poke the bear?
Filed under Audit, Case Files
Greg Shipley,* CTO of Neohapsis, wrote an article in Information Week magazine about cloud computing risks, making the following points:
1) One company discovered it was using Amazon’s cloud services when employees tried to expense the bills. It’s 10 o’clock; do you know where your clouds are?
You might remember the commercial that said, “This isn’t your father’s Oldsmobile,” meaning this car is nothing like the one your father drives. It’s faster, more luxurious, more YOU.
Have you noticed that the opposite is true regarding the hype over social networking and the risk it brings to your business and a computer near you? In other words, to quote an old king, “There is nothing new under the sun.”
Filed under Security
IT has come up with all kinds of ways to protect assets without applying patches. Yes, patching takes time if done correctly. However, the solutions have issues that need to be kept in mind.
Filed under Security
Bruce Schneier has 5 questions for assessing security and the trade-offs that are made during the assessment process.
Lenny Zeltser suggest 5 steps that mid-market organizations can take down the security path:
Filed under Security
