Do you perform appropriate population validation of the data you rely on in an audit?
Population validation is simply gaining confidence that the data you are using in your audit contains all the appropriate data for your audit objectives (e.g., your server list includes all the SOX servers).
For the difference between population validation and data validation, see Why You Must Validate Data.
So how do you do population validation? Let’s look at an example…
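One way to do it in practice, as an added example that is not part of the original post: take the server list the control owner gives you and reconcile it against sources you obtained independently (CMDB entries for the application, hosts found listening on the application's database port in a scan) plus an authoritative "does this host exist" list such as AD computer objects. The inventories in the script are constructed sample data, and the host and source names are assumptions standing in for real exports.

```python
"""Population validation: reconcile the claimed list of in-scope (SOX)
servers against independently obtained sources before relying on it.

Added example, not code from the original post. All inventories below
are constructed sample data standing in for real exports.
"""
from collections import defaultdict
from typing import Dict, Iterable, List


def normalize(host: str) -> str:
    """Hostnames arrive as FQDNs, short names and mixed case; compare the short name."""
    return host.strip().lower().split(".")[0]


def validate_population(claimed: Iterable[str],
                        sources: Dict[str, Iterable[str]],
                        directory: Iterable[str]) -> Dict[str, object]:
    """Reconcile the claimed population against independent sources.

    claimed   - the server list the control owner handed you
    sources   - independently obtained lists that should each be a subset
                of the claimed population (CMDB entries for the app, hosts
                answering on the app's port in a scan, ...)
    directory - an authoritative list of hosts that exist at all (e.g. AD
                computer objects); a claimed host absent from it is stale
    Returns hosts missing from the claimed list (with the sources that know
    them) and claimed hosts the directory no longer knows about.
    """
    claimed_set = {normalize(h) for h in claimed}
    missing: Dict[str, List[str]] = defaultdict(list)
    for label, hosts in sources.items():
        for h in {normalize(x) for x in hosts}:
            if h not in claimed_set:
                missing[h].append(label)
    known = {normalize(h) for h in directory}
    stale = sorted(claimed_set - known)
    return {"missing": {h: sorted(v) for h, v in sorted(missing.items())},
            "stale": stale}


# Constructed sample data (hypothetical host names).
CLAIMED_SOX_SERVERS = ["GLAPP01", "glapp02.corp.example", "GLDB01", "GLAPP03"]
INDEPENDENT_SOURCES = {
    "cmdb_app_gl": ["GLAPP01", "GLAPP02", "GLDB01", "GLDB02"],
    "scan_port_1433_gl": ["gldb01", "gldb02", "glrpt01"],
}
AD_COMPUTERS = ["GLAPP01", "GLAPP02", "GLDB01", "GLDB02", "GLRPT01", "FILESRV01"]


def run_sample() -> Dict[str, object]:
    """Run the reconciliation over the constructed sample data."""
    return validate_population(CLAIMED_SOX_SERVERS, INDEPENDENT_SOURCES, AD_COMPUTERS)


if __name__ == "__main__":
    result = run_sample()
    for host, srcs in result["missing"].items():
        print(f"NOT IN SOX LIST: {host} (seen in {', '.join(srcs)})")
    for host in result["stale"]:
        print(f"STALE ENTRY: {host} (not found in directory)")
```

On the sample data the reconciliation reports GLDB02 (known to both the CMDB and the scan) and GLRPT01 (found only by the scan) as missing from the claimed list, and GLAPP03 as a stale entry. The point is that each independent source is a check on the others; a list that agrees with only the source it was generated from has not been validated.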
Filed under Audit, How to...
When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:
- Application ID
- Application role or group
- Membership in a local server group, Active Directory (AD) group, or UNIX group
- Access to the application’s share and/or folder on the server
- Database ID
- Database role, including access permissions (read/write)
- Other permissions (granted by home-grown application code or an enterprise identity management system)
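The reason to check every layer is that access at one layer can exist without any trace at another, so a review that only reads the application's own user list misses it. The following is an added example, not code from the original post: it joins constructed exports for the layers above (application roles, AD groups, share ACLs, database roles) into each account's effective access and flags accounts that hold database write rights or share access without an application ID. Account, group, share and role names are assumptions.

```python
"""Cross-layer access review: build each account's effective access from
every layer on the checklist and flag access that bypasses the application.

Added example, not code from the original post. The exports below are
constructed sample data (hypothetical names) standing in for the
application user list, AD group membership, share ACLs and database role
membership you would pull for a real review.
"""
from typing import Dict, List, Set

APP_ROLES: Dict[str, Set[str]] = {          # application ID -> application roles
    "jdoe": {"GL_Poster"},
    "asmith": {"GL_Viewer"},
}
AD_GROUPS: Dict[str, Set[str]] = {          # AD account -> AD groups
    "jdoe": {"GL-Users"},
    "asmith": {"GL-Users"},
    "bjones": {"GL-Admins"},
}
SHARE_ACL: Dict[str, Set[str]] = {          # share -> groups granted access
    r"\\glapp01\GLData": {"GL-Users", "GL-Admins"},
}
DB_ROLES: Dict[str, Set[str]] = {           # database ID -> database roles
    "jdoe": {"db_datareader"},
    "bjones": {"db_owner"},
    "svc_gl": {"db_datawriter"},
}
DB_WRITE_ROLES = {"db_owner", "db_datawriter", "db_ddladmin"}


def effective_access(user: str) -> Dict[str, Set[str]]:
    """Everything the account holds, layer by layer; share access is
    derived from the AD groups the share ACL grants."""
    groups = AD_GROUPS.get(user, set())
    shares = {s for s, allowed in SHARE_ACL.items() if groups & allowed}
    return {
        "app_roles": APP_ROLES.get(user, set()),
        "ad_groups": groups,
        "shares": shares,
        "db_roles": DB_ROLES.get(user, set()),
    }


def all_accounts() -> Set[str]:
    """Accounts seen in any layer, not just the application's user list."""
    return set(APP_ROLES) | set(AD_GROUPS) | set(DB_ROLES)


def find_bypass_access() -> Dict[str, List[str]]:
    """Accounts whose access does not appear in the application's own user
    list: direct database write rights or share access without an
    application ID."""
    findings: Dict[str, List[str]] = {}
    for user in sorted(all_accounts()):
        acc = effective_access(user)
        if acc["app_roles"]:
            continue  # visible to an application-level review
        reasons = []
        if acc["db_roles"] & DB_WRITE_ROLES:
            reasons.append("db write role without application ID")
        if acc["shares"]:
            reasons.append("share access without application ID")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_bypass_access().items():
        print(user, "->", "; ".join(reasons))
```

On the sample data, bjones (no application ID, but db_owner and GL-Admins share access) and svc_gl (db_datawriter only) are flagged; neither would show up if the review stopped at the application's role list.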
What’s the biggest problem in computer security, according to valsmith at carnal0wnage.attackresearch.com? Well, it’s…
As the author admits, the post leans toward self-promotion of the company, but it makes many good points and deserves a read and a good pondering.
Filed under Audit, Security
I recently found a Sarbanes-Oxley (SOX) Space Lazer (sic) on a network security diagram. No kidding. The following items also appeared:
- Interstate 495
- Wang 5000
- Peanut butter
- Printer of evil
- Gene Hackman
- Automated Retirement Party Flyer Generation Appliance
If you’re an auditor, you’re most likely not the most popular person around, at least in most companies. Unfortunately, auditors are hated (I don’t think that’s too strong a word in some circles) for a number of reasons, as noted below. Fortunately, most of them are avoidable.
- SOX is a waste of time. For most auditees, SOX takes a lot of valuable time away from accomplishing the “real work” of keeping the business running. When you hear this complaint, it usually means one or more of the following is true:
I don’t make this stuff up…
In a recent phone interview where I was trying to hire an IT SOX auditor for a short-term project, I had asked most of my interviewing questions. So I asked the candidate, “Do you have any questions for me?”
“You said that this project consists solely of testing IT SOX controls. SOX is now 5 to 6 years old. What is driving this project?”
I swallowed my surprise, and answered, “SOX compliance – annual testing requirements.”
“Oh,” said the consultant, “That makes sense.”
[You know what that means, don’t you? More interviews. Help!]
David S. Hilzenrath, of the Washington Post, writes:
The Supreme Court yesterday agreed to consider a challenge to the Sarbanes-Oxley Act of 2002, the centerpiece of the government’s response to the watershed accounting scandals at Enron and WorldCom.
Lenny Zeltser suggests 5 steps that mid-market organizations can take down the security path:
- Identify key data flows
- Understand user interactions
- Examine the network perimeter
- Assess the servers and workstations
- Look at the applications
Is PCI still relevant? Some are proclaiming that PCI is irrelevant due to the recent, high-profile breaches. David Mortman disagrees, and I’m on his side.
Filed under Audit, Security