Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service
Jeff Kirsch: 14 years in audit, 10 years in IT audit.
ghostnomad: got into computers at age 9; attempted computer science; no passion to code on deadlines.
Have you been audited? Honesty: then you have lied. So auditors need to lie.
Defensive Audit Techniques: use terms to depersonalize and confuse; request more information than you need; hide the fact that the results will sink the auditee.
Grand Finale: "We are here to help." Wait, what?
Evil Auditors, Really? Understanding is the foundation we lack. Everyone uses their own lingo. Nobody likes to be corrected.
Let's Talk Audit
Audit: evaluation of a person, organization, system, process, enterprise, project or product. (Wikipedia)
Inherent Risk: the risk that exists without consideration of controls. We have controls, so who cares, right? Are your controls working?
Scope: what is the purpose of the audit? The scope drives the audit results.
Controls: a process or procedure which manages risk. A control must be justified by its cost-benefit (the cost of the control should not exceed the risk it reduces). Management defines controls.
Types of Audits: Financial Audit/Attestation; SAS 70 (superseded by SSAE 16 / SOC reports in 2011); Regulatory/Compliance.
Why are results significant? Stockholders, regulators, executives, management... oh hey, you too.
How to deal with auditors: if you don't understand, ask. If they don't understand, explain. Communication is key. Don't try to hide things; someone will spill the beans at some point.
How to Manage Auditors: clarify the scope and don't be afraid to ask how it fits into testing. Keep documents up to date; they reduce face time. If you know the audit is ongoing, develop your own response process.
Drive Out Value
"The security of an information technology (IT) system typically can be improved if the identified software flaws and configuration settings that affect security are properly addressed." -- NIST, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4 (NISTIR 7275 Rev. 3)
Where is the Value? Audit as a hammer (yeah, I went there). Audit has a direct line to upper management. Audit shows the forest when you only see trees.
Types of Audits Redux: Financial Audit/Attestation; SAS 70; Regulatory/Compliance.
In IT Audit it is all about controls. Information Security is all about controlling. What makes you think we are different?
Rafal Los said: "People in infosec are like insurance salesmen." Insurance policies make money because you have to know how to price the risk and sell the risk. My corollary: then auditors are like the actuaries.
Where to Find Me: Twitter: @ghostnomad; Email: [email_address]; Blog: www.ghostnomad.com/blog or www.it-haiku.com
Hidden Message Whose  Afraid of the Big Bad Wolf: Accepting Audit  as a Service
Questions?
