Whose afraid of the big bad wolf
Let’s see if you have a picture in your head of auditors. Do you see them, sitting there in the darkness, with a maniacal look on their faces? They pore over your documentation and configuration files just hoping to find the red meat. If there is anything juicy they will find it and feed off it at your expense. Is this the image you have of auditors? Perhaps you were burned during an audit, or just didn’t have a very good experience at the auditor’s hands. With a bit of explanation, your next audit doesn’t have to be so stressful and adversarial. Maybe, just maybe, you can walk away with some value to help improve what you do that you hadn’t thought of before.

Starting from the beginning, we will walk through why IT auditors exist and what role they play in the organization’s risk management process. Since we all can relate to risk, maybe we can find the common ground and start to derive value from what auditors provide. Given the right amount of attention and care, organizations can ultimately benefit from IT and Audit working together. Plus, you will sleep better at night knowing the bogeyman is just a myth.

Speaker Bio
Jeff Kirsch is an IT auditor by day and ghostnomad, an infosec geek alter ego, every chance he can get. Always trying to learn new things drives him to find better ways to help others learn about technology. His passion for technology also drives him to help those in technology understand auditors and the audit process.

Published in: Technology
Transcript

  • 1. Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service
  • 2. Jeff Kirsch: 14 years in Audit; 10 years in IT Audit
  • 3. ghostnomad: got into computers at age 9; attempted computer science; no passion to code on deadlines
  • 4. Have you been audited? Honesty: then you have lied, so auditors need to lie
  • 5. Defensive Audit Techniques: use terms to depersonalize and confuse; request more information than you need; hide the fact that results will sink the “auditee”
  • 6. Grand Finale – We are here to help. Wait, what?
  • 7. Evil Auditors, Really? Understanding is the foundation we lack; everyone uses their own lingo; nobody likes to be corrected
  • 8. Let’s Talk Audit
  • 9. Audit: evaluation of a person, organization, system, process, enterprise, project or product. (Wikipedia)
  • 10. Inherent Risk: the risk that exists without consideration of controls. We have controls, so who cares, right? Are your controls working?
  • 11. Scope: what is the purpose of the audit? Scope drives the audit results
  • 12. Controls: a process or procedure which manages risk; controls must have a cost benefit; management defines controls
  • 13. Types of Audits: Financial Audit/Attestation; SAS 70; Regulatory/Compliance
  • 14. Why are results significant? Stockholders; Regulators; Executives; Management. Oh hey, you too
  • 15. How to deal with auditors: if you don’t understand, ask; if they don’t understand, explain; communication is key. Don’t try to hide things; someone will spill the beans at some point
  • 16. How to Manage Auditors: clarify the “scope” and don’t be afraid to ask how it fits in to testing; keep documents up to date, they reduce face time; if you know it is ongoing, develop your own response process
  • 17. Drive Out Value
  • 18. “The security of an information technology (IT) system typically can be improved if the identified software flaws and configuration settings that affect security are properly addressed.” -- NIST, “Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4”
  • 19. Where is the Value: Audit as a Hammer (yeah, I went there); Audit has a direct line to upper management; shows the forest when you only see trees
  • 20. Types of Audits Redux: Financial Audit/Attestation; SAS 70; Regulatory/Compliance
  • 21. Different? In IT Audit it is all about controls. Information Security is all about controlling. What makes you think we are different?
  • 22. Rafal Los said “People in infosec are like insurance salesmen.” Insurance policies make money because you have to know how to price the risk and sell the risk. My corollary: “then auditors are like the actuaries”
  • 23. Where to Find Me: Twitter: @ghostnomad; Email: [email_address]; Blog: www.ghostnomad.com/blog or www.it-haiku.com
  • 24. Hidden Message: Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service
  • 25. Questions?
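Slide 10 asks “Are your controls working?” and slide 18 quotes the NIST XCCDF specification on addressing configuration settings that affect security. The following is an added example, not part of the original slides: a small checklist evaluator in the spirit of XCCDF that reads an sshd_config-style file, compares each setting with an expected value, and produces the pass/fail evidence an auditor would ask for. The sample configuration, the checklist and the rule identifiers (chk-ssh-01 and so on) are constructed for illustration and are not taken from any real benchmark.

```python
"""
Added example (not from the slides): a minimal configuration-checklist
evaluator. It parses a 'Key value' config file, tests each setting against
an expected value, and returns one evidence record per rule so that
"are your controls working?" has an answer you can hand to an auditor.
The config text, checklist and rule IDs below are constructed samples.
"""
import re
from dataclasses import dataclass

# Constructed sample sshd_config with deliberately weak settings.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical identifier, not a real benchmark ID
    key: str          # configuration keyword (case-insensitive in sshd)
    expected: str     # value the control requires
    rationale: str    # why the control exists; goes into the evidence


# Constructed checklist: each rule names the control it tests.
CHECKLIST = (
    Rule("chk-ssh-01", "PermitRootLogin", "no", "direct root logon defeats accountability"),
    Rule("chk-ssh-02", "PasswordAuthentication", "no", "forces key-based authentication"),
    Rule("chk-ssh-03", "X11Forwarding", "no", "reduces attack surface"),
    Rule("chk-ssh-04", "MaxAuthTries", "4", "limits online password guessing"),
    Rule("chk-ssh-05", "ClientAliveInterval", "300", "drops idle sessions"),
)


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Key value' lines into a dict keyed by lower-cased keyword.

    Comments (after '#') and blank lines are ignored; a repeated keyword
    keeps the last value seen, so the result reflects the effective file.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def evaluate(config_text: str, checklist=CHECKLIST) -> list[dict]:
    """Return one evidence record per rule: expected, observed and status.

    A keyword that is absent is reported as 'missing' rather than passed:
    the daemon's default may or may not satisfy the control, and the
    auditor needs to see that the setting was never made explicit.
    """
    settings = parse_config(config_text)
    results = []
    for rule in checklist:
        observed = settings.get(rule.key.lower())
        if observed is None:
            status = "missing"
        elif observed.lower() == rule.expected.lower():
            status = "pass"
        else:
            status = "fail"
        results.append({
            "rule_id": rule.rule_id,
            "key": rule.key,
            "expected": rule.expected,
            "observed": observed,
            "status": status,
            "rationale": rule.rationale,
        })
    return results


def summarize(results: list[dict]) -> dict[str, int]:
    """Count records by status; a single failing or missing rule is a finding."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for record in results:
        counts[record["status"]] += 1
    return counts


if __name__ == "__main__":
    evidence = evaluate(SAMPLE_CONFIG)
    for r in evidence:
        print(f"{r['rule_id']}  {r['key']:<22} expected={r['expected']:<4} "
              f"observed={str(r['observed']):<5} {r['status']}")
    print(summarize(evidence))
```

Run against the constructed sample, the evaluator reports one pass, three fails and one missing setting; the “missing” status is the point worth keeping when you adapt this, because silently treating an unset keyword as compliant is exactly the kind of gap an auditor will find and you will not.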