Whose Afraid Of The Big Bad Wolf

Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service

Jeff Kirsch
14 years in Audit
10 years in IT Audit

ghostnomad got into computers: age 9 attempted computer science no passion to code on deadlines

Have you been audited?
Honesty Then you have lied So auditors need to lie

Defensive Audit Techniques Use terms to depersonalize & confuse Request more information than you need Hide the fact results will sink the “auditee”

Grand Finale – We are here to help Wait, what?

Evil Auditors, Really? Understanding is the foundation we lack Everyone uses their own lingo Nobody likes to be corrected

Lets Talk Audit

Audit
Evaluation of a person, organization, system, process, enterprise, project or product.
- wikipedia

Inherent Risk
Risk exists without consideration of controls
We have controls so who cares, right? Are your controls working

Scope What is the purpose of the audit Drives the audit results

Controls A process or procedure which manages risk Controls must have a cost benefit Management defines controls

Types of Audits Financial Audit/Attestation SAS 70 Regulatory/Compliance

Why are results significant?
Stockholders
Regulators
Executives
Management
Oh hey, you too

How to deal with auditors
If you don’t understand, ask
If they don’t understand, explain
Communication is key
Don’t try to hide things, someone will spill the beans at some point

How to Manage Auditors
Clarify the “scope” and don’t be afraid to ask how it fits in to testing
Keep documents up to date, they reduce face time
If you know it is ongoing, develop your own response process

Drive Out Value

The security of an information technology (IT) system typically can be improved if the identified software flaws and configuration settings that affect security are properly addressed.
-- NIST “Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4“

Where is the Value Audit as a Hammer (yeah, I went there) Audit has direct line to upper management Shows the forest when you only see trees

Types of Audits Redux Financial Audit/Attestation SAS 70 Regulatory/Compliance

In IT Audit it is all about controls
Information Security is all about controlling
What makes you think we are different?
Different

My corollary “then auditors are like the actuaries”
Rafal Los said “People in infosec are like insurance salesmen” Insurance policies make money because you have to know how to price the risk and sell the risk

Where to Find Me
Twitter: @ghostnomad
Email: [email_address]
Blog: www.ghostnomad.com/blog
Or www.it-haiku.com

Hidden Message Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service

Questions?

http://www.ghostnomad.com	154
http://ghostnomad.com	3
http://feedproxy.google.com	1
http://feeds.feedburner.com	1

Whose Afraid Of The Big Bad Wolf

by ghost nomad on Jul 14, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 159

Statistics

Whose Afraid Of The Big Bad Wolf — Presentation Transcript