Your SlideShare is downloading. ×
Whose Afraid Of The Big Bad Wolf
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Whose Afraid Of The Big Bad Wolf


Published on

A talk I gave to the NEOISF group.

A talk I gave to the NEOISF group.

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service
  • 2.
    • Jeff Kirsch
    • 14 years in Audit
    • 10 years in IT Audit
  • 3. ghostnomad got into computers: age 9 attempted computer science no passion to code on deadlines
  • 4.
    • Have you been audited?
    Honesty Then you have lied So auditors need to lie
  • 5. Defensive Audit Techniques Use terms to depersonalize & confuse Request more information than you need Hide the fact results will sink the “auditee”
  • 6. Grand Finale – We are here to help Wait, what?
  • 7. Evil Auditors, Really? Understanding is the foundation we lack Everyone uses their own lingo Nobody likes to be corrected
  • 8. Lets Talk Audit
  • 9. Audit
    • Evaluation of a person, organization, system, process, enterprise, project or product.
    • - wikipedia
  • 10. Inherent Risk
    • Risk exists without consideration of controls
    We have controls so who cares, right? Are your controls working
  • 11. Scope What is the purpose of the audit Drives the audit results
  • 12. Controls A process or procedure which manages risk Controls must have a cost benefit Management defines controls
  • 13. Types of Audits Financial Audit/Attestation SAS 70 Regulatory/Compliance
  • 14.
    • Why are results significant?
    • Stockholders
    • Regulators
    • Executives
    • Management
    Oh hey, you too
  • 15. How to deal with auditors
    • If you don’t understand, ask
    • If they don’t understand, explain
    • Communication is key
    Don’t try to hide things, someone will spill the beans at some point
  • 16. How to Manage Auditors
    • Clarify the “scope” and don’t be afraid to ask how it fits in to testing
    • Keep documents up to date, they reduce face time
    • If you know it is ongoing, develop your own response process
  • 17. Drive Out Value
  • 18.
    • The security of an information technology (IT) system typically can be improved if the identified software flaws and configuration settings that affect security are properly addressed.
    • -- NIST “Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4“
  • 19. Where is the Value Audit as a Hammer (yeah, I went there) Audit has direct line to upper management Shows the forest when you only see trees
  • 20. Types of Audits Redux Financial Audit/Attestation SAS 70 Regulatory/Compliance
  • 21.
    • In IT Audit it is all about controls
    • Information Security is all about controlling
    • What makes you think we are different?
  • 22.
    • My corollary “then auditors are like the actuaries”
    Rafal Los said “People in infosec are like insurance salesmen” Insurance policies make money because you have to know how to price the risk and sell the risk
  • 23. Where to Find Me
    • Twitter: @ghostnomad
    • Email: [email_address]
    • Blog:
      • Or
  • 24. Hidden Message Whose Afraid of the Big Bad Wolf: Accepting Audit as a Service
  • 25. Questions?