Presenting IS Audit Findings Effectively
ISACA’s IT audit framework (ITAF) provides guidance to IS auditors. ITAF also includes guidance for writing audit reports. However, after observing many audit reports, there appears to be no uniformity in reporting findings to the auditee management. Generally, there are 3 activities associated with reporting audit findings:
- Exit interviews with the auditee to confirm findings and to request a proposed action plan
- Formal report containing findings and associated risk to the organization
- Presentation to senior management
The following presents 2 stories in which an audit manager used different methods to communicate audit findings effectively.
During 1 audit, the board of directors was keen on having a presentation from the audit manager on audit findings; however, the time allotted to present multiple findings was only 10 minutes. This prompted a change in approach to make the presentation to management. Before this time constraint was implemented, the audit manager intended to explain every finding to the audience, but due to the time limit, the audit manager prepared a presentation containing block diagrams for major processes, e.g., change management, access management, risk management, control monitoring, application development and maintenance. The activities in these process diagrams were marked using traffic signal colors to denote a problem area (red), a weak area (yellow) and a properly controlled area (green) instead of discussing the individual findings. This helped the audit manager to explain to the board where senior management should focus. The presentation was appreciated by the management and, of course, concluded on time.
In another audit, the audit committee requested a presentation that included the chief financial officer (CFO) and chief innovation officer (CIO). The audit manager was concerned because the findings were of a technical nature and using technical terms. The audit manager prepared a presentation to explain how weak IT-related controls were impacting business process efficiency, effectiveness and cost. At the end of the presentation, the CIO thanked audit manager and added, “Now I know I am here to help the business and not just to manage IT.”
When presenting an audit report, it is best to understand and relate the audit findings by:
- Using operational processes, e.g., risk management, change management, access control management, software development and acquisition, data protection, compliance, and security operations, to identify weak areas
- Where possible, expressing the impact of IT-related weak controls on business operations or service delivery
Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.
Become a More Skilled Networker
While networking plays a valuable role in career advancement, many professionals find networking to be daunting. To help professionals make the most of networking opportunities, ISACA is presenting the “Pragmatic Networking: One of Your Most Effective Career Tools” webinar. This webinar will take place on 25 August at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.
Because women remain a minority in IT audit and information security, many women find it challenging to network. This webinar, while useful for all professionals, will provide women with additional insights on how to network effectively. Caitlin McGaw, president and chief recruiting officer of Candor McGaw, Inc., will lead this webinar. In it, she will discuss practical methods to become a more skilled networker and the unique advantages that women bring to the networking dynamic. Attendees will learn how to overcome feeling nervous while networking, goal setting for networking, following up after networking and much more.
To register for this webinar, visit the Pragmatic Networking: One of Your Most Effective Career Tools page of the ISACA web site.
Guidance on Implementing a GEIT Framework
Effective governance of enterprise IT (GEIT) helps enterprises lower their costs and provides them with greater efficiency and effectiveness. To help practitioners implement a GEIT system, ISACA has released Getting Started With Governance of Enterprise IT (GEIT). This publication covers how to use a framework to implement GEIT, the resources needed to implement the framework and the benefits that can occur as a result of effective governance.
This guide provides practical guidance on using governance materials. While there is some theoretical content in this guide, much of it describes a business problem and how to approach it with governance tools. The guide describes elements of COBIT and how the COBIT enablers can be used to execute governance and management. The guide then uncovers and addresses the root cause of the sample business problem and shows how changes to the business process could prevent the problem from recurring.
To learn more about this publication or to download it, visit the Getting Started With Governance of Enterprise IT (GEIT) page of the ISACA web site.
Learn to Achieve Better Efficiency in Security at CSX North America Conference
Efficiency remains a concern in the information security industry. Because attacks are becoming more sophisticated, organizations need to be more efficient in detecting and containing breaches. An ISACA keynote address at the CSX 2016 North America Conference will help attendees learn more about the importance of efficiency and how it applies to the security landscape.
Brett Kelsey, CISA, CISSP, will give the keynote address “Achieving Better Efficiency in Security.” In this presentation, he will explain how the information security industry is adapting to modern threats. Kelsey will explain the current threat landscape, the talent shortage and security inefficiencies. After discussing these challenges, Kelsey will address the importance of having an effective, adaptive and collaborative security infrastructure.
The CSX 2016 North America Conference will take place on 17-19 October in Las Vegas, Nevada, USA. To learn more about the conference or register for it, visit the CSX 2016 North America Conference page of the ISACA web site.
The New Age of Near-zero Privacy
As a result of high-profile security breaches, privacy has been greatly diminished over the last few years. ISACA Journal volume 4 author C. Warren Axelrod, Ph.D., CISM, CISSP, discusses the way in which data privacy has changed in his article “The New Age of Near-zero Privacy.”
There seems to be a great deal of confusion as to what privacy actually is; the differences between data privacy and the right to privacy; how privacy is distinct from security, secrecy and safety; and which data should be classified as private or secret and which should not. It is useful to view privacy as a legal right and security technology as a means to achieve it.
First, one must distinguish among physical data privacy, electronic data privacy, physical privacy, secrecy, security and safety.
Privacy vs. Secrecy
In many respects, privacy and secrecy are very similar. The main difference is well expressed by Eric Hughes, as follows: “A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anyone to know.”
Another difference is that private data must be attributable, whereas secrets may be anonymous. Further, secrets do not have to relate to persons; they can be about intellectual property, such as recipes or machine designs.
The same means of protection, authentication and authorization, such as encryption, are often common to privacy and secrecy. However, sometimes secrets might be accidentally disclosed along with privacy-related data, as was the case with Edward Snowden’s leaks, and might lead to dangerous information being made available to enemies as well as intended recipients. For both privacy and secrecy, those for whom the information is meant have to be carefully vetted.
Privacy vs. Security
The terms “privacy” and “security,” as they relate to personal information, are often used interchangeably. Many experts prefer to think of privacy as a legal right with security providing the means (tools, methods, policies and procedures) to ensure that the personal information is protected against unauthorized access and use.
Security vs. Safety
One set of definitions for security and safety, as they relate to software, is:
- Safety-critical software—The software must not harm the world.
- Security-critical software—The world must not harm the software.
Essentially, security and safety engender different cultures, with the cybersecurity professional focused on protecting systems and data from unauthorized access and use, and safety engineers concerned about what harm the system might inflict on persons or the environment were it to malfunction or fail.
Secrecy vs. Safety
Increasingly, it is becoming possible for privacy and secrecy to affect a person’s well-being. It is clear that breaches of web sites such as Ashley Madison not only damage relationships, but can lead to suicide, as was reported after users’ personal information was made public.
Given the generally observed apathy of many of those whose information has been compromised, (which might result from the enormity of the problem and the lack of confidence that it can be eliminated), there seems to be little hope of a major effort to raise data privacy to a level that will motivate a response large enough to make a difference. If that is indeed the case, then individuals will continue to be inconvenienced by the aftermath of data breaches, companies will still absorb the resulting losses as a cost of doing business, and governments will persist in taking ineffectual potshots at perpetrators of fraud and other crimes. Thus, the acceptance of increasing violations of electronic and physical privacy will grow and little will be done.
The hope is that the immense cost to individuals, organizations and society at large of repeated privacy abuses is recognized and awareness is raised, not only of the resultant losses, but also that the challenge can be met if there is enough resolve to take it on.
Read C. Warren Axelrod’s full online-exclusive ISACA Journal article, “The New Age of Near-zero Privacy.”