ISACA successfully organized a SheLeadsTech event focusing on career development of female IT auditors in Shanghai earlier this month. This was a milestone event in China, believed to be the first female-themed event of this scale among IT auditors in China. Executive speakers from ISACA, a leading accounting firm, a bank, and an insurance company conducted speeches and a panel discussion on selected topics.
Tara Wisniewski, ISACA Senior Vice President, Global Affairs, attended the event and introduced the SheLeadsTech strategic program for the audience. More than 50 professionals attended the event, including some senior male professionals in the industry who provided great support. The event was delivered in both English and Chinese.
Some takeaways and observations from the event:
1. Representation of women in the tech workforce is higher in more developed areas than in less developed areas. Female professionals may leverage the advantage of working in Shanghai to expand their horizons and connect with established valuable groups of professionals.
2. Representation of women in technology leadership roles is increasing.
3. Some global organizations have women’s leadership programs to assist women in growing their careers. These programs share common goals to empower women and create platforms for female participants to collaborate across the globe.
4. Women need to realize their unique values to perform work and communicate in and across organizations. For example, women may have an advantage in terms of interpersonal skills, which is important in gathering information and evidence from various people and roles required for IT auditing.
5. The ISACA Shanghai Community works to provide a platform for women in tech, especially in IT auditing, risk management, governance and in supporting female leadership.
Here is what we recommend female professionals in tech to do based upon the above takeaways and observations:
1. Identify existing and nearby women’s leadership groups and programs from either employers or communities, such as ISACA local communities or chapters, or both, and actively participate in the programs. Reach out to people from the programs and build professional relationships. Attending events is a great way to learn from and communicate with the experienced professionals.
2. Intentionally improve soft skills. Attend relevant courses, learn and practice how to persuade people in order to meet specific business goals, how to perform better in presentations, how to communicate with people in more rational ways, etc.
3. Keep learning and improve expertise. Get familiarized with new technologies and trends. For example, learn IoT technologies, and give thought to how IT auditing may be different in IoT environments. Learn big data technologies, and consider what may be unique in terms of data lifecycle and data governance of big data. The ISACA Journal is a valuable resource that provides useful knowledge and experiences covering these areas and can trigger more thoughts.
The Future of Jobs Report 2018, published by the World Economic Forum, presents a well-researched reading with a thorough and comprehensive coverage of global industries and regions. The essence of the report can be captured in the preface by Klaus Schwab, founder and executive chairman, World Economic Forum, which states “Catalysing positive outcomes and a future of good work for all will require bold leadership and an entrepreneurial spirit from businesses and governments, as well as an agile mindset of lifelong learning from employees.”
It was Peter Drucker who said in a 1992 essay for Harvard Business Review that “In a matter of decades, society altogether rearranges itself – its worldview, its basic values, its social and political structures, its arts, its key institutions. Fifty years later a new world exists. And the people born into that world cannot even imagine the world in which their grandparents lived and into which their own parents were born. Our age is such a period of transformation.”
The transformative society, often called a knowledge society, has now gone past the initial technological innovations and is traversing the digital expressway. This no longer require 50 years for a full cycle of change, but just five years.
The report, which addresses a Fourth Industrial Revolution taking place from 2018-2022, puts forth succinctly that the impending transformations, if managed well, can lead to good work, good jobs and improved quality of life, or otherwise can result in widening skill gaps, greater inequality and broader polarization.
The key points are as follows:
- Four specific technological advances – ubiquitous high-speed mobile internet; artificial intelligence; widespread adoption of big data analytics; and cloud technology – are set to dominate the 2018–2022 period as drivers positively affecting business growth.
- Significant change is at hand in composition of value chain and the geographical base of operations.
- Lots of specific human tasks can be automated by 2022.
- The demand for traditional skills will diminish, paving the way for requirement for new skills like those of data analysts and scientists, software and application developers, and those with expertise in e-commerce, social media, machine learning, big data, process automation, information security analysis, human-machine interaction, robotics engineering and blockchain. Also included in this list are human-specific skills, such as training, organizational development and innovation managers.
- Companies prefer to hire new permanent staff with relevant skills, so existing employees should develop mindsets focused on a lifelong pursuit of learning, knowledge acquisition and re-skilling.
- Policymakers, regulators and educators will need to play a fundamental role in helping those who are displaced to repurpose their skills or retrain to acquire new skills.
While this report contains a wealth of valuable information, let us analyze how it impacts the fields of specific interest to ISACA’s professional community.
The report identifies an increase in cyber threats as one of many trends set to negatively impact business growth up to 2022, and increasing adoption of new technology such as big data, mobile internet, artificial intelligence and cloud technology as being among the many trends set to positively impact business growth. But all of the factors are only going to positively impact the cybersecurity profession, as advances in technology and its associated increasing cyber threats will only require more and more cybersecurity professionals.
The report also identifies stable roles, new roles and redundant roles, in which information security analysts are in both stable and new roles, which is very heartening and as expected.
Auditors have been mentioned under redundant roles, probably because it is thought that artificial intelligence can take over routine decisions on auditing and assessment. Though it is true to some extent, auditing as a profession will never diminish completely, as newer technologies will always bring in newer threats and loopholes, which need to be plugged-in by trained auditors. For sure, auditing techniques will evolve tremendously under AI, but the work can never be fully delegated to robots or be completely automated, because while humans can create super-intelligent computers which are completely predictable, humans themselves remain unpredictable. Therefore, human auditors are here to stay.
ISACA and the AICPA should continue to develop and evolve newer standards on auditing to render assurance services for the enterprises advancing technologies as part of the Fourth Industrial Revolution.
Author’s note: The views expressed in this article are the author’s views and do not represent those of the organization or of the professional bodies to which he is associated.
An SVP of Enterprise Risk Management (ERM) at a highly influential financial services company recently told me that succeeding in ERM is all about “breaking down the silos.” It’s a good mantra – one that IT audit and GRC professionals should take to heart and execute on daily.
One increasingly effective way to do that is through expanded understanding of information and cyber security. Information security has become critical to understanding an enterprise, its risk and its processes. To add increased value now, IT audit and GRC professionals have to build solid information security skills. This is the golden ticket to short-term success and long-term career sustainability.
The director of IT SOX compliance for a global medical device company and I were talking about who she hires for her team. She views information security knowledge as part and parcel of the requisite qualifications. She noted that a lot of people coming from public accounting have reviewed change management from an IT controls perspective, but they don’t really understand the technical processes that underlie change management. Without the technical knowledge of how a network works and its security requirements, for instance, the auditor provides a review at a superficial level. Beyond that, without baseline level knowledge of information and cyber security, it is very hard to make the jump to applying what you know to an unknown system and applying critical thinking.
CAEs, IT audit directors and IT risk directors all are crying for talent that can demonstrate critical thinking skills, and a big picture understanding of how to align risk, enterprise strategy and appropriate controls. Critical thinking skills come from a combination of intellectual curiosity and knowledge. Innovation as well as nimble and proactive responses to dynamic business environments require more than rote practice. They require the ability to leverage knowledge and experience to develop pragmatic and, when necessary, creative solutions to risk and controls. Information security is a key domain area that supports critical thinking in IT audit and GRC.
The NA IT audit director at a global financial services company said he views information security skills as a core skill set that is necessary for being hired as a senior IT auditor – and even more so as an IT audit manager – on his team. To add value, he noted, IT auditors need to be able to challenge the configuration and the build of the information security environment (encryption, firewalls and so forth).
His strong statement was: “If an IT auditor doesn’t have information security knowledge and experience, they don’t even know how to ask about how the system was built. A key question they have to ask is ‘Are the in-built controls enough?’ If they have had only general controls experience, they will typically only ask ‘What is the control?’ and “Is the control being followed?’”
As an executive search provider to Fortune 500 companies in the IT audit and GRC space, we have seen an incredible uptick in the requirement for information and cyber security knowledge in candidates for IT audit and GRC roles. This year alone, a major FinTech company built out its “Second Line” IT risk, internal controls and compliance functions, doubling its existing resources in these areas due to risk and regulatory requirements. The CISO was clear: He wanted the new resources to have strong knowledge of information security, including cybersecurity, plus cloud, blockchain, operating system security, NIST, and COBIT 5.
The drivers contributing to the growing need for information security knowledge and skills (mounting external threats, emerging tech, outsourcing and third parties, new regulations such as GDPR) are increasing and will continue to do so.
Developing a solid understanding of information security fundamentals is vital as IT Audit and GRC professionals build out and enhance current skills in order to achieve near-term career goals. Information security skills and knowledge are absolutely critical for crafting sustainable, long-term career growth no matter which career path you chose: IT Audit, GRC, or security.
Start with small steps: reading, online coursework, setting up a tech sandbox in your basement, talking with your information security colleagues and sharing their passion. Participate as a guest resource within IT or information security. Volunteer or lobby to be the audit, risk or compliance representative on the corporate information security roundtable. Finally, consider a serious move: a security-focused certification or certificate.
In the words of Stephane Nappo, Global Head of Information Security for Société Générale International Banking & Financial Services: “A holistic vison can help to build the comprehensive approach we need nowadays … the real scope includes five main factors: cyber-threat, technology issues, business evolution, behavior gaps and legal compliance… Security basics (vulnerability management, access rights review, password policy, system hardening, vendor management, awareness, etc.) are often 20% of costs and 80% of risk coverage.”
The mission for IT audit and GRC professionals for 2019: Be part of that holistic vision. Firm up your information and cyber security skills. Break down those silos. Add value.
Editor’s note: Are you an auditor seeking to improve or demonstrate your cybersecurity knowledge? Take a look at ISACA’s brand-new Cybersecurity Audit Certificate here.
Cybersecurity continues to grab spotlight and mindshare as it pertains to computing and social trends.
The topic itself is broad and expansive, and the true impact of this segment of computing will be around for generations to come. For strong perspective on where the industry stands in its current state, ISACA’s State of Cybersecurity 2018 research is a must-read. This report provides a great assessment of what needs to happen in the cybersecurity field to move from reactive to proactive.
Challenges around cybersecurity are not new and have actually been around since the dawn of computing. However, it is now a topic that everyone talks about. It is a board topic, it is a public safety and livelihood topic, and it is a personal topic. Hitting this trifecta of impact has finally created the sense of urgency and the attention that is needed. Now, the key is that as an industry, as a country, and as a world of over 7 billion people, we need to effectively address these industry challenges to preserve the computing environment for the future.
Today, most cybersecurity efforts are focused on what is referred to as the “EMR” model of educate, monitor, and remediate. This approach is effective but is essentially like the game of “whack-a-mole,” where the core underlying risks and issues are never solved and keep popping up.
So, how does the governing of cybersecurity become proactive?
While EMR is essential, the core foundation of a more secure and trustworthy computing experience requires being more proactive. Proactive means ongoing, real-time, continuous self-testing and self-assessment, and a laser focus on education as it pertains to best practices. This, combined with a continued evolution on the new SaaS (security-as-a-service), will help mitigate and ensure more trust in the future. Still, it will be very difficult to solve all cybersecurity challenges due to the technical debt that exists and will exist for the immediate future.
Safe and secure computing can occur with a connected, comprehensive approach to security embedded in each of the leading digital disruption levers, from the Internet of Things, to conversational artificial intelligence, to blockchain and distributed ledger technology, to wearables and mobility. Industry focus, industry standards, close adherence to best practices, and the constant ability to randomize to protect digital identities is on the horizon and needs to continue to gain acceleration.
However, first and foremost, security best practices begin at the code level. As software engineers and as an innovation industry, we must make sure this is well-executed in each and every opportunity we have.
Author’s note: Mike Wons is the former CTO for the state of Illinois and is now serving as Chief Client Officer for Kansas City, Missouri-based PayIt. Mike can be reached at email@example.com
The fluid technology and regulatory landscape calls on IT compliance professionals to be more flexible and proactive than in the past to remain effective, according to Ralph Villanueva’s session on “How to Design and Implement an Adaptive IT Compliance Function,” Monday at the 2018 GRC Conference in Nashville, Tennessee, USA.
The IT compliance function serves as an important bridge between the audit and IT departments, in addition to articulating business-related IT and security initiatives to management, and recommending and implementing appropriate compliance frameworks.
Business model changes, legal considerations, government requirements and evolving industry regulations are among the common reasons that organizations may need to more frequently explore switching their frameworks than in the past. Villanueva, IT security and compliance analyst with Diamond Resorts, referenced the General Data Protection Regulation (GDPR), which became enforceable in May, as an example of a recent regulatory shift that could have significant compliance ramifications. Additionally, he cited industries such as banking, healthcare and gaming as having special requirements calling for the use of compliance frameworks.
While acknowledging that the need to explore new or additional frameworks can cause “compliance anxiety” and organizational resistance, considering the corresponding investments in time and resources, Villanueva said effective use of people, processes and technology can make the process worthwhile in the long-run. Given the increasing need to implement different frameworks to deal with a growing set of compliance complexities, Villanueva laid out five steps to be actively compliant across several frameworks while remaining in line with budget realities:
- Understanding beats memorizing. Compliance professionals who truly understand the intent of the framework are best positioned to adapt them to their organizations.
- Know your organization. Having a clear handle on the organization’s business model, mission and array of information and technology resources allows for more strategic compliance.
- Anticipate how today’s trends will influence what you do tomorrow. Variables such as the need to incorporate more mobile device security and use of emerging technologies such as artificial intelligence (AI) and machine learning may call for recalibrating compliance processes.
- Know that some fundamentals never change. Despite the volatile landscape, Villanueva said there still needs to be focus on established compliance priorities such as application controls and segregation of duties.
- Keep learning. Investing in personal development and prioritizing networking are some of the best ways to keep current and “future-proof” career paths.
Villanueva cited COBIT 5, NIST 800-53, ISO 27001:2013 and PCI-DSS 3.2 as examples of useful frameworks for compliance professionals, and said identifying commonalities among different frameworks can make for a more efficient approach. Villanueva recommended IT compliance frameworks because they:
- Simplify compliance;
- Reduce the likelihood of missing compliance requirements;
- Maximize everyone’s time;
- Allow for clearly understood expectations;
- Are commonly accepted by control stakeholders.
The importance of compliance professionals should not be overlooked. Aside from potential legal ramifications resulting from inadequate compliance, Villanueva said having strong compliance programs in place is critical to deter corruption and costly illegalities.
“We’re here to make sure that crime doesn’t pay,” Villanueva said.
The benefits of application containers have been shared across a variety of forums and to a diverse audience. The ability to have more application instances without a corresponding increase in hardware is probably the primary benefit that is used to persuade enterprises to adopt application containers. But if that is the primary benefit, meeting the objectives of the rapid deployment associated with DevOps is a close second.
Application containers allow developers to easily modify and test because applications are siloed in their own containers. So, the benefits are appealing from a cost savings perspective as well as support of DevOps deployment. Is there a downside, though?
Perhaps it is not a downside as much as a consideration, but as organizations adopt application containerization, some cultural shifts are necessary. These shifts relate to operational processes that organizations may already have in place; however, containerization requires doing those familiar processes differently. Because the change is for an existing process rather than the implementation of something new, the change is more cultural than operational. For example, in a traditional application environment, generally, there is a structured process for code review, which the time to deployment accommodates. As deployment time is shortened (as in a scenario involving DevOps and application containers), organizations may be challenged in how they perform formal, structured code reviews. So, a cultural shift to identify (and accept) solutions that provide assurance around secure coding in the containerized environment despite the rapid speed of deployment may be required.
Another area where a cultural shift may be required relates to access. Unless an organization develops a strategy around administrator access, it is possible for administrators to have access to multiple hosts, containers and images rather than the specific hosts, containers and images to which the administrator needs access to perform job responsibilities. Ensuring that a least privilege strategy is implemented would addresses this. Also, beyond internal expectations, several compliance initiatives, such as the Health Insurance Portability Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) rely on strong access controls.
Lastly, an organization’s approach to authentication may require a cultural shift. In administering workloads, orchestrators potentially place workloads that have varying levels of sensitivity on the same host. To address this, an orchestrator may have its own authentication directory. This directory, however, may be separate from other non-orchestrator authentication directories in use. As a result, the orchestrator’s authentication directory may have different authentication practices. A concerted effort to ensure alignment of authentication practices for all directories (orchestrator-related or not) may be necessary. These efforts may include, but are not limited to, restricting administrator authentication access to specific repositories rather than multiple repositories.
The benefits of adopting application containers are appealing. More application instances may be possible without incurring the cost of additional hardware and deployment time may be reduced. Effective adoption, however, depends on how organizations can modify existing protocols to accommodate the containerized environment. Code review, access and authentication are examples of areas for which organizations routinely have controls but where a cultural shift is necessary. Once these shifts have been made, the benefits or application containers can be fully realized.
The 7th annual IT Audit Benchmarking Survey shed light on several IT challenges that are at the top of the agenda for executive management and will have a direct impact on IT audit plans for many enterprises in 2018.
While the survey highlighted several key challenges, I will be drilling more in-depth into one key aspect, which is the co-sourcing of IT audit. Within the survey, it was noted that IT audit’s role has grown since 2012, in that half of all organizations now have a designated IT audit director. Such growth emphasizes the importance of the IT audit role. Given the current technological advancements, IT audit plans are required to be aligned and inclusive of the risks that accompany them. That not only requires a different set of skills that are needed in order to have value-added audit results, but also requires internal management to reconsider their IT audit plans.
Before applying a co-sourcing practice, management should assess its current internal IT audit skills in order to clearly understand what should be added by the co-sourced team and what can be covered by the internal department. In order to conduct such an assessment, management should have started to identify the technological areas for the upcoming IT audits during the early planning stages. Moreover, the internal audit department holds a better understanding regarding the scoped systems, infrastructure, and processes, whereas such details will require further time for the co-sourced team to grasp. Accordingly, audit deadlines should take this into account while preparing the plan in order to deliver valuable audit results.
Another point that should be taken into consideration prior to co-sourcing is the emphasis of knowledge-sharing by the co-sourced team to ensure that the skills of the internal team members have been elevated and enhanced by the co-sourced practice.
Co-sourcing practice is applied by management in order to leverage the business and technical exposure of such individuals within the areas lacked by the internal IT auditors. Management should not utilize the co-sourcing practice to enforce a complete transformation of the internal audit to match the co-sourcing company. Having that said, management should always ensure that the company’s internal practices are applied and taken into consideration throughout the co-sourcing team’s deliverables and work.
Have you ever wondered what happens to all of that data, information and knowledge collected and created by internal auditors? Have you ever thought about audits you performed in the past; all that research, information gathering, development of findings, the useful collection of methods, questionnaires, test plans, etc.? Wouldn’t it be useful to share your learnings with your colleagues?
After 30 years in the internal audit profession, I have seen the data and information collection and sharing methods move from paper-based to electronic in various forms. I have seen new auditors enter the profession trying to learn about auditing, the techniques, technology, and the different methods of collecting and sourcing information, not to mention the best practices for writing the audit report. After learning about knowledge mapping and knowledge management systems, I applied this to developing an internal audit knowledge management strategy and blueprint for an internal audit knowledge management system.
To be a proficient internal auditor requires special skills, attributes, experience and knowledge; not all people have these or know where to find them. Most organisations are always searching for people with the right mix of skills, attributes and experience that could potentially evolve into highly proficient and valuable internal auditors.
In all organizations for which I have worked as an internal auditor, a range of existing complementary systems, tools and business processes have been considered in the design of the knowledge management system (KMS) to ensure a coherent information architecture is designed.
Auditors must collect necessary and sufficient information to produce a rational and comprehensive analysis; many auditors need to document appropriate evidence to explain and defend potentially adverse findings. All auditors require expert knowledge of governmental regulations, business norms and practices, and often generate new knowledge about the regulations, norms and practices that they examine during their engagements.
Because audit plans depend so heavily on the expertise of auditors, the quality and comprehensiveness of the information they collect, and the findings they produce, a systematic approach to knowledge management becomes critical to ensure the accuracy, efficiency and quality of audit engagements across all business disciplines.
Read this white paper about an audit team’s efforts to identify and map its knowledge, and then use that information to develop a knowledge strategy and knowledge management system. Discover how your team can also optimize the quality and management of its knowledge, leading to improved services to all clients.
Knowledge management is concerned with using to best advantage the knowledge and experiences that have been gained across an organisation. Three elements appear in a wealth of literature – data, information and knowledge – and a good understanding of these is the key to grasping the issues faced by many internal auditing organisations. Data is a series of discrete events, observations, measurements, or facts in the form of numbers, words, sounds, and/or images. In the internal audit arena, data can take many forms and can be unstructured or structured. An example of data used in internal auditing is a spreadsheet that contains accounts payable amounts, dates and vendors, purchase order numbers and so on. Information is the organised data that has been arranged for better comprehension or understanding – it has been endowed with relevance and purpose. An example of information used for an internal audit is a transcription of interview notes taken by an auditor after interviewing an auditee to extract pertinent information. One person’s information can become another person’s data. The knowledge that is used and generated by internal auditors can be thought of as a collection of specific data, specific and broad information sets, the skills attained, and experience in similar audit situations.
Being able to effectively manage not only the knowledge of individuals, but also the collective knowledge in the organisation, is crucial to the efficient and effective delivery of outcomes.
It should be noted though, that internal auditing is not a one-person job. Internal auditing requires collaboration and the integration of information and knowledge both from within the auditing organisation and from the auditee’s sources to enable a valuable outcome for all involved.
For an internal auditing organisation to benefit from the knowledge of its staff, it’s important to identify and map the knowledge that is needed to complete quality and efficient internal audits.
This year has welcomed the Revised Payment Services Directive (PSD2), but what is the core reasoning behind writing the new security regulation? “There is a revolution in commerce,” Jorke Kamstra stated in his session Monday at ISACA’s 2018 EuroCACS conference in Edinburgh, Scotland.
Kamstra, information risk manager at Euroclear and an ISACA member, described “open banking” as a buzzword and explored the innovations that are having an impact globally on the retail sector. Today, firms such as Facebook, Money Dashboard and Stripe share a common thread in their offering of financial services, despite not being tagged as a “traditional” bank as we know it.
Customers now have the ability to make payments online using their main banking credentials as opposed to dependence on credit details or the services of a bank. In fact, the artificial intelligence (AI) technologies used to build Amazon Go allow for instant payment as customers physically add goods to their basket in store.
This revolution in commerce has a domino effect on the supporting security measures businesses instil. According to Kamstra, “Security needs to be seamless, frictionless and fast in order to keep up with these innovations.”
The roll-out of PSD2 was designed as a solution to this, filling the gaps of older frameworks and reinforcing consumer protection with measures such as two-factor authentication. When comparing existing frameworks with the new PSD2, existing measures cover 80 percent of controls and are also largely risk-based. However, Kamstra commends the new regulation for its mandatory controls to protect consumers and its guidance on regular testing as best practice.
PSD2 presents new opportunities for non-banks in the form of open APIs. By using banks’ APIs, non-banks can enter the financial market without the compliance and infrastructure considerations required by banks.
What is more, this shift change is encouraging a more mobile and customer-centric approach to banking. The expectations of customers are changing, as is the need to streamline banking and create a more personalized experience. Today, customers are more open to banking outside the traditional realms, and if it means they can do so for multiple accounts across the one interface, they are likely to welcome it.
The emergence of new payment methods such as virtual currencies, biometric authentication and Account Aggregation As A Service (AAAAS) are just a few examples of innovations that are gradually being welcomed as the “norm” for consumers.
Kamstra closed his session with four main actions for his audience:
- Do not forget the customer; people-centric systems are much more likely to be successful than those that are inward focused;
- Look to yearly auditing and testing as best practice;
- Fully understand why PSD2 has been implemented to appreciate the opportunities;
- Use your knowledge as an auditor to go forward and think about how you can innovate in your own organization.
The task of establishing and configuring audit policies is usually left to security experts and/or system administrators who are in charge of implementing security configurations, particularly in small-to-medium enterprises with a lean IT structure. There is usually not much guidance on how these configurations are to be managed.
One common mistake that administrators make is failing to define adequate audit trails to enable early detection of security threats and allow for related investigations. The main reason for this oversight is a failure to balance audit trail needs and systems capacity. Some administrators argue that excessive auditing results in production of huge amounts of event logs that are unmanageable. Deciding on what to audit and what not to audit, or what may or may not be omitted, is therefore not just a configuration task, but rather a risk assessment task that should be embedded in the governance structures of the organization’s IT security frameworks.
Risk assessment process over audit requirements
The audit needs of the organization are guided by the regulations, security threat models, information required for investigations and IT security policy to which the organization is subjected. Identification of the possible threats that the organization faces is usually carried out as part of risk assessment. Security events derived from audit policy settings are key risk indicators that the organization should use to measure how vulnerable the system is to the identified threats. It is therefore critical that enabling audit policies should not be taken casually.
System auditing should be considered across the platforms the organization uses – that is, operating systems, databases and applications. Due consideration of what information is obtained from the operating system (OS) against databases and/or applications should be used to streamline the volume of audit data collected and to safeguard servers’ storage capacity. Where the organization decides not to record audit trails at any of the system levels – that is, OS, databases or applications – an impact analysis should be carried out to ensure that the costs of missing such logs are quantified against regulation penalties and organizational risk appetite.
In order to facilitate the systematic review of an organization's audit needs, guidelines should be developed and approved at the appropriate level in accordance to the governance structure of each organization. Having a guideline that outlines the audit policy objectives, risks, threats and data collection points will ensure that adequate audit logs are maintained. This will, in turn, facilitate log monitoring for suspicious events and allow for detailed investigations if the need arises.
The guidelines should not only focus on configuration of audit settings but should also provide guidance on the steps that are to be followed when procuring log management software to manage event logs. Different log management software is designed to meet logging needs of different organizations, and as such, software procured should be in line with the audit objectives and needs of the organization. The one-size-fits-all concept should not be applied.
The configurations of audit policies across the organization platforms should be a secondary task implemented through clear guidelines that promote risk assessment of the organization’s audit needs.