Auditors have a wealth of knowledge acquired through engagement with employees at all levels of the organization, but they can never replace the role that management and the business process owner play in ensuring that controls are adequately designed, implemented and continuously functioning. No matter how many ‘red’ audit reports auditors issue, as long as management is not on board, the role of an auditor is of no value to the organization.
It is quite interesting to evaluate the significant impact that each of the players in the three lines of defense has in ensuring a sound system of internal controls. To analyse this and dispel some of the myths about the role of auditors in the internal control system, I reviewed the COBIT 5 process MEA02 – Monitor, Evaluate and Assess System of Internal Controls. I will start by defining the RACI model, which shows the piece each player holds.
How do we stop hackers without understanding their true nature? What are they after, what is valuable to them? And how does what is valuable to them translate to our losses?
Being in the business of threat intelligence, we see how disproportionate hackers’ gains are when compared to the losses they inflict upon affected organizations. Far from every stolen record gets abused. Yet, since there is no easy way to determine what becomes of the stolen data, the organization has to declare a total loss, even in the case of a minor breach.
Let’s try to understand hackers a little bit more. Who are they? Who do they work for? Where do they reside? What motivates them? How did they learn their craft? What do they do with the stolen data? What are they afraid of?
Deloitte Technology, Media and Telecommunications predicted recently that more than 1B devices would be reader-enabled for biometrics by the end of 2017. This is a very significant milestone for many reasons.
Over the years, there has been a lot of hype about the potential of biometrics for authentication and other purposes, but the lack of availability to consumers meant adoption was behind the hype curve. Device manufacturers have since changed this picture with native biometric support of mobile and tablet devices.
One of the most influential conversations in Cheryl Santor’s career required plenty of gumption.
Santor, working in IT at a mortgage banking firm in the 1990s, had major concerns about non-proprietary memory that had been installed, jeopardizing the main system for collecting loan information. She voiced her concerns to her CIO in no uncertain terms, believing the integrity of the loan origination system was at stake.
It turns out, Santor’s candor – and insights – were respected more than she could have anticipated. About a year later, that same CIO hired her to work at a national bank where she eventually became CISO.
Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.
This is critical because achieving enterprise goals becomes increasingly interconnected with successfully managing and governing the enterprise’s technology. COBIT 5 provides the framework needed to connect business goals with IT goals while using non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework’s core principles and enablers, and the ways in which enterprises can successfully leverage them.