ISACA Journal Blog

 ‭(Hidden)‬ Admin Links

ISACA > Journal > Practically Speaking Blog

Emotional Labor

Posted: 6/22/2017 3:05:00 PM | Category: Audit-Assurance | Permalink | Email this post

Kamal KhanEmployees perform emotional labor (EL) when they conform their emotions to organizational expectations while interacting with customers. They can only express appropriate emotions that are specified by certain corporate rules and conventions. While not always recognized, this is one of the many factors that increases stress for IS auditors during audit engagements.

An IS audit engagement can be stressful as EL is required at different stages in the audit:

  • During the opening meeting, IS auditors must maintain the pretense of partnership and shared objectives with the client. In reality, the client may regard them with suspicion or even as an unofficial police force. Despite this, clients promise that they will provide all required information to enhance and improve the business for everyone’s common interest.
  • During fieldwork, there may be unforeseen issues, e.g., difficulty getting ahold of clients, suddenly unavailable information or the setup of a new system. Yet IS auditors must maintain a professional approach and cannot be overly demanding, as this may damage the client/auditor relationship. Sometimes, IS auditors will encounter that procedure documentation that was promised is now “being revised and is in the final stages of approval,” while in reality, it never existed.  Through all this, IS auditors are expected to maintain high standards of integrity, honesty and reliability. Even though clients often completely forget what they promised at the opening meeting, IS auditors must remain professional at all times.
  • During the reporting phase, auditees may divulge new information that was not provided in the opening meeting. Sometimes, they may claim they already knew about some access control issues and already planned to replace systems and address all the concerns. Other times, they may reject previously accepted findings, for which IS auditors must now provide justification.

A number of personality factors influence emotional labor.  Being conscientious, hardworking, persistent and achievement-oriented leads to higher job performance. Auditors also demonstrate these characteristics by highlighting significant and relevant issues of material risk to the audit entity and the organization. The higher the position, the higher the requirement for emotional intelligence (EI). However, higher-level client management does not always demonstrate EI. They may often tend to ignore the fact that auditors have a responsibility to provide assurance about the effectiveness of controls to the board and are not around to help them with their personal responsibilities and job functions. Emotional dissonance (ED) exists as IS auditors are officially expected to behave as though their role is positively helping the organization to achieve its goals, while they really may be perceived as a potential career threat to auditees, making them look “less capable” in the eyes of management. This requires IS auditors to perform EL.


The Key for Evaluating IT Asset, Risk Impact and Control Gap

Shemlse Gebremedhin Kassa, CISA, CEH Posted: 6/19/2017 3:43:00 PM | Category: Risk Management | Permalink | Email this post

Shemlse Gebremedhin KassaA previous Journal article I wrote, “Information Systems Security Audit: An Ontological Framework,” briefly describes the security audit activities/process in one hierarchical structure. Now, in my recent Journal article, “IT Asset Valuation, Risk Assessment and Control Implementation Model,” I propose a different model that helps to measure, manage and implement concepts objectively by using the previously proposed ontological framework. The aim of my recent Journal article is to help you quantitatively conduct asset valuation, risk measurement, impact analysis and identification of the existing control gap of the company’s IT resource for a regulatory body, management, auditors and other concerned parties. My colleagues and I challenged to give similar pledge and equal valuation, due to nonexistence of clear and agreed-on models.


Leverage Enterprise Data Management Investments to Facilitate Data Breach Reporting Requirements

Guy Pearce Posted: 6/5/2017 8:17:00 AM | Category: Government-Regulatory | Permalink | Email this post

In Canada, it is the Data Privacy Act and its impact on the Personal Information Protection and Electronic Documents Act (PIPEDA); in the United States, the regulations include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the US Personal Data Notification and Protection Act; in Australia, it is the Privacy Amendment Act, while in the EU, it is the ePrivacy Directive. There are more regulations than those previously listed. In common with each is the growing requirement for privacy breach reporting, with breach assessment being a major part of that process. This includes identifying the location of the breach, the type of data that have been compromised and identifying exactly who could be compromised by the breach, since they would need to be individually notified in case of a breach of their sensitive data.


Securing Connected Devices

Hemant Patel, CISM, ITIL, PMP, TOGAF
Posted: 5/15/2017 3:13:00 PM | Category: Security | Permalink | Email this post

Some Internet of Things (IoT) security issues and incidents can be attributed to poor knowledge, failure of the security manager to properly educate stakeholders or lack of stakeholder interest in investing in security measures. Some of this hesitance to invest in security comes from the desire to defer upfront or preventive security costs to operational or reactive costs. The cost deferment can be due to the lack of a proper risk model and failing to account for risk costs. In some situations, time pressures may also aid in deferring upfront security measures.

About 5 years ago, I started managing automobile sensors’ data integration architecture, and the term “IoT” was not even used at that time. Centralized device and security policy management was done through software built in-house, as commercial device management hubs were not available. Security policy management was not comprehensive. It was difficult and not cost-effective for every vendor to develop and maintain proprietary hub management software, so we needed to depend on a few industry leaders for such capabilities.


Holistic View of Addressing IoT Risk by Leveraging a Decomposition Strategy

Indrajit Atluri, CRISC, CISM, CEH, CISSP, CSSLP, HCISPP, ITILv3 Posted: 5/8/2017 3:08:00 PM | Category: Risk Management | Permalink | Email this post

In my recent Journal article, I present a strategy to mitigate the risk that the Internet of Things (IoT) evolution is already engendering. The IoT landscape, connecting thousands of systems, devices and sensors, is unlike the traditional IT environment to which we all are accustomed; however, we can certainly leverage the same well-known IT governance methodologies along with state-of-the-art technologies and process changes to manage IoT risk efficiently. Ramping up IoT security alleviates IoT risk momentously, but the common notion is that it is easier said than done.

<< First   < Previous     Page: 1 of 70     Next >   Last >>