The other day I was asked to join some of my IT audit colleagues for dinner. They get together on a regular basis to compare notes, but for this particular dinner they wanted some outside blood. So I agreed to join them and talk "IT"...
This group's challenge is really how fast technology is changing and how to effectively audit this changing environment. Paperless operations, large SharePoint environments, mobile devices, and the list goes on. How can they really look under the covers and find gaps, threats, or potential risk? It started some really good discussions, because it is a challenge to keep up with the environment and to ensure safeguards are in place and risk is appropriately addressed.
It comes back to comments I have made in the past, and that is that security and risk management is everyone's responsibility in IT. If you are installing a server, desktop, firewall or website, doing so in a safe, secure way is your responsibility. There have to be internal controls and checkpoints to verify your environment on a regular basis and look for vulnerabilities. Providing detailed documents, processes, procedures, and checkpoints to the auditor is a great place to start. The auditor is there to ensure we are following best practice, that we follow our own policy, and that we are not taking shortcuts. It is in everyone's best interest to have a secure enterprise.
My advice to my auditor friends is to be aware of the technology changes and have some technical skills, but really to look at the behavior, policy, procedure, and culture of the organization. If you go to audit an organization and you have the feeling they are in fire-fight mode, running just to stay alive, chances are they are taking shortcuts. In addition, management will clearly set the tone for the audit, the environment, and how the organization operates. Be observant: more than just looking at technology, look at operational excellence.
I also recommend that organizations have a regular penetration test done, have vulnerability management in place, and not be afraid to have some services outsourced to experts. You can't be an expert in every area of security these days, and most organizations cannot afford the talent needed to keep the enterprise secure. Look outside the organization for the expertise you need.
We all have a role in keeping our IT environments secure and in having the ability to respond to critical incidents. Take it seriously.
Keep it positive!
Scott Arnett
scott.arnett@charter.net
About Me
Scott Arnett is an Information Technology & Security Professional Executive with over 30 years of experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting, and in enterprises ranging in size from $50M to $20B in revenue. Scott's experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.