“Are Your Security or Operational Business Policies Correct?” - PowerPoint PPT Presentation





PowerPoint Slideshow about ' “Are Your Security or Operational Business Policies Correct?”' - thom


Presentation Transcript

“Are Your Security or Operational Business Policies Correct?”

Practitioner Discussant Comments

Malik Datardina CPA, CA, CISA


Disclaimer!!!

  • Risk management applied:

  • “The following views are my own and are not of my employer, Deloitte.”


Conceptually

I Data

  • Lot of promise:

    • Bring CAATs (computer-assisted audit techniques) / audit analytics into security

    • Makes it possible to automate access control testing


The Good

  • Mathematics in abstract can be difficult to grasp.

  • But paper made it digestible

    • Use of simple models

    • Examples relevant to auditors, e.g. “a teller may deposit a customer’s money into the customer’s account”

  • Brought together the necessary concepts, e.g. RBAC, REA


Audience

  • Understood this was primarily for an academic audience; right?

  • Who is the audience?

    • Consider multiple audiences

    • Don’t limit just to audit; beneficial from operations, network, information security, etc.


Why is this necessary?

  • Solution looking for a problem?

    • What is the current ‘state of the art’?

      • Any pitfalls with respect to manual testing?

      • What are the risks?

      • How does this procedure address them?

    • Need to illustrate that the benefit of this outweighs its cost

      • External audit: can this save time in audit costs?

      • Internal audit: explain how this will help from a compliance perspective – how does it address:

        • PCI, ISO 27001/2, SOC2 (Trust Services/cloud)


Some feedback

  • Why is this necessary? Solution looking for a problem?

    • Need to illustrate that the benefit of this outweighs its cost

      • External audit: can this save time in audit costs?

      • Internal audit: explain how this will help from a compliance perspective – how does it address:

        • PCI,

        • ISO 27001/2,

        • SOC2 (Trust Services/cloud)


How does this work practically?

  • Need to explain how this works in practice: What are the practical steps you need to take to do this?

    • How do you get access rules in an electronic format?

    • Can this be obtained from SAP, Oracle, etc?

    • What exactly is the auditor required to do to create the list of “right rules” against which the security rules obtained from the device are audited?


Insights from other areas?

  • Software testing: What can be learned from static analysis (i.e. automated testing of software)?

  • Intrusion detection systems: Is there potential for false positives? Is there a tuning problem?

  • Data quality: Are there data quality issues when you get access controls “data dump” from the machine?

