Teaming with your IT auditor for better security. Patrick Dunnigan, IT audit principal, Auditor General of Alberta Moderator: Illena Armstrong, editor-in-chief, SC Magazine. About the presenter: Patrick Dunnigan.
Patrick Dunnigan, IT audit principal, Auditor General of Alberta
Moderator: Illena Armstrong, editor-in-chief, SC Magazine
The materials and ideas presented verbally and in the following slides are my own.
I am not here to represent the views of my employer.
This presentation is based on my experience helping auditees use audits to introduce reasonable and effective IT controls and increase security.
Avoiding an audit is like skipping checkups to avoid getting sick.
Some auditees see an audit as the illness, not the cure.
The goals of an audit are similar to business goals; creating an effective and efficient organization and driving business through:
An independent IT auditor offers your organization:
Auditors can help:
Do you have enough of the right technology?
Too much or the wrong security?
10. Get to know your auditor. Talk to him / her / them. Take them out for coffee or lunch!
9. Ask what they think are the high risk or important areas for typical audits. What are their audit plans?
8. Tell them what your security pain points are! Don’t make them guess.
7. Bring them in early: when you start a project, are considering new technology, are outsourcing work or services.
6. Make them a part of your team. Ask for input and advice – but don’t impair independence!
5. Ensure that you get to review findings and recommendations. Provide feedback and comments.
4. Make them accountable. Ensure they are capable and follow ground rules, scope and reporting. Challenge them!
3. Prepare your response. Agree, then put a plan in place with required resources, timelines and responsibilities. Put onus on senior management to make it happen!
2. Thank your auditors for helping you make the organization more secure.
1. Follow up. Ask them to audit your remediation efforts to ensure they mitigate findings.