Opinion: Getting the best out of your IT security auditor

Matthew Hackling ~ Ronin Security Consulting ~ Enex TestLab

Many IT managers and their teams treat an audit of their IT function as if it were a trip to the dentist for a root canal. More informed operators realise that IT audit, particularly internal audit, can help them gain visibility with management of known and often ignored issues, and secure funding and management commitment.

The following are tips to help you get the most out of an IT audit of your IT security by avoiding disruption, piecemeal activities and duplication of effort.

  1. Define the Approach
    1. Define the standards you will be assessed against. Will this be an assessment against industry standards like ISO 27001/2, regulation like PCI-DSS, or your current information security management system (i.e. policy, standards etc.)? Avoid assessments based on “best practice” or you will end up with findings dreamed up by the inexperienced to fill a report.
    2. Define the finding rating criteria. Non-compliance with your own standard should be agreed to be a finding of some significance. Non-compliance with an industry standard should be an “opportunity for improvement”.
  2. Define the Scope
    1. Define which aspects of the standards will be assessed (e.g. which ISO 27002 domains?)
    2. Define which business units and business processes will be assessed
    3. Define which systems will be assessed (payroll, general ledger, your key application that makes you money etc.)
  3. Ask for a consolidated request for information from the auditor as a first step; this will avoid constant interruptions of your personnel:
    1. Assign collating of information for submission to one individual
    2. Assign collection of requested information to relevant subject matter experts within the business
  4. Suggest issues for investigation to the auditor that are of concern, along with a suggested recommendation. For example: “We have issues with restricting privileged access to systems; we could really do with an Identity Management program of works to implement some software to help us with this.”
  5. Check the accuracy of findings in the draft report.  If the auditor has got it wrong, provide some evidence to the contrary and suggested re-wording.
  6. If there is a difference of opinion over an issue, request that they include a “management response” putting forward the IT function’s position on the issue in question.
  7. Follow up on the findings and implement the suggested recommendations, or work-arounds if the suggested recommendation is not practical. This will avoid a déjà vu experience in the future.

I hope all these tips help you to get the best out of your IT auditor.


CSO Contributors | About Us:

Matthew Hackling B.Sc. (Security) CISSP

Matthew has over ten years’ experience operating solely in the area of information security, holds a Bachelor’s degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urge to still stay a bit technical. Hence he plays with BackTrack Linux, Metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active Twitter user with the handle @mhackling
