Posts Tagged ‘Identity Audit’

IT Audit – What is it?

February 18, 2008

If you search on “IT Audit” you will return pages and pages of relevant hits. I have no idea how many pages you have to go out before you hit the end of relevance but it’s more than I care to read. And here I am adding one more.

How can I sort out what I need to do about IT Auditing between what the audit firms, vendors, government (regulation), upper management, and Board compliance committee are telling me to do?

I spent just enough time as an internal auditor and an external auditor in my misspent youth to have yet another opinion to express and I’m going to use a couple posts to do it.

When it comes to IT Auditing, the value that should – in theory – be derived is that an uninterested party (not you) can attest with reasonable certainty that what you SAY you are doing is actually what you are doing. Those policies you say are protecting your mission critical information? They’re actually being implemented and followed (two separate tests there).

There’s a month’s worth of blog fodder there. But to close for today let’s drag out Rule #1 of IT Auditing: it is not possible to audit yourself, unless you are the only person you need to satisfy with the audit.

By way of example, in Identity Management circles there is a tendency to call something an Identity Audit (IdA) tool if it creates a record of an activity executed by an Identity Management System (IdM). According to Rule #1, this would be a valid audit only if the IdA tool were completely independent of the IdM tool (not from the same vendor, for example) and if its audit strategy (implementation and configuration) were controlled by a party independent of you. But most of these tools are not independent of the tool they audit and therefore are incapable of satisfying Rule #1 of Auditing. We could call them attestation tools (they attest to what was done), but they are not audit tools.


Is compliance possible?

December 10, 2007

This excerpt from an article caught my eye this morning

Compliance is hardly rocket science – or is it? Directives to use firewalls and change vendor-supplied default passwords are simply security best practices. But in other areas, merchants struggle to interpret the standards, haggling with auditors, consultants and sometimes the PCI Council itself over exactly how to protect cardholder data.

Source: Can mid-market merchants comply with PCI standards? – Network World

It’s referring to the difficulties faced – in particular – by mid-market companies in achieving PCI compliance, but the principles apply in other regulatory areas too. It’s a point I made in our whitepaper. The unfortunate reality is that unless there are very clear requirements defining “success”, many companies will spend unnecessary dollars trying to stay in front of an ill-defined process. My friend Matt Flynn (also from NetVision) has put some thought into at least one aspect of this problem, which he has published in his blog and on the NetVision site as a whitepaper on “Surviving an Identity Audit”.