Are you intimidated when auditors show up at your reception desk? Does the very idea of an audit send a chill through you? This shouldn’t be the case. I firmly believe that, taken in the right spirit, and with the proper amount of preparation, audits and assessments can be an exceptionally valuable part of your information security program.
I’ve walked into far too many organizations that were about to face an audit only to hear comments like “Oh my gosh, the auditors are coming!”, “Be careful, don’t offer any minute detail that the auditors don’t directly ask for”, and “They’re out to get us!”
For the most part, these fears are unfounded. IT audits have only one purpose – to make sure that an organization’s security controls are well designed and functioning. They’re performed for different target audiences (internal management, the Board of Directors, or regulatory agencies), but audits shouldn’t be seen as a “pop quiz”. They’re a test where you know all of the questions in advance.
In this webcast, I’ll describe how you can use five practical tips to extract the maximum value from your audit experience:
- Treat auditing as a lifecycle process rather than a special event
- Understand the scope before the audit begins
- You shouldn’t learn anything from an audit
- Don’t be afraid to speak up
- Expect and embrace findings
I hope that you’ll be able to join me for the webcast “Five Insider Tips: Using IT Audits to Maximize Security” on Thursday, April 21 at 2 PM Eastern. We’ll discuss these tips in more detail and I’ll take your questions on the proper role of IT audits in your information security program.
Apr 19 2011, 10:10 AM
Filed under: Security, Compliance, Regulations, Information Security, Mike Chapple, IT Audit, webcast, InfoSec, Auditors, tips, assessments, Security Web