Tuesday, November 29, 2011

Security and Auditing are Multidimensional. Not One. Not Two.

"Chris. Are you sure you want to move to IT Audit?"
I wasn't sure what to expect during the shift from corporate security to corporate audit. The IT Audit Manager, Mike Schiller, and IT Security Manager, Brian Wrozek, had done a phenomenal job aligning objectives and approaches. The commonality in our mission objectives and mutual respect between the two teams is part of the reason I felt so comfortable making the move.

"Mike!! Look at all the stuff I found on this one box!"
Mike wasn't impressed. "Chris. What's the objective of this system? Where is it located? What data is stored on this system? How long has it been in operation? What projects are in place that will be completed in the next couple of months that affect the controls on this system?"

My introduction to multiple dimensions... 
Mike patiently walked through every "finding" and discussed each one. When we were done, there were still issues with the system, but they were now more correctly framed in the context of the business as an organic function, and not "just" a polarized point-in-time evaluation. His careful mentoring of the team built the understanding that our audits have to encompass a review of the systems, operational processes, and alignment to the business.
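As an added example (this is not code from the original post, and not Mike's or the audit team's method), here is what "framing a finding in context" can look like once written down: the same scanner finding scored against the three dimensions the post describes, what you have (Assets), what you want to accomplish (Alignment), and how you do it (Operations), for two hypothetical systems. The weights, system names, attributes and the sample finding are all constructed for the illustration.

```python
"""Reframe a point-in-time scanner finding against the audit dimensions
Assets (what you have), Alignment (what you want to accomplish) and
Operations (how you are doing it).

Added illustration, not code from the original post. Every weight,
name and sample value below is an assumption chosen for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    ident: str
    title: str
    raw_severity: str          # scanner's point-in-time rating: low/medium/high


@dataclass
class SystemContext:
    name: str
    objective: str             # what the system is for            (Alignment)
    location: str              # "internal", "dmz" or "internet"    (Assets)
    data_classification: str   # "public", "internal", "confidential" (Assets)
    years_in_operation: float  # how long it has run               (Operations)
    # finding title -> project that already closes the gap         (Operations)
    remediation_in_flight: dict = field(default_factory=dict)


SEVERITY = {"low": 1, "medium": 2, "high": 3}   # assumed base scores


def contextualize(finding: Finding, ctx: SystemContext) -> dict:
    """Return the finding's contextual priority (1-5) and the reasons for it."""
    score = SEVERITY[finding.raw_severity]
    reasons = []
    # Assets: where the box sits and what it holds.
    if ctx.location in ("dmz", "internet"):
        score += 1
        reasons.append(f"{ctx.name} is {ctx.location}-facing")
    if ctx.data_classification == "confidential":
        score += 1
        reasons.append("stores confidential data")
    elif ctx.data_classification == "public":
        score -= 1
        reasons.append("holds only public data")
    # Operations: is a project already scheduled to close this gap?
    project = ctx.remediation_in_flight.get(finding.title)
    if project:
        score -= 1
        reasons.append(f"remediation scheduled: {project}")
    # Operations: a long-running system with nothing planned points at a
    # process gap, not just a host configuration gap.
    if ctx.years_in_operation >= 5 and not project:
        reasons.append(
            f"open for {ctx.years_in_operation:g} years with no remediation "
            "planned; review the operational process, not just the host")
    score = max(1, min(5, score))
    return {"id": finding.ident, "system": ctx.name, "objective": ctx.objective,
            "raw": finding.raw_severity, "priority": score, "reasons": reasons}


# Constructed sample: one scanner finding on two differently situated systems.
FINDING = Finding("F-1", "Default SNMP community string", "high")

KIOSK = SystemContext(
    name="lobby-kiosk-01", objective="Visitor directory display",
    location="internal", data_classification="public", years_in_operation=1.0,
    remediation_in_flight={"Default SNMP community string":
                           "Q1 network-management hardening"},
)
PAYROLL = SystemContext(
    name="payroll-db-02", objective="Payroll processing",
    location="internal", data_classification="confidential",
    years_in_operation=7.0,
)


def audit_report(finding=FINDING, systems=(KIOSK, PAYROLL)):
    """Rank one finding across systems, highest contextual priority first."""
    rows = [contextualize(finding, s) for s in systems]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in audit_report():
        print(f"{row['priority']}/5  {row['system']:16} raw={row['raw']:6}  "
              f"{'; '.join(row['reasons'])}")
```

The scanner rates the finding "high" on both hosts; once the asset, alignment and operations attributes are applied, the payroll database comes out at priority 4 with a note to look at the operational process, while the kiosk drops to priority 1 because the data is public and a project is already closing the gap. The point is the shape of the reasoning, not the particular weights, which any real audit program would set for itself.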

In a previous post, we discussed The Circle of Trust - Cloud Audit Assurance. When the three cycles discussed in that post are pulled together, they overlay each other neatly and show the interrelationships between what you have (Assets), what you want to accomplish (Alignment), and how you are going to do it (Operations). This model is as complex or as simple as you would like; it's a question of detail. Until next time... here's the model again: