Avoiding Audit Fatigue: Achieving Compliance In A Multi-Compliance World In Nine Steps
Gene Kim, CISA, TOCICO Jonah, CTO and Founder (Twitter: @RealGeneKim)
Gartner 2010
Where Did The High Performers Come From?
Agenda
  • The problems of compliance du jour and the audit blame cycle
  • How did the high performing IT organizations make their “good to great” transformations?
  • Nine practical steps to overcome audit fatigue
  • What does integration of security controls into daily operation feel like?
  • Additional resources
Authors
  • Gene Kim, Founder/CTO, Tripwire, Inc.
  • Jennifer Bayuk, Cybersecurity Program Director, Stevens Institute of Technology
“Boss, We Are Ready For The Upcoming Audits…”
“OMG. OMG. The Auditors Are Coming When?!?”
“IT Operations Not Quite As Ready As They Thought…”
“Infosec Must Do Heroics, Generating Reports And Presentations From Scratch…”
“Despite Heroics, The Business Still Fails The Audit…”
“Infosec As Professional Apologist…”
Problems: Accountability
  • Infosec often discovers too late that business and IT management were not as prepared for the audits as was represented
  • Business, IT and infosec must perform heroics to generate proof of compliance, often requiring new documents and presentations from scratch in response to auditor questions
  • Business may fail an audit test, requiring remediation work, audit retests, fines, loss of auditor confidence in the infosec program, as well as loss of personal trust in the infosec manager
  • A security breach may occur, and the business must now explain how it occurred despite passing the audit
Problem: Organizational
  • Information security is often organized and designed to minimally interfere with business and IT operations, but this creates barriers to meeting compliance goals
  • Information security is held accountable, but control effectiveness relies upon other business and IT management being adequately prepared
Problems: The Real Business Cost
  • Scheduled value-adding work and projects are delayed because of all the urgent and unplanned audit prep work
  • Business continues to implement controls as part of a one-time audit preparation project to achieve compliance, with little thought on how to maintain compliance over time
  • Next time requires just as much effort, instead of integrating controls into daily business and IT operational processes
  • The business starts treating audit prep as a legitimate value-adding project, even charging time against it
  • Multiple regulatory and contractual requirements result in IT controls being tested numerous times by numerous parties, requiring management to perform work multiple times
Information Security and Compliance Risks
  • Information security practitioners are always one change away from a security breach: front page news, regulatory fines, brand damage
  • High profile security failures are increasing external pressures for security and compliance: Sarbanes-Oxley (SOX) Act of 2002, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), emerging privacy laws, and the Payment Card Industry Data Security Standard (PCI DSS)
Going from Good to Great
Desired Outcome: Create A Higher Performing, More Nimble and More Secure IT Organization
[Chart: Operations Metrics Benchmarks. X axis: Size of Operation (# Servers). Y axis: Efficiency of Operation (Server/sysadmin ratio). The “Best in Class Ops and Security” region is marked. Source: IT Process Institute (2001)]
Best in Class:
  • Server/sysadmin ratios
  • Highest ratio of staff for pre-production processes
  • Lowest amount of unplanned work
  • Highest change success rate
  • Best posture of compliance
  • Lowest cost of compliance
Higher Performing IT Organizations Are More Stable, Nimble, Compliant And Secure
High performers maintain a posture of compliance:
  • Fewest number of repeat audit findings
  • One-third the amount of audit preparation effort
High performers find and fix security breaches faster:
  • 5 times more likely to detect breaches by automated control
  • 5 times less likely to have breaches result in a loss event
When high performers implement changes…
  • 14 times more changes
  • One-half the change failure rate
  • One-quarter the first fix failure rate
  • 10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
  • One-third the amount of unplanned work
  • 8 times more projects and IT services
  • 6 times more applications
Source: IT Process Institute, May 2008
Visible Ops: Playbook of High Performers
  • The IT Process Institute has been studying high-performing organizations since 1999
  • What is common to all the high performers?
  • What is different between them and average and low performers?
  • How did they become great?
  • Answers have been codified in the Visible Ops Methodology
Over Ten Years, We Benchmarked 1500+ IT Orgs
Sources: EMA (2009); IT Process Institute (2008)
2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
  • Standardized configuration strategy
  • Process discipline
  • Controlled access to production systems
Source: IT Process Institute, May 2008
Nine Practical Steps To Overcome Audit Fatigue And The Blame Cycle
The Nine Steps To Avoid Audit Fatigue
  • Step 1: Align with tone at the top
  • Step 2: Create a set of merged infosec and compliance/business goals
  • Step 3: Define ideal information security goal indicators
  • Step 4: Gain an end-to-end understanding of the information flow
  • Step 5: Agree upon control ownership, roles and responsibilities
  • Step 6: Define the control tests so business process control owners will agree with the results
  • Step 7: Schedule and conduct regular control tests
  • Step 8: Organize metrics and remediation reports
  • Step 9: Detect and respond to significant changes to the control environment
Step 1: Align With Tone At The Top
Ensure that compliance activity is clearly managed from the top down.
Step 2: Merge Information Security Into The Compliance/Business Goals
  • Document IT governance goals and the risks to achieving those goals
  • Confirm that information security and compliance help achieve those goals
For instance: A manufacturing company must comply with a regulatory requirement that certain chemical toxins are never released into the atmosphere in amounts over 10 particles per second. The manufacturing control system has been designed to ensure that this toxin is released at a rate of only 1 particle per second.
What is the business objective?
  Ensure smooth operation of the manufacturing process, in accordance with the business plan and all associated laws and regulations.
What are the information security and compliance risks?
  The manufacturing control system could fail and release more than the allowed amount of the chemical toxin into the atmosphere. The measurement system may not detect this release. Also, the manufacturing control measurement data could be altered or lost, which would prevent management from validating emissions output compliance.
What is my information security goal to address this risk?
  We must maintain integrity over the particle release measurement process and the measurement data.
What control will we implement to meet this goal?
  An access and measurement testing control process will protect the toxin release measurement software against tampering. The control will alert operations when changes to access are detected and when abnormal variations in the toxin measurements occur. The alert response will include automated and manual procedures that verify that the algorithm installed in the production system is the same as the one that underwent rigorous pre-production system testing.
What does plant management (the business process owner) need to do to support this goal?
  The control process would require the business process owner to configure the production system to minimize the access any given individual needs to change the algorithm and the corresponding data. The control process would also require the business process owner to minimize the job functions that require access to the algorithms and the measurement data.
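Added example (not code from the talk or from Tripwire): a minimal Python implementation of the control just described for the manufacturing scenario. It checks that the algorithm running in production has the same SHA-256 digest as the build that passed pre-production testing, alerts when the set of accounts able to change the algorithm or its data differs from the owner's approved list, and alerts on measurement records that breach the 10 particles per second limit, vary abnormally from the designed 1 particle per second rate, or have gaps in their sequence numbers (data altered or lost). The tolerance band, the sample build text, the account names and the readings are constructed assumptions.

```python
import hashlib

# Figures stated in the slide's scenario.
REGULATORY_LIMIT_PPS = 10.0   # never release more than 10 particles per second
DESIGN_RATE_PPS = 1.0         # control system is designed to release 1 particle per second
# Constructed assumption: readings outside 0.5x..2x the design rate are "abnormal variation".
VARIATION_BAND = (0.5, 2.0)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_algorithm_integrity(production_binary: bytes, tested_digest: str) -> list:
    """Verify the algorithm in production is byte-for-byte the build whose digest
    was recorded at pre-production test sign-off."""
    if sha256_hex(production_binary) != tested_digest:
        return ["INTEGRITY: production algorithm differs from the pre-production tested build"]
    return []


def check_access_changes(approved: set, current: set) -> list:
    """Alert on accounts able to modify the algorithm or its data that are not on the
    business process owner's approved (least-privilege) list, and on approved accounts
    that have disappeared without a matching change record being confirmed."""
    alerts = []
    for acct in sorted(current - approved):
        alerts.append(f"ACCESS: unapproved account '{acct}' can modify the measurement software or data")
    for acct in sorted(approved - current):
        alerts.append(f"ACCESS: approved account '{acct}' was removed; confirm against the change record")
    return alerts


def check_measurements(records: list) -> list:
    """records: list of (sequence_number, particles_per_second). Flags regulatory
    breaches, abnormal variation from the design rate, and gaps in the log."""
    alerts = []
    expected_seq = records[0][0] if records else 0
    low, high = VARIATION_BAND[0] * DESIGN_RATE_PPS, VARIATION_BAND[1] * DESIGN_RATE_PPS
    for seq, value in records:
        if seq != expected_seq:
            alerts.append(f"DATA: gap in measurement log, expected seq {expected_seq}, got {seq}")
        expected_seq = seq + 1
        if value > REGULATORY_LIMIT_PPS:
            alerts.append(f"LIMIT: seq {seq} reads {value} pps, above the {REGULATORY_LIMIT_PPS} pps regulatory limit")
        elif not (low <= value <= high):
            alerts.append(f"VARIATION: seq {seq} reads {value} pps, outside the expected band around {DESIGN_RATE_PPS} pps")
    return alerts


def run_control(production_binary, tested_digest, approved, current, records) -> list:
    """One pass of the control; an empty list means nothing to escalate to operations."""
    return (check_algorithm_integrity(production_binary, tested_digest)
            + check_access_changes(approved, current)
            + check_measurements(records))


# Constructed sample data: a tampered build, an extra account, a log gap and two bad readings.
TESTED_BUILD = b"release_rate = min(flow / 60, 1.0)\n"
TESTED_DIGEST = sha256_hex(TESTED_BUILD)          # recorded at pre-production sign-off
TAMPERED_BUILD = b"release_rate = min(flow / 6, 1.0)\n"
APPROVED = {"plant-eng-1", "plant-eng-2"}
CURRENT = {"plant-eng-1", "plant-eng-2", "contractor-x"}
RECORDS = [(100, 1.0), (101, 1.1), (102, 0.9), (104, 1.0), (105, 4.5), (106, 12.0)]

if __name__ == "__main__":
    for alert in run_control(TAMPERED_BUILD, TESTED_DIGEST, APPROVED, CURRENT, RECORDS):
        print(alert)
```

The digest comparison is the automated half of the slide's "verify the algorithm is the same one that was tested" procedure; the manual half (who signed off the tested build, whether the access change had a ticket) is what the ACCESS and INTEGRITY alerts hand to operations.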
Step 3: Define Ideal Information Security Measures
Develop theoretical ideal indicators that demonstrate that information security goals are being met. Examples:
  • # of access roles not validated by management
  • % of accounts not matching management-defined roles
  • % of configurations not pre-approved by management
  • % of changes not approved by management
  • % of systems with centralized logging
Step 4: Gain End-to-End Understanding
Do an end-to-end business process walk-through to understand and document:
  • Where does sensitive information enter, transit, get stored, and exit the organization?
  • What are the risks to organizational goals and information flow?
  • Where is reliance placed on technology to prevent and detect control failures?
Example: A merchant has a business process that supports a customer loyalty program. The program includes issuing branded credit cards. The consumer credit information flow starts with a customer filling out an online application form, which is…
  • Sent to the credit calculation application, is then…
  • Sent to a sales application, and…
  • Ends up in an application that runs on the desktop of every customer service representative.
What is the business goal?
  To ensure that customers approved for the credit card services are capable of meeting their obligations, so that any credit extended to the customer is likely to be repaid.
What are the business, information security and compliance risks?
  • Customer information is inaccurate
  • Customer information is inadvertently disclosed, violating regulatory requirements
Through what applications does the information flow?
  • The online application form is delivered through a third-party vendor
  • The credit calculation is done on cloud computing resources
  • The sales application is run internally by IT operations
  • The customer service application is run by a combination of internally developed server software and desktop software on the customer service desktops
Step 5: Agree Upon Control Ownership, Roles And Responsibilities
Clearly define roles and responsibilities for audit compliance activities at the process owner level.
Step 6: Define The Control Tests So Control Owners Will Agree With The Results
  • Make sure that evidence that demonstrates compliance goals have been met can be generated in an automated manner, upon demand.
  • This will mirror the accountability spreadsheet that the auditors will likely construct.
  • This is what enables information security to not be left holding the bag when IT operations is disorganized or unprepared.
Step 7: Schedule And Conduct Regular Control Tests
  • Conduct tests of control effectiveness frequently enough to be able to rely on their effectiveness regardless of variances in audit scope and timing.
  • Ensure that the sample size is safely larger than the auditor’s.
  • You will find unprepared IT control owners long before the audits.
  • “Hope is not a strategy. Trust is not a control.”
Step 8: Organize Metrics And Remediation Reports
Track the completion of required remediation work, ideally to be completed well in advance of the audit:
  • By compliance objective
  • By business process
  • By control owner
This will look like a PMO status report.
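Added example (not code from the talk): how Steps 3, 6, 7 and 8 fit together in one small Python script. It computes four of the Step 3 indicator examples from records standing in for exports of the identity system, the change-management system and the log-collection inventory; generates change-approval evidence on demand from a random sample larger than the auditor's (Steps 6 and 7); and groups the exceptions into a remediation list by control owner (Step 8). The roles, accounts, change ids, owner names and the "more than twice the auditor's sample" rule are constructed assumptions.

```python
import random
from collections import defaultdict

# Constructed records standing in for system-of-record exports.
ROLES = {                                   # management-defined role -> entitlements
    "billing-clerk": {"erp-read"},
    "billing-admin": {"erp-read", "erp-write"},
}
ROLE_VALIDATED = {"billing-clerk": True, "billing-admin": False}   # management sign-off this period
ACCOUNTS = [                                # (account, assigned role, actual entitlements, control owner)
    ("alice", "billing-clerk", {"erp-read"}, "finance-ops"),
    ("bob", "billing-admin", {"erp-read", "erp-write"}, "finance-ops"),
    ("carol", "billing-clerk", {"erp-read", "erp-write"}, "finance-ops"),   # entitlement drift
]
CHANGES = [                                 # (change id, system, approval ticket or None, control owner)
    ("CHG-1", "erp-db", "APR-11", "dba-team"),
    ("CHG-2", "erp-db", None, "dba-team"),  # no management approval on record
    ("CHG-3", "erp-web", "APR-12", "web-ops"),
    ("CHG-4", "erp-web", "APR-13", "web-ops"),
]
SYSTEMS = {"erp-db": True, "erp-web": True, "erp-batch": False}   # system -> forwards logs centrally


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def indicators():
    """Step 3: the slide's example indicators, computed rather than hand-collected."""
    roles_not_validated = sum(1 for ok in ROLE_VALIDATED.values() if not ok)
    accounts_off_role = sum(1 for _, role, ents, _ in ACCOUNTS if ents != ROLES[role])
    changes_unapproved = sum(1 for _, _, ticket, _ in CHANGES if ticket is None)
    logged = sum(1 for central in SYSTEMS.values() if central)
    return {
        "# access roles not validated by management": roles_not_validated,
        "% accounts not matching management-defined roles": pct(accounts_off_role, len(ACCOUNTS)),
        "% changes not approved by management": pct(changes_unapproved, len(CHANGES)),
        "% systems with centralized logging": pct(logged, len(SYSTEMS)),
    }


def change_approval_evidence(auditor_sample_size, seed=2010):
    """Steps 6 and 7: on-demand evidence that sampled changes carry a management
    approval, using a sample safely larger than the auditor's (constructed rule:
    more than twice the auditor's sample, capped at the whole population)."""
    sample_size = min(len(CHANGES), 2 * auditor_sample_size + 1)
    rng = random.Random(seed)               # seeded so a re-run reproduces the same evidence
    sample = rng.sample(CHANGES, sample_size)
    exceptions = [(cid, owner) for cid, _, ticket, owner in sample if ticket is None]
    return {
        "sample_size": sample_size,
        "tested": sorted(cid for cid, _, _, _ in sample),
        "exceptions": sorted(exceptions),
    }


def remediation_by_owner(evidence):
    """Step 8: the exceptions as a PMO-style remediation list, grouped by control owner."""
    report = defaultdict(list)
    for cid, owner in evidence["exceptions"]:
        report[owner].append(f"{cid}: obtain or document management approval, then retest")
    return dict(report)


if __name__ == "__main__":
    for name, value in indicators().items():
        print(f"{name}: {value}")
    evidence = change_approval_evidence(auditor_sample_size=2)
    print(evidence)
    print(remediation_by_owner(evidence))
```

Because the indicator and evidence functions read the same records an auditor would ask for, the output is the "accountability spreadsheet" of Step 6 produced on demand, and the per-owner list is what the Step 8 status report tracks to completion.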
Step 9: Detect And Respond To Significant Changes To The Control Environment
Have the situational awareness to know when the information flow or control environment has significantly changed, requiring these steps to be redone. For example, when an application is changed to allow consumer data to be downloaded to desktops instead of being viewed through pre-defined application reports.
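Added example (not code from the talk): a Python check that compares two snapshots of the information-flow inventory documented in the Step 4 walk-through and reports the changes significant enough to require redoing Steps 4 through 8, using the slide's own case of consumer data becoming downloadable to desktops. The flow records, the "exposure" attribute and the rule for which fields count as significant are constructed assumptions.

```python
# Constructed flow records from a Step 4 walk-through. "exposure" is an assumed
# attribute: "report" means the data is only viewed through pre-defined application
# reports; "download" means it can be copied to the endpoint.
BASELINE_FLOWS = {
    "consumer-credit": {
        "hops": ["web-form (3rd-party vendor)", "credit-calc (cloud)", "sales-app (internal)", "csr-desktop"],
        "exposure": "report",
        "owner": "sales-ops",
    },
    "loyalty-points": {
        "hops": ["web-form (3rd-party vendor)", "loyalty-app (internal)"],
        "exposure": "report",
        "owner": "marketing",
    },
}

CURRENT_FLOWS = {
    "consumer-credit": {**BASELINE_FLOWS["consumer-credit"], "exposure": "download"},   # the slide's example
    "loyalty-points": dict(BASELINE_FLOWS["loyalty-points"]),                           # unchanged
    "promo-emails": {"hops": ["marketing-app (internal)", "email-vendor (3rd party)"],
                     "exposure": "report", "owner": "marketing"},                        # new flow
}

# Constructed rule: a change to where the data goes or how it is exposed requires
# redoing the walk-through, control ownership, tests and reports (Steps 4-8).
SIGNIFICANT_FIELDS = ("hops", "exposure")


def significant_changes(baseline, current):
    """Return (flow, owner, reason) for each change that invalidates earlier steps."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings.append((name, current[name]["owner"], "new information flow: perform Steps 4-8 for it"))
        elif name not in current:
            findings.append((name, baseline[name]["owner"], "flow removed: retire its controls and evidence"))
        else:
            for field in SIGNIFICANT_FIELDS:
                before, after = baseline[name][field], current[name][field]
                if before != after:
                    findings.append((name, current[name]["owner"],
                                     f"{field} changed from {before!r} to {after!r}: redo Steps 4-8"))
    return findings


def owners_to_notify(findings):
    """Control owners who must re-engage, one entry each."""
    return sorted({owner for _, owner, _ in findings})


if __name__ == "__main__":
    found = significant_changes(BASELINE_FLOWS, CURRENT_FLOWS)
    for flow, owner, reason in found:
        print(f"{flow} ({owner}): {reason}")
    print("notify:", owners_to_notify(found))
```

Run at each release or at a fixed interval, the snapshot diff is the situational-awareness trigger the step asks for; the baseline snapshot should be replaced only after the affected steps have actually been redone.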
What Does Integration Of Security Controls Into Daily Operations Look Like?
Find What’s Most Important First
Quickly Find What Is Different…
Before Something Bad Happens…
Based On Objective Evidence…
Show Value To The Business…
Be Recognized For Contribution…
And Do More With Less…
It’s The Way… Automate Compliance. Protect Sensitive Data. Eliminate Outages. TAKE CONTROL. Tripwire VIA™
Tripwire VIA™ IT Security & Compliance Automation Suite: Visibility, Intelligence, Automation
  • File Integrity Monitoring
  • Security Event Manager
  • Compliance Policy Manager
  • Log Manager
  • Configuration Remediation
  • Products: Tripwire Enterprise, Tripwire Log Center
Resources
  • From the IT Process Institute (www.itpi.org): both Visible Ops Handbooks; ITPI IT Controls Performance Study
  • Stop by the Tripwire booth for a copy of Visible Ops Security
  • “Avoiding Audit Fatigue: Nine Steps To Achieve Compliance In A Multi-Compliance World” white paper
  • Follow Gene Kim on Twitter: @RealGeneKim; genek@tripwire.com; Blog: http://www.tripwire.com/blog/?cat=34

Editor's Notes

  • #6: There are many ways to react to this: like, fear, horror, trying to become invisible… All understandable, given the circumstances…