pi Security Audit

Let us address your security concerns

  1. Engage us to review the security of your IT environment:
    1. Privacy Impact Assessment to ensure your data is in compliance with privacy standards
    2. Threat Risk Assessment to gain assurance you are providing the best protection of your data
    3. Compliance review against standards such as Internal Controls over Financial Reporting (ICFR), or General Computing Controls (GCC)
    4. Effectiveness review of your current controls and procedures.
  2. Learn about IT security, and also IT in general:
    1. Click Members if you are taking a course that I instruct through The Knowledge Academy
    2. We can develop new courses by arrangement (one on one, or class up to 10 people), such as:
      • Conducting Privacy Impact Assessment (PIA) or Harmonized Threat Risk Assessment (HTRA)
      • Security standards such as ISO27001 ISMS, NIST 800, CIS, CSEC ITSG-33,22,39, COBIT5
      • Programming such as JavaScript, Perl, Visual Basic for Applications (VBA)
      • Relational databases (SQL)
      • Web design using HTML, CSS, XML, XSL
  3. Project Management for development of business applications
  4. Technical Writing to produce user guides, technical manuals, and support scripts
  5. Develop new web sites for you or your company, with on-line forms and backend databases.

My business card (see "About") shows my different areas of expertise.

Last updated: Aug 1, 2019


© 2018-2020 -- pi Sec Audit, a division of 964317 Ontario Inc.

My initials are "PI", hence the pi symbol on my business card.

About - Qualifications

Hover over any area of expertise on the card (below left), and the relevant background is displayed in the box (below right).

Click any area of expertise to see my resume (one page summary), or click full CV to see the details.


I want to take a practical and active role in minimizing security risks by improving controls and procedures, such as identity and access management. I really enjoy helping people learn to be more productive, as a leader, mentor and instructor.

What is an IT Auditor?  A professional who reviews the IT Security controls in place to either assure compliance with regulations, or review effectiveness and efficiency. The controls ensure confidentiality, integrity, availability, and accountability of your data and business processes.

  • IT Auditor
  • Freelance trainer
  • IT Security consultant
  • Business Analyst
  • College teacher
  • Programmer
  • Reports for C-level
  • Addressing recommendations
  • Risk evaluation
  • Governance & Compliance
  • Analyzing controls
  • Planning audits

For the question "What is an IT Audit?" there are two parts to the answer:

  • what is IT Security; and
  • what is an Audit of IT Security.

Here is a one-page executive summary of IT Security Audits and my qualifications as an IT Security Auditor.

IT Security versus CyberSecurity

IT Security concerns Confidentiality, Integrity, Availability, and Accountability (non-repudiation of transactions) of data in a system or application. It includes both the client-side and server-side controls, and the communication between the server and the client (thick or thin). Ultimately it is the responsibility of the system (application) owner to ensure InfoSec controls are sufficient to meet the threats, and to ensure the actions to prevent breaches or loss of data are implemented on a risk-based approach. (See risk-based approach below.)

CyberSecurity (especially CyberSecurity neXus, CSX) concerns the totality of all systems working together and extends InfoSec to include the Internet of Things (IoT), service mid-points (like routers, WiFi hot spots, cell towers), and social media. CSX is focused on privacy of data. Ultimately it is the responsibility of the data owner (i.e. the consumer) to safeguard against loss of privacy; only post information you feel comfortable with your (eventual) grandkids seeing down the road. The problem, of course, is that big data analytics can work backwards from seemingly innocent data to piece together information that should be private.

IT Security

IT Security protects your information in four dimensions:

(ISC)² divides IT Security into eight domains, ranging from personnel and physical security to cryptography. Bearers of the Certified Information Systems Security Professional (CISSP) certificate must have an in-depth knowledge of the eight domains. Each domain has its own set of controls.

There are three frameworks to measure the controls:

There are also industry standards regarding which controls to use:

Audit of IT Security

An IT Security Audit reviews existing business processes and controls, including automated controls, and reports on:

Bearers of the Certified Information Systems Auditor (CISA) certificate must have an in-depth knowledge of conducting audits into IT Security. The following description was generated for a client, ©piSecAudit 2020. [Note the mail merge fields appear as «Xxx» and are linked to the Excel spreadsheet that contains multiple rows of values for each field.]

Clients often ask whether an IT Audit is required.  Audits serve three purposes.  First, audits are required to demonstrate compliance to regulations, laws, and standards. Second, audits give assurance or level of confidence to senior management that the correct controls have been designed properly and are operating effectively. Third, audits give assurance to investors and stakeholders that the company is being governed efficiently; publicizing that the company is being audited may give the company a competitive advantage. 
Audits may be either financial or technological. In either case the auditors need to have the requisite skills, training, and knowledge to understand the subject matter, the business context, and the industry-specific code of practice.  An IT Audit is focused on the technological side of the client's business.
Being in business means the company is facing and dealing with changes on a regular basis.  All changes introduce risk. Senior management will determine the level of risk that is acceptable for their company. If the risks are too high, then management has four choices. They can: (a) change existing controls or implement new controls to reduce the risk; (b) transfer the risk to a third party such as an insurance company; (c) change the business process in order to avoid the risk; or (d) formally acknowledge and accept the risk. Management will often choose the last option when the cost of implementing controls exceeds the benefit of reducing the risk. On the other hand, some level of risk is necessary for the business. If there is zero risk, there are no changes, and the company will soon go out of business.
Within this context, the IT Audit evaluates the controls against the most prevalent risks facing the company. There are six major phases in an IT Audit. 

  1. Preliminary review of the IT department and senior management of «ClientShortname».
  2. The company's assets are enumerated, identifying the owner and value of each asset. Each asset has its own set of vulnerabilities, which may be exploited by a threat agent to form a threat scenario.
  3. Existing and planned controls are identified and listed; the controls may work together to reduce the consequences and probability of occurrence of possible threat scenarios.
  4. A qualitative risk assessment identifies the current levels of risk. In the interests of reducing the time and effort of an IT Audit, the company's management may adjust the scope of the last two phases to focus on a certain number or certain level of risks.
  5. The auditors may use various techniques to sample the effectiveness of the key controls.
  6. The auditors will work with senior management to address any shortcomings or areas where the controls may be adjusted to better deal with the risks, or become compliant with regulations. This step may include a quantitative risk assessment for specific assets. The cost of implementing new controls or improving existing controls is weighed against the value of the assets being protected. Senior management will review the final report before it is published to the Board of Governors, company shareholders, regulatory bodies, and the public as appropriate.

Proposed Audit Work

This proposal describes the work to be done in the six phases described above. The scope or breadth of work and the depth of analysis will be determined during the preliminary review. Using these six phases, «Company» can reduce the overall time of an IT Audit as compared to other firms. Most firms complete an IT Audit in 8 to 12 weeks, dividing the audit into four stages: (a) Planning [40% of the schedule]; (b) Conducting [30%]; (c) Reviewing [15%]; and (d) Reporting [15%]. «Company»'s approach reduces the Planning stage and combines the Conducting and Reviewing stages to complete the same work in under 8 weeks.

1. Preliminary Review

This phase lasts one week, starting on «ScheduleStartDate». The «Company» team will discuss the objectives and timing of the IT Audit with senior management at «ClientShortname». These meetings will quickly identify the scope of the work, including which systems may be out of scope of the IT Audit, and the depth of analysis that the senior management desires. These meetings also establish the escalation paths to be followed if the auditors reach a slowdown or pushback from the company's managers.
This phase includes a site visit on «SiteVisitDate». The site visit includes introducing the «Company» team to the staff and managers involved in the audit at «ClientShortname», as well as gathering overall impressions from the staff and managers on hot topics that may be important to include in the IT Audit. During the site visit «Company» staff will observe key areas such as physical controls and the conditions in the company's data centre or server room(s). Often first impressions can lead to focused attention in later phases. 
In the site visit, the IT department of «ClientShortname» should be prepared to receive requests from the «Company» team, such as the list of hardware, network, and software assets, including the operating systems and applications, the current patch levels, the identification of the asset owner, and the value of each asset. «Company» will ask for documents that describe common IT procedures, such as patch management, change management, problem incident reporting and resolution, and project management. «Company» will also ask managers to identify the controls that are currently implemented or planned to be implemented in the near future. Typically these requests are expected to be met by the end of the second week of the engagement, although the sooner the requests can be met, the sooner «Company» can start examining the documents. 

2. Enumeration of Assets and Vulnerabilities

This phase typically lasts two weeks. The information requested in the first phase is expected by the end of the first week of this second phase, although some information may be available more quickly, allowing «Company» to start examining those documents that much sooner.
Each asset has its own list of vulnerabilities or weaknesses. This is particularly true of the hardware, network, operating systems and third-party applications that have been purchased from a vendor. Applications which have been developed in-house will not have a well-established list of vulnerabilities, although there may still exist some vulnerabilities inherent in the design and implementation. «Company» will examine the project management and application development and testing processes used by «ClientShortname», and may conduct testing of the in-house applications in the fifth phase.

3. Enumeration of Controls

This phase typically starts during the second phase and lasts one week beyond the end of the second phase. By the end of this third phase, «Company» expects to have a good understanding of the design of the controls that are currently implemented or planned to be implemented in the near future. «Company» can also assess the design of the controls against various standards such as COBIT 2019, NIST SP 800, and ITIL. This phase is completed within four weeks of the scheduled start date, «ScheduleStartDate».

4. Qualitative Risk Assessment

This phase lasts one week. «Company» first compiles a list of reasonable threat scenarios, based on the threat actors who may exploit the vulnerabilities associated with each type of asset. Then «Company» will meet with the staff and managers in the IT Department of «ClientShortname», in order to consider how existing and planned controls affect the assessed levels of: (a) impact or consequences of the threats if realized; and (b) likelihood or probability of occurrence of each threat becoming realized. These two factors are combined to form the risk rating, typically expressed in relative terms as Low, Medium, High, or Critical. This risk assessment is based on the IT managers' and staff's understanding of the business processes, and allows senior management to focus on the highest risk ratings.

5. Audit conduct and review

This phase starts during the fourth phase and lasts two weeks beyond the end of the fourth phase. Most firms conduct the audit in one stage and then review the results in the next stage. «Company»'s approach combines these two stages into a single phase.
«Company» auditors plan the audit conduct work at the same time as the qualitative risk assessment, in order to select the appropriate sampling methodology, and then select the samples from the population of instances. During the actual audit conduct work, the auditors test the samples against the key controls that are used to mitigate the highest risks.
The observed test results are compared to the expected results. If there is a discrepancy, the auditors review the test results with the managers the next day to determine whether there are other compensating controls in place or whether the testing was somehow faulty. In most cases the managers are unaware of the discrepancy and can either take immediate action to rectify the situation or notify senior management of the problem. This continual review and fact checking during the audit conduct work saves time in the final phase of the audit, because senior management has already seen the results of the audit work and is aware of the problems.

6. Audit report and recommendations

This phase lasts one week, and is typically completed within 8 weeks of the scheduled start date. «Company» works with senior management to address any shortcomings or areas where the controls may be adjusted to better deal with the risks, or become compliant with regulations. This step may optionally include a partial quantitative risk assessment for specific assets (this may delay completion of this phase) in order for management to weigh the costs of improving existing controls or implementing new controls against the value of the assets being protected. Senior management will review the final report before it is published to the Board of Governors, company shareholders, regulatory bodies, and the public as appropriate.


This area contains tools I find useful for building my faith. If you are offended by evangelical Christianity, please do not read this area.