pi Security Audit
Let us address your security concerns
- Engage us to review the security of your IT environment:
  - Privacy Impact Assessment (PIA) to ensure your data handling complies with privacy standards
  - Threat Risk Assessment (TRA) to gain assurance that you are providing the best protection for your data
  - Compliance review against standards such as Internal Controls over Financial Reporting (ICFR) or General Computing Controls (GCC)
  - Effectiveness review of your current controls and procedures
- Learn about IT security, and also IT in general:
  - Click Members if you are taking a course that I instruct through The Knowledge Academy
  - We can develop new courses by arrangement (one on one, or a class of up to 10 people), such as:
    - Conducting a PIA or TRA
    - Security standards such as ISO 27001 ISMS, NIST 800, CIS, CSEC ITSG-33, ITSG-22, ITSG-39, and COBIT 5
    - Relational databases (SQL)
    - Web design using HTML, CSS, XML, and XSL
    - Project Management for development of business applications
    - Technical Writing to produce user guides, technical manuals, and support scripts
- Develop new web sites for you or your company, with on-line forms and backend databases.
My business card (see "About") shows my different areas of expertise.
Last updated: Aug 1, 2019
© 2018, 2019 -- pi Sec Audit, a division of 964317 Ontario Inc.
My initials are "PI", hence the pi symbol on my business card.
About - Qualifications
I want to take a practical and active role in minimizing security risks by improving controls and procedures, such as identity and access management.
I really enjoy helping people learn to be more productive, as a leader, mentor
What is an IT Auditor?
A professional who reviews the IT Security controls in place to either assure compliance with regulations, or review effectiveness and efficiency. The controls ensure confidentiality, integrity, availability, and accountability of your data and business processes.
- IT Auditor
- Freelance trainer
- IT Security consultant
- Business Analyst
- College teacher
- Reports for C-level
- Addressing recommendations
- Risk evaluation
- Governance & Compliance
- Analyzing controls
- Planning audits
For the question "What is an IT Audit?" there are two parts to the answer: what is IT Security, and what is an Audit of IT Security. Here is a one page executive summary of IT Security Audits and my qualifications as an IT Security Auditor.
IT Security versus CyberSecurity
IT Security concerns Confidentiality, Integrity, Availability, and Accountability (non-repudiation of transactions) of data in a system or application. It includes both the client-side and server-side controls, and the communication between the server and the client (thick or thin). Ultimately it is the responsibility of the system (application) owner to ensure InfoSec controls are sufficient to meet the threats, and to ensure the actions to prevent breaches or loss of data are implemented on a risk-based approach. (See risk-based approach below.)
CyberSecurity (especially as framed by CyberSecurity Nexus, CSX) concerns the totality of all systems working together, and extends InfoSec to include the Internet of Things (IoT), service mid-points (such as routers, WiFi hot spots, and cell towers), and social media. CSX is focused on privacy of data. Ultimately it is the responsibility of the data owner (i.e. the consumer) to safeguard against loss of privacy; only post information you would feel comfortable with your (eventual) grandkids seeing down the road. The problem, of course, is that big data analytics can work backwards from seemingly innocent data to piece together information that should be private.
IT Security protects your information in four dimensions:
- Confidentiality, to ensure only authorized people can read or update it,
- Integrity, to ensure it is not corrupted,
- Availability, to ensure you have it when required, and
- Accountability of changes, to ensure non-repudiation of transactions and to protect the production environment.
(ISC)² divides IT Security into eight domains, ranging from personnel and physical security to cryptography. Bearers of the Certified Information Systems Security Professional (CISSP) certificate must have an in-depth knowledge of all eight domains. Each domain has its own set of controls.
There are three frameworks to measure the controls:
- COBIT 5, which focuses on control objectives,
- ITIL, which focuses on processes, and
- ISO 27001, which lists prescriptive controls.
There are also industry standards regarding which controls to use:
- Center for Internet Security (CIS) guidelines,
- the Canadian government's Communications Security Establishment of Canada (CSEC, now known as the Canadian Centre for Cyber Security, CCCS) IT Security Guidelines (ITSG).
Audit of IT Security
An IT Security Audit reviews existing business processes and controls, including automated controls, and reports on:
- Review of the design of controls,
- Assessment of the effectiveness and efficiency of controls, and
- Recommendations to improve controls, or simply about best practices (where controls seem to be missing).
Bearers of the Certified Information Systems Auditor (CISA) certificate must have an in-depth knowledge of conducting audits into IT Security. As with any audit, there are four phases:
Planning which includes a system description, initial risk assessment, preliminary findings, formal announcement letter, and a plan for the Execution. Each audit follows an audit program, which is focused on in-scope elements listed in the system description; the plan shows how quickly the program will be performed. The scope and the depth of the audit program are based on three factors: time, cost, and risk. The initial risk assessment will show the areas with the highest risks facing the business. Ideally the program will be performed on all High-risk areas and also some Medium-risk areas. Only in long audits are all areas examined. Management's sign-off marks their acceptance of the formal announcement letter and thereby commits their resources to aid the audit's Execution phase (mostly to answer questions and provide evidence required by the auditors).
Execution (Conduct) in which the audit plan is executed. Each step in the audit program includes the tests to be performed, a description of the sample population and sample size, and the expected results. If the observed result does not reasonably match the expected result, the auditors prepare a finding (observation) for management to (a) verify the observed results, (b) consider the risk to the business of the observed result not aligning with the expected result, and (c) enter into discussions with the auditors about feasible ways in which the finding may be corrected. These discussions form the basis for the audit recommendations. Critical high-risk findings may require an immediate fix. The Execution phase ends after a different auditor and manager perform a Quality Assurance review of the work.
Reporting in which the client managers are asked whether they agree with the findings and recommendations raised in the Execution phase, and are asked to provide their planned response as a management action plan (MAP) consisting of specific actions and timelines. The draft report contains all findings and MAPs; this is often reviewed by the Chief Audit Executive and senior management before the Final Report is submitted to the Audit Committee, which is part of the Board of Directors.
Not all findings need to be remediated. Management should take a risk-based approach; low risk and some medium risk findings may be addressed by other means, such as obtaining insurance against the occurrence, or simply accepting the risk. Time and effort should be focused on preventing or correcting high- and critical-level risks.
Implementation in which the auditors follow up with managers on their MAPs, according to the timelines stated in the MAPs. Management can sometimes (with stated justification) defer the timelines. The auditor must agree that the remediation properly addresses the finding before the MAP can be closed; however, if it takes years to implement the MAP, it is possible the finding is no longer applicable, and a follow-up audit is required to confirm this. It is not unusual for the same business process to have a follow-up audit after a suitable time period to ensure the new controls, procedures, and processes are functioning as planned.
Internal Controls over Financial Reporting (ICFR) requires businesses to certify annually that certain "general" IT Security controls have been designed properly and are functioning correctly. The penalties for failure to comply include loss of reputation, and in extreme cases sending the CFO to jail. IT General Controls (ITGC) are a required component of ICFR compliance. ITGC reports are prepared by IT Security Auditors. The Audit Committee on your Board of Directors may ask for other IT Security audits to be performed from time to time.
I am available for full-time or contract work near Ottawa (from Kingston to Cornwall), or for remote work on-line.