Tag: IT Audit

How to Improve the Broken Risk Assessment Process

I recently participated in a CIO round-table to discuss the mechanisms by which management teams assess information technology risks. Almost all of the CIOs said they were performing regular risk assessments, but they also expressed a lot of concern about whether the assessments were performed consistently or with high quality. The major concern among the CIOs was that they didn't have a realistic view [...]

By | 2020-01-17T21:21:43+00:00 | December 2nd, 2015 | Cyber Risk Management, IT Audit & Compliance | 0 Comments

Target 2013 Breach: Understanding the Need for Secure Network Segmentation

A recent post from cybersecurity investigative reporter Brian Krebs does a great job of reminding IT and information security professionals everywhere why proper network segmentation is so important. The post, “Inside Target Corp., Days after 2013 Breach”, goes into detail about how, once criminals infiltrated Target’s corporate network, they were able to run free within the network/domain, easily gaining access [...]

By | 2020-01-17T21:22:04+00:00 | October 1st, 2015 | Cyber Risk Management | 2 Comments

Deploying a HIPAA Compliant Encryption Policy

HIPAA, or the Health Insurance Portability and Accountability Act, presents a fairly robust set of standards and rules that any organization within the United States handling PHI (Protected Health Information) is compelled by law to address. On the surface, many of HIPAA’s rules appear straightforward, but as I quickly learned while performing a recent AT601 Compliance Attestation, things are not [...]

Lessons Learned from a Cybersecurity Review

The past week presented me with a neat opportunity. I was asked to assess a so-called “Cybersecurity” plan of action for a small organization which has a strong internet presence but little internal expertise in the way of IT operations and security. When I was initially approached about my expertise on cybersecurity and willingness to review the external assessment for [...]

Managing Changes in the Manufacturing Environment

Engineers face unique problems when it comes to making changes to equipment on the manufacturing floor. Not only are there large (and expensive) components which have to be precisely installed and tested, but from a programming perspective engineers also have to manage the PLC (Programmable Logic Controller). The PLC, like source code, contains the specific instructions which make the machinery on the [...]

TSA Failure Highlights the Importance of Audit and Assurance

Executives should love IT auditors because auditors provide something every CEO/CIO wants: a view into the operating effectiveness of their company or department. Without an audit function, a company might be wasting money or manpower, or spending a lot of time doing things that have no impact on the business. Today, a story broke that an audit of the TSA's security procedures revealed [...]

Top 10 IT Risk Frameworks and Resources

I have an entire folder full of risk frameworks that I draw from for inspiration when I'm performing a risk assessment or internal audit project. Here are a few links that I hope you find helpful. If you have something useful not listed below, please share in the comments! NIST Cybersecurity Framework [link], NIST Cloud Computing Framework [link], NIST Computer Security Framework [...]

By | 2020-01-17T21:26:28+00:00 | May 7th, 2015 | Cyber Risk Management | 3 Comments

5 Easy Steps to Securing your PC or Mac!

True IT guys seem to be few and far between in the world of public accounting, but I have noticed more and more of us starting to get sucked into the wonderful world of audit spreadsheets, AICPA guidelines, and risk frameworks! After spending the past year roaming the halls of the Atlanta Grant Thornton office, I still stick out a bit [...]

By | 2020-01-17T21:26:28+00:00 | April 23rd, 2015 | Cyber Risk Management | 1 Comment

Application Risk Management

Many large and medium-sized businesses have the interesting problem of understanding and inventorying the various applications in use across diverse regions and departments. Without a clear understanding of how these applications are being used, who owns them, what type of data is stored inside them, and how each application is managed, the ability of CIOs and management to assess risk is greatly handicapped. [...]