Audit and Security

I heard of a place where internal audit was told to do a comprehensive security audit of all aspects of an organization. All aspects.

How is that possible?

The IT organization is likely working at 110%, putting all of its energy and effort into managing, monitoring, investing in and improving the organization's security. So how can a short audit effectively grade how they are doing? Now, I suppose that if the auditors were knowledgeable about security, and if there were huge gaps in what IT was doing, then those gaps would surface in the audit. But how could a short audit detect the deeper problems in the enterprise?

Further, how can an IT organization comprehensively know that everything is under control? And how can a CIO assure a board that everything is under control?

They can’t.

They can only attest that they are doing all they know to do, they are vigilant and they are working to set the tone across the enterprise that all must work together to secure the organization.

They can only assure that they are doing all they know to do.

These are difficult times for CIOs.
