Auditing
mallard20
Member Posts: 9 ■□□□□□□□□□
I got a big problem here and need the help of fellow forum members. I originally took a position of Information Security Technician and now report to the Internal Auditor. Once I started reporting to him/her, he kinda changed my work as auditing the IT department only. I don't mind that at all, I am just lost at exactly what is expected of me and how to do what is expected of me. I am currently enrolled in Audit 507 at SANS in July in DC. I guess what I am trying to ask is, Is there anyone else out there whose sole role is auditing what the IT department does? Can you do security and the auditing or do they go hand in hand? And help would be greatly appreaciated. Thanks in advance.
Comments
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□The company should have a security policy that determines what you need to audit. There is so much that you can audit that there's no way anyone here can just give you a generic answer as to what to do. If you don't have such a policy, you need to sit down with all the big players involved to determine what is important to them and the company.
I'm not sure what you mean when you ask if you can do security and auditing. Auditing is a subset of security, but it is just a piece of the puzzle. -
mallard20 Member Posts: 9 ■□□□□□□□□□I say that because at first they wanted me to do security and auditing, however the internal auditor said how could I possibly audit what I did.
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□Yea. If you overlooked something when you initially did it, you would probably overlook it again in the audit. Ideally, you should have someone else audit the tasks you perform.
It depends on your situation. One person could do the security tasks and one person could do the auditing, or perhaps you could divide the security responsibilities and audit each other's tasks. -
cacharo Member Posts: 361What type of auditing are you talking about?
Does your company currently hold any certifications? i.e. ISO, SAS70, etcTreat people as if they were what they ought to be, and you help them become what they are capable of being. -
JDMurray Admin Posts: 13,092 AdminStart by looking at the Web site for The Institute of Internal Auditors (IIA). See if your boss will get you a membership in the IIA and start attending the monthly meetings and workshops of your local chapter. There is nothing like learning about auditing from a whole bunch of other auditors. If you can, have your boss expense your membership costs in the Information Systems Audit and Control Association (ISACA) and Information Systems Security Association (ISSA) too. Lots of auditors in those Information Security organizations too.
There's also a lot of information about the different types of auditing in the Wikipedia. -
mallard20 Member Posts: 9 ■□□□□□□□□□Thanks so much for all of your input. I will be taking a look at those websites. Hopefully, I will have a broader outlook once I attend SANS.