I have been involved in information security, either auditing it or being responsible for the function at a couple of financial institutions, for a very long time. To me, cyber is not separate from information security. If I were to make a distinction, information security would include not only digital information, but also hard copy reports and other information not stored electronically. But I will treat the terms interchangeably today.
Why do I say audits would be short?
Because they often were short when either I or my team of IT auditors performed them.
The first thing I do is ask for the information security risk assessment.
If they haven’t done one, it is difficult to know where we should focus our limited audit resources. I want to assess the areas where there is greater risk to the business and its success, that is, to the achievement of enterprise objectives.
It is difficult to assess whether they have adequate defenses or responses if they haven’t identified the greater sources of risk.
If they have done a risk assessment based on NIST or ISO guidance, it is usually disconnected from the achievement of business objectives and I again have a problem.
I don’t want to audit the “risk to information assets” (per NIST and ISO). I want to audit the risks to business objectives and success.
We can…