Abstract
A corollary to assume breach is to assume control failure. In the words of many a CIO, if you don't check it, then it wasn't done. Anyone who has managed operations or service vendors knows that some IT workers have a different definition of "done" than you do. Given time and exposure to the real world, things drift from their modeled description. Policies don't match what people are actually doing. Project status updates are inflated. Network diagrams aren't current or complete. Log data isn't captured, or if it is, the data slumbers unanalyzed somewhere. People leave the organization but their accounts remain active. Implementation projects get paused mid-implementation because of operational emergencies and are never resumed. Maintenance slips and patching doesn't complete. I'm not pessimistic; this just happens in a large, busy IT organization. However, if a control isn't working as described by policy, then you need to find it and fix it before the auditors or attackers spot it. That is what internal audit is about.
© 2016 Raymond Pompon
Cite this chapter
Pompon, R. (2016). Internal Audit. In: IT Security Risk Control Management. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-2140-2_22
DOI: https://doi.org/10.1007/978-1-4842-2140-2_22
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-2139-6
Online ISBN: 978-1-4842-2140-2
eBook Packages: Professional and Applied Computing (R0), Apress Access Books