Post on 27-Dec-2015
“Are Your Security or Operational Business Policies
Correct?”
Practitioner Discussant CommentsMalik Datardina CPA, CA, CISA
Disclaimer!!!Risk management applied:“The following views are my own and are not
of my employer, Deloitte.”
Conceptually
I Data
Lot of promise: Bring CAATs Audit Analytics into Security Makes it possible to automate access control
testing
The GoodMathematics in abstract can be difficult
to grasp.But paper made it digestible
Use of simple models Examples relevant to auditors, e.g. “a teller
may deposit a customer’s money into the customer’s account”
Brought together necessary concepts e.g. RBAC, REA,
AudienceUnderstood this was primarily for academic
audience; right? Who is the audience?
Consider multiple audiencesDon’t limit just to audit; beneficial from
operations, network, information security, etc.
Why is this necessary?Solution looking for a problem?
What is the current ‘state of the art’? Any pitfalls with respect to manual testing? What are the risks? How does this procedure address them?
Need to illustrate benefit or cost of this outweighs External audit: can this save time in audit costs? Internal audit: explain how this will help from a
compliance perspective – how does it address: PCI, ISO 27001/2, SOC2 (Trust Services/cloud)
Some feedbackWhy is this necessary? Solution looking for a
problem?Need to illustrate benefit or cost of this
outweighs External audit: can this save time in audit costs? Internal audit: explain how this will help from a
compliance perspective – how does it address: PCI, ISO 27001/2, SOC2 (Trust Services/cloud)
How does this work practically?Need to explain how this works in practice:
What are the practical steps you need to take to do this?How do you get access rules in an electronic
format?Can this be obtained from SAP, Oracle, etc?What is exactly required for the auditor to do
to actually create the list of “right rules” to audit the security rules obtained from the device.
Insights from other areas?Software testing: What can be learned
from static analysis (i.e. automated testing of software)?
Intrusion detection systems: Are there potential for false positives? Is there a tuning problem?
Data quality: Are there data quality issues when you get access controls “data dump” from the machine?