5 Insider Tips for Using IT Audits to Maximize Security
TRANSCRIPT
© 2011 NetIQ Corporation. All rights reserved.
5 Insider Tips: Using IT Audits to Maximize Security
Mike Chapple – Senior Director for Enterprise Support Services at the University of Notre Dame
Renee Bradshaw – Senior Product Marketing Manager, NetIQ
Agenda
− An Insider’s Guide to Effective Audits
  − Treat audits as a lifecycle process.
  − Understand the scope.
  − You shouldn’t learn anything!
  − Don’t be afraid to speak up!
  − Embrace findings.
− Aligning Compliance, Security, and Business Goals
− Q and A
About the Speaker
Mike Chapple
Senior Director for Enterprise Support Services at the University of Notre Dame
• Assistant professor, Information Security, University of Notre Dame
• Former senior advisor to the Executive Vice President at University of Notre Dame
• Former Executive Vice President and Chief Information Officer at Brand Institute
• Former active duty intelligence officer in the U.S. Air Force
• Published author, including the best-selling CISSP: Certified Information Systems Security Professional Study Guide
• Ph.D. and BS, Computer Science and Engineering, University of Notre Dame; MBA, Auburn University; MS, Computer Science, University of Idaho
5 Insider Tips: Using IT Audits to Maximize Security
Mike Chapple, Ph.D.
Senior Director, Enterprise Support Services
University of Notre Dame
Tip #1
Treat Audits as a Lifecycle Process
Audits Shouldn’t Be Your Super Bowl, But More Like a Doctor’s Visit
Auditing as a Lifecycle
Prepare
Assess
Audit
Remediate
Tip #2
Understand the Scope
Covered Devices
Business Processes
Standards
PCI DSS
SOX
HIPAA
SAS 70
COBIT
GLBA
FISMA
Audit Process
Tip #3
You Shouldn’t Learn Anything!
This is Not the Time for Discovery!
Tip #4
Don’t be Afraid to Speak Up!
It’s Now or Never
Just Keep It Civil
Tip #5
Embrace Findings
Learn and Adapt
Auditing as a Lifecycle
Prepare
Assess
Audit
Remediate
Aligning Compliance, Security, and Business Goals
Renee Bradshaw – Senior Product Marketing Manager, NetIQ
Plan for Good Security
Direct compliance efforts towards risk mitigation
Compliance should be a “by-product” of security efforts.
− Compliance mandates only provide a minimum standard.
Focus first on minimizing risk and improving security.
− Leverage your audit findings.
− Define tools and controls which align to risk tolerance and business objectives.
− Realize improvement in overall security posture.
Ease the Compliance Burden
Create an adaptable compliance program
Implement a common set of controls
− Encompasses regulatory, industry, and internal corporate mandates
− Simplifies audits; provides reporting framework
− Avoids conflicting controls and unnecessary expense
− Adds controls as the regulatory environment changes
Improve security and efficiency of IT environment
− Automates routine, labor-intensive tasks
− Reduces the cost of compliance
− Avoids “audit panic”
Back to Basics
Good security makes compliance easier
The best way to achieve compliance is to get the security basics right.
Realize positive, long-term business impact.
− Reduce breach risk
− Avoid non-compliance penalties
− Operational efficiencies
− Improve security posture
Learn More at NetIQ.com
Complete our survey.
− Enter for a chance to win an Apple iPad!
Access informative white papers; gain insight.
− “Achieving ROI from your PCI DSS Investment” (tinyurl.com/ROIfromPCI)
− “Sustainable Compliance: How to Align Compliance, Security and Business Goals” (tinyurl.com/sustainable-compliance)