“Are Your Security or Operational Business Policies Correct?”
Practitioner Discussant Comments
Malik Datardina CPA, CA, CISA
Disclaimer!!!
Risk management applied: “The following views are my own and are not those of my employer, Deloitte.”
Conceptually
I Data
- Lot of promise: bring CAATs / audit analytics into security
- Makes it possible to automate access control testing
The Good
Mathematics in the abstract can be difficult to grasp, but the paper made it digestible:
- Use of simple models
- Examples relevant to auditors, e.g. “a teller may deposit a customer’s money into the customer’s account”
- Brought together necessary concepts, e.g. RBAC, REA
Audience
Understood this was primarily for an academic audience; right? Who is the audience?
- Consider multiple audiences
- Don’t limit just to audit; beneficial for operations, network, information security, etc.
Some feedback
Why is this necessary? Solution looking for a problem?
- What is the current ‘state of the art’? Any pitfalls with respect to manual testing? What are the risks? How does this procedure address them?
- Need to illustrate that the benefit of this outweighs the cost
- External audit: can this save time in audit costs?
- Internal audit: explain how this will help from a compliance perspective – how does it address PCI, ISO 27001/2, SOC 2 (Trust Services / cloud)?
How does this work practically?
Need to explain how this works in practice:
- What are the practical steps you need to take to do this?
- How do you get access rules in an electronic format? Can this be obtained from SAP, Oracle, etc.?
- What exactly is the auditor required to do to actually create the list of “right rules” against which the security rules obtained from the device are audited?
Insights from other areas?
- Software testing: what can be learned from static analysis (i.e. automated testing of software)?
- Intrusion detection systems: is there potential for false positives? Is there a tuning problem?
- Data quality: are there data quality issues when you get an access controls “data dump” from the machine?
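The practical questions above (how the auditor turns a list of “right rules” into an automated check against an access-control export) and the false-positive and data-quality questions raised in the last slide can be made concrete with a small worked example. This is added illustration, not code from the discussant or from the paper under discussion: the reference policy, the CSV export layout and every user, role and permission in it are constructed for the example, and the export deliberately contains the kinds of defects a real “data dump” has (stray whitespace and case differences, a duplicate row, a blank field) so that the check separates genuine policy violations from noise instead of reporting both as findings.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]             # (action, object)
Entitlement = Tuple[str, str, str, str]  # (user, role, action, object)

# Hypothetical reference policy: the auditor's list of "right rules", expressed
# as RBAC role -> permitted (action, object) pairs. The teller rule mirrors the
# paper's example quoted in the slides; everything else is constructed.
POLICY: Dict[str, Set[Permission]] = {
    "teller": {("deposit", "customer_account"), ("view", "customer_account")},
    "branch_manager": {
        ("deposit", "customer_account"),
        ("view", "customer_account"),
        ("approve", "loan"),
    },
}

# Constructed access-control export (not from any real system). Row 2 has a
# trailing space and capital letter, row 4 duplicates row 3, row 7 has a blank
# role, and row 8 names a role the policy does not know about.
EXPORT_CSV = """user,role,action,object
alice,Teller ,deposit,customer_account
alice,teller,view,customer_account
alice,teller,view,customer_account
bob,teller,approve,loan
carol,branch_manager,approve,loan
dave,,view,customer_account
erin,auditor,view,customer_account
"""


def normalize(value: str) -> str:
    """Canonicalise a field so case and whitespace differences do not become false positives."""
    return value.strip().lower()


def parse_export(text: str) -> Tuple[List[Entitlement], List[str]]:
    """Turn the export into (user, role, action, object) rows; report data-quality findings separately."""
    rows: List[Entitlement] = []
    findings: List[str] = []
    seen: Counter = Counter()
    # Header is line 1, so the first data row is line 2.
    for lineno, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        fields = {k: (v or "") for k, v in raw.items()}
        for name, value in fields.items():
            if value != normalize(value):
                findings.append(f"line {lineno}: field '{name}' needed normalisation ({value!r})")
        row = tuple(normalize(fields[k]) for k in ("user", "role", "action", "object"))
        if "" in row:
            findings.append(f"line {lineno}: blank field in {row}")
            continue
        seen[row] += 1
        if seen[row] > 1:
            findings.append(f"line {lineno}: duplicate entitlement {row}")
            continue
        rows.append(row)  # type: ignore[arg-type]
    return rows, findings


def audit_entitlements(policy: Dict[str, Set[Permission]], rows: List[Entitlement]) -> Dict[str, object]:
    """Compare each exported entitlement with the policy.

    violations    : role is known to the policy but does not permit this action on this object
    unknown_roles : roles in the export the policy says nothing about (needs a human decision,
                    not an automatic violation; this is the tuning question from the slides)
    """
    violations: List[Entitlement] = []
    unknown_roles: Set[str] = set()
    for user, role, action, obj in rows:
        if role not in policy:
            unknown_roles.add(role)
        elif (action, obj) not in policy[role]:
            violations.append((user, role, action, obj))
    return {"violations": violations, "unknown_roles": unknown_roles}


def run_audit(policy: Dict[str, Set[Permission]] = POLICY, export: str = EXPORT_CSV) -> Dict[str, object]:
    """Parse the export, audit it against the policy and attach the data-quality findings."""
    rows, findings = parse_export(export)
    result = audit_entitlements(policy, rows)
    result["data_quality"] = findings
    result["rows_checked"] = len(rows)
    return result


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On the constructed export the only true violation is bob, a teller approving a loan; the `auditor` role is reported as unknown rather than as a violation, and the whitespace, duplicate and blank-field rows land in the data-quality list. Keeping those three outcomes apart is what lets the auditor tune the check (decide whether an unknown role is a policy gap or an export artefact) without the noise drowning the real exceptions.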