Raising Awareness and Gaining Support
The Information Security Office is responsible for assisting internal and external auditors in completing control checks against IT systems and data. In the event that there are IT-specific findings once the audit concludes, the ISO is also responsible for communicating and managing the necessary corrective actions.
Once we have determined that there are IT-specific findings to be addressed, the next step will always be about raising awareness and understanding. This effort will explain what findings we received, why we received them, what needs to be done to address them, and what our risks are if we do not addressed them. Depending on the level of risk, such communication activities will start with University executive management.
In addition to raising awareness, the Chief Information Security Officer will work to gain support from deans, directors, and department heads. This is critical to ensure that any required changes that impact their areas directly, or require involvement from their areas, is supported universally.
Whether conducted by internal or external auditors, an audit will generally follow a similar process. The real difference will come from the specific area that the auditors are investigating and the depth on checks they make. The process steps are outlined below.
- Planning - Auditors meet with management of targeted area and share scope of audit with timeline.
- Fieldwork - Auditors conduct a controls review and "walk-thru", interview key staff, complete tests against responses, and communicate with stakeholders.
- Reporting - Auditors report on results and recommendations to address findings as well as receive a formal response from management.
- Corrective Action - Management will drive necessary change to resolve or simply address findings identified.
Depending on the type of audit and who conducted it, there may be formal follow-up established to validate that the correction actions are completed.
Managing Corrective Actions
Once an audit is completed and management over the scope of the investigation has responded to any findings, corrective actions will be identified and pursue. In some circumstances, no action is possible and management will look to mitigate the inherent risks that the finding relate to. Corrective actions should be formally managed and documented to ensure that evidence can be provided of such.
When an audit results in IT-specific findings, the Information Security Office will work to complete the following:
- Develop and communicate an executive summary of the findings with management
- Raise awareness with responsible individuals for further discussion
- Leverage project management services to drive change
- Act as a resource for insight and validation of change
- Report on results with management
The objective of such a process is to effectively and efficiently make progress where critical gaps exist.