Dan Swanson on IT auditing

The long view of security strategies for your network.

Dan Swanson has been working in internal audit for more than 24 years and provides an excellent free newsletter that some readers of this column will find valuable.

His brief newsletter concentrates on IT governance and often includes security-related topics. For example, his Oct. 17 issue pointed to a good book on project investment governance and reporting; concisely introduced a Web page with ISO 27001 security standards compliance information; alerted readers to a new series of podcasts from the Computer Emergency Response Team Coordination Center; and published abstracts of several interesting articles on corporate governance and risk management (for example, this article).

Readers may go here to join Dan’s mailing list. You must have or create a free Yahoo Groups ID for successful registration.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Dan Swanson has been working in internal audit for more than 24 years and provides an excellent free newsletter that some readers of this column will find valuable.

His brief newsletter concentrates on IT governance and often includes security-related topics. For example, his Oct. 17 issue pointed to a good book on project investment governance and reporting; concisely introduced a Web page with ISO 27001 security standards compliance information; alerted readers to a new series of podcasts from the Computer Emergency Response Team Coordination Center; and published abstracts of several interesting articles on corporate governance and risk management (for example, this article).

Readers may go here to join Dan’s mailing list. You must have or create a free Yahoo Groups ID for successful registration.

There’s a collection of Dan’s auditing-related papers in his columns from _Compliance Week_. Although a full subscription will appeal primarily to professional auditors (it costs $999 a year), there is a 30-day free subscription available that includes weekly e-mail newsletters, one issue of the print magazine and free access to the archives.

Dan will be giving a Webinar on Nov. 14 at 11 a.m. PST (2p.m. EST); the $249 registration free provides access to a live lecture and presentation on auditing compliance and ethics programs. Topics include:

* Audit scope
* What is the goal?
* Planning efforts
* The general audit steps
* Audit risk assessment
* Audit objectives
* Audit approach
* What auditors like to see
* Audit testing
* Issues to watch out for
* Other considerations
* The audit report

Full details of the Webinar are available online.

On the same topic, Dan has written an 88-page white paper that is available free and without registration. Entitled “Internal Audit Guide: Evaluating a Compliance and Ethics Program,” the draft report from the Open Compliance and Ethics Group (OCEG) includes an executive overview (PDF file pages 10-12) that summarizes key points:

“The purpose of the Guide is to support more effective implementation of existing compliance and ethics programs, the objectives of which are to:

* Provide assurance to the board and management that compliance and ethics programs are designed effectively and operating as designed.
* Identify opportunities for improvement.
* Reinforce and support self-assessment efforts that have been completed, and promote a continuous improvement philosophy within the organization.

Additionally, the Guide offers an audit methodology which can be used to provide assurance to the board and management on compliance and ethics practices.”

I was interested to note that the PDF file was automatically stamped with a digital rights management indicator: a page footer reading “LICENSED TO <IP address> ON SUNDAY, OCTOBER 29, 2006. SINGLE USER LICENSE GRANTED.” This footer would ensure that rogue copies of the document might be traceable to specific downloads and supports the attempt to provide up-to-date, corrected copies from a single server.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.